Averum

I started manually copying a replacement DLL to many PCs this evening and in each case this fixed it. What I noticed was the DLL was present on each system, but it was damaged/corrupt. It appears that Malwarebytes tried to restore it as I requested, but the restored copy is not good. Going to have to fix all of these the hard way. Hands on.

I started manually copying a replacement DLL to many PCs this evening and in each case this fixed it. What I noticed was the DLL was present on each system, but it was damaged/corrupt. It appears that Malwarebytes tried to restore it as I requested, but the restored copy is not good. Going to have to fix all of these the hard way. Hands on.

My fear is this looks to be a delete-on-reboot type thing... So still going to have problems as computers are rebooted.

I got a hold of a Windows 7 Enterprise laptop that was missing the file. Letting startup repair run on that system restored the file. I have a script running on all my machines now to let me know if the file was not restored, but nothing so far. So once again, just the ones that were rebooted in the past few hours are looping.

I'ved manually checked about 15 systems at this point. The file appears to have restored, any that rebooted are hosed.

As of this morning at 4:47am EST Malwarebytes began removing the following file. C:\Windows\System32\ntdll.dll Around the same time I began getting reports of systems boot looping. I have added the file to the ignore list and sent a command from the console to restore this file on all machines. Hopefully any system that has not been rebooted will restore this file. I am now looking at ways to easily resolve this issue on the affected system.

I also would like to change this setting.

Recently Malwarebytes Enterprise started detecting the following as a threat and correcting it "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore|DisableConfig". However, we have system restore points disabled through Group Policy (always have). This caused us issues as the size of my SQL database shot up as scores of new detections rolled in making everything unstable. We shutdown the VM and assisgned more resources to it to compensate for the suddenly inflated SQL database size. Once I was able to get back in I added that key to the ignore list of ALL polices that we have deployed. Yet still I come in each morning and check threat view and see it is being detected and removed/fixed. Obviously group policy is just going to keep reapplying it. I need it to stop.

I haven't had any issues with actually running Malwarebytes so far. The automated scans just don't hit the location I need them to.

In my case the .exe appears to be running directly from the users roaming profile. Which in our case is P:\Application Data The exact file name for the one I am working on now is svc-xero.exe Full path behing P:\Application Data\svc-xero.exe I was able to active the ransomeware with its own key. This gave me back control of the task manager and allowed me to find the name and location. I was then able to delete it from that location and then scan the registry and delete entries that I found there. At this poine I was able to manually scan both the C (local drive) and the users P (roaming) and Malwarebytes cleaned several things. I don't think Malwarebytes scans this extra location with its day to day scans and I can not see how to enable scanning the P drive from the Malwarebytes console. The .exe was running from the P drive, not the C drive. I have another thread open asking about scanning that location with my automated scans.

Is it possible to set Malwarebytes to scan drives beyond the local OS drive from the Malwarebytes server console. Our users back up data to roaming profiles and I fear the profiles are infected.

I've had about 10 of these in the past 24 hours on our domain. I am having to manually clean them as both Symantec and Malwarebytes are not currently catching it. The infected exe appears to be stored on the users roaming profile, under application data. It is called Windows Antivirus Master. Here is a screenshot that I pulled from another site. Do you guys have anything in the pipe to detect this annoyance? Thanks.

Perfect, thank you.

Support had me enable "Enable Serial Client IP Detection" now I am getting lots of hits on the workstations. I do have another question though. Under Admin > Client Push Install, there is an option to scan an IP range from a file. What should the formatting look like in the text file to utilize this.

We scanned a range that includes around 200 workstations. It picked up two devices which are not computers I am trying to manage. Both of them being devices that provide network connectivity for medical equipment.

No they come back with all the correct information.

Server Name/Address Host Name/IP

I'm trying to determine why no computers on the domain are visible to me from the Malwarebytes Enterprise console. As you can see I can ping the target computer. This computer is a fresh image with only the Windows XP SP3 loaded onto it. Windows Firewall is deactivated (AD policy) and File and Printer Sharing is checked under exceptions. Network Access Sharing and Security is set to "Classic". What else do I need to be looking at?