It looks like those keys have something to do with Bitdefender Anti-Ransomware:
BitDefender Anti-Ransomware | Wilders Security Forums
Please only follow the advice from BleepingComputer. It makes it very difficult to keep track of what's going on.
Note that it also states this when you started the thread over there.
Roy
Roy, the guy from BleepingComputer has said that obviously there is no sign of this on my computer apart from the continual registry entries. All is working OK, so he said he was closing the thread. So really it is not solved, but there do not appear to be any issues. Basically, leave as is and monitor.
@ Exfso,
I realize this topic is outdated, but since this is an ongoing issue with others who are infected with Locky...
Out of curiosity, did you get this resolved? If so, what was the final resolution/cause for those keys regenerating?
Donna :)
Hello BillH651,
After extensive research, I came to the conclusion that these registry keys are associated with BitDefender Anti-Ransomware (BDAR). To avoid having to type out what I posted at another forum, I will just copy and paste my findings below:
You confirmed my thoughts when you pointed out that you uninstalled BDAR, deleted the reg keys, rebooted and they never came back. That alone proves that the technician you spoke with at BD was in the dark about the newest updates to BDAR. I am not only surprised but very disappointed that the technician had no knowledge of BDAR creating these registry keys.
Please read the articles in SecurityWeek and SpiceWorks. Both articles discuss the following:
As disclosed in SecurityWeek:
"However, what users could do is to create the HKCU\Software\Locky registry key, which is the first thing that the ransomware tries to create on the compromised machine. The malware terminates if the creation process fails, and having the registry key already present on the computer ensures that the malicious application is not executed."
As disclosed in SpiceWorks:
"At present, however, it works by taking advantage of a slew of built-in tests shared by Locky, TeslaCrypt, and CTB-Locker, which scan their host computer to see if it is already infected. 'The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker,' Computerworld writes."
You said that you read the BitDefender article I shared with my associates. If you read it thoroughly then I am sure you came across the following comment by David:
62. David says:
April 4, 2016 at 12:35 pm
I've read the article
Free Bitdefender tool protects against ransomware infections | PCWorld
but I still want to know how it actually does it.
"The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker. This prevents those programs from infecting them again."
What does it "vaccinate"? What part of Windows tells ransomware it is already infected by it?
I am almost certain that he also started the topic found at Simoch on the same day just hours later. Davidenko just shortened his name to David. If you have a look at his second post, he went out on a limb and installed BDAR to find out for himself since he wasn't getting the answers he needed to confirm his suspicions, just as you did by uninstalling BDAR.
The security gurus that be won't necessarily put this information out there on the internet for just anyone to find. As pointed out in the first paragraph of the SpiceWorks article:
"The new Bitdefender Anti-Ransomware vaccine is built on the same principle as a previous tool that the company designed to prevent CryptoWall infections. That tool was later made obsolete and ineffective after CryptoWall's creators updated their ransomware. Something similar is expected to happen to Bitdefender's tool."
The sooner the bad guys find out that the good guys created a vaccine, they will alter the code, and the good guys will have to start all over again trying to find out how the bad guys altered the code so the good guys can update their tools and release an update. Honestly, it is a never-ending battle between the good and the bad.
Think about the BDAR vaccine from a medical point of view. Researchers create vaccines using the virus itself, then inoculate the human population with that vaccine. Since a potential victim already has the antibodies of any particular virus, such as the flu, diphtheria, measles, mumps, etc., the virus can detect this and the potential victim will not get the full-blown virus, if at all.
Truly, I would not be worried that you are infected; BDAR creates those registry keys to prevent you from becoming infected. As pointed out in the SecurityWeek article, if the registry keys already exist on the computer, the creation process fails and the malware terminates itself.
If you really are that worried about becoming infected, protect yourself by creating backups of personal data that you just couldn't bear to live without. You could even go as far as cloning your drive. It is never a bad idea to have more than one backup.
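The post above describes a test anyone in this situation can run (uninstall BDAR, delete the key, reboot, see whether it comes back) and names exactly one vaccine key, HKCU\Software\Locky. The script below is an added example for this thread, not Bitdefender's code and not an official list of what BDAR writes; it checks that one key, snapshots its contents so a "before" and "after" can be compared, and can recreate the key the way BDAR does after a cleaner removes it. The HKCU:\ drive form is PowerShell's spelling of the HKCU hive; any key names for other families are assumptions and are deliberately left out.

```powershell
# Added example for this thread (not Bitdefender's code, not an official list of
# what BDAR writes). Only the key named in the SecurityWeek quote is checked;
# other family-specific key names would be assumptions and are not listed.
$VaccineKeys = @(
    'HKCU:\Software\Locky'
)

function Get-VaccineKeyStatus {
    # One row per vaccine key: does it exist, and how much does it hold?
    foreach ($key in $VaccineKeys) {
        $present    = Test-Path -Path $key
        $valueCount = 0
        $subKeys    = 0
        if ($present) {
            $item       = Get-Item -Path $key   # Microsoft.Win32.RegistryKey
            $valueCount = $item.ValueCount
            $subKeys    = $item.SubKeyCount
        }
        [PSCustomObject]@{
            Key        = $key
            Present    = $present
            ValueCount = $valueCount
            SubKeys    = $subKeys
        }
    }
}

function Export-VaccineKeySnapshot {
    # Writes the values under each vaccine key to a JSON file. Take one snapshot
    # with BDAR installed and another after the uninstall/delete/reboot test;
    # if the key returns with BDAR gone, something other than BDAR recreates it.
    param([Parameter(Mandatory)][string]$Path)
    $snapshot = foreach ($key in $VaccineKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item   = Get-Item -Path $key
        $values = @{}
        foreach ($name in $item.GetValueNames()) {
            # GetValueNames() reports the (Default) value as an empty string
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $values[$label] = [string]$item.GetValue($name)
        }
        [PSCustomObject]@{
            Key    = $key
            Values = $values
            Taken  = (Get-Date).ToString('o')
        }
    }
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
}

function Add-VaccineKey {
    # Recreates a missing vaccine key, which is what the thread says BDAR does
    # after CCleaner removes it. Returns $true only if the key was created.
    param([Parameter(Mandatory)][string]$Key)
    if (Test-Path -Path $Key) { return $false }
    New-Item -Path $Key -Force | Out-Null
    return $true
}

# Usage (run as the user whose HKCU hive BDAR writes to):
Get-VaccineKeyStatus | Format-Table -AutoSize
# Export-VaccineKeySnapshot -Path "$env:USERPROFILE\Desktop\vaccine-before.json"
# Add-VaccineKey -Key 'HKCU:\Software\Locky'
```

Two caveats a practitioner would add: the key is only a decoy for the specific variants that perform this "already infected" check, so, as the CryptoWall quote above points out, it stops protecting the moment the authors change that check; and because the key lives under HKCU, a cleaner run from the same account (the CCleaner routine mentioned later in the thread) removes it and leaves the account without the decoy until BDAR writes it again.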
These entries may be from Bitdefender Anti-Ransomware. It tries to defeat ransomware by trying to convince it that your system is already infected. So it seems that Bitdefender Anti-Ransomware creates these keys on purpose. I have both Bitdefender Anti-Ransomware and similar reg keys. All scans of my system show no infection.
I have been wrestling with this same registry issue for several weeks now, and I have had a feeling that BDAR may have been the cause. I didn't try the uninstall trick (because I simply didn't think of it), but now, in hindsight, it just makes sense that those keys would reappear. It works as a vaccine does in the human body.
My 'workaround' for this problem was to run CCleaner after bootup to delete these keys. Now I see that was a bad move, leaving me vulnerable...
I run MWB, ASC, and CCleaner every night before I shut down, thinking that when I boot up in the morning, everything starts fresh, kinda like how I like to sweep my cabinet shop every night so my employees come into a clean and tidy shop every day.
I've been a member here for a bit, and have solved more than a few issues with the help of the fine people here, and would just like to take this opportunity to say Thank You All!!