How to troubleshoot FakeAV if it is not detected

Article:TECH157781  |  Created: 2011-04-11  |  Updated: 2013-01-14  |  Article URL http://www.symantec.com/docs/TECH157781
Article Type
Technical Solution


Problem



Symptoms:

  • You cannot open Symantec Endpoint Protection (SEP) or any other program.
  • System utilities like Cmd, Taskmgr, and Regedit are disabled.
  • Pop-ups appear from what looks like an antivirus program other than the one you know to be installed, stating that the computer is infected with viruses. Newer variants may also appear to report massive file fragmentation and/or imminent disk failure.

Users may be directed to malicious sites by way of the following methods:

  • Spam emails that contain links or attachments
  • Blogs and forums that are spammed with links to adult videos
  • User-generated content spam, such as fake videos
  • Malicious banner advertisements
  • Sites advertising pornography or pirated software
  • Search Engine Optimization (SEO) poisoning
  • Fake torrent files or files on file sharing networks
  • Web pages containing exploits

Cause



FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased. It is also referred to as "rogue antivirus".


Solution



  1. Boot the computer in Safe Mode.
  2. Browse to C:\Documents and Settings\%userprofile%\Local Settings\Application Data\
  3. Look for a folder, a .bat file or an .exe with a random name such as VRQWSDJFGK. This folder contains the FakeAV file.
  4. If you don't find the folder in the above-mentioned location, try looking for it in C:\Documents and Settings\All Users\Application Data.
  5. Once the folder and file are traced, submit the file to Symantec Security Response using the appropriate entitlement.
  6. Once the file is submitted successfully, the file may be deleted. However, it is not recommended to delete the threat file manually, as it may result in user profile corruption.
  7. Boot the computer in normal mode.
  8. If you are not able to access the Internet, correct the proxy settings in Tools > Internet Options > Connections > LAN Settings. Most of the time the FakeAV changes this setting to 'Automatically detect settings'. If there is no proxy server, you may uncheck this setting.
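As an added example (not from the Symantec article): a small Python triage helper that applies the heuristic from steps 2 to 4, a recently created folder, .bat or .exe with a random-looking name under the two Application Data locations, and lists candidates for submission in step 5. The randomness thresholds, the 30-day window and the sample listing are our assumptions.

```python
import os
import re
from datetime import datetime, timedelta
from typing import Iterable, List, NamedTuple

# Locations named in steps 2 and 4 (Windows XP-era profile layout).
SEARCH_PATHS = [
    os.path.expandvars(r"C:\Documents and Settings\%USERNAME%\Local Settings\Application Data"),
    r"C:\Documents and Settings\All Users\Application Data",
]
SUSPECT_EXTENSIONS = {".exe", ".bat"}
VOWELS = set("aeiou")

class Entry(NamedTuple):
    name: str
    is_dir: bool
    created: datetime

def looks_random(name: str) -> bool:
    """Heuristic for generated names like VRQWSDJFGK: letters/digits only, 6+ chars,
    and almost no vowels or a long consonant run (thresholds are our assumption)."""
    stem = os.path.splitext(name)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio <= 0.2 or re.search(r"[b-df-hj-np-tv-z]{5,}", stem) is not None

def find_suspicious(entries: Iterable[Entry], now: datetime, max_age_days: int = 30) -> List[str]:
    """Names of folders, .exe or .bat files that look random and were created recently."""
    cutoff = now - timedelta(days=max_age_days)
    return [e.name for e in entries
            if (e.is_dir or os.path.splitext(e.name)[1].lower() in SUSPECT_EXTENSIONS)
            and e.created >= cutoff and looks_random(e.name)]

def scan(paths: Iterable[str] = SEARCH_PATHS) -> List[str]:
    """List the top level of each path (st_ctime is the creation time on Windows)."""
    entries = []
    for path in paths:
        if os.path.isdir(path):
            with os.scandir(path) as it:
                entries += [Entry(d.name, d.is_dir(), datetime.fromtimestamp(d.stat().st_ctime)) for d in it]
    return find_suspicious(entries, datetime.now())

# Constructed sample listing (not taken from a real machine) to try the heuristic offline.
SAMPLE_NOW = datetime(2011, 4, 11)
SAMPLE_ENTRIES = [
    Entry("VRQWSDJFGK", True, datetime(2011, 4, 9)),      # random folder name, fresh
    Entry("xkqvmnrt.bat", False, datetime(2011, 4, 10)),  # random .bat, fresh
    Entry("Microsoft", True, datetime(2009, 1, 5)),        # normal vendor folder
    Entry("HGTRPLZQW", True, datetime(2010, 6, 1)),        # random but older than 30 days
]
```

On the affected machine, run `scan()` from Safe Mode and submit what it reports rather than deleting it, as step 6 advises.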
 
In many cases the issue is resolved by deleting the user profile and creating a new one. This is because these programs are Trojans and mostly install into the user's profile (the folders to which the user has access). Where several users regularly share the same computer, you may see these programs only when the infected user is logged in; if you switch to another user with a clean profile, they may not be running. However, this is not always the case.
 
Symantec Power Eraser

If you are unable to find the suspicious threat file(s), use Symantec Power Eraser. It is designed to complement mainline antivirus applications by detecting and remediating specific types of threats:

  • New variants of existing threats for which there is no coverage by the current definition sets
  • Fake antivirus applications, and other rogueware
  • Rootkits
  • System settings that have been tampered with maliciously


Please see the following Knowledge Base Article for additional information:

Additional Resources:

If you use the Symantec Endpoint Protection Manager to manage SEP clients, consider the following articles:

More Information:

Additional articles with excellent information and valuable links to podcasts, blog posts, videos and other resources on the topic.

Legacy ID



2010071307124148



