
How to troubleshoot FakeAV if it is not detected

Created: 13 Apr 2011 • Updated: 05 Jul 2011 | 9 comments
Mithun Sanghavi's picture
+14 14 Votes
FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased. 
 
Symptoms: 
  1. Cannot open SEP or any other program.
  2. System utilities like Cmd, Taskmgr, Regedit are disabled.
  3. Pop-ups from a rogue antivirus program state that viruses are present and the machine is infected.

Solution:

1. Boot the computer in safe mode.
2. Browse to C:\Documents and Settings\%userprofile%\Local Settings\Application Data\
3. Look for a folder, a .bat file or an .exe with a random name such as VRQWSDJFGK.
4. This folder contains the Fake AV file.
5. If you don't find the folder in the above-mentioned location, look for it in C:\Documents and Settings\All Users\Application Data
6. Once the folder and file are located, submit the file to Symantec Security Response using the appropriate entitlement.
7. Once the file is submitted successfully, the file can be deleted.
8. Boot the computer in normal mode.
9. If you are not able to access the Internet, correct the proxy settings in Tools > Internet Options > Connections > LAN Settings. Most of the time the Fake AV changes the setting to 'Automatically detect settings'. If there is no proxy server, you may uncheck this setting.
 
NOTE: It is not recommended to delete the threat file manually, as it may result in user profile corruption.
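A read-only way to carry out steps 2 to 5, added here as an example and not part of the original article: it lists .exe and .bat files and randomly named folders in both locations, newest first, with a SHA-256 for the submission in step 6. The function names, the consonant-run heuristic for "random" names and the output columns are assumptions.

```powershell
# Added example: read-only triage of the folders from steps 2 and 5.
# Function names, the name heuristic and the output columns are assumptions.
function Test-RandomLookingName {
    param([string]$Name)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    # Letters/digits only, containing a run of 5+ consonants: "VRQWSDJFGK"
    # matches, "Microsoft" and "Mozilla" do not. -match ignores case.
    return (($base -match '^[a-z0-9]+$') -and ($base -match '[bcdfghjklmnpqrstvwxz]{5,}'))
}

function Get-Sha256 {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $sha = [System.Security.Cryptography.SHA256]::Create()
            return ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '')
        } finally { $fs.Dispose() }
    } catch { return $null }   # locked or unreadable file
}

function Get-FakeAvCandidate {
    param([string[]]$Root)
    foreach ($dir in $Root) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden and system items that Explorer does not show.
        $top = @(Get-ChildItem -LiteralPath $dir -Force)
        # Look one level down only inside folders whose name looks random.
        $nested = @($top | Where-Object { $_.PSIsContainer -and (Test-RandomLookingName $_.Name) } |
            ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Force })
        foreach ($item in ($top + $nested)) {
            $random = Test-RandomLookingName $item.Name
            $isExec = (-not $item.PSIsContainer) -and ($item.Extension -match '^\.(exe|bat)$')
            if (-not ($isExec -or ($item.PSIsContainer -and $random))) { continue }
            $hash = $null
            if ($isExec) { $hash = Get-Sha256 $item.FullName }
            New-Object PSObject -Property @{
                Path = $item.FullName; RandomName = $random
                Created = $item.CreationTime; Sha256 = $hash
            }
        }
    }
}

# The two locations the steps name; run in safe mode as the affected user.
Get-FakeAvCandidate -Root @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
    'C:\Documents and Settings\All Users\Application Data'
) | Sort-Object Created -Descending | Format-List Path, RandomName, Created, Sha256
```

The RandomName column is a hint, not a verdict: every .exe or .bat sitting directly in these folders is listed whether or not its name looks random.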
 
In many cases, we found that the issue is resolved if the user profile is deleted and a new user profile is created. This is because these programs are Trojans and are mostly installed in the user's profile (in folders the user has access to).
 
So, if you have a couple of users on the same computer, you may see these programs when the infected user logs in to his profile; if you switch profiles, you may not see these programs running in another, non-infected profile.
 
However, this is not necessarily the case every time. This observation is based on a sample of infections.
 
 
So, if you are unable to find the suspicious threat file, consider working through the article below:
 
Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 
 
 
 
A common question always arises: does Symantec Endpoint Protection protect me from fake anti-virus programs?
 
YES. Check the article below:
 
 
 
Symantec and FakeAV (Technical Write-ups)
 
1) Trojan.FakeAV
 
 
2) Trojan.FakeAV!gen
 
 
 
Also, if you have Symantec Endpoint Protection Manager to manage SEP clients, you might consider going through the articles below.
 
1) Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security
 
 
2) Best practices regarding Intrusion Prevention System technology
 
 
3) Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x
 
 
 
 
Now, about the BEST TOOL you can use in situations like this:
 
Symantec Power Eraser
 
Symantec Power Eraser is designed to complement mainline antivirus applications by detecting and remediating specific types of threats:
  • New variants of existing threats for which there is no coverage by the current definition sets
  • Fake antivirus applications, and other rogueware
  • Rootkits
  • System settings that have been tampered with maliciously

Check this Article:

About Symantec Power Eraser
 
 
 
 
More Information:
 
Some good articles with excellent information and valuable links to podcasts, blog posts, videos and other resources on the topic.
 
 
Symantec Report on Rogue Security Software - Released in October 2009
 
 
 
An article: Misleading Applications
 
 
 
 

Comments (9)

Aniket Amdekar's picture

Nice article. If you have located the file, you can manually put them in the quarantine of SEP client as well.

Regards,

Aniket Amdekar

0
deepak.vasudevan's picture

Dear Mithun,

Is there a way to protect the hosts file in the computer? In a recent experience I found that there were a bunch of host entries to google.com, symantec.com (but the IP addresses were pointing to a UK server). Hence LiveUpdate could not function.

We had to correct the issue by resorting to System Restore (1 week back). The host file was not even allowed to be overwritten as it was denying access. Even when I killed the processes, removed the entries and saved it, in two minutes I saw those bunch of entries coming up again.

0
w-d's picture

You can block writing to hosts file. 1 condition is that the SEP client needs to have Application and Device Control component installed (a subcomponent of Proactive Threat Protection).

To configure it, log in to Symantec Endpoint Protection Manager and go to Policies -> Application and Device Control, then right-click on an existing Application and Device Control policy and select Edit. In the new window please go to Application Control and enable Block modifications to hosts file. Confirm everything with OK and assign the policy to the groups if needed.

0
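The hosts entries described in this thread can be spotted with a short check, added here as an example that is not part of any commenter's post: it parses hosts-file lines and reports every entry naming a watched domain. The function name, the watch list (taken from the domains mentioned above) and the constructed sample lines are assumptions.

```powershell
# Added example: audit hosts-file lines for entries that name watched domains.
# Find-HostsRedirect and its parameters are hypothetical names.
function Find-HostsRedirect {
    param(
        [string[]]$Line,
        [string[]]$WatchDomain = @('google.com', 'symantec.com')
    )
    $n = 0
    foreach ($raw in $Line) {
        $n++
        # Drop comments, then split "address name [alias ...]" on whitespace.
        $text = ($raw -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            foreach ($domain in $WatchDomain) {
                # Match the domain itself or any subdomain of it.
                $pattern = '(^|\.)' + [regex]::Escape($domain) + '$'
                if ($name -match $pattern) {
                    New-Object PSObject -Property @{
                        LineNumber = $n; Address = $address; Name = $name
                        # A loopback target blocks the site rather than redirecting it.
                        Loopback = ($address -match '^(127\.|::1$)')
                    }
                }
            }
        }
    }
}

# Constructed sample; 203.0.113.0/24 is a documentation range (RFC 5737).
$sample = @(
    '# sample hosts file (constructed)',
    '127.0.0.1       localhost',
    '203.0.113.10    www.google.com google.com',
    '203.0.113.10    www.symantec.com   # constructed entry',
    '10.1.2.3        intranet.example.local'
)
Find-HostsRedirect -Line $sample |
    Format-Table LineNumber, Address, Name, Loopback -AutoSize

# On a live system:
# Find-HostsRedirect -Line (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

On the constructed sample this reports lines 3 and 4 (three names in total); a clean hosts file normally produces no output for these domains.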
profman87's picture

We have been somewhat successful stopping the installation in the first place by turning up the sensitivity of the Proactive Threat Protection. 

0
Mohan Babu's picture

Nice 

Mohan Babu


0
MiRzA's picture

Create another user/profile and log in with the new user. Hopefully it will give you some access to basic tools (Task Manager, CMD).

0
.Brian's picture

Many times when a PC is infected with FakeAV, it will not allow you to run any legitimate removal programs. Typically, what I do is use Process Explorer to find the malware. If you try to use Process Explorer on an infected system, it will not be allowed as the FakeAV will kill it immediately and alert you that procexp.exe was infected and cannot be run.

A simple trick to get around this is to rename the Process Explorer executable to a legitimate Windows process, winlogon.exe, explorer.exe, svchost.exe, etc. and then run it.

The FakeAV knows not to kill a valid critical Windows process otherwise Windows will likely crash or hang and the virus will not be able to accomplish what it needs to do.

Has worked 95% of the time for me when fighting these types of infections.


+1