
Fake AV Malware Not Stopped

Why doesn't Sophos stop Malware, especially Fake AV malware, like it does viruses? We have a corporate license and all machines are up-to-date with Sophos AV but more & more we spend too much time removing malware & tracking down other changes that were made by the malware that have disabled programs.

  • Just thought I'd add an enduser perspective to this. I somehow got XP Security 2012 onto my system (pretty sure I did not download or install anything on purpose, I tend to kill all iexplore.exe processes instead of clicking on any suspicious popup) and once it was obviously there (both in systray and popups) Sophos did not detect it. Because this happened in between the holidays I did not go through our IT department, but instead resorted to fixing it myself.

    Full scan by Sophos: nothing. Neither did a full scan by Microsoft Security Essentials (which by then had to get manually updated virus definitions). Also the latest Kaspersky declared everything OK.

    I had identified the main process "spg.exe" which could be killed but always reappeared after a few minutes. MSE's free tech support advised to find and delete the offending exe file; they provided an exefix_xp.com application to fix the program/file extension association and recommended a scan with superantispyware. After some internet searching I ran MalwareBytes, which did a great job detecting and fixing the remaining issues of the FakeAV. Final registry cleanup with ccleaner. These steps did take time, and it sure would have been nice if Sophos could have just detected and removed it. With everything locked down on the enduser machine this may be avoidable, but there also has to be a realistic balance. Aside from the quite high resource usage of SavService.exe, Sophos usually protects very well in the background without interference.

    PS: I probably should have submitted the file to Sophos labs but the online form encourages endusers to go through internal IT department channels first.

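The two symptoms the post describes (a hijacked .exe file association that exefix_xp.com repairs, and a process that comes back every time it is killed) can be checked on an affected host with the script below. It is an added example, not code from the thread, from Sophos or from any of the tools named; it assumes an elevated Windows PowerShell session, and the process name "spg" is taken from the post and is only a placeholder elsewhere.

```powershell
# Added example, not from the thread. Get-WmiObject is used rather than
# Get-CimInstance so it also runs on the Windows XP era PowerShell 2.0.

$ExpectedExeCmd = '"%1" %*'   # stock value of exefile\shell\open\command

function Test-ExeAssociation {
    # Returns $true only if the .exe open command is the stock value in HKCR
    # and no non-stock per-user override exists under HKCU\Software\Classes.
    # A hijacked value (for example a path to the rogue binary placed before
    # "%1") makes every launched .exe pass through the fake AV first.
    $ok = $true
    foreach ($hive in 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_USER\Software\Classes') {
        $key = "Registry::$hive\exefile\shell\open\command"
        if (-not (Test-Path $key)) { continue }      # per-user key is normally absent
        $cmd = (Get-Item $key).GetValue('')
        if ($cmd -ne $ExpectedExeCmd) {
            Write-Warning "$hive exefile command is '$cmd', expected '$ExpectedExeCmd'"
            $ok = $false
        }
    }
    return $ok
}

function Watch-ProcessRespawn {
    # Kills the named process once, then watches for it to reappear for
    # $Seconds seconds. Each respawn is logged with its image path and parent
    # process: the parent is the lead to the persistence mechanism (Run key,
    # scheduled task, service or a second process that relaunches it).
    param([string]$Name, [int]$Seconds = 120)
    Get-Process -Name $Name -ErrorAction SilentlyContinue | Stop-Process -Force
    $seen = @()
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($p in (Get-Process -Name $Name -ErrorAction SilentlyContinue)) {
            if ($seen -contains $p.Id) { continue }
            $seen += $p.Id
            $w = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.Id)"
            $parent = Get-Process -Id $w.ParentProcessId -ErrorAction SilentlyContinue
            Write-Warning ("{0} respawned: pid {1}, path {2}, parent {3} (pid {4})" -f `
                $Name, $p.Id, $w.ExecutablePath, $parent.ProcessName, $w.ParentProcessId)
        }
        Start-Sleep -Seconds 5
    }
    return $seen.Count   # number of distinct respawns observed
}

Test-ExeAssociation
Watch-ProcessRespawn -Name 'spg' -Seconds 120
```

A non-stock association value or a non-zero respawn count is what to record before cleanup, since the parent process and the hijacked command string are the artefacts worth submitting to the vendor along with the binary.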