"Antivirus Suite" malware


I picked up the (seemingly new) "Antivirus Suite" malware,
http://www.spywareremove.com/removeAntivirusSuite.html .  Every time I
tried to launch any exe, I got a bogus infection message and denial of
execution.  This includes any indirect launching of "C:\Program Files
\Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
system tray and choosing "Open Symantec Antivirus".  No scanning was
possible.

I followed step 1 in the above URL to kill the offending process.
I could then run Symantec AV, but initiating a scan caused the error
in
http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16ef8825734100634940/5bfc1a720f52435988256fb9007a3a9e .
Restarting the service solved that problem.  The scan did not find
anything.  I noted that Tamper Protection was turned off (not sure if
it was before) and turned it on.  (1) Would this have prevented the
interruption of the Symantec AV service?  (2) Would it have prevented
the malware executable that was removed in Step 1?

I am now following through with the remainder of the steps.  I am not
sure whether the null hits from scanning are due to removal of all vestiges
of the malware or because the Symantec AV database does not recognize
this malware.  The AV database was up to date as of this morning.  (3)
Is there a way to determine whether this malware is in the AV
database?

Thanks.

P.S. A different cleanup routine found at
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite .

Re: "Antivirus Suite" malware


| I picked up the (seemingly new) "Antivirus Suite" malware,
| http://www.spywareremove.com/removeAntivirusSuite.html .  Every time I
| tried to launch any exe, I got a bogus infection message and denial of
| execution.  This includes any indirect launching of "C:\Program Files
| \Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
| system tray and choosing "Open Symantec Antivirus".  No scanning was
| possible.

| I followed step 1 in the above URL to kill the offending process.
| I could then run Symantec AV, but initiating a scan caused the error
| in
| http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16ef8825734100634940/5bfc1a720f52435988256fb9007a3a9e .
| Restarting the service solved that problem.  The scan did not find
| anything.  I noted that Tamper Protection was turned off (not sure if
| it was before) and turned it on.  (1) Would this have prevented the
| interruption of the Symantec AV service?  (2) Would it have prevented
| the malware executable that was removed in Step 1?

| I am now following through with the remainder of the steps.  I am not
| sure whether the null hits from scanning are due to removal of all vestiges
| of the malware or because the Symantec AV database does not recognize
| this malware.  The AV database was up to date as of this morning.  (3)
| Is there a way to determine whether this malware is in the AV
| database?

| Thanks.

| P.S. A different cleanup routine found at
| http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite .

Answered.

Why didn't you add alt.comp.virus to this post since you knew to cross-post?
Afterthought maybe?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: "Antivirus Suite" malware




I didn't know it existed when I made the initial post.  It seems to
target the same audience as a.c.av, so it seems to make sense to
combine them all.

I was going to follow both cleanup procedures, but I was wondering if
those more experienced than I (and maybe those who have seen this
malware before) could shed some light on questions (1) to (3).

Re: "Antivirus Suite" malware




The mbam installation requires login as administrator.  I'm trying to
avoid logging in as admin until I've gone through all possible steps
as nonadmin (which is the state under which the infection occurred).
Is there a way to obtain a similar level of assurance before switching
to an administrator account?  I've followed the procedure at both
URL's.  I know that Symantec AV *doesn't* catch this malware as of
today.

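The post above asks what can be checked from the non-admin account before switching to an administrator. The script below is an added example, not code from the thread or from either of the linked cleanup guides. It inventories the per-user auto-start locations a standard user can read (and, since they live under HKCU or the user's own profile, can also edit without elevation) and hashes whatever they point at. The thread does not say how "Antivirus Suite" intercepts .exe launches; the check of HKCU\Software\Classes\exefile is an assumption based on the general behaviour of rogue AV programs, which often override the per-user .exe open command so that their own binary runs whenever the user starts any program.

```powershell
# Added example, not from the thread: inventory the per-user auto-start and
# .exe-handler locations that a standard (non-admin) account can read itself.
# Assumption: the thread does not say how "Antivirus Suite" intercepts .exe
# launches; rogue AVs commonly do it by overriding the .exe open command under
# HKCU, which shadows the machine-wide HKLM handler for that user only, so that
# key is checked alongside the usual per-user Run keys and Startup folder.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Location, $Name, $Value) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value })
}

# 1. Per-user Run/RunOnce keys: executed at logon for this account only.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the PSPath/PSDrive/... properties PowerShell adds to the object.
            if ($p.Name -notlike 'PS*') { Add-Finding $key $p.Name $p.Value }
        }
    }
}

# 2. Per-user .exe handler. A clean profile normally has neither key; any
#    command here runs instead of (or before) the program the user launched.
foreach ($key in 'HKCU:\Software\Classes\.exe',
                 'HKCU:\Software\Classes\exefile\shell\open\command') {
    if (Test-Path $key) {
        Add-Finding $key '(default)' (Get-ItemProperty -Path $key).'(default)'
    }
}

# 3. Per-user Startup folder.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding $startup $_.Name $_.FullName }

# 4. Hash each referenced file so it can be compared with, or submitted to, the
#    AV vendor. Only a leading quoted path or a bare path is extracted; entries
#    with unquoted arguments show 'n/a'. Get-FileHash needs PowerShell 4 or later.
foreach ($f in $findings) {
    $path = ([string]$f.Value) -replace '^"([^"]+)".*$', '$1'
    $hash = if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } else { 'n/a' }
    $f | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash
}

$findings | Format-Table -AutoSize -Wrap
```

Run it from the infected (non-admin) account. Anything it lists under HKCU\Software\Classes or in the Run keys that you did not put there is a candidate, and because those keys belong to the user, Remove-ItemProperty on them needs no elevation. What it cannot see is machine-wide persistence (HKLM Run keys, services, drivers), which is the part that still needs the admin account.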


Re: "Antivirus Suite" malware




I bit the bullet and installed mbam as admin. Currently scanning.
Would you (or anyone else) know if scanning under an admin account
allows the AV to scan user account files? This is something I've
always wondered about antimalware and defrag apps.

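On the question in the post above of whether a scan started from an admin account reaches other users' files: an interactive scanner runs with the token of whoever launched it, and whether that token can open a given profile is decided by the NTFS ACL on C:\Users\<name>, not by the scanner. The script below is an added example, not from the thread, that answers the question empirically for the account it is run from; it assumes profiles live under the default $env:SystemDrive\Users root.

```powershell
# Added example, not from the thread: check which profiles under C:\Users the
# account you scan from can actually list. A scanner started interactively runs
# with that user's token, so an access-denied profile here is simply not scanned.
# Assumption: profiles live under the default $env:SystemDrive\Users root.

function Test-ProfileAccess {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # Under UAC a member of Administrators is only "elevated" in a process
    # started with "Run as administrator"; otherwise the group is filtered out
    # of the token and this returns $false even for an admin account.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Write-Host "Running as $($identity.Name); elevated: $elevated"

    $usersRoot = Join-Path $env:SystemDrive 'Users'
    Get-ChildItem -Path $usersRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_.FullName
        try {
            # -Force includes hidden entries such as AppData; -ErrorAction Stop
            # turns a denied listing into an exception so it is reported.
            $entries = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction Stop)
            [pscustomobject]@{ Profile = $dir; Readable = $true;  TopLevelEntries = $entries.Count; Error = '' }
        } catch {
            [pscustomobject]@{ Profile = $dir; Readable = $false; TopLevelEntries = 0; Error = $_.Exception.GetType().Name }
        }
    }
}

Test-ProfileAccess | Format-Table -AutoSize
```

By default a profile directory grants full control to its owner, to SYSTEM and to the Administrators group, so an elevated scan (or a scan the product runs from its service as SYSTEM) can read every profile, while a non-elevated or standard-user scan reads only its own and reports the others as not readable. If the scanner's own log does not say which directories it skipped, running this first tells you whether the "no infection found" result actually covered the infected user's profile.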

