
Fake AV - Virus problem that needs to be addressed

Created: 29 Jan 2010 | 7 comments

Hopefully this is the correct forum for this topic.

My wife's computer was hit with a fake AV alert virus.

Norton seems to have cleaned the virus (but may not have), but .... there continues to be a red shield with a white X on the status bar that says NAV is out of date. This has never been true on her computer.

When I look at the NAV history I find these:
Unauthorized access block (Open Process Token)        Blocked        1/26/2010 9:38:48 AM
Trojan.FakeAV detected by Auto-Protect            Removed        1/26/2010 7:30:08 AM
Statistical Submission: Trojan.FakeAV            Submitted    1/26/2010 7:26:06 AM
AntivirusSystemPro detected by Virus scanner        Removed        1/25/2010 5:57:15 PM
Statistical Submission: AntivirusSystemPro        Submitted    1/26/2010 5:52:43 PM
vxcjsysguard.exe accessed your network resources    Detected    1/24/2010 5:17:35 AM
tvcp.exe made 5 modifications to your System Config.    Detected    1/24/2010 5:17:20 AM
IPS Detection Statistical Submission            Submitted    1/24/2010 5:16:55 AM

It seems clear that the infection occurred around 1/24/2010 5:16:55 AM.

On the 26th is when all the fake AV messages appeared (because my wife closed the laptop right around the time of infection).

The Norton Alert shield has been red ever since and it's never been out of date.

One more piece of info.

On my netbook (NOT the infected computer above), I had not turned it on in 34 days, so I had the red alert shield on the status bar, but ... after running live updates from NAV and clicking on the "fix" button (IN NAV, not the shield application), which ran a quick scan, the shield went away.

On my wife's laptop (the infected computer), Norton detects no problems, and about a dozen full scans have been run since the 26th and many quick scans have run. This is why I believe the red shield program may be infected.

I believe something is still not cleaned.
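The reasoning in the post above (read the NAV history, take the earliest entry as the start of the infection, note which executables it names) can be done mechanically. The following is an added example, not code from the original post or from Norton; the history text is constructed from the entries quoted above, and the column layout (description, status, timestamp separated by runs of whitespace) is assumed from how they were pasted.

```python
import re
from datetime import datetime

# Constructed sample: the NAV history entries quoted in the post above,
# one event per line (description, status, timestamp).
NAV_HISTORY = """\
Unauthorized access block (Open Process Token)        Blocked        1/26/2010 9:38:48 AM
Trojan.FakeAV detected by Auto-Protect            Removed        1/26/2010 7:30:08 AM
Statistical Submission: Trojan.FakeAV            Submitted    1/26/2010 7:26:06 AM
AntivirusSystemPro detected by Virus scanner        Removed        1/25/2010 5:57:15 PM
Statistical Submission: AntivirusSystemPro        Submitted    1/26/2010 5:52:43 PM
vxcjsysguard.exe accessed your network resources    Detected    1/24/2010 5:17:35 AM
tvcp.exe made 5 modifications to your System Config.    Detected    1/24/2010 5:17:20 AM
IPS Detection Statistical Submission            Submitted    1/24/2010 5:16:55 AM
"""

# Assumed layout: columns separated by two or more spaces/tabs in the pasted text.
LINE_RE = re.compile(
    r"^(?P<desc>.+?)\s{2,}(?P<status>\w+)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$"
)
EXE_RE = re.compile(r"\b[\w-]+\.exe\b", re.IGNORECASE)

def parse_history(text):
    """Return (timestamp, status, description) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a history row
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
        events.append((ts, m.group("status"), m.group("desc")))
    return sorted(events)

def first_event(events):
    """Earliest entry: the best estimate of when the infection began."""
    return events[0] if events else None

def named_executables(events):
    """Executable names mentioned in the history: what to look for on disk."""
    names = set()
    for _, _, desc in events:
        names.update(n.lower() for n in EXE_RE.findall(desc))
    return sorted(names)
```

On the sample above `first_event` lands on the 1/24/2010 5:16:55 AM IPS entry, matching the conclusion drawn in the post, and `named_executables` returns the two process names (tvcp.exe, vxcjsysguard.exe) worth checking for in any later scan results.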


LiftedBlazer

Hey WebGuru, I got this nasty little virus not more than twenty minutes ago. I was searching to figure out where it came from, and ran across your troubles. I had no anti-virus installed, and once I saw it I knew it was fake, and attempted to download and install AVG Free.

The download was successful, but the virus wouldn't allow me to actually run the program, so I couldn't install the anti-virus. Searching for solutions, I found this program called Trojan Remover, recommended by a user on another internet forum discussion group. I was skeptical about the program, but I had nothing to lose, so I tried it. It removed the fake AV virus immediately, plus a couple others I hadn't noticed, and after a restart of the computer, there is no fake AV virus any longer. You can find the Trojan Remover at simplysup.com/tremover/download.html . You have to take my word on it, but if the fake AV virus is still on the computer, I know it will remove it instantly.

Just follow the guidelines while it's running; if it has an option highlighted, you should probably use it. I think it's an excellent solution for the AV virus, especially since it seems you're not being helped here.

ngyj

Hi there! I'm sorry for your nasty virus, and I can tell you something like this happened to me. Anyway, these programs you mention here, if you ask me, are not the best. But no offense please; I use something I like and for me it's perfect. Maybe it helps you too: http://www.trustdownload.com/Antivirus-and-Spyware-Cleaners/Antivirus/Kaspersky-Internet-Security-7.0.html

magee_underground

I think I had the same fake virus that you are talking about. It is a Java application that somehow manages to download itself to your machine without Norton noticing. I think it's meant to try and get credit card details by making you purchase an antivirus program, but I did figure out how to remove it because while the system was infected it would not allow me to run Norton. On my system I found the directory of the program in C:\Users\(type your username here)\AppData\Local; if this doesn't end up being where it is on your system you can easily find its location. Just double-click its icon in the notification bar (near the clock); when it opens, right-click anywhere inside the open window and select Properties. The Properties window should open and in there you should see the location; it should look something like what I wrote above (take note of the location).

You will have to restart your system in safe mode to delete the program because while it is running it will not allow you to delete it. Restart your computer, then once it loads past the first black screen (BIOS screen) keep pressing the F8 key (this works for Vista, not sure if it's the same for other OSes). It should load up a screen that gives you the option to start Windows in safe mode; select it, then wait for your system to load. When it's loaded, go to the directory mentioned before. In this location you should find a folder with the name starting with 'p' followed by a bunch of random letters and numbers (I can't remember exactly what the name was). All you need to do is select the folder, hold down the SHIFT key, then press the Delete key. The computer will ask "Are you sure you want to permanently delete?"; press Yes, then you're done. Now just go to the Start menu and restart your system. When it boots up you should be free of this annoying fake virus.

You might also find that your web browser doesn't work after you have removed it. If so, open your browser, select Tools, then Options, then select the tab that says Connections or Network. There should be some sort of Settings or Properties button (Internet Explorer has LAN settings); select it and in there it will probably have "use a proxy server". Uncheck that box and select the box that says automatically detect settings or don't use proxy (all web browsers tend to be different). Now press OK or Apply and it should be fine. Hope this helps, it worked for me.

Fd23

Hiya, I've been trying the last few hours to get rid of this and read so many false forums. Tried this. First time, worked like a charm (well, aren't you a clever clogs, magee_underground). Thank you so much. Saved me from getting a new computer. You're a life saver :D

debzj09

Several weeks ago my laptop was hit with something similar sounding and gave me a pop-up window saying my system was under attack. I closed the window and immediately opened Malwarebytes' Anti-Malware, which said something like "cannot open, file corrupt".

Next I restarted my system and when I started my browser (Chrome), it wouldn't bring up any pages other than what's in the cache. Next I tried using IE and the same thing occurs. I get a "page not found" message, so it appears to be attacking each. Last I tried Firefox, which worked for a couple of days, then the same thing happened.

I first fired up my desktop system (this, no sound card) plus have since moved, so this isn't very fresh in my memory anymore. I really want my laptop functioning online again with Chrome with the others as backup.

My specific question (other than "is there another fix?") is:
   - How can I download a fix, a new browser, etc. onto the laptop?

I appreciate your answers and help.
Deb

Thomas K

Hi Deb, What AV product are you running? It sounds as if your system is still infected. First thing to do is get the latest AV definitions installed.

Next, boot into safe mode and run a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc. Perform a full system scan in safe mode.

If that fails to remove the threat, then give the Norton Power Eraser Tool a try.

http://security.symantec.com/nbrt/npe.asp?lcid=103...

Keep us posted on your progress.

Best,
Thomas