miekiemoes

Hi, When the key gets recreated by Ransomfree, if you do a scan, it will then detect it again. That's where you need to add the exclusion on. Alternatively, you can also disable PUM detections from the scan settings. Settings > protection > Potential Threat Protection > Potentially Unwanted Modifications, set to Ignore detections.

Hi, With "killing", do you mean, Malwarebytes actually deletes it? So its gone afterwards from the location? Or do you mean "killed", that the process is only killed? In that case, a reboot should reload the process again. So in case of the process only being killed, but the file is still present - then it's because our antiransomware behavior detection sees it as suspicious, but fails to do additional checks (most probably because the PC doesn't have internet connection). So that's why it takes the "better safe than sorry" approach and kills the file from running. It doesn't delete it. In that case, either connect to the internet, or add the file that gets killed to the Malwarebytes exclusions.

Hi, In order to exclude, when the scan is done, uncheck the detection and click "Next" Then you'll see a new window open where it will ask what to do with this. In your case, you need to select: "Ignore Always".

Ok, we should be good. I verified myself with latest version of the Ccleaner Cloud and the value TCID is indeed not created under that key.

Ok good - I'll verify on my end as well and sign up for the Ccleaner Cloud, just to verify/make sure

Hmm, I'll do some more investigation about those keys. Could indeed be possible these are created by default by Ccleaner Cloud.

Hi, Did you have the compromised version before? Because this detection was only added since very recently to deal with registry traces of the compromised version.

Hi, This hasn't been reported yet though. Can you zip and attach the MBAMSERVICE.LOG present in the C:\ProgramData\Malwarebytes\MBAMService\logs\ folder? Thanks!

Hi, No, as you need to exclude it from scanning rather, not from the internet. To add the exclusion, open Malwarebytes > Settings > Exclusions tab Below, click the button: "Add Exclusion" Then, select "Exclude a File or Folder" (this should be prechecked already by default) Click Next You'll see a field that says: "Specify a File or Folder" - there, click the button "Select Files..." and browse to the file you want to exclude. For "How to Exclude", select: "Exclude from detection as malware, ransomware or potentially unwanted item" (this is normally also selected by default already) Then click the OK button below.

Hi, I just checked your file and it was indeed fixed already. The reason why it probably got "killed" (and not deleted) was because this machine probably didn't have an Internet connection, so additional queries on this file couldn't be performed to determine status. That's why Malwarebytes takes the "better safe than sorry" approach in this case, especially since it has behavior we often see with ransomware and/or similar suspicious behavior - hence why we kill the process then. Note, with behavior detection, there's always a chance for False positives, and especially httpd.exe is occasionally causing this. So that's why I suggest excluding the D:\ProgramFiles\Apache\Apache24\bin\httpd.exe file from Ransomware detection. Because most probably, a next update to Apache *might* trigger this again if not excluded. Hope this helps.

Hi, This looks like a false positive indeed, so I suggest you unquarantine it. Can you also zip and attach the httpd.exe file, so we can have a look? Thanks! Edited to add - this should have been fixed already. Can you verify please, so this is no longer detected?

We have just released a blog post as well regarding this: https://blog.malwarebytes.com/security-world/2017/09/infected-ccleaner-downloads-from-official-servers/ I'm going to close this thread now, so for any questions regarding this - feel free to comment in the blogpost. Thanks!!!

No need to Panic - Having Malwarebytes delete it and/or updating to the latest version of Ccleaner takes care of this all and your system will be clean. This is in no way related with Petya though

The installer has both 32 and 64 bits - so I'm sure in your case, the setup file was detected. It must have been this file then: https://www.virustotal.com/en/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/ - ccsetup533.exe "If so, are 64-bit users safe if no registry keys are present for the 32-bit version?" Basically yes, but always good to update anyway

Yes, you should be OK after having malwarebytes remove what it has found or updating to the latest version of Ccleaner (as that also overwrites the file, in case it wasn't removed previously). No need to reinstall Windows