How to troubleshoot suspected Misleading Applications and Rogue Security Software (Trojan.FakeAV or Fake AntiVirus)

Article:TECH157781  |  Created: 2011-04-11  |  Updated: 2014-06-04  |  Article URL http://www.symantec.com/docs/TECH157781
Article Type
Technical Solution

Product(s)

Issue



  • You cannot open the Symantec Endpoint Protection (SEP) user interface or any other program.
  • System utilities like Command Prompt, Task Manager, and the Registry Editor are disabled.
  • The suspect program is intentionally misrepresenting the security status of the computer by continually presenting fake scan dialog boxes and alert messages that prompt the user to buy the product.  Newer variants may also show massive file fragmentation and/or imminent disk failure related problems to tempt the user into purchasing the product.

Users may encounter this kind of threat when they visit Web sites that attempt to convince them to remove non-existent malware or security risks from their computers by installing the bogus software. The Trojan can also be installed by other malware, drive-by downloads, and when downloading and installing other software.


Error




Cause



Misleading Application - Applications that intentionally misrepresent the security status of a computer. These applications typically masquerade as security notifications about any fake infections that must be removed.

Rogue Security Software - A type of misleading application (also known as scareware) that pretends to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provides the user with little or no protection whatsoever and, in some cases, can actually facilitate the installation of malicious code that it purports to protect against. Commonly, rogue security software claims that the programs can remove unwanted applications such as spyware or adware. Not only do these scams cheat users out of money by charging for their fraudulent product, but the personal and credit card information that users provide to register these fake products could also be used in additional fraudulent activity.

Trojan.FakeAV - A detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased.


Solution



  1. The simplest way to remove the threat from the computer is to run a full system scan on the compromised computer. With the latest definitions installed the scan should be able to remove the threat in most cases without incident. Please see Best Practices for Troubleshooting Viruses on a Network for additional detail. If SEP is unable to find the threat, please proceed to the next steps.
  2. Restart the computer into Safe Mode.
  3. Browse to %APPDATA%
  4. Search for a folder, .bat file, or .exe file with a random name like VRQWSDJFGK. This folder will typically contain the Misleading Application/Rogue Security Software/Trojan.FakeAV file(s).
  5. If you are unable to find the folder in the above mentioned location, try looking for it in C:\Documents and Settings\All Users\Application Data
  6. Once the folder and file are traced, submit the file to Symantec Security Response using the appropriate entitlement and steps provided in the article TECH102419. Please contact Symantec Technical Support for assistance with file submission if needed. NOTE: It is NOT recommended to delete the threat file(s) manually. Symantec Endpoint Protection should be used to detect and remove the threat in order to ensure any side effects that the threat has implemented can be successfully repaired/restored to their original functionality. Deleting the file(s) manually may result in components of the threat being left behind or lead to user profile corruption.
  7. Restart the computer back into Normal Mode.
  8. Create an Application and Device Control policy to block that file's execution using steps provided in the article TECH93451, rather than deleting the file. Apply the Application and Device Control policy to the client group to protect all of the computers.
  9. If Internet access has been blocked, correct the proxy settings in Tools > Internet Options > Connections > LAN Settings. Typically Misleading Applications/Rogue Security Software/Trojan.FakeAV modify the Hosts file or change these settings to 'Automatically detect settings', when there is no proxy server in use in the environment. If there is no proxy server in the environment, you may uncheck this setting.
  10. In many cases, the issue may inadvertently be resolved if the user profile has been deleted and a new user profile is created. This is because these programs are typically installed within the user's profile (to ensure that the program has the proper level of folder access it requires to run). In some instances where a few users regularly use the same computer, you may only see these programs if the infected user is logged in, but if you switch to another user, these programs may not be running. This is not necessarily the case every time however.

 

Threat Analysis Scan (formerly Symantec Power Eraser)

If you are unable to find the suspicious threat file(s), the Threat Analysis Scan built into SymHelp is designed to complement mainline antivirus applications by detecting and remediating specific types of threats:

  • New variants of existing threats for which there is no coverage by the current definition sets
  • Fake antivirus applications, and other rogueware
  • Rootkits
  • System settings that have been tampered with maliciously

Please see the following Knowledge Base Article for additional information:

 

Additional Resources:

If you use the Symantec Endpoint Protection Manager to manage SEP clients, consider the following articles:

 

More Information:

Additional articles with excellent information and valuable links to podcasts, blog posts, videos and other resources on the topic.

 




Legacy ID



2010071307124148


Article URL http://www.symantec.com/docs/TECH157781


Terms of use for this information are found in Legal Notices