Possible it had a keylogger or other spy installed that found his CC account # and phoned home with it ?
Erik Goldoff IT Consultant Systems, Networks, & Security _____ From: Jim Slattery [mailto:jslatt...@medexassist.com] Sent: Friday, December 04, 2009 10:11 AM To: NT System Admin Issues Subject: RE: New virus trick I had the same thing happen. several reboots before I figured it out. Since then, I run autoruns and go through it with a fine-tooth comb when cleaning up an infection. scheduled tasks can be killed from autoruns. Speaking of tricky viruses, I know someone that swears they didn't give their credit card information out (I trust this person to not be that stupid to give a credit card number to an anti-virus window that pops up and asks for it. and he's well aware he has Norton AV), got a charge from Pope Software for $40. seems to be one of those same fake AV programs, Pope Green Defender The bank has refunded their money, and gone after the company, but this worried me. Any other user, I'd be thinking they screwed up, but this person is OCD about money. Anyone else heard of this happening with Pope or any other fakeAV? Jim Slattery Systems Administrator MEDEX Global Group 8501 LaSalle Road, Suite 200 Baltimore, MD 21286 USA Direct: 1-410-308-7931 Main: 1-410-453-6300 Toll free: 1-800-537-2029 Fax: 1-410-308-7905 www.medexassist.com <http://www.medexassist.com/> _____ From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] Sent: Friday, December 04, 2009 9:39 AM To: NT System Admin Issues Subject: New virus trick I was at a seminar yesterday put on by Sunbelt and during a break I had a chance to talk to one of the presenters and told him of a recent malware incident I'd cleaned up. He'd never heard of such a trick before so I thought I'd bring it to y'all's attention so you can be on the lookout for it. Basically it was the same old malware that's been going around with the Antivirus Pro sort of stuff, but the twist was that even using Malware Bytes we were not able to get rid of it. After I was poking around a bit, (I don't recall why I was looking at the root of C:, but I was) I noticed a batch file in the root of the C: drive that, when I opened it and looked at it, it created a bunch of scheduled tasks to re-download the malware/adware. I wised up and deleted that file, then went into the Scheduled Tasks and deleted all the malware-created scheduled tasks. Then I was able to successfully clean the stuff out! What really got us was that Malware Bytes would clean it, then say it needed to reboot to finish, and then as soon as we came back, the fake antivirus was right back there. What I believe it was doing was re-downloading itself from the internet each time we cleaned it. So, anyway, if you guys ever have a problem like this, it wouldn't hurt to check the scheduled tasks! John-AldrichTile-Tools ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
<<image001.jpg>>
<<image002.jpg>>
