"Antivirus Disable Notify"

Greetings

A month ago, I helped a friend clean up his XP Pro computer. He had his own AV, and Windows kept pestering him to install an AV, so I disabled the anti-virus notify.

The other day, he was infected with the FBI MoneyPak ransomware. I got rid of it pretty easily by doing a system restore. Then I scanned with every tool I could find, including Sophos virus removal tool, V 2.3, which found a few instances of "RansomWare" which I could only assume was the MoneyPak.

In the log, one instance was listed as in a restore folder, which is to be expected. But another instance was in a registry file. Sophos listed the ransomware "in" a file called "Antivirus Disable Notify". Is this possible?

This really confuses me; can anyone explain? It also makes me feel personally responsible for getting my friend infected.

Thanks.



  • It was probably flagged as the ransomware (as well as other types of malware/scareware/ransomware) commonly changes entries in the registry as its method of controlling your computer.

    The "auto notify antivirus disabled" registry entry is a common entry changed by infections as they usually disable your existing AntiVirus software and don't want Windows continually telling you it has been disabled. Likewise they may change it and have it pop up, then add their popup to it stating you are infected, need to purchase their cleaner to clean.. yada yada yada.

    So it doesn't surprise me that it flagged that reg key.

    I would assume (assume as I am not 100% sure of the way Sophos works) - I would assume that Sophos compared the existing reg key against its database and noticed a discrepancy as the regkey had been changed, or maybe it checked the modified date of the regkey.. something to that effect.

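The reply above describes malware silencing the Security Center warning by flipping this notification setting. The following audit script is an added example, not code from the thread or from Sophos; it assumes the XP-era Security Center values live under HKLM\SOFTWARE\Microsoft\Security Center as DWORDs named AntiVirusDisableNotify, FirewallDisableNotify and UpdatesDisableNotify, where 1 means the warning is suppressed.

```powershell
# Added example (not from the thread). Audits the Security Center
# "disable notify" values that infections commonly set to 1 so Windows
# stops warning that AV, firewall or updates are off. Written for
# PowerShell 2.0 so it also runs on the XP-era systems discussed above.
# Assumed location: HKLM\SOFTWARE\Microsoft\Security Center (DWORD values).
param(
    [switch]$Restore   # set any suppressed warning back to 0 (notifications on)
)

$KeyPath      = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$NotifyValues = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

function Get-SecurityCenterNotifyState {
    # One record per value: present or not, raw data, and whether it suppresses warnings
    if (-not (Test-Path $KeyPath)) {
        Write-Warning "Security Center key not found: $KeyPath"
        return @()
    }
    $props = Get-ItemProperty -Path $KeyPath
    foreach ($name in $NotifyValues) {
        $data = $props.$name
        New-Object PSObject -Property @{
            Name           = $name
            Data           = $data
            Present        = ($null -ne $data)
            NotifyDisabled = ($data -eq 1)   # 1 = Windows will not warn the user
        }
    }
}

$state = Get-SecurityCenterNotifyState
$state | Select-Object Name, Present, Data, NotifyDisabled | Format-Table -AutoSize

$suspect = @($state | Where-Object { $_.NotifyDisabled })
if ($suspect.Count -gt 0) {
    $names = ($suspect | ForEach-Object { $_.Name }) -join ', '
    Write-Host "Warnings are suppressed for: $names"
    Write-Host "Confirm who changed this before restoring; malware commonly sets these to 1."
    if ($Restore) {
        foreach ($s in $suspect) {
            Set-ItemProperty -Path $KeyPath -Name $s.Name -Value 0 -Type DWord
            Write-Host "Restored $($s.Name) to 0 (notifications on)."
        }
    }
} else {
    Write-Host 'All Security Center notifications are enabled.'
}
```

Run it from an elevated prompt; without -Restore it only reports, which is the safer first step while an infection is still being investigated.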