Hi John,

If you can get the fake AV's name -- I can likely shoot you some info. There is a new(ish) one on the block that hides files, folders, shortcuts and such (Windows Recovery). If that is what you see -- let me know. We have a restore procedure to restore the hidden/moved files. Also don't nuke the temps [yet] because that is where all the shortcuts are.

If MBAM quarantines it -- the quarantine is normally located here (depends on OS):

c:\documents and settings\USER_WHO_SCANNED\application data\malwarebytes\malwarebytes' anti-malware\quarantine <-- that dir has both the logs & the quarantined items (xp/2k/2k3)

C:\Users\USER_WHO_SCANNED\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\quarantine (vista/win7/win2k8)

Please upload anything MBAM quarantines to us.
http://www.sunbeltsecurity.com/threat

Thanks John,
Tammy

-----Original Message-----
From: John Aldrich [mailto:[email protected]]
Sent: Friday, June 03, 2011 10:26 AM
To: NT System Admin Issues
Subject: Fake antivirus

I'm going to go to a former co-worker's this afternoon to clean his system (again) from another fake antivirus infestation. I've already got Vipre Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't had to deal with any fake antivirus in a few weeks. Just wondering if they have developed any new tricks recently that I should be aware of?

Oh, this user had Vipre Home on his PC, and got infested anyway. Should I submit samples to Sunbelt (assuming I can find where they're quarantined)???

Thanks!

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
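An added example, not part of the thread and not a Malwarebytes or Sunbelt tool: a PowerShell script that picks the MBAM quarantine path Tammy gives for the running OS family, walks every user profile and writes an inventory (path, size, timestamp, SHA-256) of the logs and quarantined items it finds, so they can be gathered for submission without opening any of them. Assumptions of mine: the MBAM 1.x folder layout exactly as quoted above, a system drive of C:, and PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): inventory MBAM quarantine folders.
# Assumed: MBAM 1.x layout quoted in the reply, system drive C:, PowerShell 2.0+.
param([string]$Report = "$env:TEMP\mbam-quarantine-inventory.csv")

$ver = [Environment]::OSVersion.Version
if ($ver.Major -lt 6) {
    # XP / 2000 / 2003 profile layout
    $profileRoot = 'C:\Documents and Settings'
    $relative    = "Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine"
} else {
    # Vista / 7 / 2008 profile layout
    $profileRoot = 'C:\Users'
    $relative    = "AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine"
}

$sha = [System.Security.Cryptography.SHA256]::Create()

# One row per file found under any profile's quarantine folder (logs included).
$rows = Get-ChildItem -Path $profileRoot -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $profileName = $_.Name
        $qdir = Join-Path $_.FullName $relative
        if (Test-Path -LiteralPath $qdir) {
            Get-ChildItem -LiteralPath $qdir -Recurse -Force |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object {
                    # Hash the raw bytes only; nothing is executed or unpacked.
                    $fs = [System.IO.File]::OpenRead($_.FullName)
                    try     { $hash = [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
                    finally { $fs.Close() }
                    New-Object PSObject -Property @{
                        Profile  = $profileName
                        File     = $_.FullName
                        Bytes    = $_.Length
                        Modified = $_.LastWriteTime
                        SHA256   = $hash
                    }
                }
        }
    }

$rows = @($rows)
$rows | Sort-Object Modified | Export-Csv -NoTypeInformation -Path $Report
Write-Host ("{0} quarantined item(s)/log(s) listed in {1}" -f $rows.Count, $Report)
```

Run it from an elevated prompt so every profile's AppData is readable; the CSV doubles as a manifest to send along with the uploaded items.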
