
System is infected with a trojan called SVcHost/fake

Created: 19 Apr 2012 • Updated: 11 Jun 2012 | 8 comments
This issue has been solved.

We have a critical system which has become totally unresponsive and Symantec will not open. We have run a 3rd party scanner tool in safe mode and it detects a virus called SVCHOST/fake but cannot properly clean it. I am aware that different providers sometimes use different names. I am looking for the process to remove it and the Symantec remove and repair tool to fix it.

When I search below I cannot see any repair tool which references this name, any ideas? This has become urgent.

http://www.symantec.com/security_response/removaltools.jsp

Comments (8)

Mithun Sanghavi:

Hello,

What version of SEP are you carrying?

Is that SAV 9.0?

If yes, SAV 9 is way outdated; your systems are not getting protection from modern threats using a product that old.

http://www.symantec.com/docs/TECH134713

http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=savce

https://www-secure.symantec.com/connect/forums/symantec-antivirus-sav-9x-and-symantec-client-security-scs-2x-end-definitions

There has been an Antivirus (AV) Engine Update posted 10 May 2010. Since this update, some legacy versions of SAV, namely 7.x, 8.x and 9.x are likely to be affected by the above symptoms. Due to the additional features added to the definition set, this would show an increase in size of the definition file. Because of this, it will affect old systems and some EOL products that may not work properly.

Migrate to the latest supported Symantec security product, currently Symantec AntiVirus (SAV) 10.1.x or Symantec Endpoint Protection (SEP) 11.0.x.

There are some useful tools that are provided by Symantec for help with finding those hard to detect threats.

1. The Power Eraser Tool eliminates deeply embedded and difficult to remove threats that traditional virus scanning doesn't always detect.

2. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.

3. The Load Point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common load points where threats can live.

Rapid Release Virus Definitions –

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

Power Eraser tool –

http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions –

http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

Support Tool with Power Eraser Tool included –

http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US

How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files –

http://www.symantec.com/business/support/index?page=content&id=TECH141402

If you are unable to remove the threat(s) from your systems, please submit the suspected files to Symantec or ThreatExpert for analysis. New signatures will be created and included in future definition sets for detection.

http://www.symantec.com/business/security_response/submitsamples.jsp

http://www.threatexpert.com/submit.aspx

Also, check this Thread:

https://www-secure.symantec.com/connect/forums/smart-hdd-virus-removal

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
TechJet2012:

Thanks. Yes, SAV 9.x; most of the other servers have been upgraded, this one was missed for some reason (maybe an issue with the uninstall). The AV engine cannot be uninstalled or upgraded at this point due to the virus, so we need to deal with this first. We will download and run the tools you suggested in the order you mention them. I assume they are standalone executables which need to be run in safe mode?

Do you know if SVcHost/fake goes by any other names within Symantec?

Mithun Sanghavi:

Hello,

It could be anything... as per the description you are providing, it could be W32.SillyFDC, or Trojan.FakeAV, or any of its variants.

However, the only way to find out is to Submit the Threat File to the Symantec Security Response Team.

Try these steps:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi

TechJet2012:

The production machine is currently disconnected from the network (it is a virtual server). Is there a way to run Power Eraser without it needing internet access?

Mithun Sanghavi:

Hello,

In that case, you may have to go with another tool, the Symantec Endpoint Recovery Tool (SERT); check this article:

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

http://www.symantec.com/docs/TECH131732

Hope that helps!!

Mithun Sanghavi

TechJet2012:

We have now managed to get an internet connection, but when we run Power Eraser it displays the following message, any ideas?

Unable to run a scan as the symantect reputation database is not available. The scan button will be disabled

Mithun Sanghavi:

Hello,

I would request you to re-run the Symantec Support Tool. To use Symantec Power Eraser, check the Symantec Power Eraser box when you run the Support Tool.

Again, understanding the Reputation Database: it is a repository of information that Symantec has about a large number of common files, and whether they are valid or malicious. For example, the Reputation Database has information on the file Notepad.exe, including the checksums for valid versions of the file. If Notepad.exe is called from a load point, Load Point Analysis submits information about the file on the computer, and the Reputation Database response indicates whether it is a valid version of the known file. This is the most useful and most heavily weighted criterion for determining the validity of a file.

The computer must have an internet connection in order to check the Reputation Database. If no internet connection is available, you can export a report and open it in the Support Tool on a different computer that has an internet connection in order to complete the Reputation Database check. Load Point Analysis cannot complete without completing the Reputation Database check.

VIDEO: https://www-secure.symantec.com/connect/videos/power-eraser-overview

Hope that helps!!

Mithun Sanghavi
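The load-point checksum check described in the post above, reconstructed as an added example (not Symantec's code): step one builds an exportable report on the isolated host with no network access, step two compares that report against a reputation table on a connected machine. The Run key entries, file contents and the reputation table are constructed placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Checksum of the file a load point points at."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_report(load_points: dict) -> list:
    """Step 1, no network needed: per load point record file name, path and hash
    (None when the target is missing, since a dangling load point is itself notable)."""
    report = []
    for point, target in load_points.items():
        p = Path(target)
        report.append({"load_point": point, "path": str(p), "name": p.name.lower(),
                       "sha256": sha256_of(p) if p.is_file() else None})
    return report

def check_report(report: list, reputation: dict) -> dict:
    """Step 2, can run on a connected machine: reputation maps lower-cased file
    name -> set of SHA-256 hashes of valid versions; returns load point -> verdict."""
    verdicts = {}
    for e in report:
        good = reputation.get(e["name"])
        if e["sha256"] is None:
            v = "missing"
        elif good is None:
            v = "unknown-file"   # nothing known about this name
        elif e["sha256"] in good:
            v = "valid"          # checksum of a known-good version
        else:
            v = "suspicious"     # known name, but not a valid version's checksum
        verdicts[e["load_point"]] = v
    return verdicts

def demo() -> dict:
    """Constructed scenario: genuine notepad.exe, a fake svchost.exe, a dangling entry."""
    d = Path(tempfile.mkdtemp())
    (d / "notepad.exe").write_bytes(b"constructed genuine notepad bytes")
    (d / "svchost.exe").write_bytes(b"constructed fake service host bytes")
    reputation = {"notepad.exe": {sha256_of(d / "notepad.exe")},
                  "svchost.exe": {hashlib.sha256(b"constructed genuine svchost bytes").hexdigest()}}
    run = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"  # constructed load points
    load_points = {run + "Editor": str(d / "notepad.exe"), run + "svchost": str(d / "svchost.exe"),
                   run + "Gone": str(d / "gone.exe")}
    (d / "report.json").write_text(json.dumps(build_report(load_points)))  # exportable report
    return check_report(json.loads((d / "report.json").read_text()), reputation)
```

The report file is what would travel to the connected machine; a "suspicious" verdict on a name like svchost.exe is the kind of load point the thread's tools are built to surface.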