Hey there,
So I’ll get straight into it, recently scammers are figuring out that I am using VMWare 3 minutes into the call, and it baffled me because I hid the VM pretty well, in the BIOS and everything.
Looking at the logs I realized that what they’re doing is transferring the C:/Program Files folder and looking for either VMWare or Oracle VirtualBox.
I hid the VMWare folder, so before you comment with that, no, it won’t help.
Is there anything I can do against that?
Thanks and have a nice day.
@CyanApple#92198 jim browning has steps to do that maybe u missed something o something ur not doing hope his video helps with hiding it 
@Scambaiter956#92254 Nope, seen his videos. It has nothing to do with the problem I am having.
The problem is to hide it from file transfer, and it is quite complicated since ‘hidden’ files in windows are not removed in FTP, so they can still see them.
@CyanApple#92395 ahh gotcha
In virtualbox, you can install the guest additions anywhere you want. Or not at all.
What log file did you check and how did you determine what they transferred?
Go to C:\Users\Derek\Documents\Virtual Machines\VMNameHere
and do open up VMNameHere.vmx in any text editor and add this one line to it
SMBIOS.reflecthost = "TRUE"
@Vertigo#92470 I am using VMWare.
@GlobalHell2K19#92525
:facepalm:
Do you guys even bother reading the post first or just the title, the problem is not the BIOS, but the VMWare folder inside Program Files.
@CyanApple#92577
I know, but I assume its not different for vmware. With VB, I believe I even moved the folder after installation. The only effect is that the tray icon and background process doesnt start and there is no shared clipboard, which is what I want for a scambaiting session anyway. And I can manually start them if I need them.
That said, I kind doubt they discovered your VM that way. more likely is they ran remote diagnostics using goto assist. Have a look here:
http://scammer.info/d/19950-goto-assist-logmein-vm-detection
@Vertigo#92636
It is different, as a matter of fact, most of the drivers that are essential to operating the VM are located there.
So I cannot move, rename or delete that folder, the only thing I can do is hide it, and I did. But it does not help.
I know that they did run a remote diagnosis on the VM, that said, it is not it, as I masked it perfectly, down to the drivers.
Show me a screenshot of gotoassist remote diagnostics, and Ill believe you. Honestly, I dont know how the app works, and if it reports the same as msinfo32 or dxdiag, I wouldnt be confident my own VM is perfectly hidden as there certainly still are plenty of references left in the registry.
As for hiding the folders; you could try if the gotoassist file transfer utility lists soft or hard symbolic links. It probably does, but If it does not, you could try moving the folder and creating a symbolic link instead:
https://www.howtogeek.com/howto/16226/complete-guide-to-symbolic-links-symlinks-on-windows-or-linux/