
Trojan.FakeAV!gen24

Created: 18 Mar 2010 | 16 comments
GlobeTrekker
Hi,

I keep getting the above Risk on the Auto-Protect, but when I do the Full Scan (after disabling System Restore), it always turned up nothing, guess it must be hiding under some temporary name.  I also cannot locate any FileName mentioned in the Auto-Protect.

I have attached 4 JPEG screen shots.

What should I do?


Much thanks
GlobeTrekker

Comments

Mick2009, 18 Mar 2010

Hi Globetrekker,

Looks like the detections are in Windows' temporary locations.  I recommend booting into safe mode and running a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc.  Perform a full system scan in safe mode, too.  Hopefully that will do the trick, as in safe mode Windows just loads a bare-bones version of itself, usually without any threats being loaded. 

Here's a good article that may help:  What Does "Risk was partially removed" Mean?  Generally these results happen when Windows has been "tricked" into protecting a malicious process.  A scan in safe mode is usually successful.

You may also wish to set some harmless program, like notepad.exe, to be the default for Windows to use to open .qef and .qsp files.  (that's the extension of the Trojan Horse that is being detected.)  If the threat does evade Symantec's attempts to stop / delete it, it might then be tricked itself into doing something harmless.

Final piece of advice: the screenshots show that you are using SAV, but what version?  Once this threat has been successfully deleted, I strongly encourage you to upgrade to SAV 10.1 MR8 or MR9, if you are running anything less recent. 

Let the forum know of your progress, if time allows!

Thanks and best regards,

Mick

With thanks and best regards,

Mick

GlobeTrekker, 21 Mar 2010

Thank you Mick for your assistance,

I have done what you suggested but it is still lurking around.

I cleaned up my temporary files, associated .QEF and .QSP files with Calculator and Paint Brush respectively, restarted in safe mode and did a full scan. I then restarted my laptop and just opened one web page pointing to www.google.com, and almost every 10 minutes Auto-Protect catches one or two attempts.

And I think my SAV is already 10.1 MR 8.

Please refer to Scan History, version, Auto Protect, File Association.

What does this virus do anyway? I read on some forum that it "steals credit card details and login password" etc. Is this true?
If Auto-Protect caught it, does it mean that it is not sending anything out from my laptop?

What should I do next?

For your further advice, regards
LT

Attachments: SV_Version.jpg, Symantec_AntiVirus_Scan_Histories_20100321.jpg, Auto_Protect_Results_20100321.jpg, File_Association_QEF_QSP_20100321.jpg
snekul, 21 Mar 2010

My hunch would be that something that is currently undetected is constantly placing files in the temp directory.  I'd try using the latest rapid release definitions and doing a full scan.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

Mick2009, 22 Mar 2010

I Agree with Snekul / Advice

Hi LT,

If the AP detections constantly re-occur, and the files have new names each time, then it is probable that something currently undetected is re-creating them.  Here's the first document to read: Best practices for responding to active threats on a network

It might be best, at this point, to contact Symantec Technical Support for assistance in locating that undetected threat.  (Of course, if you are familiar with the Sysinternals tool Process Monitor, you may be able to determine what process is creating them yourself.)

The first thing they will likely ask you to do is run a diagnostic which will examine the computer's load points.  Though you have SAV installed (and a decent version of SAV, too) the SEP Support Tool will run and help to find suspicious files.  These can then be submitted to Security Response.  Symantec will examine the suspicious files and develop new signatures against them, if necessary.

Feel free to download and run that tool yourself, if you like, and see if it highlights any suspicious files.  If not, give Tech Support a call.  One way or another, let's get to the bottom of this outbreak.

Please do let the forum know of your progress!

Thanks and best regards,

Mick

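The advice above is to find out which process keeps re-creating the temporary files. The following PowerShell script is an added triage aid, not something from the thread or a Symantec tool: it watches the user's %TEMP% folder and, for each newly created file, logs its SHA-256 together with the processes that started in the preceding seconds, which is often enough to point at the dropper when Process Monitor is not available. The log path and the 15-second lookback window are assumptions; it needs Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added triage aid (not from the thread): log every file created under %TEMP%
# together with its SHA-256 and the processes that started shortly before it
# appeared, so recurring drops like the .qef/.qsp files can be tied to a
# candidate parent process. Assumes Windows PowerShell 4.0+; the log location
# and lookback window below are arbitrary choices. Stop with Ctrl+C.
$watchPath = $env:TEMP
$context = @{
    LogFile  = Join-Path $env:USERPROFILE 'temp-drop-log.txt'  # assumed location
    Lookback = 15                                             # seconds of process-start history
}

$watcher = New-Object System.IO.FileSystemWatcher $watchPath
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents   = $true

$onCreated = {
    $path = $Event.SourceEventArgs.FullPath
    $now  = Get-Date
    $cfg  = $Event.MessageData
    Start-Sleep -Milliseconds 500    # let the writer finish so the hash is stable
    $hash = 'unreadable'             # directories and locked files end up here
    try { $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction Stop).Hash } catch { }
    # Processes that started inside the lookback window are the first suspects.
    $recent = Get-Process | ForEach-Object {
        $start = $null
        try { $start = $_.StartTime } catch { }   # protected processes deny access
        if ($start -and ($now - $start).TotalSeconds -le $cfg.Lookback) {
            '{0} (pid {1}) {2}' -f $_.ProcessName, $_.Id, $_.Path
        }
    }
    $line = '{0:u} CREATED {1} sha256={2} recent_procs=[{3}]' -f $now, $path, $hash, ($recent -join '; ')
    Add-Content -Path $cfg.LogFile -Value $line
    Write-Host $line
}

Register-ObjectEvent -InputObject $watcher -EventName Created -Action $onCreated `
    -MessageData $context -SourceIdentifier 'TempDropWatch' | Out-Null
Write-Host "Watching $watchPath; log at $($context.LogFile). Press Ctrl+C to stop."
try     { while ($true) { Wait-Event -Timeout 1 | Out-Null } }
finally {
    $watcher.EnableRaisingEvents = $false
    Unregister-Event -SourceIdentifier 'TempDropWatch'
    $watcher.Dispose()
}
```

The logged hash lets you submit the exact sample later, and the process list narrows down what to look at in Process Monitor or the load-point diagnostic.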

Brickman, 27 Mar 2010

Trojan.FakeAV!gen24

Antivirus scan detected Trojan.FakeAV!gen24 - followed removal instructions to update virus definitions, turned off system restore, booted in safe mode (both with and without networking), and each time the scan detected the virus - tried to repair, but no luck; tried to quarantine but no luck, and tried to remove, but no luck.  Have repeated this process several times.

Any one have any thoughts on what to do?

Bob

Frosty, 28 Mar 2010

Maybe try Malwarebytes or HitmanPro ... I've had reasonable success with those in the past in removing threats from PCs.

Grant_Hall, 28 Mar 2010

You should submit the files to Symantec so we can make an anti-virus definition specifically for your strain of the virus. Check the guide below for instructions:

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/73537d3ec91e9d3288256a220027acf0?OpenDocument

Thanks
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

Mick2009, 28 Mar 2010

In the rare cases where even a full system scan in safe mode does not have permissions to delete a malicious file, there are procedures and tools that Symantec Technical Support can recommend which will remove the threats.  For those, though, it is best to contact Support rather than the volunteer community forum.

Thanks and best regards,

Mick


Mick2009, 31 Mar 2010

New FakeAV Blog Post

Just a quick link for a new Security Response blog post: Back to Basics with Fake AV

Might be of interest.  Symantec is continuing to add protection against new variants that are submitted and is monitoring the trends.  More articles will be posted in the future. 

Thanks and best regards,

Mick


timquinnsr, 24 Jun 2010

Trojan.Fake.AV virus

We have found that if the computer is infected with the Trojan.Fake.AV!GenXX and none of the above tricks work, try this:

1.  Shut computer down and unplug
2.  Open the case and remove the hard disk drive
3.  Slave the hard disk drive in another computer (WARNING - make sure you have your anti-virus on the second computer completely up to date.  I gave this information to someone else and the anti-virus in his second computer was months out of date!  Yup...)
4.  Scan the infected drive with MalwareBytes (fully updated).  Symantec will also scan the files MalwareBytes scans since MalwareBytes opens each file to scan it.

This has worked for us 98% of the time.  We have never had a virus infect the second computer (yet), and have been doing this for over a year now.  We have several hundred computers with users from all walks of life and intelligence and we have infected computers on a regular basis (NOTE TO SYMANTEC - even though Symantec Endpoint Protection is running on all computers).

Good Luck

Tim

Thomas K, 24 Jun 2010

As a last resort try the Norton Power Eraser tool.

The Norton Power Eraser uses aggressive methods to detect threats; there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

http://security.symantec.com/nbrt/npe.asp?lcid=103...

Mick2009, 25 Jun 2010

Info on FakeAV

Fake AV / misleading app / smitfraud / scareware / rogueware is an area that Symantec is very actively investigating.  In October 2009, a white paper was made public on the topic. The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs and how they affect users. The report includes an overview of these programs, how they work, their risk implications, various distribution methods and innovative attack vectors.

To learn more, please download and read the report or listen to the podcasts on the subject. http://www.symantec.com/business/theme.jsp?themeid=threatreport or  http://www4.symantec.com/Vrt/wl?tu_id=XuOB125692283892572210

You may also find some excellent info on FakeAV in these forum threads:

https://www-secure.symantec.com/connect/forums/sep-and-fakeav
https://www-secure.symantec.com/connect/forums/fakeav-webcast-app-and-device-control-examples

https://www-secure.symantec.com/connect/forums/question-fakeav-and-proactive-threat-protection

Hope this helps! Please do keep the forum up-to-date with your progress.

Thanks and best regards,

Mick


Richard Gurley, 30 Nov 2010

Can't Catch the Fake

I still haven't figured out why Symantec just cannot catch the fake AV.  I mean Malwarebytes and the others catch and get rid of it, whereas Symantec may quarantine it but doesn't get rid of it. And 90% of the time it is in their list of known infections.  Is there any type of help for this?

Thomas K, 30 Nov 2010

Are you running the SEP with the recommended security settings? Richard, next time please start a new thread for your issue.


Security Response recommends the following Scan Settings


Antivirus Security Setting                   | Default Setting   | High Security Policy | Security Response Recommendation
Lock settings                                | Some              | Some                 | All
Remediation: terminate processes             | No                | No                   | Yes
Remediation: terminate services              | No                | No                   | Yes
Auto-Protect action taken for security risks | Quarantine/Log    | Quarantine/Log       | Quarantine/Delete
Network Auto-Protect                         | Disabled          | Enabled              | Enabled
Bloodhound Level                             | Default (2)       | Default (2)          | Default (3)
SEP Startup                                  | System Start      | System Start         | System Start
Auto-Protect Scan                            | Modify and access | Modify and access    | Modify and access

Security Response recommends the following setting changes to Truscan for best protection


Truscan             | Default Setting | Security Response Recommendation
Scan Sensitivity    | 9/Low           | 100
Action on Detection | Log             | Terminate
Scan Frequency      | 1:00            | 00:15

http://www.symantec.com/business/support/index?pag...


Also see our "Security Best Practices"  - http://www.symantec.com/business/theme.jsp?themeid...

Brian81, 30 Nov 2010

Yes, an application and device control policy will stop this.

MackSRQ, 25 Apr 2011

MalwareBytes

I have had Trojan.FakeAV all over my organization and the only thing that gets rid of it completely is Malwarebytes.

Symantec has been detecting it but not removing it completely.

SEP 11.6100.645