
New type of tech support /remote access scam ?


2 replies to this topic

#1 kootscheepers (Members, 2 posts)

Posted 14 August 2017 - 05:34 AM

In the last two weeks I had two cases where customers' data was deleted without them authorizing anything. They were working, and suddenly the data was missing. In both cases I found a hidden folder in the user profile named "Window's updating....please wait" containing ConnectWiseControl.ClientSetup.msi, mailpv.cfg, mailpv.exe, monitoring_agent.exe, and Tender.msi. The files were mostly documents and accounting system data files. In one case files were deleted from a NAS drive as well.

No data could be retrieved from previous versions or the recycle bin. Normal data recovery software also only yielded limited results.

In both cases the client confirmed that a Windows update screen popped up while they were working, and forced the PC to reboot.

Has anyone else come across this, and any ideas to recover data and prevent future attacks?

#2 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,054 posts)

Posted 14 August 2017 - 07:47 AM


You can upload those files to virustotal.com and paste the results here. Without either the malicious file or knowing what was done, it's hard to say whether the files can be recovered.

 

xXToffeeXx~



#3 kootscheepers (Topic Starter, Members, 2 posts)

Posted 14 August 2017 - 08:15 AM

The files themselves are not infected or detected as being infected or malicious, but they are being used in a malicious way without the owners of the PC being aware that it was installed.
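An added triage helper (not code from anyone in this thread) for the situation the thread describes: it walks the user profiles under a root you supply, flags any file inside a folder named "Window's updating....please wait" and any file elsewhere whose name matches the tools listed in post #1, records whether the folder carries the Windows hidden attribute, and returns each file's SHA-256 so it can be looked up on VirusTotal as suggested in reply #2 (a hash lookup of tools that are legitimate in themselves, like these, is mostly useful for confirming what they are; the context of a hidden, update-themed staging folder is the actual indicator). The profile root is an assumption (on a live system it would be C:\Users), and the sample tree built by `make_sample_profiles` is constructed test data.

```python
import hashlib, os, tempfile
from pathlib import Path

# Artifacts named in post #1: the hidden staging folder and the files it held.
STAGING_FOLDER = "Window's updating....please wait"
DROPPED_FILES = {"connectwisecontrol.clientsetup.msi", "mailpv.cfg", "mailpv.exe",
                 "monitoring_agent.exe", "tender.msi"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit, same value as in the stat module

def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; elsewhere (e.g. a Linux test run) use the dot-prefix rule."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return path.name.startswith(".")
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def sha256_of(path: Path) -> str:
    """SHA-256 of the file: the value to search for on VirusTotal before uploading anything."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_profiles(profile_root: Path) -> list[dict]:
    """One record per file that sits in the staging folder or matches a dropped-file name."""
    findings = []
    for profile in sorted(p for p in profile_root.iterdir() if p.is_dir()):
        for dirpath, _dirs, files in os.walk(profile):
            d = Path(dirpath)
            staged = d.name == STAGING_FOLDER
            for name in sorted(files):
                if staged or name.lower() in DROPPED_FILES:
                    findings.append({"user": profile.name, "path": str(d / name),
                                     "in_staging_folder": staged,
                                     "folder_hidden": is_hidden(d),
                                     "sha256": sha256_of(d / name)})
    return findings

def make_sample_profiles() -> Path:
    """Constructed sample tree (not real data) mimicking the layout described in post #1."""
    root = Path(tempfile.mkdtemp())
    staging = root / "alice" / STAGING_FOLDER
    staging.mkdir(parents=True)
    for name in ("ConnectWiseControl.ClientSetup.msi", "mailpv.exe"):
        (staging / name).write_bytes(b"hello world")
    (root / "alice" / "notes.txt").write_bytes(b"benign")  # must not be flagged
    (root / "bob" / "Downloads").mkdir(parents=True)
    (root / "bob" / "Downloads" / "Tender.msi").write_bytes(b"hello world")  # name hit only
    return root
```

Run `scan_profiles(Path(r"C:\Users"))` from an elevated prompt on the affected machine to get the real list; `scan_profiles(make_sample_profiles())` exercises it on the constructed tree.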
