Get autoruns out and find out where the entry point is

Sent from my BlackBerry® wireless device

-----Original Message-----
From: "John Aldrich" <[email protected]>
Date: Thu, 16 Jun 2011 22:14:20 
To: NT System Admin Issues<[email protected]>
Reply-To: "NT System Admin Issues" <[email protected]>
Subject: RE: Fake antivirus

This came in handy today... I got a call right after lunch today (Thursday)
about a computer that was showing the symptoms. I used RKILL to get rid of
the active process and then cleaned it with MBAM and followed the
instructions in the link. However, this particular variant appears to have
had a tag-along that MBAM did not find and so far Vipre has not found...
some sort of adware. Ads keep popping up all the time on the desktop and
iexplore.exe is running in the background.

Any suggestions?



From: Tammy Stewart [mailto:[email protected]] 
Sent: Thursday, June 16, 2011 12:07 PM
To: NT System Admin Issues
Subject: RE: Fake antivirus

Good to hear Mike,

Just in case some others missed it –
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7944&enterthread=y

If still getting redirects after the rogue exes have been removed – it is
usually volsnap.sys that is compromised. Replacing with known good copy from
recovery console/barts/UBCD/etc will take care of that issue.

If still active – avoid logging in with admin privs if possible & use
process explorer to kill the rogue, rename it etc. (run as)
Logging in with admin privs will surely mangle volsnap.sys.

Cheers!

Tammy

________________________________________
From: Mike Sullivan [mailto:[email protected]] 
Sent: Thursday, June 16, 2011 10:12 AM
To: NT System Admin Issues
Subject: Re: Fake antivirus

I ran into this on Monday, at least I have my users locked down and they
only saw the message that the hard drive was failing and their shortcuts
disappeared. I followed Tammy's instructions and had it cleaned up pronto! 
On Thu, Jun 16, 2011 at 6:53 AM, Jonathan <[email protected]> wrote:
I've run into a nice variant of this just this morning....the window is
titled, "Windows Vista Restore" and the caption at the top of the window
says, "PC Performance & Stability analysis report". It is telling me that the
hard drive is failing and that private data is at risk.

When I went into the root of C:, it only showed one file, named
bootsect.bak. After I chose to display all hidden and OS files,
voila, everything in C: and on the desktop appeared.

What a way to start a Thursday - at least it isn't Monday!

JR
On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright <[email protected]> wrote:
Try setting him up with ClearCloudDNS - might help prevent future
infections.


Roger Wright
___

"Formula for success: rise early, work hard, strike oil." - J. Paul Getty





On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich
<[email protected]> wrote:
> Thanks... This particular user is unlucky enough to have teenagers who use
> his computer. My guess is they are visiting infected/hostile/0wned sites and
> that's how he's getting infected. Never really had a problem when he was
> working here, so I'm suspecting it's some of his grandkids that are causing
> the problem.
>
> As I have not yet seen the problem, I don't know if it's going to be easy or
> difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>
> Thanks again!
>
>
>
> From: James Rankin [mailto:[email protected]]
> Sent: Friday, June 03, 2011 10:31 AM
> To: NT System Admin Issues
> Subject: Re: Fake antivirus
>
> May be time to invest in some UAT (user awareness training). Continual
> re-infestation either means he is unlucky, or gung-ho in his browsing.
>
> I've had some fake AVs recently which were ridiculously easy to get rid of
> (kill process, delete files, remove autorun entry). Others have been more
> stealthy - such as killing targeted windows like Task Manager. Booting into
> safe mode usually prevents these extra "features" from bothering you.
>
> But as with everything - a reimage may be the only way to be sure.
> On 3 June 2011 15:26, John Aldrich <[email protected]> wrote:
> I'm going to go to a former co-worker's this afternoon to clean his system
> (again) from another fake antivirus infestation. I've already got Vipre
> Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
> had to deal with any fake antivirus in a few weeks. Just wondering if they
> have developed any new tricks recently that I should be aware of?
>
> Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
> submit samples to Sunbelt (assuming I can find where they're quarantined)???
>
> Thanks!
>
>
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
> IMPORTANT: The information in this email is CONFIDENTIAL. If its contents
> are disclosed in any way my lawyers will swoop down from black helicopters
> like Seal Team Six and drag you away with a black bag over your head. They
> will then take you to a secret prison and make you fight to the death with
> other people who dared to share this email. You will be given a large bowie
> knife and a supply of methamphetamines while I watch the said deathmatch and
> wager vast sums of money on who will be the winner. If the fight becomes
> boring or there is a stalemate, I will release rabid dogs and my two-stone
> cat into the arena to liven things up a bit. If these animals become in any
> way docile, I will squirt them with water pistols until they become a bit
> more temperamental.

-- 
Jonathan, A+, MCSA, MCSE
-- 
Thank you,
Mike Sullivan
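As an added example (not code from anyone on this thread), here is the triage pass the top reply describes, "get Autoruns out and find where the entry point is", done over a CSV dump rather than by eye. Autoruns' command-line build (autorunsc) can write every autostart entry to CSV; this script reads such a file and flags the entries worth looking at first: entries whose signature did not verify (which is also how a patched volsnap.sys shows up in the Drivers category, per Tammy's note), images living in user-writable directories, and signed Windows hosts such as rundll32.exe or iexplore.exe whose launch string points at a payload in a user-writable directory (the "tag-along" adware pattern John describes). The column names and the "(Verified)" signer prefix are assumed from the autorunsc CSV layout produced with signature verification enabled; the sample rows are constructed for the example.

```python
import csv
import io
import re
import sys

# Assumption: column names as written by `autorunsc -a * -c -s`; only these
# four are used: "Entry Location", "Entry", "Signer", "Image Path", "Launch String".
# Paths a standard user can write to; malware dropped by a browser lands here.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\temp\\|\\tmp\\|\\documents and settings\\|"
    r"\\application data\\|\\local settings\\|\\programdata\\|\\recycler\\|%temp%|%appdata%)",
    re.IGNORECASE,
)
# Signed Windows binaries that are routinely used as a launcher for something else.
LAUNCHER_HOSTS = ("rundll32.exe", "regsvr32.exe", "iexplore.exe",
                  "mshta.exe", "wscript.exe", "cscript.exe")


def triage_entry(row):
    """Return the list of reasons an autorun entry deserves a closer look (empty = looks normal)."""
    reasons = []
    signer = row.get("Signer", "") or ""
    image = row.get("Image Path", "") or ""
    launch = row.get("Launch String", "") or ""
    if not signer.startswith("(Verified)"):
        reasons.append("signature not verified")
    if USER_WRITABLE.search(image):
        reasons.append("image in user-writable location")
    if image.lower().endswith(LAUNCHER_HOSTS) and USER_WRITABLE.search(launch):
        reasons.append("signed host launching payload from user-writable location")
    return reasons


def triage_csv(text):
    """Parse autorunsc CSV text and return flagged entries, most reasons first."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = triage_entry(row)
        if reasons:
            findings.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


# Constructed sample in the assumed autorunsc layout (Win7-era values, made up for the example).
SAMPLE_CSV = "\n".join([
    r'Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String',
    r',HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,6.1.7600.16385,%windir%\system32\SecurityHealthSystray.exe',
    r',HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,kdfhsi,enabled,Logon,DESKTOP\bob,,(Not verified) ,,c:\users\bob\appdata\local\kdfhsi.exe,,c:\users\bob\appdata\local\kdfhsi.exe',
    r',HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,adhelper,enabled,Logon,DESKTOP\bob,Windows host process (Rundll32),(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\rundll32.exe,6.1.7600.16385,"rundll32.exe c:\users\bob\appdata\roaming\adhelper.dll,Start"',
    r',HKLM\System\CurrentControlSet\Services,volsnap,enabled,Drivers,System-wide,Volume Shadow Copy driver,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\windows\system32\drivers\volsnap.sys,6.1.7600.16385,system32\DRIVERS\volsnap.sys',
])


def report(findings):
    """Render findings as plain text, one entry per block."""
    lines = []
    for f in findings:
        lines.append(f'{f["entry"]}  [{f["location"]}]')
        lines.append(f'    image: {f["image"]}')
        for r in f["reasons"]:
            lines.append(f"    - {r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage.py autoruns.csv   (no argument: run on the constructed sample)
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    print(report(triage_csv(text)))
```

The ranking is a starting point, not a verdict: an unverified signer on a driver in the Drivers category (the volsnap row above) is exactly the case where the cleanup step is a known-good copy of the file rather than deleting the entry, and a signed host with a payload in AppData tells you which DLL to pull for a sample submission.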