Virus removal

I've run the free Sophos Anti-Virus, version 7.6.2.  The result of the scan revealed two items:  Mal/FakeAvCn-C and Mal/FakeAvCn-B.  The items are in the Quarantine Manager.  The Quarantine Manager is divided into three columns: Type, Name, and Details.  Clicking on the name of each virus links to the web page to download the same free tool that I just used.  Am I really supposed to download and run the same tool again?

Clicking on the first part of the details for each virus links to the ProgramData folder of the C drive, with the second one linking to a subfolder of the ProgramData folder.  Clicking on the second part of the details for each item, designated by "[more]", opens a window listing detected components of each item.  At the bottom of the window is the message that a full computer scan is needed to detect all of its components.  To what scanner does this refer?  Am I supposed to run the same anti-virus again, or something else?

All I really want to do is to remove both of them.  None of the removal methods refer explicitly to Windows 7, which I find amazing.  Each of the other methods describes a Quarantine Manager that differs from the one shown to me.  The Quarantine Manager on my computer gives me only three actions to perform:  Select all, Deselect all, and Clear from list.  Does "Clear from list" mean remove/delete?

This thread was automatically locked due to age.
  • Thanks for posting the location of the threat, it is quite common for these scoundrels. I've got rid of quite a number of this kind and normally a reinstall is not necessary.

    Here's what you should do:

    • First of all use more aggressive settings. On-access read/write/rename (which is, BTW, the recommended default from version 10 on) - automatic cleanup/delete, scan for suspicious files - deny access only (yes), scan for suspicious behaviour (HIPS) - blocking mode.
    • Check SAV.txt for detections - usually some items are located in one of the user's temp directories. At this point you have to turn off on-access scanning (but only if you don't have ongoing detection/cleanup loops) - if you are careful this is usually safe. Browse to the locations with Explorer (uncheck Hide extensions for known file types) and sort by date. Locate the detected items (if they haven't been deleted), if you know the timestamp from the first detection (from the SAV log) use this as a starting point. Search for files with a size similar to the one from AppData or some 100k (executables as well as those with no or a .tmp extension). If possible look at them with FileAlyzer© or a similar tool - executables are suspicious (especially if they are UPX compressed).
    • Grab the files marked as suspicious by Sophos, the ones you found with Explorer and those "near" them - i.e. with (almost) identical timestamps - and pack them in an encrypted (password protected) .zip archive (now you should turn on on-access scanning) and submit this archive to SophosLabs. Don't worry about sending "too many" (already known, clean or "unnecessary") files (but don't send your whole C: drive) as the triage is automated - better one too many than omitting an important sample. New or updated identities are usually issued within a very few hours after which SAV on your machine will in most cases automatically remove the threats. It is a good idea to run a full scan (checking all files) afterwards if you can spare the time.
    • Again - sending samples is the important part.  

    There are additional steps you can take (but if you are not familiar with these tasks you need not)

    • Search the registry for occurrences of the name from AppData (jI28300KkJbH28300 in your case) and try to delete the keys. If you can't or they reappear you've got one of the nastier types.
    • Often keys/values are set like in [HKLM|HKCU]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit or [HKLM|HKCU]\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. You might or might not be able to delete these.
    • Process Monitor can be used to find out which process writes these keys and Process Explorer might help in finding and killing rogue processes. Sometimes malware prevents the use of these tools though.

    As your machine and Sophos are still working there's a good chance you get rid of the infection this way.

    Good luck

    Christian

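An added example, not part of the original thread and not Christian's or Sophos's code: PowerShell helpers that carry out the manual triage steps described in the reply above (the sweep of the temp/AppData/ProgramData locations by last-write time and size, the executable and UPX check the post suggests doing with FileAlyzer, and the search of the Winlogon\Userinit and Run keys for the marker name). The scanned roots, the +/-30 minute window around the first SAV.txt detection, the marker string, the script file name and the Windows 7 default Userinit value are assumptions for illustration. It only reports; nothing is deleted.

```powershell
# Added example (editor's code, not from the original thread). Assumed usage,
# from an elevated PowerShell prompt on the affected machine:
#   . .\Triage-FakeAv.ps1
#   Find-SuspectFiles -FirstDetection '2010-11-02 14:05' -WindowMinutes 30 | Format-Table Modified,SizeKB,Kind,Path -AutoSize
#   Find-PersistenceEntries -Marker 'jI28300KkJbH28300' | Format-Table Flag,Key,Name,Value -AutoSize
# Written against PowerShell 2.0 syntax so it runs on a stock Windows 7 box.

function Get-PeKind {
    # Classify a file as 'NotPE', 'PE' or 'PE/UPX' by parsing the DOS/PE headers;
    # UPX leaves section names UPX0/UPX1 behind, a cheap packing indicator.
    param([string]$Path)
    try { $b = [System.IO.File]::ReadAllBytes($Path) } catch { return 'Unreadable' }
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'NotPE' }   # 'MZ'
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                              # e_lfanew
    if ($pe -le 0 -or $pe + 24 -gt $b.Length) { return 'NotPE' }
    if ($b[$pe] -ne 0x50 -or $b[$pe + 1] -ne 0x45) { return 'NotPE' }                   # 'PE'
    $sections = [BitConverter]::ToUInt16($b, $pe + 6)      # NumberOfSections
    $optSize  = [BitConverter]::ToUInt16($b, $pe + 20)     # SizeOfOptionalHeader
    $table    = $pe + 24 + $optSize                        # first IMAGE_SECTION_HEADER
    for ($i = 0; $i -lt $sections; $i++) {
        $off = $table + ($i * 40)
        if ($off + 8 -gt $b.Length) { break }
        $name = [System.Text.Encoding]::ASCII.GetString($b, $off, 8).TrimEnd([char]0)
        if ($name -like 'UPX*') { return 'PE/UPX' }
    }
    return 'PE'
}

function Get-FileSha256 {
    # Hash each candidate so the samples zipped for SophosLabs can be labelled.
    param([string]$Path)
    try { $fs = [System.IO.File]::OpenRead($Path) } catch { return '' }
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $fs.Close() }
}

function Find-SuspectFiles {
    # Files in the usual drop locations whose last-write time lies within
    # +/- $WindowMinutes of the first detection, with size, PE kind and hash,
    # oldest first (mirrors "sort by date" in Explorer).
    param(
        [Parameter(Mandatory = $true)][datetime]$FirstDetection,
        [int]$WindowMinutes = 30,
        [string[]]$Roots = @($env:TEMP, "$env:LOCALAPPDATA\Temp", $env:APPDATA, $env:ProgramData)  # assumed roots
    )
    $from = $FirstDetection.AddMinutes(-$WindowMinutes)
    $to   = $FirstDetection.AddMinutes($WindowMinutes)
    $interesting = @('.exe', '.dll', '.tmp', '')            # executables, .tmp and extensionless files
    $found = foreach ($root in ($Roots | Select-Object -Unique)) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to -and
                           $interesting -contains $_.Extension.ToLower() } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Modified = $_.LastWriteTime
                    SizeKB   = [math]::Round($_.Length / 1KB, 1)
                    Kind     = Get-PeKind $_.FullName
                    SHA256   = Get-FileSha256 $_.FullName
                    Path     = $_.FullName
                }
            }
    }
    $found | Sort-Object Modified
}

function Find-PersistenceEntries {
    # Report Winlogon\Userinit and Run values that mention $Marker, point into a
    # user-writable drop location, or (Userinit only) differ from the default.
    param([Parameter(Mandatory = $true)][string]$Marker)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    # Assumed Windows 7 default: "C:\Windows\system32\userinit.exe," (note the trailing comma)
    $defaultUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe').ToLower()
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                        # PSPath etc. are not registry values
            if ($key -like '*Winlogon' -and $p.Name -ne 'Userinit') { continue }
            $value = [string]$p.Value
            $flag  = $null
            if ($value.IndexOf($Marker, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $flag = 'MARKER' }
            elseif ($p.Name -eq 'Userinit' -and $value.TrimEnd(',').Trim('"').ToLower() -ne $defaultUserinit) { $flag = 'NON-DEFAULT USERINIT' }
            elseif ($value -match '(?i)\\(Temp|AppData|ProgramData)\\') { $flag = 'USER-WRITABLE PATH' }
            if ($flag) { New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Value = $value; Flag = $flag } }
        }
    }
}
```

Treat the output as a shortlist, not a verdict: the reply's actual fix is the sample submission, so the files this turns up (plus their neighbours in time) are what go into the password-protected zip for SophosLabs, and a Run or Userinit value flagged here is what you would watch with Process Monitor before trying to delete it.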