• Content count

  • Joined

  • Last visited

1 Follower

About shadowwar

  • Rank
    Forum Deity
  • Birthday

Recent Profile Visitors

58,257 profile views
  1. I would hold up a second here. It looks like you are running a commercial product called drivelock. This uses a custom MBR to boot the disk as the disk is encrypted. Mbam restored the standard windows MBR and that is the issue here. Using windows utilities to restore the mbr wont work. You may have to contact Drivelock and see if they have a utiltity to restore the MBR to their custom mbr. Most drive encryption programs have a bootable cd that can fix these. I have not used drivelock before so i cant be 100% sure. The customer is being helped by Lisa in support. I would stick with that for now. Doing these windows commands may cause more issues to be fixed once the custom mbr is repaired. After this is repaired we would appreciate if you can follow the instructions from lisa so we can prevent this from happening again by getting some whitelisting info.
  2. You can use spycar to test detection.
  3. I would need to see the mbam log from the detection of kovterl to see why we werent able to remove it.
  4. PUP means Potentially Unwanted Program Also may want to look at this google search. There are a few review sites on the first page.
  5. Please see here: Also: If you will still like to use it it can be added to exclusions in malwarebytes. This is not detected as a virus but a Potentially Unwanted Program. AKA PUP.Optional.
  6. Where did this come from and where was it located on your pc? I removed all the garbage from the file and was left with 45 lines. This removes the .minecraft directories and c drive root directory with the RD command. All the mojang stuff it says is just distraction for it to delete the files. It never contacts out of the pc. Rule of thumb if something promises to unban you, its Malware. Its simply almost impossible from the pc end.
  7. Sure.
  8. Sorry i am not allowed to give out malware.
  9. What wasnt blocked. Are you physically executing the ransomware against the anti ransomware component? Are you running it from the location as it would of been seen in the wild? Like temp? If this is all true if you can pm me the md5 of the sample i could take a look and see why. We do have some updates coming out in a few days for some new variants to the anti ransomware and anti exploit modules. This is the advantage of mbam 3 in that we can update engines without having to release a whole new version. 2,x and earlier the engine isn't upgradeable to adapt to new threats without a whole new version. All these modules are designed to work together in three. What one module may miss the others should hopefully catch. For example say you get a nemucod script emailed to you. Anti exploit module would stop it from downloading the payload. If it gets by the anti exploit module and its a ransomware payload then that module should get it on behaviour. If none of this happens then the main engine kicks in to try to stop it. This is also assuming not running in free mode but either trial or paid. Anti ransomware works on an executable file only. If it detects ransomware behaviour it only kills that file. The main engine is what can clean up the traces. Mrtee , Mbam works on actions and signatures. Layered approach as described above.
  10. The main problem is you are testing with something known already to us. So the same signature is being used on both versions. Test with a ransomware mbam 2 misses and mbam3 anti ransomware should in theory stop it based on behaviour and execution and not using a signature. Also testing with mbam 3 is not your standard testing. Its tuned to how infections occur in the wild. Just scanning a file with mbam 3 wont alway yield a detection result. The in the wild infection attempt has to be duplicated for anti exploit or anti ransomware modules to work in mbam 3. Just scanning a file these modules wont come into play as its not a real world infection attempt. Basically it shuts the door on infection attempts from the wild.
  11. Thanks for the info. The devs are aware but are having one hell of a time duplicating it. I let them know and they may reply here with questions.
  12. Ok thats good at least. Another user experienced this. Can you try his workaround? in the temporary profile do the following: In Malwarebytes Settings > Protection, uncheck Start Malwarebytes at Windows startup Then restart the computer and your normal profile should open. If it does start fine Then go ahead and reenable start with windows in malwarebytes. Reboot again and it should work normally.
  13. would you mind trying a test for me to see if we can narrow this down? Any of the following results that start with below please uncheck these before removal. HKLM\SOFTWARE\MICROSOFT\ HKLM\SOFTWARE\WOW6432NODE\MICROSOFT Let me know if it loads correctly after that.
  14. Can you attach a copy of the log here that causes the profile problem. So i can see what was removed and get a direction to go with what might be causing this. Thanks!
  15. Did you uncheck a result? Would need to see the screen before this. moving to general support as this is not a fp.