
"Antivirus 2009, 2010, etc" malware

Created: 28 Sep 2009 • Updated: 09 Sep 2010 | 6 comments

Hey guys, just thought I'd throw this out there.
I occasionally have users who somehow manage to get infected with AV 2009 or similar malware (and I run the latest SEP and a web-filtering proxy with AV). I can run a full scan and it will report "All clean". Even software like Malwarebytes and Ad-Aware will report "All clean". It's very difficult to remove manually, and it's faster to just re-image the drive.

So, I'm wondering.. does any AV protect against this frustrating, *obviously professional* malware? What's the next step to combat this?

Comments

snekul:

You have to hope your A/V (whoever it is) catches it before it gets into the system; otherwise, yes, it is very difficult to remove. If you have a good imaging and deployment strategy, that probably is faster than trying to clean it up. Eventually the code to clean up each variant gets added, but there are so many variants of this malware that that can be difficult, and in many cases you're not in a position to wait for the cleanup code to get added.

A few things you can do to reduce malware in general:

While some variants of Antivirus 2009, etc. will install as a limited user to the user's profile, they can't prevent themselves from being easily deleted when they fail to get admin rights.  If possible, limit admin rights as much as possible.

If you have "trouble" users who repeatedly get infected, try installing a toolbar to warn them when they enter a dangerous site; WOT comes to mind.

If your users should only be running software from particular locations and not installing it themselves, then group policies or SEP application and device control rules can easily keep your computer from becoming infected by only allowing programs to run that are in Windows and Program Files (and any other directories you need). This works especially well if your users do not have rights to those directories.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa
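The directory-based allow-list rule snekul describes, modelled as an added example (this is not SEP or Group Policy code): a program may run only if its image path, after normalisation, sits under C:\Windows or C:\Program Files. The allowed-directory list, the sample process images and the list of user-writable directories are all constructed assumptions. Paths are handled with `ntpath` so the model runs on any host.

```python
"""Model of a directory allow-list rule for application control (SRP / SEP
Application Control style): run a program only if its image lives under one
of the allowed directories.

Added example; not SEP, SRP or Group Policy code. Paths are treated as
Windows paths via ntpath so the model runs on any OS.
"""
import ntpath

# Assumption: standard locations on a 32-bit XP/Vista install. Extend as needed.
ALLOWED_DIRS = [
    r"C:\Windows",
    r"C:\Program Files",
]


def _norm(path: str) -> str:
    # Collapse "..", "." and mixed separators, then fold case: NTFS is
    # case-insensitive, so C:\WINDOWS and c:\windows are the same directory.
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, directory: str) -> bool:
    """True if path is inside directory (or is the directory itself).

    Compares on a directory boundary rather than with a bare str.startswith,
    so 'C:\\Program Files Evil\\av.exe' is not treated as being under
    'C:\\Program Files'.
    """
    p = _norm(path)
    d = _norm(directory).rstrip("\\")
    return p == d or p.startswith(d + "\\")


def allowed_to_run(image_path: str) -> bool:
    """Decision for one process image: allow only from ALLOWED_DIRS.

    Anything dropped into the user profile, Temp, the IE cache or a
    relative path fails this test, which is what blocks the user-profile
    installs the thread describes.
    """
    return any(is_under(image_path, d) for d in ALLOWED_DIRS)


def evaluate(image_paths) -> dict:
    """Map each image path to its allow/deny decision."""
    return {p: allowed_to_run(p) for p in image_paths}


def writable_allowed_dirs(allowed_dirs, user_writable_dirs) -> list:
    """Policy gap check: allowed directories (or subdirectories) that the
    user can write to. A path rule is only as strong as the ACLs on the
    directories it allows; a writable folder under Program Files lets the
    user (or malware running as the user) place a file the rule will trust.
    """
    return [w for w in user_writable_dirs
            if any(is_under(w, a) for a in allowed_dirs)]


if __name__ == "__main__":
    # Constructed sample process images.
    sample_images = [
        r"C:\Windows\system32\notepad.exe",
        r"c:/program files/Internet Explorer/iexplore.exe",
        r"C:\Documents and Settings\bob\Local Settings\Temp\av.exe",
        r"C:\Program Files Evil\av.exe",
        r"C:\Program Files\..\Temp\av.exe",
    ]
    for path, ok in evaluate(sample_images).items():
        print(("ALLOW " if ok else "DENY  ") + path)

    # Constructed sample of directories the user's token can write to.
    user_writable = [
        r"C:\Program Files\SomeApp\logs",
        r"C:\Documents and Settings\bob",
    ]
    for gap in writable_allowed_dirs(ALLOWED_DIRS, user_writable):
        print("policy gap: user-writable allowed directory " + gap)
```

The `writable_allowed_dirs` check is the point of snekul's last sentence: the rule holds only where users cannot write into the allowed trees, so audit those ACLs alongside the rule itself.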

Mick2009:

Hi MaxStr,

There's some info on the subject in this forum thread, too:

https://www-secure.symantec.com/connect/forums/sep-cannot-remove-antivirus-pro-2010

Another recommendation: educate end users that if they see one of those fake pop-ups, "Do you want to install Smitfraud2010, Yes/No?", don't hit "No." They are usually coded so that the misleading application will be installed no matter what interaction there is. The best course of action is to open up Task Manager and kill the iexplore.exe process straight away from there.

Right after that, the installer for the scamware might be sitting in their IE temp folder.  I really do recommend submitting any suspicious files (either the installers or the .exe's, etc, that have managed to get themselves installed) to Symantec Security Response.  With help from customers, Symantec is blocking new variants every day.

Thanks and best regards,

Mick
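The follow-up check Mick describes (look in the IE temp folder for the dropped installer and submit it), as an added example that is not from the thread or from Symantec: it walks a folder, picks out files that are PE executables by their MZ header whatever their extension says, and records the SHA-256 hashes you would submit. The sample cache folder and its file names are constructed here so the script runs offline; on an infected box you would point `scan_cache()` at the real Temporary Internet Files folder.

```python
"""Triage of an IE temp folder after a fake-AV pop-up: list files that are
really executables (MZ header), regardless of name, with the hashes you
would submit to Security Response.

Added example, not from the thread. The cache folder is constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile

EXEC_EXTENSIONS = (".exe", ".dll", ".scr")


def is_pe(path: str) -> bool:
    """True if the file begins with the DOS 'MZ' stub every PE image carries.
    Name and extension are ignored: IE cache names look like file[1].ext and
    the dropper may be stored under whatever the server called it."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 (hash to quote in a submission)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_cache(root: str) -> list:
    """Walk root and return one record per PE file found, newest first."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                if not is_pe(p):
                    continue
            except OSError:
                continue  # unreadable/locked file: skip, do not abort the scan
            st = os.stat(p)
            found.append({
                "path": p,
                "name": name,
                "size": st.st_size,
                "sha256": sha256_of(p),
                "mtime": st.st_mtime,
                # An executable stored under a non-executable extension is
                # the strongest hint that it is the dropper, not a download.
                "disguised": not name.lower().endswith(EXEC_EXTENSIONS),
            })
    found.sort(key=lambda r: r["mtime"], reverse=True)
    return found


def build_sample_cache() -> str:
    """Construct a throwaway folder imitating IE cache naming (file[1].ext).
    Contents are synthetic: a minimal MZ stub, not real malware."""
    root = tempfile.mkdtemp(prefix="ietemp_")
    stub = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    samples = {
        "index[1].htm": b"<html><body>fake scan results</body></html>",
        "install[1].htm": stub,   # PE hidden behind an .htm name
        "setup[1].exe": stub,
        "logo[1].gif": b"GIF89a" + b"\x00" * 10,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rec in scan_cache(build_sample_cache()):
        flag = "DISGUISED " if rec["disguised"] else ""
        print(f"{rec['sha256'][:16]}...  {rec['size']:6d}  {flag}{rec['path']}")
```

Hash before you delete: once the file is gone the vendor has nothing to work from, and the hash lets you check later whether a definition now covers it.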

pchouse:

My customer has Norton Internet Security 2009. Yesterday he came to my store with a laptop infected with Antivirus System PRO. Obviously the laptop was infected with this virus after the popup appeared and he clicked NO. I tried removing it manually but it returned after cleaning. I could not get help from Norton! Can anyone provide detailed, accurate manual removal of this virus from XP Pro?
Thanks. Mike

Grant_Hall:

Hi pchouse,

Just wanted to let you know that you posted in the Symantec Endpoint Protection forums, which are separate from the Norton line of products. You should try to post here: http://community.norton.com/norton/.

There are also many guides out there on the internet going over your exact question. http://www.google.com/search?q=antivirus+system+pr...

I hope this helps and sorry about the confusion on which was the correct forum,
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

smshashi:

I had a bigger problem with this rogue malware on my Windows Vista (the rogue called Antivirus Vista 2010!!). I recognised this as some kind of virus and immediately removed the registry settings related to av.exe. Norton Internet Security software was unable to recognise this. Since I deleted the registry entries before running MBAM as mentioned on the bleepingcomputer website, MBAM was unable to recognise this!! I restarted in safe mode a couple of times and followed what's told on the above website. By then it had already done a lot of damage. The next time I logged in, I was unable to click any exe; it used to open the folder containing the exe. After the next restart, I was unable to log in again!! My keyboard and mouse did not work!! I had to re-format and re-install Windows Vista!!

Really frustrating, the way Windows and this virus/malware duo works. Being the top company in antivirus, Symantec should have already provided a solution for this, instead of just mentioning the rogue in their articles!! MBAM already provides a solution for this. Really frustrating.

sbertram:

The next step is to run free web-based virus scanners to see if one cleans up the PC. Run HouseCall by Trend Micro?