From: AndyHancock on 7 Apr 2010 18:04

I picked up the (seemingly new) "Antivirus Suite" malware,
http://www.spywareremove.com/removeAntivirusSuite.html. Every time I tried to
launch any exe, I got a bogus infection message and denial of execution. This
includes any indirect launching of "C:\Program Files\Symantec AntiVirus\VPC32.exe"
by right-clicking Symantec on the system tray and choosing "Open Symantec
Antivirus". No scanning was possible.

I followed step 1 in the above URL to kill the offending process. I could then
run Symantec AV, but initiating a scan caused the error in
http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16ef8825734100634940/5bfc1a720f52435988256fb9007a3a9e.
Restarting the service solved that problem. The scan did not find anything. I
noted that Tamper Protection was turned off (not sure if it was before) and
turned it on. (1) Would this have prevented the interruption of the Symantec AV
service? (2) Would it have prevented the malware executable that was removed in
Step 1?

I am now following through with the remainder of the steps. I am not sure
whether the null hits from scanning are due to removal of all vestiges of the
malware or because the Symantec AV database does not recognize this malware.
The AV database was up to date as of this morning. (3) Is there a way to
determine whether this malware is in the AV database?

Thanks.

P.S. A different cleanup routine found at
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite.
From: David H. Lipman on 7 Apr 2010 18:20

From: "AndyHancock" <andymhancock(a)gmail.com>

| I picked up the (seemingly new) "Antivirus Suite" malware,
| http://www.spywareremove.com/removeAntivirusSuite.html. Every time I tried to
| launch any exe, I got a bogus infection message and denial of
| execution. This includes any indirect launching of "C:\Program Files
| \Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
| system tray and choosing "Open Symantec Antivirus". No scanning was
| possible.

| I followed step 1 in the above URL to kill the offending process.
| I could then run Symantec AV, but initiating a scan caused the error
| in
| http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16ef8825734100634940/
| 5bfc1a720f52435988256fb9007a3a9e.
| Restarting the service solved that problem. The scan did not find
| anything. I noted that Tamper Protection was turned off (not sure if
| it was before) and turned it on. (1) Would this have prevented the
| interruption of the Symantec AV service? (2) Would it have prevented
| the malware executable that was removed in Step 1?

| I am now following through with the remainder of the steps. I am not sure
| whether the null hits from scanning are due to removal of all vestiges
| of the malware or because the Symantec AV database does not recognize
| this malware. The AV database was up to date as of this morning. (3)
| Is there a way to determine whether this malware is in the AV
| database?

| Thanks.

| P.S. A different cleanup routine found at
| http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite.

Follow the directions noted at BleepingComputer.Com including
the use of Malwarebytes' Anti-Malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: AndyHancock on 7 Apr 2010 22:28

On Apr 7, 6:21 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> wrote:
> From: "AndyHancock" <andymhanc...(a)gmail.com>
>
> | I picked up the (seemingly new) "Antivirus Suite" malware,
> | http://www.spywareremove.com/removeAntivirusSuite.html. Every time I
> | tried to launch any exe, I got a bogus infection message and denial of
> | execution. This includes any indirect launching of "C:\Program Files
> | \Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
> | system tray and choosing "Open Symantec Antivirus". No scanning was
> | possible.
>
> | I followed step 1 in the above URL to kill the offending process.
> | I could then run Symantec AV, but initiating a scan caused the error
> | in
> | http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16e...
> | 5bfc1a720f52435988256fb9007a3a9e.
> | Restarting the service solved that problem. The scan did not find
> | anything. I noted that Tamper Protection was turned off (not sure if
> | it was before) and turned it on. (1) Would this have prevented the
> | interruption of the Symantec AV service? (2) Would it have prevented
> | the malware executable that was removed in Step 1?
>
> | I am now following through with the remainder of the steps. I am not sure
> | whether the null hits from scanning are due to removal of all vestiges
> | of the malware or because the Symantec AV database does not recognize
> | this malware. The AV database was up to date as of this morning. (3)
> | Is there a way to determine whether this malware is in the AV
> | database?
>
> | Thanks.
>
> | P.S. A different cleanup routine found at
> | http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite.
>
> Follow the directions noted at BleepingComputer.Com including
> the use of Malwarebytes' Anti-Malware.
>
> Answered.
>
> Why didn't you add alt.comp.virus to this post since you knew to Cross-Post?
> Afterthought maybe?

I didn't know it existed when I made the initial post. It seems to target the
same audience as a.c.av, so it seems to make sense to combine them all.

