Virus removal

I've run the free Sophos Anti-Virus, version 7.6.2.  The result of the scan revealed two items:  Mal/FakeAvCn-C and Mal/FakeAvCn-B.  The items are in the Quarantine Manager.  The Quarantine Manager is divided into three columns: Type, Name, and Details.  Clicking on the name of each virus links to the web page to download the same free tool that I just used.  Am I really supposed to download and run the same tool again?

Clicking on the first part of the details for each virus links to the ProgramData folder of the C drive, with the second one linking to a subfolder of the ProgramData folder.  Clicking on the second part of the details for each item, designated by "[more]", opens a window listing detected components of each item.  At the bottom of the window is the message that a full computer scan is needed to detect all of its components.  To what scanner does this refer?  Am I supposed to run the same anti-virus again, or something else?

All I really want to do is to remove both of them.  None of the removal methods refer explicitly to Windows 7, which I find amazing.  Every one of the other methods describes a Quarantine Manager that differs from the one shown to me.  The Quarantine Manager on my computer gives me only three actions to perform:  Select all, Deselect all, and Clear from list.  Does "Clear from list" mean remove/delete?

  • Well, I have the actual Sophos AV program, v9.5 and up to date, and it still cannot fully remove this malware (Mal/FakeAvCn-B).  It keeps coming back after every restart. I believe it is related to the "Security Sphere" fake antivirus.

    Sophos detects it at startup, I proceed to clean it up, and there it is again after restarting the computer, or even just logging on and off again.  This is on an XP machine.

    Any advice would be appreciated.

  • Likely "something" settled partially in. Usually these beasts can be cleaned up with an aggressive scan initiated from the console - unless there is an as yet undetected part involved. It would help if you could post the location of the recurrent detection (ideally a part of SAV.txt).
    Your account has administrative rights, hasn't it?

    Christian
  • I already did a full system scan from the console - no dice.

    From the AV log, it looks like Sophos keeps picking it up as: Documents and Settings\All Users\Application Data\jI28300KkJbH28300\jI28300KkJbH28300.  Not sure if that's what you are looking for.

    But again, it cleans it up and it comes right back.

    Trying to avoid a whole wipe and reinstall, but it looks increasingly bleak.

  • Hi,

    I also have a Mal/FakeAvCn-A infection of my Windows 7 system - detected by Sophos 9.5 and quarantined but with other messages such as "catalyst control host application has stopped working", HIPS RegMod009, "failed to save all the components for the file \\system32\00000283 the file is corrupted or unreadable".  The computer was rebooted a couple of times and now the desktop does not load completely, I can't see the Sophos icon to initiate a search or look at the quarantined area.  Not sure what to do.  Any help would be appreciated.

  • Just started my computer and saw the Sophos icon appear and was able to start the console and initiated a search. Ongoing now.

  • Thanks for posting the location of the threat, it is quite common for these scoundrels. I've got rid of quite a number of this kind and normally a reinstall is not necessary.

    Here's what you should do:

    • First of all use more aggressive settings. On-access read/write/rename (which is, BTW, the recommended default from version 10 on) - automatic cleanup/delete, scan for suspicious files - deny access only (yes), scan for suspicious behaviour (HIPS) - blocking mode.
    • Check SAV.txt for detections - usually some items are located in one of the user's temp directories. At this point you have to turn off on-access scanning (but only if you don't have ongoing detection/cleanup loops) - if you are careful this is usually safe. Browse to the locations with Explorer (uncheck Hide extensions for known file types) and sort by date. Locate the detected items (if they haven't been deleted), if you know the timestamp from the first detection (from the SAV log) use this as a starting point. Search for files with a size similar to the one from AppData or some 100k (executables as well as those with no or a .tmp extension). If possible look at them with FileAlyzer© or a similar tool - executables are suspicious (especially if they are UPX compressed).
    • Grab the files marked as suspicious by Sophos, the ones you found with Explorer and those "near" them - i.e. with (almost) identical timestamps - and pack them in an encrypted (password protected) .zip archive (now you should turn on on-access scanning) and submit this archive to SophosLabs. Don't worry about sending "too many" (already known, clean or "unnecessary") files (but don't send your whole C: drive) as the triage is automated - better one too many than omitting an important sample. New or updated identities are usually issued within a very few hours, after which SAV on your machine will in most cases automatically remove the threats. It is a good idea to run a full scan (checking all files) afterwards if you can spare the time.
    • Again - sending samples is the important part.

    There are additional steps you can take (but if you are not familiar with these tasks you need not):

    • Search the registry for occurrences of the name from AppData (jI28300KkJbH28300 in your case) and try to delete the keys. If you can't or they reappear you've got one of the nastier types.
    • Often keys/values are set like in [HKLM|HKCU]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit or [HKLM|HKCU]\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. You might or might not be able to delete these.
    • Process Monitor can be used to find out which process writes these keys and Process Explorer might help in finding and killing rogue processes. Sometimes malware prevents the use of these tools though.

    As your machine and Sophos are still working there's a good chance you get rid of the infection this way.

    Good luck

    Christian

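The file-triage part of the steps above (a timestamp window around the first SAV detection, a size close to the sample already found in AppData, and executables - especially UPX-packed ones - ranked first regardless of extension), as an added Python example that is not from the thread and not Sophos code; `classify`, `shortlist` and `build_fake_pe` are my own names, and the PE skeleton the last function builds is constructed test data.

```python
# Added triage helper (not Sophos code): rank files found near a SAV detection.
# Entries are (path, mtime_epoch_seconds, size_bytes, leading_bytes) collected by
# the caller from the temp directories named in the SAV log.
import struct

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names left by the UPX packer

def pe_section_names(data):
    """Section names of a PE image, or None if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    # IMAGE_SECTION_HEADER is 40 bytes; the 8-byte name comes first.
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(nsections)]

def classify(data):
    """Classify by header, not extension: renamed or .tmp executables still count."""
    names = pe_section_names(data)
    if names is None:
        return "not-executable"
    return "pe-upx-packed" if UPX_SECTIONS & set(names) else "pe"

def shortlist(entries, detection_time, window=600.0, size_hint=None, tolerance=0.25):
    """Keep entries modified within `window` seconds of the detection and rank
    them: packed executables first, then plain PEs, with a bonus for a size
    close to the sample already detected in AppData."""
    hits = []
    for path, mtime, size, data in entries:
        if abs(mtime - detection_time) > window:
            continue
        kind = classify(data)
        near_size = size_hint is not None and abs(size - size_hint) <= tolerance * size_hint
        score = {"pe-upx-packed": 3, "pe": 2, "not-executable": 0}[kind] + (1 if near_size else 0)
        hits.append((score, path, kind))
    hits.sort(key=lambda h: -h[0])
    return hits

def build_fake_pe(section_names):
    """Constructed PE skeleton (DOS stub, COFF header, section table; no code)."""
    dos = bytearray(b"MZ") + bytearray(0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections
```

The ranked list is what you would zip (password protected) and submit; nothing here deletes or modifies files.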
  • I agree that "Clear from list" is really confusing language. It's not clear what it means and I'm not sure if I should click on it or not. In addition, the "Help" guide only says, "Click Clear from List to remove selected items from the list without dealing with them. This action does not delete the items from disk."  I got the go-ahead from my IT department, so I clicked it. I got a message that says, "If you clear a quarantined item from the list, this does not remove the item from the computer. Sophos recommends that you use cleanup, deletion, or authorization. Click OK to clear the item from the list of quarantined items."
