Tammy, I ran into one a few weeks back that hid files and folders like what you described. I think I reversed everything it did, but is there any other info that you can share with the group aside from what you've posted here?
Thanks,
Jonathan
A+, MCSA, MCSE
Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.

On Jun 3, 2011 10:43 AM, "Tammy Stewart" <[email protected]> wrote:
> Hi John,
>
> If you can get the fake AV's name -- I can likely shoot you some info.
> There is a new(ish) one on the block that hides files, folders, shortcuts and such. (windows recovery)
> If that is what you see -- let me know. We have a restore procedure to restore the hidden/moved files.
> Also don't nuke the temps [yet] because that is where all the shortcuts are.
>
> If MBAM quarantines it -- the quarantine is normally located here: (depends on OS)
>
> c:\documents and settings\USER_WHO_SCANNED\application data\malwarebytes\malwarebyte's antimalware\quarantine <-- that dir has both the logs & the quarantined items (xp/2k/2k3)
>
> C:\Users\USER_WHO_SCANNED\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\quarantine (vista/win7/win2k8)
>
> Please upload anything MBAM quarantines to us.
>
> http://www.sunbeltsecurity.com/threat
>
> Thanks John,
>
> Tammy
>
> -----Original Message-----
> From: John Aldrich [mailto:[email protected]]
> Sent: Friday, June 03, 2011 10:26 AM
> To: NT System Admin Issues
> Subject: Fake antivirus
>
> I'm going to go to a former co-worker's this afternoon to clean his system (again) from another fake antivirus infestation. I've already got Vipre Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't had to deal with any fake antivirus in a few weeks. Just wondering if they have developed any new tricks recently that I should be aware of?
>
> Oh, this user had Vipre Home on his PC, and got infested anyway. Should I submit samples to Sunbelt (assuming I can find where they're quarantined)???
>
> Thanks!
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected] with the body: unsubscribe ntsysadmin
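A triage helper for the file-hiding fake AV described in the thread, added here as an example and not taken from the thread, Sunbelt or Malwarebytes. It checks the two MBAM quarantine paths Tammy quoted, lists the shortcuts parked under the temp folder before anyone cleans it, and reports profile items that carry the Hidden attribute without the System attribute, which is how user documents look after `attrib +h`; the `-Unhide` switch and the Hidden-without-System heuristic are assumptions of this script, and by default it only reports.

```powershell
# Added example (not from the thread). Run as the affected user, PowerShell 2.0+.
param(
    [string]$ProfilePath = $env:USERPROFILE,  # profile of the user who scanned / was infected
    [switch]$Unhide                           # clear the Hidden bit on reported items (assumed switch)
)

# 1. Quarantine location differs by OS (xp/2k/2k3 vs vista/win7/win2k8); paths as quoted in the thread.
$candidates = @(
    "Application Data\Malwarebytes\Malwarebyte's Antimalware\Quarantine",
    "AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine"
) | ForEach-Object { Join-Path $ProfilePath $_ }
$quarantine = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if ($quarantine) {
    "MBAM quarantine: $quarantine  (logs and quarantined items live here; upload these)"
    Get-ChildItem -LiteralPath $quarantine -Force | Select-Object Name, Length, LastWriteTime
} else {
    "No MBAM quarantine folder found under $ProfilePath"
}

# 2. Shortcuts moved into temp: inventory them before any temp cleanup so they can be put back.
$tempLinks = @(Get-ChildItem -LiteralPath $env:TEMP -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue)
"Shortcuts found under ${env:TEMP}: $($tempLinks.Count)"
$tempLinks | Select-Object FullName, LastWriteTime

# 3. Candidate victims: Hidden set, System not set. Windows' own hidden profile entries
#    (desktop.ini, ntuser.dat*, AppData, the XP junctions) normally carry System too,
#    so they drop out; user documents normally carry neither, so Hidden-only is suspicious.
$hiddenOnly = @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
    })
"Hidden-only items under profile: $($hiddenOnly.Count)"
$hiddenOnly | Select-Object FullName, Attributes

if ($Unhide) {
    foreach ($item in $hiddenOnly) {
        # Clear only the Hidden bit; leave ReadOnly, Archive etc. untouched.
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden))
    }
    "Cleared Hidden on $($hiddenOnly.Count) items"
}
```

Review the report first and only rerun with `-Unhide` once the list contains nothing Windows itself hides; keep the quarantine folder and the temp shortcuts until the files are back where the user expects them.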
