Hi Johnathan & all,
Sorry - been a busy one today.

Based on what we all have found, this has been working quite well as long as the temps have not been emptied out:

If the rogue is still running & nothing is seeing it, normally it will be found here (where random.exe is a random name executable; normally 2 of them):

XP: C:\documents and settings\all users\application data\random.exe
Vista\Windows7: C:\programdata\random.exe

One will be a random set of numbers & the other will be a random set of upper/lower letters.

Taskkill /im filename /f

works well; then rename the extensions so they don't load again, or delete the files.

This should get most if not all the shortcuts back and unhide everything it hid. (It will also end up unhiding Windows patch install directories & application data folders.)

http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7944&enterthread=y

There will be some additional registry stuff that needs fixing to repair some IE settings that can leave the system vulnerable to getting hit again.

Additional info here (reg/file info at bottom of page):
http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

Regards,
Tammy

_____
From: Jonathan [mailto:ncm...@gmail.com]
Sent: Friday, June 03, 2011 12:55 PM
To: NT System Admin Issues
Subject: Re: RE: Fake antivirus

Tammy,

I ran into one a few weeks back that hid files and folders like what you described. I think I reversed everything it did, but is there any other info that you can share with the group aside from what you've posted here?

Thanks,
Jonathan
A+, MCSA, MCSE
Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.

On Jun 3, 2011 10:43 AM, "Tammy Stewart" <copper...@personainternet.com> wrote:
> Hi John,
>
> If you can get the fake AV's name -- I can likely shoot you some info.
> There is a new(ish) one on the block that hides files, folders, shortcuts and such. (windows recovery)
> If that is what you see -- let me know. We have a restore procedure to restore the hidden/moved files.
> Also don't nuke the temps [yet] because that is where all the shortcuts are.
>
> If MBAM quarantines it -- the quarantine is normally located here: (depends on OS)
>
> c:\documents and settings\USER_WHO_SCANNED\application data\malwarebytes\malwarebyte's antimalware\quarantine <-- that dir has both the logs & the quarantined items (xp/2k/2k3)
>
> C:\Users\USER_WHO_SCANNED\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\quarantine (vista/win7/win2k8)
>
> Please upload anything MBAM quarantines to us.
>
> http://www.sunbeltsecurity.com/threat
>
> Thanks John,
>
> Tammy
>
> -----Original Message-----
> From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
> Sent: Friday, June 03, 2011 10:26 AM
> To: NT System Admin Issues
> Subject: Fake antivirus
>
> I'm going to go to a former co-worker's this afternoon to clean his system (again) from another fake antivirus infestation. I've already got Vipre Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't had to deal with any fake antivirus in a few weeks. Just wondering if they have developed any new tricks recently that I should be aware of?
>
> Oh, this user had Vipre Home on his PC, and got infested anyway. Should I submit samples to Sunbelt (assuming I can find where they're quarantined)???
>
> Thanks!
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
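Tammy's triage steps at the top of the thread (look under the all-users application data folder for the two randomly named executables, taskkill them, rename the extension so they cannot load, then un-hide what the rogue hid), written up as an added Python helper that is not from the thread or from any of the posters. The mixed-case requirement for the letters-only name, the `.bad` suffix and the `--fix` switch are my own assumptions; without `--fix` it only lists candidates for review.

```python
"""Triage helper for the 'Windows Recovery' style rogue discussed above: two randomly
named .exe files under the all-users application data folder, one all digits, one
mixed-case letters.  Candidates are only reported unless --fix is given on Windows."""
import os
import subprocess
import sys

# Drop directories named in the thread (XP, then Vista / Windows 7).
DROP_DIRS = [
    r"C:\Documents and Settings\All Users\Application Data",
    r"C:\ProgramData",
]

def classify(name):
    """'digits', 'letters' or None; mixed case required (assumption) so setup.exe is not flagged."""
    stem, ext = os.path.splitext(name)
    if ext.lower() != ".exe" or not stem or not stem.isascii():
        return None
    if stem.isdigit():
        return "digits"
    if stem.isalpha() and not (stem.islower() or stem.isupper()):
        return "letters"
    return None

def find_candidates(names):
    """Filter a directory listing (os.listdir or a constructed list) to rogue-pattern names."""
    return [n for n in names if classify(n) is not None]

def rename_target(path):
    """Neutralised name: a .bad suffix (my convention) keeps the file from being launched."""
    return path + ".bad"

def neutralize(path):
    """Kill the running copy as the thread does (taskkill /im <name> /f), then rename it."""
    subprocess.run(["taskkill", "/im", os.path.basename(path), "/f"], check=False)
    os.rename(path, rename_target(path))

def unhide(root):
    """Clear hidden/system attributes the rogue set, recursively, with the stock attrib tool."""
    subprocess.run(["attrib", "-h", "-s", os.path.join(root, "*"), "/s", "/d"], check=False)

if __name__ == "__main__":
    fix = "--fix" in sys.argv and sys.platform == "win32"
    for d in filter(os.path.isdir, DROP_DIRS):
        for n in find_candidates(os.listdir(d)):
            print("candidate:", os.path.join(d, n))
            if fix:
                neutralize(os.path.join(d, n))
    if fix:  # also unhides patch-install and application data folders, as the thread notes
        unhide(os.environ.get("USERPROFILE", r"C:\Users"))
```

Run it once without `--fix` and confirm the listed candidates are not legitimate installers before running it again with `--fix` from an elevated prompt.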