"Antivirus Disable Notify"

Greetings

A month ago, I helped a friend clean up his XP Pro computer. He had his own AV, and Windows kept pestering him to install an AV, so I disabled the anti-virus notify.

The other day, he was infected with the FBI MoneyPak ransomware. I got rid of it pretty easily by doing a system restore. Then I scanned with every tool I could find, including Sophos Virus Removal Tool, V 2.3, which found a few instances of "RansomWare" which I could only assume was the MoneyPak.

In the log, one instance was listed as in a restore folder, which is to be expected. But another instance was in a registry file. Sophos listed the ransomware "in" a file called "Antivirus Disable Notify". Is this possible?

This really confuses me; can anyone explain?  It also makes me feel personally responsible for getting my friend infected.

Thanks.

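For anyone who wants to see what the scanner was most likely looking at: the Windows XP Security Center keeps its "don't nag me" switches as DWORD values under HKLM\SOFTWARE\Microsoft\Security Center (AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify), and that is what you set when you turn the anti-virus warning off by hand. The script below is an added example, not Sophos code and not something from the original post. It assumes the "Antivirus Disable Notify" entry in the log refers to that AntiVirusDisableNotify value, and that you exported the key with `reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg`; the .reg text it parses is constructed inline so it runs anywhere.

```python
r"""Inspect a .reg export of the Windows Security Center key and report which
of its *DisableNotify switches are set.

Added example for this thread; it is not Sophos code and not the poster's.
Assumptions: the value the scanner flagged is the AntiVirusDisableNotify
DWORD under HKLM\SOFTWARE\Microsoft\Security Center, and the export was
made with  reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg
Real exports are UTF-16 LE text (open with encoding="utf-16"); the sample
below is constructed inline so the script runs anywhere.
"""
import re

SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"

# DWORD switches under that key. 1 silences the Security Center balloon for
# that component; 0 or absent means the warning is shown.
NOTIFY_VALUES = (
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
    "UpdatesDisableNotify",
)

# Constructed sample: the anti-virus nag switched off by hand, the other two
# left at their defaults.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"FirstRunDisabled"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for every DWORD in the export.

    Only DWORDs are parsed: the Security Center switches are all DWORDs, and
    string/binary values are irrelevant to this check.
    """
    result = {}
    current = None
    for line in text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        dword = _DWORD_RE.match(line)
        if dword and current is not None:
            result[current][dword.group(1)] = int(dword.group(2), 16)
    return result


def suppressed_notifications(text):
    """Names of the Security Center warnings that are switched off.

    Registry paths and value names are case-insensitive, so both are
    compared in lower case.
    """
    values = {}
    for key, entries in parse_reg_export(text).items():
        if key.lower() == SECURITY_CENTER_KEY.lower():
            values.update({name.lower(): v for name, v in entries.items()})
    return [name for name in NOTIFY_VALUES if values.get(name.lower(), 0) != 0]


def restore_commands(names):
    """reg.exe commands that turn the listed warnings back on (set to 0)."""
    return [
        'reg add "HKLM\\SOFTWARE\\Microsoft\\Security Center" '
        f"/v {name} /t REG_DWORD /d 0 /f"
        for name in names
    ]


if __name__ == "__main__":
    off = suppressed_notifications(SAMPLE_REG_EXPORT)
    if not off:
        print("All Security Center warnings are enabled.")
    for name in off:
        print(f"{name} is set: Security Center will not warn about this component.")
    for cmd in restore_commands(off):
        print("To re-enable: " + cmd)
```

On the real machine, replace SAMPLE_REG_EXPORT with the contents of the exported sc.reg (read it with encoding="utf-16"). The point of the check is that the value alone tells you nothing about who set it: a person turning off the nag and malware silencing the Security Center both leave the same DWORD behind, which is why a cleanup tool reports it alongside its other findings.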
  • I see... (I think)

    Are you saying that Sophos found some files related to the ransomware, and then it found that the AV notification was turned off, so it made the connection between the two for me - in one step, and it blamed the AV notification disabling on the ransomware, instead of on me (who was the actual culprit)?

    ...or... that it noticed that the AV notify was disabled, and since the latest ransomware is known to turn off the AV notification, it assumed that it was ransomware that did it?

    Funny it didn't mention ransomware anywhere else.

    Thanks!
