
HELP: AVASoft Antivirus Professional Fake Software Infection

Created: 19 Mar 2013 • Updated: 21 Mar 2013 | 4 comments
This issue has been solved.

Hello:

I have a client who appears to be infected with the AVASoft Antivirus Professional rogue/fake anti-virus software. The SEP client's definitions were updated today, prior to the infection, as they are dated March 19, 2013. I cannot find information about this within the Symantec website; so, is there any information relating to the detection, cleanup, etc. of this infection using a Symantec Endpoint Protection 11.x unmanaged client?

When the system is booted up, the infection disables SEP from the system tray: the user can see the SEP system tray icon disappear upon system start, and then the AVASoft Antivirus Professional system tray icon appears. I have instructed the person to boot into SAFE MODE and run a full system scan. So far, the unmanaged SEP 11.x client can start in SAFE MODE and is scanning, which is good, because the SEP 11.x client cannot start when the person boots normally.

Therefore, any KB, technical notes, tools, etc., would be greatly appreciated; thank you.


.Brian:

Run Load Point Analysis and submit any suspicious files to security response. You can also run Power Eraser which should help to remove some of the more persistent malware as well as malware without a signature.

Using SymHelp, how to collect the Load Point Analysis Logs and Submit the same to Symantec Technical Support Team.

Article:TECH203028  |  Created: 2013-02-21  |  Updated: 2013-03-07  |  Article URL http://www.symantec.com/docs/TECH203028

Download SymHelp from this link

Symantec Help (SymHelp)

Article:TECH170752  |  Created: 2011-09-29  |  Updated: 2013-02-12  |  Article URL http://www.symantec.com/docs/TECH170752

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009:

Hi Voltron,

These may help:

Additional information about FakeAV threats
Article URL http://www.symantec.com/docs/TECH191739 
How to troubleshoot FakeAV if it is not detected
Article URL http://www.symantec.com/docs/TECH157781 
Putting IPS into place on SEP is very effective against FakeAV. AV alone is not enough for complete protection.

Hope this helps!

With thanks and best regards,

Mick

Mithun Sanghavi:

Hello,

Consider using Symantec Power Eraser when:

  • There is an outbreak on a small number of workstations or Windows servers
  • Symptoms of Fake/Rogue AV are seen, such as:
      • A reoccurring pop-up notification
      • Alerts indicating that they are infected
      • Prompts to register (buy) the solution
      • Fake Blue Screen Of Death messages

I would suggest you work on the articles below:

Using Symantec Help (SymHelp) Tool, how to Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

http://www.symantec.com/docs/TECH203027

Symantec Power Eraser using Symantec Help (SymHelp) Tool.

http://www.symantec.com/docs/TECH203683

How to troubleshoot FakeAV if it is not detected

http://www.symantec.com/docs/TECH157781

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
Voltron:

Hello, everyone:

I want to thank everyone for their valuable assistance. I plan to follow the strategies outlined above, along with a few others, geared toward this specific "infection." The KB articles pointed to in this posting have been valuable and will help me in this instance and, I am certain, will be helpful in the future. Once again, thank you, everyone.