Ramblings of an old Doc
Published on April 23, 2016 By DrJBHL In Personal Computing

 

The Windows Club has published a pretty extensive list of tools to help you if you get zapped. First of all, it’ll probably be Petya or Locky as they’re the most common ones encountered currently. First you have to identify the malware. You upload the ransom note or a file which has been encrypted by the malware (and hope it identifies the malware) here: https://id-ransomware.malwarehunterteam.com/index.php

There’s a great list of the tools here: http://www.thewindowsclub.com/list-ransomware-decryptor-tools and each tool is specific to the malware identified, so…step one is very important.

There are also several intrusion detection tools, but according to The Windows Club, WinPatrol is free and probably the best. You can read about it at the linked URL.

There are also free anti-Ransomware tools. I've written about one, but there are several, and you can read about (and get links to them) here: http://www.thewindowsclub.com/free-anti-ransomware-tools 

Another article worth reading, to help you get organized about what to do if you are attacked, is located here: http://www.thewindowsclub.com/what-to-do-after-ransomware-attack

The most important thing is to have recent backups, so don't be lazy: make one now. The only backup you'll ever regret making is the one you didn't make.

Hope this helps in case you get hit. I’ve bookmarked the links above…and you might consider doing the same.

Have a great weekend!

Sources:

http://www.thewindowsclub.com/list-ransomware-decryptor-tools

https://www.winpatrol.com/

http://www.thewindowsclub.com/free-anti-ransomware-tools

Comments (Page 1)
on Apr 23, 2016

Doc -

I bought the 5-PC license for WinAntiRansomPlus and I'm running it alongside BitDefender AntiRansomware and MWB AntiRansomware.  So far, they seem to be playing nice together.

BitDefender goes about its business quietly without notifications but it may have blocked Locky on two of my rigs.  I happened to spot an obsolete software key on each when running the CCleaner Registry cleaner yesterday: HKCU\Software\Locky.  Which means I'm 'lucky' to have paid attention to your posts here.

So you know you may have saved at least one poor soul some misery.  For that, I say "Thanks!"

 

Addendum:  That 'obsolete' software key keeps getting rewritten to the registry after being deleted.  Not immediately, but it shows up again if I run CCleaner an hour or two after deleting it.

Got some work to do.

on Apr 23, 2016

If I helped, I'm truly happy Daiwa. Are you sure that registry key isn't being written by one of your AR program updates (I assume they update daily...and maybe stuff is hanging around in memory and getting rewritten?). 

If I were you, I would definitely be asking the AR makers about this and making a post about it in MWB's Forum...and maybe WARPs as well...

on Apr 24, 2016

McAfee's site says the presence of that specific reg key is indicative of infection, but so far no harm.  I'll keep this thread updated.

on Apr 25, 2016

After reading Daiwa's reply #1 I decided to run CCleaner's registry cleaner and found the same obsolete reg key, HKCU\Locky. When I clicked on fix issues a window opened and said the key is left behind after uninstalling software. The only ones I uninstalled were CCleaner and BitDefender Anti-Ransomware to update to the latest versions.

on Apr 25, 2016

Interesting, Uvah.  I'm talking to my tech guy this morning on this issue.  My first suspicion was that BitDefender had blocked a Locky attempt and that a harmless reg key was left behind.  Now not so sure.  I'll post back.

on Apr 27, 2016

After a lengthy session with my tech guy, it appears probable that the reg key in question is actually being written by one of the antiransomware apps, most likely BitDefender Antiransomware, for reasons unclear.  We actually found a set of two related keys in 6 different locations in the reg - CCleaner only found 1 set flagged as 'obsolete'.  It may be part of a strategy to 'immunize' against Locky.

One more little experiment to conduct before I can be sure.  More to follow.

on Apr 27, 2016

Locations please.

on Apr 27, 2016

Daiwa...I guessed correctly (response #2). Glad about that!

on Apr 27, 2016

DrJBHL

Daiwa...I guessed correctly (response #2). Glad about that!

You were close, Doc.  Not just on program update, but within an hour of the keys being deleted.

on Apr 27, 2016

I'd love to give you the locations, Uvah, but I wasn't watching real-time as he did the reg search.  All you need to do is search in regedit for Locky & delete all found keys.

on Apr 28, 2016

Thank you!

on Apr 28, 2016

@Daiwa...thanks, I will.

on Apr 28, 2016

There was a second key in the same section as each Locky key, gibberish alphanumeric name starting with 7ou, that CCleaner had also flagged as obsolete.  It, too, kept getting rewritten to the reg, so we nuked all those, too.

on Apr 28, 2016

I can report that 18 hours after deleting all found Locky keys and all the 7ou... keys, they remain gone on both rigs.  Interesting that CCleaner only picked up one set of the keys as obsolete when there were multiple sets.  The only protectionware difference between the two rigs is one runs BitDefender AV, the other Avast Pro AV.  Both run MWB, MWB Anti-exploit and BD Antiransomware.  And they are now both running WinPatrol WinAntiRansomwarePlus.  Still not sure where those Locky keys came from.

on Apr 29, 2016

Additional info today.

Avast Pro blocked the Locky trojan in several emails this morning - first time I'd seen a popup indicating so, but I assume there were others that I missed in the past.  This happened with active scanning of the inbound emails before they reached my inbox.

Found 4 instances of the Locky & 7ouHlW14R0XZ0x keys in the reg, all empty, suggesting that the trojan is able to get that far before Avast blocks it.

BitDefender on the other machine doesn't show popups, just does its biz in the background so it appears to be effectively blocking Locky as well.
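The commenters above searched regedit by hand for the Locky and 7ouHlW14R0XZ0x keys and then waited to see whether they came back. Here is an added PowerShell audit script (not from the post or any commenter) that does the same check across every loaded user hive, reports whether each key is empty, and appends the findings to a CSV so repeated runs show whether the keys reappear; it reports only and deletes nothing. The key names are the ones quoted in the thread; the CSV path is an assumed location.

```powershell
# Added example: audit loaded user hives for the registry keys discussed in this thread.
# Reports only; nothing is deleted, so the findings can be shown to the AV vendor first.
$Indicators = @('Locky', '7ouHlW14R0XZ0x')      # key names quoted in the comments above
$LogPath    = Join-Path $env:TEMP 'indicator-keys.csv'   # assumed log location

function Find-IndicatorKeys {
    param([string[]]$Names)
    $checked = Get-Date
    # HKEY_USERS holds one subkey per loaded user hive (HKCU is the current user's SID).
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -notlike '*_Classes' } |
      ForEach-Object {
        $software = Join-Path $_.PSPath 'Software'
        if (-not (Test-Path $software)) { return }
        # Walk the whole Software tree: the commenters found the keys in several locations,
        # not only directly under HKCU\Software.
        Get-ChildItem -Path $software -Recurse -ErrorAction SilentlyContinue |
          Where-Object { $Names -contains $_.PSChildName } |
          ForEach-Object {
            [pscustomobject]@{
              Checked    = $checked
              Hive       = $_.PSPath -replace '^.*HKEY_USERS\\([^\\]+).*$', '$1'
              Key        = $_.Name
              ValueCount = $_.ValueCount
              SubKeys    = $_.SubKeyCount
              IsEmpty    = ($_.ValueCount -eq 0 -and $_.SubKeyCount -eq 0)
            }
          }
      }
}

$hits = @(Find-IndicatorKeys -Names $Indicators)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    # Append each run, so running the script again an hour or two after a cleanup
    # shows whether the keys were rewritten (the behaviour reported in the thread).
    $hits | Export-Csv -Path $LogPath -NoTypeInformation -Append
    "Findings appended to $LogPath"
} else {
    'No matching keys found in any loaded user hive.'
}
```

Run it once, then again after the interval the commenters describe; a second set of rows with a later Checked timestamp means something is recreating the keys.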
