
XP Antivirus 2008 2009

Created: 16 Oct 2008 • Updated: 21 May 2010 | 23 comments
bains1000's picture

Hi Guys

We are experiencing issues every day with the XP Antivirus 2008/2009 on computers currently running Endpoint MR2 and MR3.

Endpoint does not seem to be detecting the virus, and somehow the virus is disabling Proactive Threat Protection on a number of machines.

The only way we seem to be successfully removing the virus is using a program called Malwarebytes, which has successfully removed the issue on a number of computers.

We have spoken to Support, who weren't very helpful; they just claimed that if we have the latest virus definitions it should be detected. However, again today we have another customer with the same issue with the latest definitions. It worries me that a free piece of software online can detect and remove the virus yet your product doesn't!!

Why is Endpoint not detecting the virus?

Is anyone else experiencing this issue?

Thanks


StefanM's picture

What virus are you talking about?

Is the program that detects the virus Malwarebytes Anti-Malware? http://www.malwarebytes.org/

Detecting malware is a very complex task; different results from different programs are possible. What you have detected may be a virus/malware - but it also may not be one.

Did you do any research on the reported virus/malware?

bains1000's picture

We are definitely getting a virus of some description; below is a link with details of what we are experiencing:

http://www.bleepingcomputer.com/malware-removal/remove-xp-antivirus-2008-2009

Yes, we are using malwarebytes.org.

FernandoImperiale's picture

Hi bains1000,

I recommend the following document:

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948

Then try to submit a sample of the file detected by the other tools.

Title: 'How to Use the Web Submission Process'
Document ID: 2007090711312848
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2007090711312848?Open&seg=ent

Remember that new versions of threats and viruses only start being detected after definitions are created.

If a new version is submitted, definitions will be created.

Regards!

Fernando M. Imperiale

bains1000's picture

My concern is that Malwarebytes (the free version) as well as AVG are picking up the virus and removing it. These are both free tools; why are we supplying Symantec Endpoint when it doesn't seem to work?

I understand there are different variants of the virus, but we cannot have been the first to come across so many different variants, and if they haven't been detected, why is your competitors' software detecting and removing the threat?

Thank you

FernandoImperiale's picture


'What to do when a competitor's antivirus, adware scanner, or spyware scanner detects a threat that Symantec AntiVirus does not detect'

Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2001101708255048?Open&seg=ent

Fernando M. Imperiale

bains1000's picture

[Removed Link]

THIS LINK WILL TAKE YOU TO A SITE WITH VIRUS - BEWARE. Only click if you have protection; Endpoint seems to struggle.

Try that link above. I tried it on a machine last night with Symantec Endpoint MR3 (all components installed) with the latest definitions. Endpoint did pick up on the virus, but only after it installed. Now every time I reboot the machine I get joke.blusod and trojan.blusod; the Endpoint action states "pending analysis", and when I try to delete or quarantine it doesn't let me. I am currently in the process of running a full scan in safe mode.

I am concerned, as Endpoint was running fine on the machine. Should Endpoint stop the virus from getting onto the machine with Proactive Threat Protection and Auto-Protect?

Thanks.

Message Edited by bains1000 on 10-17-2008 04:22 AM
Link obfuscated for security reasons
Message Edited by Paul Murgatroyd on 10-17-2008 04:37 PM
Message Edited by OptimusPrime on 10-17-2008 11:48 AM
bains1000's picture

I ran a full scan in safe mode; it picked up a virus and deleted it. Now when I fire the machine up I get the following:

joke.blusod - Access Denied - blphcjg2j0ev1p.src
trojan.blusod - restart required - cleaned by deletion - phcjg2j0ev1p.bmp

Both files are located in c:\windows\system32. I have rebooted the machine several times and Endpoint does not seem to be able to remove the threat?

bains1000's picture

Hi

I gave up on Endpoint. I ran Malwarebytes, and here is a log of what was removed:

Memory Processes Infected:
C:\WINDOWS\system32\lphcjg2j0ev1p.exe (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcng2j0ev1p (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcng2j0ev1p (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcng2j0ev1p (Rogue.AntivirusXP2008) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcjg2j0ev1p (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\rhcng2j0ev1p (Rogue.Multiple) -> No action taken.

Files Infected:
C:\Program Files\rhcng2j0ev1p\database.dat (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcng2j0ev1p\license.txt (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcng2j0ev1p\MFC71.dll (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcng2j0ev1p\MFC71ENU.DLL (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcng2j0ev1p\msvcp71.dll (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcng2j0ev1p\msvcr71.dll (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcng2j0ev1p\rhcng2j0ev1p.exe.local (Rogue.Multiple) -> No action taken.
C:\Program Files\rhcng2j0ev1p\uninstall.exe (Rogue.Multiple) -> No action taken.

C:\Documents and Settings\Administrator\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\lphcjg2j0ev1p.exe (Trojan.FakeAlert) -> No action taken.

 

Could someone from Symantec please respond to this thread. I attended a seminar at the Symantec office in the UK in March this year; the lady opened up by admitting they had made some serious mistakes with Endpoint and they are working on them. We have a lot of customers using this product and right now I have NO confidence your software works!!

We were told at the seminar that once MR2 is released it will fix the issues with the product, and here we are running MR3 and the software does not work!! Why should we continue reselling and recommending your software, exposing ourselves, when I know full well that if the PC gets the XP Antivirus 2008/2009, Symantec will not stop this threat? Why?

Please do not respond with "submit your virus" or "check you have the latest definitions"; we have clearly checked these. I understand there are different variants of the virus, but Malwarebytes is picking these threats up. Your software should stop the threat from being downloaded and installed.

It saddens me to have to write an email like this, as we have been a Symantec Partner for years and have always championed your software.
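An incident responder working from a log like the one above wants the persistence entries and the rogue's install folder pulled out, not read by eye. The parser below is an added example, not Malwarebytes or Symantec code; `SAMPLE_LOG` is a constructed excerpt in the same format as the log quoted in this post, and the function names are ours.

```python
"""Parse a Malwarebytes scan log and pull out what gets triaged first:
Run-key persistence, the rogue's randomised install folder, and all
items grouped by detection name.  Added example; SAMPLE_LOG is a
constructed excerpt mirroring the format of the log quoted in the thread."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\lphcjg2j0ev1p.exe (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcng2j0ev1p (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcng2j0ev1p (Rogue.AntivirusXP2008) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcjg2j0ev1p (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.

Folders Infected:
C:\Program Files\rhcng2j0ev1p (Rogue.Multiple) -> No action taken.

Files Infected:
C:\Program Files\rhcng2j0ev1p\uninstall.exe (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\lphcjg2j0ev1p.exe (Trojan.FakeAlert) -> No action taken.
"""

# One log entry looks like: "<item> (<detection>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers look like: "Registry Values Infected:"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

def parse_log(text):
    """Return a list of dicts with keys section, item, detection, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries

def persistence_entries(entries):
    """Registry values under a ...\CurrentVersion\Run key: what relaunches the rogue at logon."""
    return [e["item"] for e in entries
            if e["section"] == "Registry Values Infected"
            and "\\CurrentVersion\\Run\\" in e["item"]]

def rogue_install_dirs(entries):
    """Folders flagged by the scanner: the rogue's own random-named directory."""
    return [e["item"] for e in entries if e["section"] == "Folders Infected"]

def by_detection(entries):
    """Group items by detection name so each family's footprint is visible at once."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["detection"]].append(e["item"])
    return dict(groups)

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("persistence:", persistence_entries(parsed))
    print("install dirs:", rogue_install_dirs(parsed))
    for name, items in by_detection(parsed).items():
        print(f"{name}: {len(items)} item(s)")
```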

 

skipdog's picture

It is quite sad that their product cannot remove this and the single software author of Malwarebytes is able to detect and remove ALL VARIANTS of this infection.

There is another GIANT thread on this forum regarding this infection, and Symantec tries to say about anything to cover up the fact that one lone software author does a better job of finding and removing this infection than Symantec's ENTIRE staff. We cannot fathom recommending Endpoint to any of our other customers. Symantec will say all kinds of "but it's hard!!!!" nonstop, but it doesn't change the fact that they cannot seem to figure out how to discover new variants of this infection in the wild while a SINGLE PERSON who writes Malwarebytes is able to do this task.

What bothers me so much about this particular infection is that it is CLEARLY the most widespread infection of its kind to come out in the last year (well, maybe ever, as far as I can remember). I cannot understand how anybody can explain that our repair shop has been FLOODED with these PCs and all of the libraries/hospitals that we do service for have the same problems. One single software author can stop this whole headache but Symantec's ARMY of technicians cannot. It is not easy to tell customers who have spent THOUSANDS of dollars on protection that the protection completely failed and a free product does the job better. Customers are not happy when they have to pay for labor to remove something that they already spent so much money on to prevent from happening.

There is no excuse, and the excuses that I HAVE heard from Symantec have been quite pathetic. Yes, you guys ARE CAPABLE OF GOING OUT AND FINDING THESE INFECTIONS!! ONE LONE SOFTWARE AUTHOR CAN DO IT!!

Anyways, good luck. Malwarebytes works great. Without it, I could not even fathom how many ADDITIONAL hours of labor would have been lost.

bucrepus's picture

This threat has also kicked my backside with Endpoint Protection. I had it infect 9 computers at 3 different remote sites across the US. I have to agree about AVG; it caught it on my home computer BEFORE it caused any damage. This threat has been out quite a while; XP Antivirus 2009 appears to even be an upgrade of the old threat. On 2 machines, the newer variant created a symantecAV.exe file and wrote it to startup in the registry under the windows/currentversion/run key. This threat should have been stopped long ago by the Endpoint product. I just upgraded about a hundred machines to Endpoint 11 from Corp v9, because it was having trouble catching the newer type of threats. Why does the Symantec site show this threat, but Endpoint can't trap it (or traps it too late)? This threat was listed on Symantec's site with a Symantec Security Response in July of this year. There is little excuse for Endpoint not handling this threat properly. I had to wind up reinstalling 3 of the machines before I learned about the Malwarebytes program, which removed it from the others.

BUC

bains1000's picture

Dear Symantec

 

I am disappointed you have not commented any further on this thread. Are you ignoring us? It looks like there are a number of users who have purchased your product, quite rightly expecting it to STOP viruses and spyware. WHY IS IT NOT WORKING?

Please have the decency to reply to this thread; this issue will NOT go away if you ignore it. If we do not get a response we will require a full refund of all our licenses so we can purchase a product that works!!

Thank you.

Matt Pierce's picture

Today celebrates my 13th rebuild in 2 weeks due to smitfraud infections.  All but 2 clients had SEP 11 MR3 with PTP.

Philip's picture

I'm actually concerned that this fake AV infection is not captured by a Symantec competitor's commercial product as well...

I guess we can't advise customers to use free products :)

Message Edited by Philip on 10-22-2008 07:45 AM
RDFTS's picture

I can't agree with this thread more. As a consultant, I have been suggesting and implementing Symantec's business antivirus since 1997 with NT. I mostly work with SAV 10 and am getting more and more onto SEP since MR3 came out. I too am struggling with users getting Antivirus 2009 and stuff like this, and they aren't even local administrators. I am really surprised that Symantec can't stop this when they have known about it since July 2008. And then to top it off, when you call for support, you are talking to folks in India that you can't even understand. My clients have paid thousands and thousands of dollars for a program that doesn't even work anymore. And I am stupid enough to keep renewing, year after year.

After over 10 years, I am going to start looking elsewhere for a better product with better support. I hate doing this, but a competitor didn't make me switch; it was Symantec themselves that is going to make me switch. Such a shame.

And it doesn't surprise me that Symantec isn't responding to this thread. They simply do not care anymore... or should I say the folks in India don't. Shoot, why did Symantec outsource to India anyway? For the cheap labor, of course. Guess if I only made a dollar a day, I wouldn't care either....

bains1000's picture

Due to Symantec's lack of concern with this issue, we are looking at moving all of our customers.

 

RDFTS's picture

One thing that I have done to fight this scareware or Smitfraud, whatever you want to call it, is to block EXE extension downloads for the majority of my clients. I mainly use ISA and can do this very easily, and then just have the IT Dept / Sys Admin be able to download EXE files (hopefully they know what they are doing). It seems that for Antivirus 2009, it tries to download a file called A9Installer_(random number/char).exe.

I am not switching clients until their renewal is due.

Anybody got anything good to say about VIPRE for the Enterprise?

cruelsister's picture

Please don't waste your time with Sunbelt Vipre. As no credible testing site has yet put it through its paces, I tested it against my own malware collection after it was released (about 500K samples, all 24 months old or newer). I found the detection rate to be very poor at about 65% (with Symantec at a touch over 98%).

If you have to switch to something else, go with either Avast or Avira Enterprise. Vipre is junk.

jeffwichman's picture

I would like to comment on this thread. I am not a Symantec employee but rather a happy customer. If you are having problems with support then you should be escalating your case. From my understanding you can always request a state-side tech support rep when you begin a support call.

Whenever I have difficulties with support I contact my Sales Rep or Sales Engineer, who depend on me renewing my contract each year. They will push to get you the answers you need. These forums are not the place to complain/whine about support issues. The forums are for customers helping other customers. I wish I had a sure-fire fix for everyone, but I do not. What we have done was to create a Custom IDS policy with some of the emergingthreats.net content to detect and block some of these harder-to-block attacks.

One thing you might want to try if you're not happy with the detection rate of PTP is to change it from the Symantec default setting for trojans. We have increased it without many complaints in our environment to just over halfway.

Thomas R's picture

We also had a client on our network show up with XP Antispyware 2009 that was undetected by SEP 11 MR2. (After discovering the malware on this client we upgraded all the computers to MR3.)

The extent to which XP Antispyware trashed the client was severe. It's interesting to me that some threats are called viruses and some are called malware. It's all virus to me, and it simply means outside forces are trashing the computers and have secret access to them.

We phoned SEP support and reached an overseas technician. We informed him that SEP no longer had a green dot and that the status of Antivirus and Antispyware as well as Proactive Threat Protection had been turned off and could not be turned back on. After checking into the matter, the tech indicated the malware had broken SEP and the computer needed additional work to clean it. The tech then used WebEx and provided a program called Norton Security Scan. Before hanging up, he told us to run the program and it would fix the problem. When we attempted to run Norton Security Scan on the compromised client, it attempted to update its content by contacting a Symantec server, but was apparently blocked by XP Antispyware and prevented from running.

We phoned SEP support again and reached a stateside technician. He indicated that the previous support technician hadn't followed protocol in assisting us and should not have sent the Norton Security Scan program to us. He then requested we boot to safe mode and run an SEP scan. When we tried to start the client in safe mode, XP Antispyware prevented logging into Windows, so we couldn't boot the computer in safe mode. At that point the support technician stated that our computer was compromised to the point that the hard drive would need to be reformatted, and our case was closed.

With nothing to fear at that point, we downloaded and installed Malwarebytes. It located and cleaned the virus, according to the information it provided. SEP then returned to normal operation and the green light returned. We then ran the Norton Security Scan program that was provided by the first support rep, and this time it phoned home okay, updated itself and then ran. It detected more stuff and indicated that it had cleaned some more. We then ran a full scan with SEP and it quarantined more files.

Since then it seems that this client is being targeted and is the subject of threats, etc., and the logs show this client is quarantining files fairly regularly, while no other clients are the target of attacks. It appears that the infected client is being managed okay, but with occasional quarantining of files. Frankly, I was surprised that this client became compromised, because it has had NAV/SEP installed for several years. We monitor SEPM each day, we have notifications set up, and we watch the network more closely now due to this intrusion. I wanted to share the story for the benefit of Symantec and the other users here. We have been using the security software for a long time; it's generally provided good security and we haven't had any problems in all the years we've had it running. In this instance, however, the attack caused a disruption in the company that took a great deal of time to deal with. -Tom

RDFTS's picture

Dispater,

It is nice to know that someone is very satisfied with SEP. I can't believe that a company as large as Symantec would put out such a shoddy product when security protection is so important nowadays, so perhaps it is us who need to understand it better instead of complaining. I do not want to switch, I honestly do not, but I need to do what is best for my clients (and myself).

You mentioned that these forums are not for complaining but to help others; fair enough, I agree. So can you give us more detail on how you created these custom IDS policies and default settings so we can all learn from what you know?

That would be extremely helpful and make believers out of all of us!

bucrepus's picture

I don't usually make comments such as these, but what kind of statement is "If you are having problems with support then you should be escalating your case."? Why should 'I' escalate the case? I call support. It's not my responsibility to fix the issue; it is Symantec's. If I pay $$$ for their product, I expect (maybe I should not) some sort of professional support, not to have to continually ask for it. I think Symantec should fix the issue, period. I appreciate your proposed solution; maybe you should contact Symantec and propose it. I do not have a problem so much with a new attack; I do have a problem with a threat that has been known to Symantec for MONTHS still getting through with no problems and destroying machines, even with the latest updates. Reinstalling the OS, or some cleanwipe registry program that wipes other programs followed by a reinstall of Endpoint Protection, is not a professional solution. This is not a decent solution just because support can't figure out how it's getting through. Stating things that have happened to your organization because of a software package is not 'whining'. BUC

jeffwichman's picture

I agree that the solution should stop the malware you are encountering. I am not implying that you should continue to hound Symantec for support to fix the issue... what I am saying is that if you are unhappy with the outcome/resolution support offers, it is up to you to escalate the issue. For example, if a first-level support engineer doesn't address the issue and lets you go, how will Symantec ever know the customer is not happy? I run things past the first-level support engineers to get my cases created... within one week (depending upon how critical the issue is) I call my Sales Rep/Tech and have them get me a level 2 or 3 engineer who has direct contact with the coders creating fixes.

I highly doubt you will find one antivirus solution to address every threat/variant that exists.

I will also provide the detail from the Custom IDS signature to detect these threats, copied from EmergingThreats.net, in a little while... once I get to my next break.

jeffwichman's picture

Here's the Custom IDS signature I put together using the rules over at EmergingThreats.net. If you're not sure about creating custom IDS signatures, I suggest starting with the basics to get an understanding of the signatures.

Open the Policies section, Intrusion Prevention Policies. Click "Add Custom Intrusion Prevention Policy" under Tasks. Under the Signatures section click Add and give the Signature Group a name that makes sense. Click the Add button under "Signatures for this Group". At this point click the HELP button and print out each of the related IPS signature creation pages. You will want to reference these multiple times.

1. Give your Signature a Name: ET AntiSpyware 2008
2. Provide a Description
3. Set the direction to incoming
4. Under Content paste the following:

rule tcp, dest(80), msg="ET TROJAN XPantivirus2008 Download", content="XPantivirus20\d{2}_v\d{6}\.exe/Ui", content="XPantivirus20"

5. Capture the packet log and LET IT SET TO ALLOW until you've TESTED!!!!

Click OK.

Same steps for a secondary rule.

1. ET Antispyware 2009
2. same
3. same
4. rule tcp, dest(80), msg="ET TROJAN XPantivirus2009 Download", content="A9Installer_[a-zA-Z0-9]\.exe"
5. Capture the packet log and LET IT SET TO ALLOW until you've TESTED!!!!

Use these rules at your own risk. These rules may or may not work. We use very strict web filtering for our environment, so users rarely ever see web-borne threats. If you know of a site hosting this malware, send me a PM with the URL for me to test.

I will post additional items later this weekend on blocking the XP Antivirus 2009 malware. I have no samples, however, so results may vary.

Cheers
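The advice to leave the signatures on ALLOW until tested can be rehearsed offline before touching the policy. The script below is an added example, not SEP's engine or the EmergingThreats rule set: it treats the two `content` patterns as PCRE-style regexes and reads the `/Ui` suffix as case-insensitive matching (both assumptions about SEP's content syntax), runs them over constructed request lines, and also shows a broadened second pattern, since the posted character class has no quantifier and so matches only one character after the underscore.

```python
"""Dry-run the two custom IPS content patterns against constructed HTTP
request lines.  Added example; treating the patterns as PCRE-style regexes
and "/Ui" as case-insensitive are assumptions about SEP's content syntax."""
import re

# Content patterns exactly as posted; the "/Ui" modifier becomes a flag.
RULES = [
    ("ET TROJAN XPantivirus2008 Download", r"XPantivirus20\d{2}_v\d{6}\.exe", re.IGNORECASE),
    ("ET TROJAN XPantivirus2009 Download", r"A9Installer_[a-zA-Z0-9]\.exe", 0),
]

# Broadened second pattern: [a-zA-Z0-9] without a quantifier matches exactly
# one character, but the thread reports a "random number/char" suffix.
# This generalisation is ours, not the poster's; test it the same way.
RULES_BROADENED = RULES[:1] + [
    ("ET TROJAN XPantivirus2009 Download (broadened)", r"A9Installer_[a-zA-Z0-9]+\.exe", 0),
]

# Constructed request lines of the kind a proxy or packet log would show.
SAMPLE_REQUESTS = [
    "GET /download/XPantivirus2008_v880217.exe HTTP/1.1",
    "GET /dl/xpantivirus2009_v123456.EXE HTTP/1.1",
    "GET /get/A9Installer_7.exe HTTP/1.1",
    "GET /get/A9Installer_h7Qz91.exe HTTP/1.1",
    "GET /updates/definitions_v123456.exe HTTP/1.1",
]

def compile_rules(rules):
    """Compile (msg, pattern, flags) triples once."""
    return [(msg, re.compile(pat, flags)) for msg, pat, flags in rules]

def match_requests(requests, rules):
    """Return {request line: [rule messages that fired]} for every line."""
    compiled = compile_rules(rules)
    return {req: [msg for msg, rx in compiled if rx.search(req)] for req in requests}

def fired_count(requests, rules):
    """How many request lines trip at least one rule."""
    return sum(1 for fired in match_requests(requests, rules).values() if fired)

if __name__ == "__main__":
    for label, rules in (("as posted", RULES), ("broadened", RULES_BROADENED)):
        print(f"--- {label}: {fired_count(SAMPLE_REQUESTS, rules)} of {len(SAMPLE_REQUESTS)} lines fire")
        for req, fired in match_requests(SAMPLE_REQUESTS, rules).items():
            print(f"{'HIT ' if fired else 'pass'} {req}  {fired}")
```

The request with the multi-character suffix passes the posted pattern and fires only the broadened one, which is exactly the kind of gap the packet log would reveal while the rule is still set to allow.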