
What Microsoft Security Essentials found that Endpoint missed?

Created: 05 Dec 2009 • Updated: 25 Jul 2010 | 5 comments

Yesterday a user brought in an infected machine running Windows XP SP2. So I pulled the drive and used Endpoint with the latest definitions downloaded to do a custom scan. It didn't find anything. So I ran the same drive through Microsoft's Security Essentials and found a number of infected files. Not complaining about Endpoint, because one file for AntivirusSystemPro did get caught when I ran the same scan today. Here's what Endpoint missed:

Name: Trojan:Win32/FakeSpypro

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
file:E:\Documents and Settings\Stacey\Local Settings\Application Data\hrfgap\pgjtsysguard.exe
file:E:\Documents and Settings\Stacey\Local Settings\Temp\5710.exe
--------------------------------------------------------------------------------------------------
Name:TrojanDownloader:Win32/Renos.JI

Category: Trojan Downloader

Description: This program displays deceptive product messages.

Recommendation: Remove this software immediately.

Items:
containerfile:E:\Documents and Settings\Stacey\Local Settings\Temp\c.exe
file:E:\Documents and Settings\Stacey\Local Settings\Temp\c.exe->(UPX)
--------------------------------------------------------------------------------------------------
Name:TrojanDownloader:Win32/Renos.KB

Category: Trojan Downloader

Description: This program displays deceptive product messages.

Recommendation: Remove this software immediately.

Items:
containerfile:E:\WINDOWS\system32\sshnas.dll
file:E:\WINDOWS\system32\sshnas.dll->(UPX)
---------------------------------------------------------------------------------------------------
Name:TrojanDownloader:Win32/Renos.JW

Category: Trojan Downloader

Description: This program displays deceptive product messages.

Recommendation: Remove this software immediately.

Items:
containerfile:E:\Documents and Settings\Stacey\Local Settings\Temp\b.exe
containerfile:E:\WINDOWS\msa.exe
file:E:\Documents and Settings\Stacey\Local Settings\Temp\b.exe->(UPX)
file:E:\WINDOWS\msa.exe->(UPX)
----------------------------------------------------------------------------------------------------
Name:TrojanDownloader:Win32/Renos.KA

Category: Trojan Downloader

Description: This program displays deceptive product messages.

Recommendation: Remove this software immediately.

Items:
file:E:\Documents and Settings\Stacey\Local Settings\Temp\a.exe
----------------------------------------------------------------------------------------------------
Name:Adware:Win32/GameVance

nly if you trust the program or the software publisher.

Items:
file:E:\Documents and Settings\Stacey\Desktop\SetupGamevance.exe
-----------------------------------------------------------------------------------------------------
Name:Program:Win32/PowerRegScheduler

Category: Potentially Unwanted Software

Description: This program has potentially unwanted behavior.

Recommendation: Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Items:
file:E:\Documents and Settings\Stacey\Start Menu\Programs\Startup\PowerReg Scheduler V3hose.ede.exe
------------------------------------------------------------------------------------------------------
I've never used this forum before, please advise if this isn't the place for this info/issue to be brought up. Thanks.
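The report above is a flat text dump, and the useful question for whoever gets the drive next is not the family names but which of those files sit in persistence locations and which are packed. The following is an added example, not code from the original post or from either vendor: it parses the MSE report format as pasted above (the `Name:`/`Category:`/`Items:` blocks separated by dash lines, with `containerfile:`/`file:` entries and the `->(UPX)` suffix marking a hit inside the unpacked layer), groups items per detection, ranks them by location, and hashes whatever is still on the mounted drive so the files can be submitted to the vendor. The location classes, their priority order, and the assumption that the pulled disk is mounted as E: are mine; the sample report is a constructed, trimmed copy of three of the seven entries.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the MSE report format pasted in the post above.
SAMPLE_REPORT = """\
Name: Trojan:Win32/FakeSpypro
Category: Trojan
Items:
file:E:\\Documents and Settings\\Stacey\\Local Settings\\Application Data\\hrfgap\\pgjtsysguard.exe
file:E:\\Documents and Settings\\Stacey\\Local Settings\\Temp\\5710.exe
--------------------------------------------------------------------------------------------------
Name:TrojanDownloader:Win32/Renos.KB
Category: Trojan Downloader
Items:
containerfile:E:\\WINDOWS\\system32\\sshnas.dll
file:E:\\WINDOWS\\system32\\sshnas.dll->(UPX)
--------------------------------------------------------------------------------------------------
Name:Program:Win32/PowerRegScheduler
Category: Potentially Unwanted Software
Items:
file:E:\\Documents and Settings\\Stacey\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3hose.ede.exe
"""

@dataclass
class Detection:
    name: str
    category: str
    paths: list = field(default_factory=list)    # unique on-disk paths
    packers: dict = field(default_factory=dict)  # path -> packer named in "->(...)"

# "file:" is the scanned object, "containerfile:" the archive or packed image it
# sits in; "->(UPX)" means the hit was inside the unpacked layer of that file.
ITEM_RE = re.compile(r"^(file|containerfile):(.+?)(?:->\((\w+)\))?$")

def parse_report(text):
    """Split the pasted MSE report into Detection records."""
    detections = []
    for block in re.split(r"^-{5,}[ \t]*$", text, flags=re.M):
        name = re.search(r"^Name:\s*(.+?)\s*$", block, re.M)
        if not name:
            continue
        cat = re.search(r"^Category:\s*(.+?)\s*$", block, re.M)
        det = Detection(name.group(1), cat.group(1) if cat else "")
        in_items = False
        for line in block.splitlines():
            if line.strip() == "Items:":
                in_items = True
                continue
            m = ITEM_RE.match(line.strip()) if in_items else None
            if not m:
                continue
            _kind, path, packer = m.groups()
            if path not in det.paths:
                det.paths.append(path)
            if packer:
                det.packers[path] = packer
        detections.append(det)
    return detections

# Assumed triage heuristic: the Startup folder and the Windows directory are
# persistence and masquerade locations, Temp and Local Settings\Application Data
# the usual drop zones. The drive letter is whatever the pulled disk was mounted as.
LOCATION_RULES = [
    ("startup-folder", re.compile(r"\\start menu\\programs\\startup\\", re.I)),
    ("system-dir", re.compile(r"^[a-z]:\\windows\\", re.I)),
    ("user-temp", re.compile(r"\\local settings\\temp\\", re.I)),
    ("user-appdata", re.compile(r"\\local settings\\application data\\", re.I)),
]
PRIORITY = {"startup-folder": 0, "system-dir": 1, "user-appdata": 2, "user-temp": 3, "other": 4}

def classify(path):
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"

def triage(detections):
    """One row per unique path; persistence locations and packed binaries first."""
    rows = [{"path": p, "name": d.name, "category": d.category,
             "location": classify(p), "packer": d.packers.get(p)}
            for d in detections for p in d.paths]
    rows.sort(key=lambda r: (PRIORITY[r["location"]], r["packer"] is None, r["path"]))
    return rows

def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file on the mounted drive, or None if it is no longer there."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    except OSError:
        return None
    return h.hexdigest()

if __name__ == "__main__":
    for r in triage(parse_report(SAMPLE_REPORT)):
        print(f"{r['location']:<15} {r['name']:<38} {r['path']} packer={r['packer']} sha256={sha256_of(r['path'])}")
```

Run it against the full pasted report instead of the sample and the Startup-folder entry and the UPX-packed `sshnas.dll` under `system32` come out on top, which is the order in which you would want to hash, submit and pull them. `sha256_of` returns `None` rather than raising when a file is gone, since by the time the report is read back the first engine may already have cleaned it, as the post says happened with one AntivirusSystemPro file.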


Acretian:

Can you upload the files to Symantec, so that if it is something which Endpoint did not detect they will come up with new defs?

Amilcar:

My PC is running on Windows Vista. Windows Defender is constantly detecting TrojanDownloader:Win32/Renos. I give the instruction to "remove", but it comes back all the time.
I have updated the definitions of Norton 360 and run a complete scan, but it does not detect it.

Any advice?

Regards

teiva-boy:

disable system restore
Scan in safemode


There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."

cspringstead989:

Norton I.S. said that Gamevance was safe, so I downloaded it, then I started getting pop-ups asking me to do surveys. With the first one Norton Insight said that I should remove the file, which I did. Still getting pop-ups! Tried to uninstall, wouldn't do it. Tried to manually remove the program, no go. Said that I didn't have permission to do it. I'm the only account on this computer so I should be able to do what I want with it. Finally Spybot S&D took care of it. You need to change Gamevance from safe to unsafe.