
Mal/FakeAvHm-A infection

Dear Sophos people,

My Sophos anti-virus tells me I've been infected with Mal/FakeAvHm-A. It was last updated about two weeks ago and the reported malware is from March 2009. Nevertheless spam pages and unwanted dialogs are opening. In addition I am not able to open Sophos, regedit, msconfig or any other program useful to get rid of this. So what can I do?



  • I booted my computer in safe mode with a command prompt and am running sav32cli (the emergency virus check) from a flash drive. The log says it removed this infection, but the entire scan hasn't finished, and I have yet to restart the computer. Will let you know if it clears up the glitches.

  • If you are suffering a malware fake AV attack I recommend contacting Sophos support.

    In the meantime, are you able to run any executables? Are there any further infections found after the SAV32cli run?

  • It may be a bit late for me to reply with this, but we've had a couple of laptops come in with fake anti-virus programs which have installed into the user's profile (thus bypassing the need for admin rights). Quite how it got past Sophos in the first place is a different matter, but the easiest way I've found to clean these infections is to remove the HD and connect it via USB to a working machine and then run a full scan on the external drive. Once all traces of infection have been removed, it's a lot easier to fix any damage caused by the virus (usually easier just to kill the entire profile and restore files and settings from a backup).

    SATA/USB adapters aren't expensive (only a few pounds/dollars/whatever each), so it's always worth having a couple around for such situations.

  • FakeAvs can be nasty, if you can get an autoruns log, send it to support and call in.

    If it is blocking exes, rename autoruns to something else like autoruns.com or services.exe and try that.

    A lot of the time it is just one bad exe running.

    Nice note - to revert the taskmgr/regedit issue you can use regengui:

    www.sophos.com/support/cleaners/regengui.com

    Although if the malware is active, it will likely write it back (which is also a way to track the file doing it via procmon :P)

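As an added example (not Sophos's regengui and not code from this thread), a defender-side PowerShell audit of the two policy values that the "taskmgr/regedit issue" above comes down to, plus a listing of the per-user Run entries that a profile-installed FakeAV typically lives in. Per the note above, run it after the bad exe has been stopped (for example from safe mode), since an active sample will simply write the values back.

```powershell
# Added example: audit (and with -Revert, clear) the policy values that
# disable Task Manager and Registry Editor, then list per-user autostarts.
param([switch]$Revert)

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    foreach ($name in $policyValues) {
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value absent: tool not disabled here
        $val = $item.$name
        if ($val -ne 0) {
            Write-Output "[!] $path\$name = $val (tool disabled by policy)"
            if ($Revert) {
                Remove-ItemProperty -Path $path -Name $name
                Write-Output "    removed $name"
            }
        } else {
            Write-Output "[ok] $path\$name = 0"
        }
    }
}

# Per-user autostart entries. FakeAV that installs without admin rights
# usually launches from the profile, so paths under AppData/Temp get a '?'.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $flag = if ($p.Value -match 'AppData|Temp|Local Settings') { '[?]' } else { '[ ]' }
        Write-Output "$flag $key\$($p.Name) -> $($p.Value)"
    }
}
```

Anything flagged '[?]' is a candidate to check against the sav32cli log or an autoruns capture before deleting; the script itself only removes the two policy values and never touches the Run entries.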
  • We have been hit by FakeAV and we have found that changing our protection settings to enable HIPS has greatly reduced our cleanup and prevented infections. Read the details and know what you are getting by enabling HIPS. Also SESC 9.5 will be providing Sophos whitelisting of HIPS from SophosLabs to help make this even better. There will even be a tamper protection option included in SESC 9.5 which should reduce some of these attacks that are disabling Sophos.

    The days have gone when anti-virus vendors could protect systems by providing definitions for known threats. Today malware is being used to attack systems for money, more often than to do harm or play jokes on people. The new easy job is to trick people into paying for fake products or to steal a person's data. This new approach to malware is being done in large numbers and the code is being changed daily, sometimes within hours of a release.

    Here is an article covering the life of malware in Aug 2009:  http://www.scmagazineus.com/most-malware-dies-within-24-hours/article/146384/ (2009)

    Here is an article covering fake AV from Sophos:
    http://www.sophos.com/support/knowledgebase/article/110379.html (2010)

    SophosLabs explains HIPS in detail:
    http://www.sophos.com/security/sophoslabs/sophos-hips/index.html (2010)
