Endpoint Protection


Trojan.FakeAV - Deleted but it took the internet connection with it.

  • 1.  Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Feb 05, 2010 09:18 AM
    I am the IT person for a small city and I have cleaned quite a few viruses off of our systems over the years but I just cannot think of the solution to this problem.  So... I need help.

    One of my users had the Trojan.FakeAV on her computer so I checked the registry and deleted three references to it.

    After that, Endpoint Protection popped up, scanned the system, found "Trojan.FakeAV" and deleted it.

    Now, this user's system refuses to connect to the internet.  At first, she could connect to anything that started with "https://" but that has since gone away as well.
    I have checked several settings and I cannot find anything that helps.

    Does anyone out there have a clue?  Please help. My user really needs her computer back and I do NOT want to reinstall her system from scratch.

    Thanks,


  • 2.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Feb 05, 2010 09:29 AM
    Are you able to connect to anything other than https://?
    Can you check your hosts file? It might have modified it. Let us know if you see any malicious entry.


  • 3.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Feb 05, 2010 09:35 AM
    Also, check to see if it hardcoded the IP address, or check the setting in IE for a proxy server.


  • 4.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Feb 05, 2010 09:43 AM

    Have you tried browsing through some other browser?

    Have you checked the network properties?

    Is the NIC card able to fetch any IP address?

    Do you get any APIPA IP address such as 169.x.x.x?

    Check whether the NIC drivers are installed; if required, reinstall them.

    Are you able to ping 127.0.0.1?

    Check the Connection options under Internet Explorer >> Options.

    Check for any proxy settings.

    Try reinstalling Internet Explorer from Add/Remove Features.


  • 5.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Feb 05, 2010 11:12 AM
    Another thing which can "break" Internet access is if the virus/malware injected Layered Service Providers into your TCP/IP stack.  Tools like MalwareBytes and HiJackThis can detect and remove these, and there is a tool I've used in the past called "LSPFix" that could also do it.  It's been a while though, so YMMV.  But I would go for MalwareBytes as a first step.
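The checks suggested in replies 2 through 5 (hosts file, IE proxy, APIPA address, loopback ping, Winsock LSPs) can be gathered in one pass. The script below is an added example written for this thread; it is not from any of the posters or from Symantec, and it only reads state, it changes nothing. It assumes a standard Windows install (the usual hosts-file path and WinINet registry keys) and that it runs in an elevated PowerShell prompt; the "suspicious" heuristics in the comments are assumptions for triage, not a verdict.

```powershell
# Added example (not from the thread): read-only triage of the settings the
# replies above name. Run in an elevated PowerShell prompt on the affected PC.
# Paths and registry keys are the standard Windows ones; flags are heuristics.

$report = [ordered]@{}

# 1. Hosts file: report every line that is not a comment or the default
#    localhost mapping. Anything else here was put there by someone/something.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
$report['HostsFileEntries'] = @($hostsEntries)

# 2. IE / WinINet proxy settings ("Connection options" in the thread).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
$report['ProxyEnable']   = $p.ProxyEnable
$report['ProxyServer']   = $p.ProxyServer
$report['AutoConfigURL'] = $p.AutoConfigURL
# A proxy aimed at the local machine is the FakeAV symptom reply 8 describes:
# once the malware's local proxy process is gone, every request dead-ends.
$report['ProxyToLocalhost'] = [bool]($p.ProxyServer -match '127\.0\.0\.1|localhost')

# 3. IP configuration via WMI (works on older PowerShell versions too).
#    A 169.254.x.x address means DHCP never answered, i.e. a link/driver issue,
#    not a browser-level one.
$cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
$ips  = @($cfgs | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.' })
$report['IPv4Addresses'] = $ips
$report['HasAPIPA']      = [bool]($ips | Where-Object { $_ -like '169.254.*' })

# 4. Loopback reachability: if this fails, the TCP/IP stack itself is damaged.
$report['LoopbackPing'] = Test-Connection -ComputerName 127.0.0.1 -Count 1 -Quiet

# 5. Winsock catalog: the Layered Service Providers reply 5 mentions live here.
#    Descriptions from vendors other than Microsoft deserve a closer look.
$catalog = netsh winsock show catalog
$report['WinsockProviders'] = @($catalog |
    Where-Object { $_ -match '^\s*Description:' } |
    ForEach-Object { ($_ -split ':', 2)[1].Trim() } |
    Sort-Object -Unique)

$report
```

Read the output top to bottom: hosts entries and a localhost proxy are fixed by editing the file and unchecking the proxy (or deleting ProxyServer and setting ProxyEnable to 0); an APIPA address points at the NIC/driver; an unfamiliar Winsock provider is the LSP case, where the LSP-Fix tool linked in the thread or the built-in `netsh winsock reset` (followed by a reboot) rebuilds the catalog.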


  • 6.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.
    Best Answer

    Posted Feb 05, 2010 11:18 AM
     Run this tool to fix your problem
    https://www-secure.symantec.com/connect/downloads/lsp-fix


  • 7.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Feb 05, 2010 11:26 AM
    I have to be the guy that always says this, but in my opinion you're best off reformatting a system that A/V software cannot easily clean.  I say this for a few reasons:

    1) Can you really verify the malware didn't do anything else to the system?
    2) Are you sure there wasn't another backdoor left in place by the malware or somebody who may have connected via it?
    3) Personal accountability/liability

    For the last point, do you really want to risk being targeted should something else go wrong with the machine that leads to a compromise of protected data?  If you did everything possible to clean up the machine, then you've removed your risk from that aspect of the process.


  • 8.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Feb 05, 2010 11:53 AM
    Certainly check the proxy setting in IE before you reformat the system.  In the past, I've found FakeAV will set up a proxy to the localhost as mentioned above.


  • 9.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Feb 05, 2010 02:54 PM
    Thanks, I will check out these suggestions as soon as possible.

    Thanks a bunch.

    BTW, I have a civil engineer that keeps harping on me to change my AV software to AVG.  Now, I have heard of it and I guess that it's okay, but Endpoint Protection has protected my network for many years and the only time that my users get infected is when they go to sites that are not work related.  We will be writing policy to handle this but I was wondering if anyone has had first-hand experience with AVG and could let me know why Symantec is better so that I can explain it to this engineer.

    Thanks again!


  • 10.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.



  • 11.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Feb 05, 2010 03:20 PM
    No AV is 100%. SEP catches things that AVG does not and vice versa. If users would stop visiting "garbage" sites, the issue would be a lot smaller. Everyone wants to blame the AV software when something isn't caught and they say it doesn't work, etc., but you also need other layers in place as well, not to mention educating the users. Ask your engineer next time they get infected to see what they were doing. Of course they will say "nothing, reading CNN" but that is not true. I see this time and time again and go and check the logs to see that they were lying and likely embarrassed by what they were looking at.

    And AVG is average compared to SEP...just an fyi



  • 12.  RE: Trojan.FakeAV - Deleted but it took the internet connection with it.

    Posted Apr 17, 2010 01:25 PM
    I understand that AVG has posted some good test results in the LAB environment; however, I have noted that many of my clients (requiring support for infected computers) were under the protection of AVG.  I like AVG because it is good for business.  I would never use it on my own equipment.

    Endpoint performs well also.  The issues I see with endpoint are more closely related to serious compatibility issues that occur after an endpoint update.  I have experienced few "failure to protect" issues with my Endpoint clients.  I have also noted very poor quality from their tech support staff. 

    I recently changed one of my clients to Vipre by Sunbelt Software.  Early indications are very good.  During deployment, I needed to call support on three occasions.  All of these calls were answered by a native English-speaking support tech in Florida.  Two of the three calls were answered within 5 minutes; the other took approximately 10 - 15 minutes. The fact that it is a US-based company with FREE tech support scores them bonus points.

    Good (malware) hunting