I was going to follow both cleanup procedures, but I was wondering if those
more experienced than I (and maybe those who have seen this malware before)
could shed some light on questions (1) to (3).
From: AndyHancock on 8 Apr 2010 01:14

On Apr 7, 10:28 pm, AndyHancock <andymhanc...(a)gmail.com> wrote:
> On Apr 7, 6:21 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
> wrote:
> > From: "AndyHancock" <andymhanc...(a)gmail.com>
> >
> > | I picked up the (seemingly new) "Antivirus Suite" malware,
> > | http://www.spywareremove.com/removeAntivirusSuite.html. Every time I
> > | tried to launch any exe, I got a bogus infection message and denial of
> > | execution. This includes any indirect launching of "C:\Program Files
> > | \Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
> > | system tray and choosing "Open Symantec Antivirus". No scanning was
> > | possible.
> >
> > | I followed step 1 in the above URL to kill the offending process.
> > | I could then run Symantec AV, but initiating a scan caused the error
> > | in
> > | http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16e...
> > | 5bfc1a720f52435988256fb9007a3a9e.
> > | Restarting the service solved that problem. The scan did not find
> > | anything. I noted that Tamper Protection was turned off (not sure if
> > | it was before) and turned it on. (1) Would this have prevented the
> > | interruption of the Symantec AV service? (2) Would it have prevented
> > | the malware executable that was removed in Step 1?
> >
> > | I am now following through with the remainder of the steps. I am not sure
> > | whether the null hits from scanning are due to removal of all vestiges
> > | of the malware or because the Symantec AV database does not recognize
> > | this malware. The AV database was up to date as of this morning. (3)
> > | Is there a way to determine whether this malware is in the AV
> > | database?
> >
> > | Thanks.
> >
> > | P.S. A different cleanup routine found at
> > | http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite.
> >
> > Follow the directions noted at BleepingComputer.Com including
> > the use of Malwarebytes' Anti-Malware.

The mbam installation requires login as administrator. I'm trying to avoid
logging in as admin until I've gone through all possible steps as nonadmin
(which is the state under which the infection occurred). Is there a way to
obtain a similar level of assurance before switching to an administrator
account? I've followed the procedure at both URLs. I know that Symantec AV
*doesn't* catch this malware as of today.

> > Why didn't you add alt.comp.virus to this post since you knew to Cross-Post?
> > Afterthought maybe?
>
> I didn't know it existed when I made the initial post. It seems to
> target the same audience as a.c.av, so it seems to make sense to
> combine them all.
>
> I was going to follow both cleanup procedures, but I was wondering if
> those more experienced than I (and maybe those who have seen this
> malware before) could shed some light on questions (1) to (3).
From: AndyHancock on 8 Apr 2010 01:42

On Apr 8, 1:14 am, AndyHancock <andymhanc...(a)gmail.com> wrote:
> On Apr 7, 10:28 pm, AndyHancock <andymhanc...(a)gmail.com> wrote:
> > On Apr 7, 6:21 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
> > wrote:
> > > From: "AndyHancock" <andymhanc...(a)gmail.com>
> > >
> > > | I picked up the (seemingly new) "Antivirus Suite" malware,
> > > | http://www.spywareremove.com/removeAntivirusSuite.html. Every time I
> > > | tried to launch any exe, I got a bogus infection message and denial of
> > > | execution. This includes any indirect launching of "C:\Program Files
> > > | \Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
> > > | system tray and choosing "Open Symantec Antivirus". No scanning was
> > > | possible.
> > >
> > > | I followed step 1 in the above URL to kill the offending process.
> > > | I could then run Symantec AV, but initiating a scan caused the error
> > > | in
> > > | http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16e...
> > > | 5bfc1a720f52435988256fb9007a3a9e.
> > > | Restarting the service solved that problem. The scan did not find
> > > | anything. I noted that Tamper Protection was turned off (not sure if
> > > | it was before) and turned it on. (1) Would this have prevented the
> > > | interruption of the Symantec AV service? (2) Would it have prevented
> > > | the malware executable that was removed in Step 1?
> > >
> > > | I am now following through with the remainder of the steps. I am not sure
> > > | whether the null hits from scanning are due to removal of all vestiges
> > > | of the malware or because the Symantec AV database does not recognize
> > > | this malware. The AV database was up to date as of this morning. (3)
> > > | Is there a way to determine whether this malware is in the AV
> > > | database?
> > >
> > > | Thanks.
> > >
> > > | P.S. A different cleanup routine found at
> > > | http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite.
> > >
> > > Follow the directions noted at BleepingComputer.Com including
> > > the use of Malwarebytes' Anti-Malware.
>
> The mbam installation requires login as administrator. I'm trying to
> avoid logging in as admin until I've gone through all possible steps
> as nonadmin (which is the state under which the infection occurred).
> Is there a way to obtain a similar level of assurance before switching
> to an administrator account? I've followed the procedure at both
> URLs. I know that Symantec AV *doesn't* catch this malware as of
> today.

I bit the bullet and installed mbam as admin. Currently scanning. Would you
(or anyone else) know if scanning under an admin account allows the AV to scan
user account files? This is something I've always wondered about antimalware
and defrag apps.

> > > Why didn't you add alt.comp.virus to this post since you knew to Cross-Post?
> > > Afterthought maybe?
> >
> > I didn't know it existed when I made the initial post. It seems to
> > target the same audience as a.c.av, so it seems to make sense to
> > combine them all.
> >
> > I was going to follow both cleanup procedures, but I was wondering if
> > those more experienced than I (and maybe those who have seen this
> > malware before) could shed some light on questions (1) to (3).