Endpoint Protection


Trojan.FakeAV!gen24

  • 1.  Trojan.FakeAV!gen24

    Posted Mar 18, 2010 10:09 PM
    Hi,


    I keep getting the above Risk on the Auto-Protect, but when I do the Full Scan (after disabling System Restore), it always turns up nothing, so I guess it must be hiding under some temporary name.  I also cannot locate any FileName mentioned in the Auto-Protect.

    I have attached 4 JPEG screen shots.

    What should I do?

     
    Much thanks
    GlobeTrekker
     


  • 2.  RE: Trojan.FakeAV!gen24

    Posted Mar 19, 2010 03:20 AM
    Hi Globetrekker,

    Looks like the detections are in Windows' temporary locations.  I recommend booting into safe mode and running a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc.  Perform a full system scan in safe mode, too.  Hopefully that will do the trick, as in safe mode Windows just loads a bare-bones version of itself, usually without any threats being loaded. 

    Here's a good article that may help:  What Does "Risk was partially removed" Mean?  Generally these results happen when Windows has been "tricked" into protecting a malicious process.  A scan in safe mode is usually successful.

    You may also wish to set some harmless program, like notepad.exe, to be the default for Windows to use to open .qef and .qsp files.  (that's the extension of the Trojan Horse that is being detected.)  If the threat does evade Symantec's attempts to stop / delete it, it might then be tricked itself into doing something harmless.

    Final piece of advice: the screenshots show that you are using SAV, but what version?  Once this threat has been successfully deleted, I strongly encourage you to upgrade to SAV 10.1 MR8 or MR9, if you are running anything less recent. 

    Let the forum know of your progress, if time allows!

    Thanks and best regards,

    Mick


  • 3.  RE: Trojan.FakeAV!gen24

    Posted Mar 21, 2010 10:49 AM
    Thank you Mick for your assistance,


    I have done what you suggested but it is still lurking around.

    I cleaned up my temporary files, associated .QEF and .QSP files with Calculator and Paint Brush respectively, restarted in safe mode and did a full scan. Then I restarted my laptop and just opened up one web page pointing to www.google.com, and almost every 10 minutes the Auto-Protect catches one or two attempts.

    And I think my SAV is already 10.1 MR 8.

    Please refer to Scan History, version, Auto Protect, File Association.

    What does this virus do anyway, I read some forum that it "steals credit card details and login password" etc, is this true?
    If Auto Protect caught it, does it mean that it is not sending anything out from my laptop?

    What should I do next?


    For your further advice, regards
    LT


  • 4.  RE: Trojan.FakeAV!gen24

    Posted Mar 21, 2010 11:46 AM
    My hunch would be that something that is currently undetected is constantly placing files in the temp directory.  I'd try using the latest rapid release definitions and doing a full scan.


  • 5.  RE: Trojan.FakeAV!gen24

    Posted Mar 22, 2010 07:20 AM
    Hi LT,

    If the AP detections constantly re-occur, and the files have new names each time, then it is probable that something currently undetected is re-creating them.  Here's the first document to read: Best practices for responding to active threats on a network

    It might be best, at this point, to contact Symantec Technical Support for assistance in locating that undetected threat.  (Of course, if you are familiar with the Sysinternals tool Process Monitor, you may be able to determine what process is creating them yourself.... ) 

    The first thing they will likely ask you to do is run a diagnostic which will examine the computer's load points.  Though you have SAV installed (and a decent version of SAV, too) the SEP Support Tool will run and help to find suspicious files.  These can then be submitted to Security Response.  Symantec will examine the suspicious files and develop new signatures against them, if necessary.

    Feel free to download and run that tool yourself, if you like, and see if it highlights any suspicious files.  If not, give Tech Support a call.  One way or another, let's get to the bottom of this outbreak.

    Please do let the forum know of your progress!

    Thanks and best regards,

    Mick
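One way to apply Mick's heuristic above (repeated Auto-Protect detections in temporary locations, each under a fresh file name, suggest an undetected process is re-creating them) to a detection log. This is an added example, not code from the original thread or from Symantec; the comma-separated event layout, the sample lines, the temp-directory pattern and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Auto-Protect style events: timestamp, threat name, file path.
# These are made-up sample lines, not real SAV or SEP log output.
SAMPLE_EVENTS = """\
2010-03-21 10:02:11,Trojan.FakeAV!gen24,C:\\Documents and Settings\\LT\\Local Settings\\Temp\\a4k1.qef
2010-03-21 10:12:40,Trojan.FakeAV!gen24,C:\\Documents and Settings\\LT\\Local Settings\\Temp\\zz09.qsp
2010-03-21 10:23:05,Trojan.FakeAV!gen24,C:\\WINDOWS\\Temp\\b71q.qef
2010-03-21 10:33:59,Trojan.FakeAV!gen24,C:\\Documents and Settings\\LT\\Local Settings\\Temp\\p0xm.qsp
2010-03-21 11:05:00,Downloader,C:\\Documents and Settings\\LT\\My Documents\\setup.exe
"""

# Assumed pattern for Windows temp locations (user and system Temp folders).
TEMP_DIR_RE = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.IGNORECASE)

def parse_events(text):
    """Parse 'timestamp,threat,path' lines into (datetime, threat, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, threat, path = line.split(",", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), threat, path))
    return events

def find_recreating_threats(events, min_hits=3, max_gap_minutes=30):
    """Return {threat: summary} for threats hit repeatedly in temp directories,
    always under a different file name and never more than max_gap_minutes
    apart: the pattern of a dropper that is itself still undetected."""
    by_threat = defaultdict(list)
    for ts, threat, path in events:
        if TEMP_DIR_RE.search(path):
            by_threat[threat].append((ts, path))
    flagged = {}
    for threat, hits in by_threat.items():
        hits.sort()
        names = {p.rsplit("\\", 1)[-1].lower() for _, p in hits}
        if len(hits) < min_hits or len(names) < len(hits):
            continue  # too few hits, or the same file name keeps coming back
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(hits, hits[1:])]
        if max(gaps) <= max_gap_minutes:
            flagged[threat] = {"hits": len(hits), "distinct_names": len(names),
                               "max_gap_minutes": round(max(gaps), 1)}
    return flagged

if __name__ == "__main__":
    for threat, info in find_recreating_threats(parse_events(SAMPLE_EVENTS)).items():
        print(f"{threat}: {info['hits']} temp-dir hits under {info['distinct_names']} "
              f"names, max gap {info['max_gap_minutes']} min: likely re-created by an undetected process")
```

A flagged threat is the cue to look for the creating process (for example with Process Monitor, as the post suggests) rather than to keep deleting the dropped files.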





  • 6.  RE: Trojan.FakeAV!gen24

    Posted Mar 27, 2010 08:40 PM
    Antivirus scan detected Trojan.FakeAV!gen24 - followed removal instructions to update virus definitions, turned off system restore, booted in safe mode (both with and without networking), and each time scan detected virus - tried to repair, but no luck; tried to quarantine but no luck, and tried to remove, but no luck.  Have repeated this process several times.

    Any one have any thoughts on what to do?

    Bob


  • 7.  RE: Trojan.FakeAV!gen24

    Posted Mar 28, 2010 05:09 PM
    Maybe try Malwarebytes or HitmanPro ... I've had reasonable success with those in the past in removing threats from PCs.


  • 8.  RE: Trojan.FakeAV!gen24

    Posted Mar 28, 2010 08:11 PM
    You should submit the files to Symantec so we can make an anti-virus definition specifically for your strain of the virus. Check the guide below for instructions:

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/73537d3ec91e9d3288256a220027acf0?OpenDocument

    Thanks
    Grant


  • 9.  RE: Trojan.FakeAV!gen24

    Posted Mar 29, 2010 02:36 AM
    In the rare cases where even a full system scan in safe mode does not have permissions to delete a malicious file, there are procedures and tools that Symantec Technical Support can recommend which will remove the threats.  For those, though, it is best to contact Support rather than the volunteer community forum.

    Thanks and best regards,

    Mick


  • 10.  RE: Trojan.FakeAV!gen24

    Posted Apr 01, 2010 01:31 AM
    Just a quick link for a new Security Response blog post: Back to Basics with Fake AV

    Might be of interest.  Symantec is continuing to add protection against new variants that are submitted and is monitoring the trends.  More articles will be posted in the future. 

    Thanks and best regards,

    Mick


  • 11.  RE: Trojan.FakeAV!gen24

    Posted Jun 24, 2010 11:38 AM
    We have found that if the computer is infected with the Trojan.Fake.AV!GenXX and none of the above tricks work - Try this:

    1.  Shut computer down and unplug
    2.  Open the case and remove the hard disk drive
    3.  Slave the hard disk drive in another computer (WARNING - make sure you have your anti-virus on the second computer completely up to date.  I gave this information to someone else and the anti-virus in his second computer was months out of date!  Yup...)
    4.  Scan the infected drive with MalwareBytes (fully updated).  Symantec will also scan the files MalwareBytes scans since MalwareBytes opens each file to scan it.

    This has worked for us 98% of the time.  We have never had a virus infect the second computer (yet), and have been doing this for over a year now.  We have several hundred computers with users from all walks of life and intelligence and we have infected computers on a regular basis (NOTE TO SYMANTEC - even though Symantec Endpoint Protection is running on all computers).

    Good Luck

    Tim


  • 12.  RE: Trojan.FakeAV!gen24

    Posted Jun 24, 2010 12:14 PM
    As a last resort try the Norton Power Eraser tool.

    The Norton Power Eraser uses aggressive methods to detect threats, so there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default




  • 13.  RE: Trojan.FakeAV!gen24

    Posted Jun 25, 2010 07:06 AM

    Fake AV / misleading app / smitfraud / scareware / rogueware is an area that Symantec is very actively investigating.  In October 2009, a white paper was made public on the topic. The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs and how they affect users. The report includes an overview of these programs, how they work, their risk implications, various distribution methods and innovative attack vectors.

    To learn more, please download and read the report or listen to the podcasts on the subject. http://www.symantec.com/business/theme.jsp?themeid=threatreport or  http://www4.symantec.com/Vrt/wl?tu_id=XuOB125692283892572210

    You may also find some excellent info on FakeAV in these forum threads:

    https://www-secure.symantec.com/connect/forums/sep-and-fakeav
    https://www-secure.symantec.com/connect/forums/fakeav-webcast-app-and-device-control-examples

    https://www-secure.symantec.com/connect/forums/question-fakeav-and-proactive-threat-protection

    Hope this helps! Please do keep the forum up-to-date with your progress.

    Thanks and best regards,

    Mick



  • 14.  RE: Trojan.FakeAV!gen24

    Posted Nov 30, 2010 04:12 PM

    I still haven't figured out why Symantec just can not catch the fake AV.  I mean Malware-bytes and the others catch and get rid of it, whereas Symantec may quarantine it but doesn't get rid of it. And 90% of the time it is in their list of known infections.  Is there any type of help for this???????



  • 15.  RE: Trojan.FakeAV!gen24

    Posted Nov 30, 2010 04:25 PM

    Are you running the SEP with the recommended security settings? Richard, next time please start a new thread for your issue.

     

    Security Response recommends the following Scan Settings

    Antivirus Security Setting                    Default Setting    High Security Policy   Security Response Recommendation
    --------------------------------------------  -----------------  ---------------------  --------------------------------
    Lock settings                                 Some               Some                   All
    Remediation: terminate processes              No                 No                     Yes
    Remediation: terminate services               No                 No                     Yes
    Auto-Protect action taken for security risks  Quarantine/Log     Quarantine/Log         Quarantine/Delete
    Network Auto-Protect                          Disabled           Enabled                Enabled
    Bloodhound Level                              Default (2)        Default (2)            Default (3)
    SEP Startup                                   System Start       System Start           System Start
    Auto-Protect Scan                             Modify and access  Modify and access      Modify and access

    Security Response recommends the following setting changes to Truscan for best protection

    Truscan               Default Setting  Security Response Recommendation
    --------------------  ---------------  --------------------------------
    Scan Sensitivity      9/Low            100
    Action on Detection   Log              Terminate
    Scan Frequency        1:00             00:15

    http://www.symantec.com/business/support/index?page=content&id=TECH122943&locale=en_US

     

    Also see our "Security Best Practices"  - http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&inid=us_sr_carousel_panel7_best_practices



  • 16.  RE: Trojan.FakeAV!gen24

    Posted Nov 30, 2010 04:50 PM

    Yes, an application and device control policy will stop this.



  • 17.  RE: Trojan.FakeAV!gen24

    Posted Apr 25, 2011 10:07 AM

    I have had Trojan.FakeAV all over my organization and the only thing that gets rid of it completely is Malwarebytes.

    Symantec has been detecting it but not removing it completely.

    SEP 11.6100.645