Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

  • 1.  Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 23, 2009 11:44 AM
    From Personal Antivirus:

    The system is infected with Trojan.Win32.Agent.azsy.
    This malicious program is a Trojan. It is a Windows PE EXE.

    SAV 11 does not detect and remove this after a full scan


  • 2.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 23, 2009 12:12 PM
    Do you mean SEP 11? What version are you running?

    Are you running with the latest definitions?

    That threat name with MD5 hash 0x4B8B532F5B3AB47C29FDF33917AB11E0 has been addressed.

    Ensure that all the machines in your network have the latest virus definitions

    Disable all Admin shares such as C$, D$
    Disable System Restore
    Disable the Autorun feature.
    Run a Full scan on all the machines
    Disconnect the machines from the network
    Restart the machine in Safe Mode with Networking
    Run a Full scan on all the machines
    Restart the machine in Normal mode and run a full scan again

    Let us know if your system is cleaned successfully.







  • 3.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 23, 2009 12:26 PM
    Do you mean SEP 11? What version are you running?

    Yes, SEP 11. Ver 11.0.4014.26. We are in the process of
    upgrading all computers to SEP 11 Ver 11.0.4202.75.
    Cut me some slack, I have 3000+ machines to upgrade.

    Are you running with the latest definitions?

    Yes, 2009-07-23 rev. 003

    That threat name with MD5 hash 0x4B8B532F5B3AB47C29FDF33917AB11E0 has been addressed.

    When??

    Ensure that all the machines in your network have the latest virus definitions

    Disable all Admin shares such as C$, D$
    Disable System Restore
    Disable the Autorun feature.
    Run a Full scan on all the machines
    Disconnect the machines from the network
    Restart the machine in Safe Mode with Networking
    Run a Full scan on all the machines
    Restart the machine in Normal mode and run a full scan again

    That's a lot of work for something that was addressed a while ago,
    but I'll follow instructions.


  • 4.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 23, 2009 12:46 PM
    Briandr73,

    I am just trying to learn what product you are using, so that we can help troubleshoot your issue

    The first definition for this threat (Trojan.Clampi) came out on 1/18/2008.
    http://www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99

    See removal page for more specific info.
    http://www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99&tabid=3

    Thomas


  • 5.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 26, 2009 03:04 AM
    Personal Antivirus popped up on my computer this morning. It is quite irritating. Do I need to take my computer to a shop and is it possible to locate how or on what source this virus was attached to?

    All I want to do is get this thing off my computer. Norton does not find it when I run a scan. It is not listed in my programs so I don't know how to uninstall.


  • 6.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 26, 2009 03:08 AM
    Am I supposed to know what Admin shares are?


  • 7.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 27, 2009 10:03 AM
    I would have to second this question.  I have had a few computers where their def files are up to date and this program was still allowed to install.

    We use EPP v11.0.4202.75 with Antivirus and AntiSpyware protection and proactive threat protection loaded.

    So the question is valid.  How does this seem to pass by and how do you remove it?


  • 8.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 27, 2009 10:15 AM
    Find the file and submit to Symantec Security Response to analyze.


  • 9.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 27, 2009 10:25 AM
    But my bet would be that thousands have submitted PAV.exe and it is still being allowed to pass.


  • 10.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 27, 2009 10:25 PM
    My daughter has gotten the same virus on her laptop... also running Norton, program is not listed in add/remove, found in program files, but cannot delete.  omg this is awful.  Norton doesn't pick it up at all.


  • 11.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 27, 2009 10:27 PM
    You hit the nail right on the head!! I am so anti virus, learned the hard way, and we all have up to date Norton, spyware etc. Not only how does it pass by and how do you remove? but why does Norton not even pick it up as a file?  I have found the file, and ran Norton on just that file, No virus it says... Ya Whatever!!


  • 12.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 28, 2009 03:07 AM
    If it's getting installed and not being detected by any AV software, it's a new version of the threat, with probably most of the internal code re-done, hence no match for the program in the signatures.

    It'd be best if you can call support and have an engineer isolate and upload the threat files to Security Response for analysis and new signature creation.
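
Added example, not part of any forum reply and not Symantec code: a sweep that tells whether a file found on a machine is byte-identical to the sample whose MD5 is quoted in reply 2, and why a rebuilt variant, as reply 12 describes, no longer matches. The function names and the two demo files are constructed for illustration.

```python
import hashlib
import os
import tempfile

# MD5 exactly as quoted in reply 2 of this thread ("0x" prefix, upper case).
THREAD_MD5 = "0x4B8B532F5B3AB47C29FDF33917AB11E0"

def normalize_md5(text):
    """Lower-case 32-hex-digit form of an MD5, accepting an optional 0x prefix."""
    h = text.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not an MD5 digest: %r" % text)
    return h

def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large executables are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def sweep(root, known_md5):
    """Map each file under root to 'known-sample', 'unmatched' or 'unreadable'."""
    wanted = normalize_md5(known_md5)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hit = md5_of_file(path) == wanted
                # 'unmatched' means "not this exact sample", not "clean".
                results[path] = "known-sample" if hit else "unmatched"
            except OSError:
                results[path] = "unreadable"
    return results

def demo():
    """Constructed, harmless stand-ins: one 'sample' and a one-byte variant."""
    with tempfile.TemporaryDirectory() as root:
        sample = b"constructed stand-in bytes, not a real sample\n"
        for name, data in (("sample.bin", sample), ("variant.bin", sample + b"\x00")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found = sweep(root, "0x" + hashlib.md5(sample).hexdigest().upper())
        return {os.path.basename(p): status for p, status in found.items()}
```

Calling `sweep(r"C:\Program Files\PersonalAV", THREAD_MD5)` on an affected machine shows whether the installed file is the sample already covered by definitions; an `unmatched` result is the case where the file should be submitted for analysis.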



  • 13.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 28, 2009 05:13 AM
    Help yourself... by helping Symantec... Submit as many suspected files as you can.
    https://submit.symantec.com/gold /basic /essential /bcs depending on your support contract
    if no contract then /retail


  • 14.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Jul 28, 2009 06:58 AM
    You may want to download the latest Rapid Release definitions,

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    I agree with Vikram to submit it to Symantec Support.



  • 15.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Aug 02, 2009 12:59 PM
    I too was just hit with this virus yesterday. I have updated my Norton and rerun a scan and it was not found. Still infected with it and don't know what else to do to get rid of it. Any help out there?


  • 16.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Aug 02, 2009 08:54 PM
    The next step is to submit the virus sample to Symantec so our team can analyze it and create a rapid release definition for you to download and apply. Depending on your support contract the place to submit them to is here:

    https://submit.symantec.com/gold or /basic /essential depending on your support contract or if no contract then /retail


    Also, when you say you "reran" the scan, do you mean you started in safe mode (with system restore off) and scanned? If not, this is what you need to do, not just a scan on the main partition of the OS.


    Cheers
    Grant-



  • 17.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Aug 05, 2009 12:35 AM
    Hello,

          I've set up my PC with MS Vista with two accounts without admin rights, one for me and another for my wife.  These are used for everyday use.  These reduce the risk of infestation from a virus or trojan as I recall from others who have advised me.  I have one admin account used only when necessary.  I was advised that this should be the standard practice.  If you are connected to the internet with an admin account, it's much easier for a virus or trojan to cause trouble because it has the permissions it needs to install programs and change computer settings such as startup settings and registry settings etc.
          Here's an example.  Today my wife was on the internet and the PAV virus from the internet kept popping up stating that she had numerous viruses on the PC.  She was using her non-admin account.  It tried to install on the PC but it couldn't because it didn't have the proper rights.  The non-admin account was protecting the PC as intended.  I wasn't home to help.  So... she mistakenly then logged into the admin account and PAV installed and began causing trouble.
          When she realized what had happened, she used NAV to scan for the problem and NAV did find the pav.exe file.  I was surprised to see that it had a "low risk" score and NAV did nothing about it.
          To get rid of it I simply closed the program, restarted the PC and then deleted the directory at C:\Program Files\PersonalAV.  That was it.  I haven't had a problem yet in the past few hours.  The pav.exe wasn't found in the registry so I didn't have to remove any entry there.

    Thanks, Scott



  • 18.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Aug 06, 2009 05:45 PM
    To be honest, the only way that I have found to remove Personal Antivirus was with 3rd party software like Malwarebytes (has worked every time for me). SEP11 seems to be unable to remove the problem even if it finds the virus.


  • 19.  RE: Personal Antivirus - Why doesn't SAV 11 detect and remove this. Its been out a while

    Posted Aug 14, 2009 11:40 AM

    I was just hit by this malware this morning - 11.4202.75 and August 13th definition didn't detect any part of this thing. I ultimately had to download Malwarebytes to remove it.

    My renewal is this fall, it may be time for something new...