
Fatdcuk

Staff

Posts posted by Fatdcuk


  1. 2 hours ago, Ezrway said:

    Thank you for responding to my post. Do you have any idea why Malwarebytes was unable to remove the item identified as "Registry Key: 1" in the quoted text from my original post?

    Thanks again!


    Hi


    Not 100% sure what has occurred for you; possibly, if you're running MBAM from a limited user account, that can sometimes interfere with removals from the HKLM hive.

    That said, we should not be removing that key (it belongs to CCleaner Cloud ops) but only removing the data stored under that key, should it be MUID, TCID or NID, which are the values set when the affected installer has been run.

    If none of those values are present then the detection of the key should not occur.


  2. 10 hours ago, Nikilet said:

    Looks like it doesn't matter who posts here because no one is going to respond anyway.

    Hi and sorry for the delay in replying as this thread had been overlooked.

    Avast had purchased Piriform but are keeping the software/company by its original names.

    Once we became aware of the hack (as the whole industry became aware) we created detection for the bad installer and the compromised software executable file.

    This would have prompted our software to detect and quarantine those affected files. The removal of ccleaner.exe (32-bit) would break the software operations on 32-bit OSes and hence the need to update to the new non-affected version.

    * The 64-bit ccleaner.exe executable was not compromised, but because of how CCleaner chooses to install, the affected version had both executables present (32- & 64-bit).

    Users using CCleaner on 64-bit OSes would not be affected, as it is only the 32-bit executable that was compromised and the 64-bit OS would not use that executable file when loading the software.

    We later added detection for a registry trace that was only present after the original compromised installer had been run.

    * This detection would be present on both 32- and 64-bit installs, but it is only 32-bit installs that were potentially compromised.

    That trace was a "marker" and not an active component part of the compromised version, but we decided we would remove it nonetheless.

    Back to your initial question(s) then: if you have removed the bad 32-bit executable (ccleaner.exe) then it is no longer an active risk.

    Were you at risk?

    Alas, the compromised version was backdoored, so every time the software was previously launched, so was the backdoor code.

    Had the active backdoor been exploited? We cannot tell you the answer to that, but all we can advise is, as with any potential security breach, that you change all your passwords from a secure computer. If you have used the affected computer for data-sensitive activities such as online banking, online purchasing or sensitive work, we would advise you contact your bank and/or work IT to advise them of your potential exposure to a data breach so the appropriate steps can be taken to protect yourself and others.


  3. 24 minutes ago, Dee0900 said:

    What good is creating a detection after the fact? It's a bit late after someone's system and personal data has been compromised.

    You are correct and we all feel that same frustration.

    Alas, that is the ongoing problem, which is industry wide. In this instance the whole industry was caught out by this trusted chain hack.

    Unfortunately it is an ongoing game of cat and mouse where the bad actors always get to go first. We all can try to develop new technologies to mitigate risk against attacks, but still as of yet there is no mythical silver bullet that can protect 100% on every potential attack scenario.


  4. 5 minutes ago, EcoFuelPlus said:

    just had another notification - this time the database version was 2017.09.14.05 !

    Yup, I just pushed out the next lot of new defs for today to the database.

    The faulting def was removed with the previous update cycle (#4).

    Again our thanks for reporting this guys and apologies for any inconvenience caused.

    I will close this topic off now as it is now resolved.


  5. Hi Dave

    Thanks for the update :)

    If Malwarebytes experiences the failed to restore from quarantine issue then the computer will need to be restarted first, and then the error will no longer occur when attempting to unquarantine items.

    Additionally, an alternative way to configure Malwarebytes to ignore detections is to run a scan (to generate those detections). At the removal screen, make sure all required lines are unchecked and ask us to remove items. A secondary window will then be created where we offer the option to ignore once or ignore always. Selecting ignore always will automatically add items to the ignore list in the software.


  6. Hi Wittmann

    We currently are detecting certain Auslogics software as PUP (PUP stands for Potentially Unwanted Program).

    In your case it is wanted.

    Please can you update MBAM to the current database and run a new Threat Scan.

    This time at the end of the scan make sure all boxes are unchecked (e.g. empty) and then ask MBAM to remove the items found.

    This will generate a pop-up window asking if you would like to add those detections to the ignore list.

    Please select "Ignore always" for all detections and then rescan to confirm the items are no longer detected.

    Thanks in advance :)


  7. Hi DeanSF and welcome to the Malwarebytes support forums.

    It seems that the client application is sharing some data with the Mail.ru PUP software (PUP stands for Potentially Unwanted Program).

    Please can you update MBAM to the current database and run a new Threat Scan.

    This time at the end of the scan make sure all boxes are unchecked (e.g. empty) and then ask MBAM to remove the items found.

    This will generate a pop-up window asking if you would like to add those detections to the ignore list.

    Please select "Ignore always" for all detections and then rescan to confirm the items are no longer detected.

    Thanks in advance :)


  8. Hi AyeAyeCaptain

    It had been listed because there was a version being pushed on download wrappers back ~6 months ago which contained a backdoored driver component.

    We listed it as potentially unwanted at the time because of this and the fact the distributing wrapper was force-installing it.

    However, on current review we are no longer seeing the bad version being pushed recently, so we will delist the detection of the software on the next update cycle today.

    Thanks for reporting this :)


  9. Hi JunkTony and welcome to the Malwarebytes support forums.

    GeekBuddy is software also distributed by Comodo; however, your detections are confirmed false positives and will get fixed on the next update cycle today.

    Thank you for taking the time to report this.


  10. Hi and thank you for the assist and your patience with this.

    That detection should be fixed with DB 2017.03.30.08 that just went live.

    I have just scanned through 4k+ lines of code looking for any other potential faulting defs. Fingers crossed they are gone now, but feeling totally boss-eyed nonetheless lol

    If you can update and recheck (and fingers crossed).

    Thanks in advance.


  11. Many thanks Perski.

    Yes, it was a case of the blacklist (bad URLs) inserted into prefs.js, and we were not differentiating between what was seen set by the Elex hijacker and what was set by the 3rd-party software to block them.

    I have tweaked our defs to take this into account and the adjustments just went live with the last database update.

    Please can you update the Malwarebytes database and confirm whether the detection(s) still persist.

    Thanks in advance :)


  12. Hi Perski and welcome to the Malwarebytes support forums.

    I am unable to replicate your reported detection, so please could you attach a Malwarebytes scan log where the detections are made to a reply.

    Thanks in advance :)


  13. Hi all

    This false positive will now be fixed with the most recent database update > 1.0.1404

    Again our sincerest apologies on this guys.

    * As this issue is confirmed to be resolved, I will lock the thread now.
