Demonslay335

Graphics Driver False-Positive?


I've received a "Ransomware Detected" notification after installation of my nVidia graphics driver, and then Intel graphics driver.
 
2016-01-26_0939.png

2016-01-26_0947.png
 
MBARW seems not to like the streaming service, I guess, for the nVidia; not sure what in the Intel driver triggered it. The install of the driver and GeForce Experience software completed fine, I got the notification after the installs.
  
Here's the link to the exact file I downloaded from nVidia's website for my GeForce GT 525M on my laptop.
 
http://us.download.nvidia.com/Windows/361.43/361.43-notebook-win8-win7-64bit-international-whql.exe
 
Here's the Intel Graphics 3000 driver I downloaded from Intel's website (I know it's a "previously released" version, but the latest release is having a bug with my system that I'm troubleshooting).
 
https://downloadmirror.intel.com/24696/a08/win64_152823.exe


Hello,

Thanks for your feedback! It looks like you are having issues with some type of false positive. In order to fix this issue the quickest way possible we will need to collect some files to review for information.

Please follow the steps below:

1.) Hold down the Windows Key (Flag Button) + Press "R". If done correctly, a "Run Box" will appear.

2.) Type or copy and paste the following in the "Run Box" textbox: "%programdata%\Malwarebytes\Malwarebytes Anti-Ransomware" (Include the quotes)

3.) If the last step was done correctly, you will see an Explorer window with some files in it. Please highlight all files in this directory by clicking and holding the left mouse button and hovering over all files.

4.) With all files selected, right click any files and click "Send To" >> "Compressed (Zipped) Folder".

5.) If done correctly, you will have a new zip file. Rename this "MBARWFILES".

6.) At this point upload the MBARWFILES.zip to this thread through the attach file option. If the file is too large, please upload it to a sharing link site like Dropbox, Box, etc.

Thanks! If you need any help, please don't hesitate to ask.

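The collection steps in the reply above, automated as an added PowerShell snippet (this is example code, not from the original post and not Malwarebytes' own tooling). It zips the contents of the MBARW program-data directory into MBARWFILES.zip and prints the archive's SHA-256 so the person reviewing the attachment can confirm it was not altered in transit. It assumes PowerShell 5.0 or later (for Compress-Archive) and writes the archive to the current user's Desktop; both are assumptions, not something the thread specifies.

```powershell
# Added example (not from the original post or from Malwarebytes).
# Collects the MBARW program-data files into MBARWFILES.zip, as the steps above describe.
# Assumptions: PowerShell 5.0+ (Compress-Archive), output on the current user's Desktop.
$ErrorActionPreference = 'Stop'

$src  = Join-Path $env:ProgramData 'Malwarebytes\Malwarebytes Anti-Ransomware'
$dest = Join-Path ([Environment]::GetFolderPath('Desktop')) 'MBARWFILES.zip'

if (-not (Test-Path -LiteralPath $src)) {
    throw "MBARW data directory not found: $src"
}

# Show what is about to be uploaded; log and quarantine files can be large.
Get-ChildItem -LiteralPath $src -Recurse -File |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# Overwrite any previous archive so a stale zip is not uploaded by mistake.
Compress-Archive -Path (Join-Path $src '*') -DestinationPath $dest -Force

# Record the hash so the reviewer can confirm the attachment matches what was created here.
$hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
"Created $dest"
"SHA256: $hash"
```

Run it from an elevated PowerShell prompt if the directory's ACLs deny the current user read access; the listing step is there so you can see exactly which files (including quarantined samples) are going into the upload before it is attached to the thread.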

Thanks Nathan. Sorry for the delay, the forum didn't notify me of your reply, fixed those settings now.

 

I see the procedure was posted just yesterday, lol. Here's the files.

MBARWFILES.zip


Pretty sure the 0.9.5.304 update fixed this. I restored from the quarantine after updating, and it hasn't triggered MBARW so far. I'll let you guys know if it comes up again. :)


Blarg, it's going haywire again. Not sure if I should open a new topic since it's different false-positives.

 

MBARW is quarantining Git (bundled with SourceTree) and Microsoft Word, and I think it's trying to mess with Chrome right now since my Hangouts is going nuts. I seem to have trouble with this program when I first startup my system.

 

One thing that might not be helping is that I was working on improving the decrypter for Hidden Tear yesterday; it probably thought that when I compiled the decrypter and then committed to my local Git repository that Git was an infected process. Word was quarantined when I decrypted a .doc file successfully and viewed a preview of it in Explorer.

 

Attached is a new dump. The NvStreamService.exe in the quarantine won't let me restore it, it says there was an error (not too concerned about that one). The others won't let me restore since they are pending deletion on reboot it says.

 

2016-01-28_0811.png

MBARW-FILES.zip


Thanks for the feedback, Demon. Please reboot the machine, turn off protection, restore the files, zip them up and upload them here, and turn on protection. We will get these FPs fixed.

 

Thanks! :)


Sorry, replies to this forum don't seem to be going to my email right, even after double-checking settings...

 

Installed beta 5 (by the time I got to seeing this post, that's the latest one). Build 0.9.14.361. It quarantined Yafu and ECM, which have never bothered it before.

 

Attached new dump.

MBARW-FILES.7z

