flame Posted March 25, 2009
Hello
On my PC, I ran the anti-virus program (by Computer Associates) and it found that there were two infections in C:\My Documents...etc., called Win32/FakeAV.JZ and Win32/FakeAV.JY, but the AV hasn't done anything about them. It just shows: Infected - 2; Cleaned - 0; Quarantined - 0! I did a 'search' for the infections in C:\My Docs, but they weren't found. Why hasn't the AV removed the infections? Should I be concerned about this? How can I remove them? What kind of infections are they? Any help please. Thank you.
Spools Posted March 25, 2009
You can try the following:
1. Turn off System Restore - Start > right click on My Computer > Properties > System Restore tab > check Turn Off System Restore
2. Reboot in Safe Mode - At the BIOS screen during start up, keep pressing F8 until the menu appears
3. Perform a full scan with the AV package
4. When the scan is complete, reboot normally
5. If the scan successfully removed the bugs, turn System Restore back on
maynardvdm Posted March 25, 2009
Hi
To make sure you get all the infections, do the following:
Your computer appears to be infected with Malware. Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a combination of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
It is in your best interest to note the following:
- Please disable your resident security applications (such as AVG, Spybot, WinPatrol, etc.) before performing the procedure below so that they do not interfere with the process.
- Perform all the steps in the order listed to avoid any conflicts. If unsure, please stop and voice your doubts.
- You might be required to go offline during the disinfection process. Therefore, it is recommended to print off the instructions below for ease of reference.
If you stick to the above guidelines, all should go smoothly.
================================================
STEP 1
Download ATF-Cleaner by Atribune. Save the file to your Desktop.
1. Double-click on the file to run the program.
2. On the Main tab, check the Select All button.
3. Next, click on the Firefox tab (if applicable) and check the Select All button. Note: If you would like to preserve your saved passwords in Firefox, then click No at the corresponding prompt.
4. Now, click on the Opera tab (if applicable) and check the Select All button. Note: If you would like to preserve your saved passwords in Opera, then click No at the corresponding prompt.
5. Press the Empty Selected button and click OK to acknowledge the corresponding prompt.
6. Click on the Exit button to quit the program.
================================================
STEP 2
Please click here to download Malwarebytes' Anti-Malware. Save the file to your Desktop.
1. Double-click mbam-setup.exe and follow the prompts to install the program.
2. At the end, make sure a check mark is placed next to:
   - Update Malwarebytes' Anti-Malware
   - Launch Malwarebytes' Anti-Malware
3. Click Finish.
4. The program will download and update itself if it finds the necessity to do so. Please allow this.
5. Once the program has loaded, select Perform full scan, then click Scan. Note: Depending on your computer specifications, the scan may take some time to complete. Please wait patiently and do not interrupt the process.
6. When the scan is complete, click OK, and then Show Results to view the results.
7. Make sure that every entry is selected, and click Remove Selected.
8. Restart your computer.
================================================
STEP 3
Please click here to download SUPERAntiSpyware (Free Version). Save the file to your Desktop.
1. Double-click SUPERAntiSpyware.exe and follow the prompts to install the program.
2. Open SUPERAntiSpyware.
3. Under Configuration and Preferences, click the Preferences button.
4. Click the Scanning Control tab.
5. Under Scanner Options make sure the following fields are checked:
   - Close browsers before scanning
   - Scan for tracking cookies
   - Terminate memory threats before quarantining
6. Click the Close button to leave the control center screen.
7. On the main screen, under Scan for Harmful Software click Scan your computer.
8. On the left, make sure you check mark C:\Fixed Drive.
9. On the right, under Complete Scan, choose Perform Complete Scan.
10. Click Next to start the scan. Please be patient while it scans your computer.
11. After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
12. Make sure every entry has a check mark next to it and click Next.
13. A notification will appear that Quarantine and Removal is Complete. Click OK and then Finish to return to the main menu.
14. Restart your computer.
================================================
STEP 4
Please visit the ESET Online Scanner, using Internet Explorer to initiate the scan.
1. Note: If you are running Windows Vista, then you will need Administrative privileges to complete the latter part of the procedure. To do so, right-click on the Internet Explorer icon in the Start Menu and select the Run As Administrator option in the shell context menu.
2. Check mark the YES, I accept the Terms of Use box.
3. Click the Start button.
4. Click the Install button on the following screen.
5. Click Start. This will initialize and update the scanner engine.
6. Check mark the box beside Remove found threats.
7. Click the Scan button. This will start the scan. Please be patient while it is in progress.
8. Restart your computer.
================================================
STEP 5
1. Click on Start > Programs > Accessories > System Tools and select System Restore.
2. Choose the radio button marked Create a Restore Point on the first screen and click Next.
3. Give the restore point a name then click Create. The new point will be stamped with the current date and time. Keep a note of this so you can find it easily should you need to use System Restore.
4. Next, click on Start > Run, type Cleanmgr and click on OK.
5. Click on the More Options tab.
6. Click the Clean Up button in the System Restore section to remove all previous restore points except the most recent one.
This will remove any infected files that have been backed up by Windows. The files in "System Restore" are protected to prevent any programs changing those files. This is the only foolproof way to ensure the deletion of those files.
Note: Please don't use it on a regular basis as this will clear all previous restore points. The feature might be very useful to revert your computer to working condition if something goes wrong.
Re-enable all your security applications and please return here and tell us how the computer seems to be operating.
We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.
RaidMax Smilodon Gaming Case | Gigabyte Z77X-UD5H M/B | Intel Core i5 3570K @ 3.4GHz | 8GB Corsair RAM | Nvidia GTX550 Ti 1GB GDDR5 | Corsair 800w PSU
Register for FREE >>here<< | If we have helped you, please consider a donation >>here<<
SAS | MBAM | WinPatrol | Avira | ERUNT | Nvidia Drivers
flame Posted March 25, 2009 (Author)
Thank you Spools and maynardvdm for replying.
Spools: I followed your instructions (1 to 5) but unfortunately the two infections were again detected by the AV scan.
maynardvdm: From your instructions, you seem to be suggesting that I should replace all my current protective programs? As you may appreciate, I'm reluctant to do this. Is the list below out of date/ineffective? I have already installed: CA AV (which I paid for - should I ask for my money back?), COMODO Firewall, CCleaner. I would still like to know how this infection got through, and what it's doing. The full address for the infected location is: C:\My Docs\my name\Local Settings\Temp5682e... if this helps?
RandyL Posted March 25, 2009
Hi flame;
Maynard is not suggesting you replace your security. The steps in the disinfection process are all free scan and removal programs. It has a proven record of cleaning infections. Once you run those programs you should be clean and can continue using your security products if you wish. It's anybody's guess how the infections got in, but they appear to be in your temp files and should be cleaned by the steps provided.
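RandyL's point that the flagged files sit in the temp folder suggests a quick check the thread itself does not give. The script below is an added example, not from this thread or from any of the tools mentioned in it: it lists every executable-type file in the user's Temp folders, including hidden ones (which is why a Windows 'search' finds nothing), with size, timestamp and SHA256 hash, so the entries the AV reports can be matched up or handed to the vendor's support. The XP-style 'Local Settings\Temp' path comes from flame's post; the extension list and everything else are assumptions.

```powershell
# Added example (not from the thread). Inventory executable-type files in the
# user's Temp folders, hidden ones included, and hash them for reporting.
$TempDirs = @(
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Local Settings\Temp')   # XP-style path quoted in the thread
) | Where-Object { Test-Path $_ } | Select-Object -Unique

# Extensions worth listing; assumed list, extend as needed
$Executable = '.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js'
$Sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-Sha256Hex([string]$Path) {
    # Locked or access-denied files are reported rather than aborting the listing
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try { ($Sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
    } catch { 'unreadable (locked or access denied)' }
}

$Findings = foreach ($dir in $TempDirs) {
    # -Force includes hidden and system files, which desktop search skips
    Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $Executable -contains $_.Extension.ToLower() } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path     = $_.FullName
                Size     = $_.Length
                Modified = $_.LastWriteTime
                Hidden   = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
                SHA256   = Get-Sha256Hex $_.FullName
            }
        }
}

# Newest files first: a dropper usually lands shortly before the AV alert
$Findings | Sort-Object Modified -Descending |
    Format-Table Modified, Hidden, Size, SHA256, Path -AutoSize
```

Run it from a normal PowerShell prompt; nothing is deleted or changed, so it is safe to run before and after the removal steps to see what disappeared.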
Spools Posted March 26, 2009
Because you've paid for your antivirus software, you should be able to get free support from Computer Associates directly. It might be worth letting them know the trouble you're having as they might be able to apply it to others. I noticed other variants of your bug in their latest definitions so it's possible they'll have a fix shortly.
Match Posted March 26, 2009
"I would still like to know how this infection got through, what it's doing?"
Although there are many ways to transmit an infection, the most common method is to embed them into a file, i.e. a video, music, image or program file, which you need to download and open to get infected, and hence this site's policy on P2P software and non-legitimately licensed software (cracked). As to what they do:
Trojan Virus - normally an information gathering tool for hackers, i.e. bank details and identity theft.
Worm Virus - this is quite nasty as it is a means of spreading a program, and if you read the link information I'm sure you will realise the implications.
I hope this answers your question or, if not, goes part way to explaining things more clearly for you.
flame Posted March 27, 2009 (Author)
Oh! Hello again :)
Maynard: Thank you for the instructions for infection removal. Here are its results:
I was unable to disable the Firewall (it seemed to only permit its removal?) but all else was stopped.
STEP 1: Completed o.k.
STEP 2 Results: Objects Infected - 1. Vendor - Rogue.Installer. Items - C:\Program Files\setup.exe. Action Taken - No Action Taken (but I removed it anyway!).
STEP 3 Results: Total - 6 File Items. Threat Description - Adware.Tracking Cookie - 5; Trojan.Downloader-Gen/A - 1.
STEP 4 Results: Unable to install! Installed ActiveX. Start Menu > right-click IE - Options: Browse the Internet, Internet Properties, Remove from this list. Unable to locate an Administrator option.
STEP 5 Results:
2. It created a Restore Point automatically, after the SuperAntiSpyware installation.
3. Selected 'Files from all users on this computer.'
5. Disc Cleanup for OS (C:\)
Finally, went back to CA AV to scan again and check if the two infections had been removed during the above. Selected scan was selected (infection location - C:\My Docs...etc.).
RESULT: Win32/FakeAV.JZ and JY... STILL THERE!!! :eek:
Please advise.
maynardvdm Posted March 27, 2009
Ok. Do this online scan instead: Trend Micro HouseCall - Free Online Virus and Spyware Scan - Trend Micro USA. Just click on Free scan and then select continue with free scan. Let us know the results.
flame Posted March 28, 2009 (Author)
The next attempts
Spools: I've emailed CA AV, but I've only received one automated acknowledgment and another directing me to info I already know. I think they are just standard responses. I'll contact them again next week.
Maynard: Here are my results from using TREND MICRO HOUSECALL:
Clicked "Scan Now. It's free!" Selected: Quick Select (scan complete computer for malware, grayware and vulnerabilities). Clicked Next.
STEP 1: Preparing to scan the computer. Began then stopped - the progress bar didn't change, 'Idle' written under the bar. Ticked "I want to select a different HouseCall Kernel". 'Using Java-based HouseCall Kernel.' Clicked "Starting HouseCall". But it stopped as before. Tried HouseCall 6.6 instead. Step 1 of 3: clicked Start Scanning.
STEP 2: This time progressed to Step 2. Ran for approx 50 minutes. Detected: Malware - 0, Grayware - 0, Vulnerabilities - 0.
STEP 3: 'Listing and removing infections and vulnerabilities'. Scanned Resources: 219633. But nothing happened. Started again, as above. This time: Detected: 1 Malware: Cryp_Xed-6. Listing and Removing Detected Infections and Vulnerabilities. Took several minutes, and TRJ_...etc., WORM_AKBOT.AW, etc., flashed past very fast. But, at the end of deletions, the one Malware was still showing as detected. Ran again, and Cryp_Xed-6 again still there! Therefore, I'm not sure if it has been deleted? :confused:
Ran CA AV again, and a 'selected scan' for C:\My Documents...etc. Result: Win32/FakeAV.JZ and JY detected and not deleted, again.
Is there a clue in the name of this 'bug', FakeAV - why it won't go?
Guest Wolfeymole Posted March 28, 2009
Did you actually run all of the tools listed in post 3 at all, Flame?
flame Posted March 28, 2009 (Author)
Hello Wolfeymole
Maynard's instruction set of downloadable programs: I did all EXCEPT his STEP 4 (ESET Online Scanner), for the reason I gave (in Post 8).
Guest Wolfeymole Posted March 28, 2009
You said: "STEP 4 Results: Unable to install! Installed ActiveX. Start Menu > right-click IE - Options: Browse the Internet, Internet Properties, Remove from this list. Unable to locate an Administrator option."
You do not "install" Nod but run it as an online scan via Internet Explorer. If anything demands administrator rights then right click and click Run as Administrator.
flame Posted March 28, 2009 (Author)
You said: "You do not "install" Nod but run it as an online scan via Internet Explorer. If anything demands administrator rights then right click and click Run as Administrator."
Nope! I still can't see how to get administrator rights from the Start Menu (No. 1 of STEP 4) in Vista via IE. Would you be able to give me 'landing instructions' for No. 1? Thank you.
Guest Wolfeymole Posted March 28, 2009
I don't know what you're on about here. Open IE and go here, accept the Terms of Use and click Start. Free ESET Online Antivirus Scanner
Note: If you are running Windows Vista, then you will need Administrative privileges to complete the latter part of the procedure. To do so, right-click on the Internet Explorer icon in the Start Menu and select the Run As Administrator option in the shell context menu.
1. Check mark the YES, I accept the Terms of Use box.
2. Click the Start button.
3. Click the Install button on the following screen.
4. Click Start. This will initialize and update the scanner engine.
5. Check mark the box beside Remove found threats.
6. Click the Scan button. This will start the scan. Please be patient while it is in progress.
7. Restart your computer.
flame Posted March 28, 2009 (Author)
"I don't know what you're on about here. Open IE and go here, accept the Terms of Use and click Start."
As I showed in my Results in STEP 4, all I had found from the Start Menu were three options. I have since clicked the 'Remove from this List' option and the 'shell content' has NOW appeared - it wasn't there before - that's what I'm 'on about!' But there's another problem with opening this program, so forget it, I'll just have to go to a shop!
flame Posted March 30, 2009 (Author)
Postscript to CA AV working? In case it's useful to anybody else.
I finally got a 'helpful' email from CA (Computer Associates) about the infections on my PC: they suggested I download an updated Security Suite. I ran a full scan, and it found the two infections, but this time one (only one!) of them had been moved into the Quarantine zone, and I could only delete that one manually (huh?). I then did a selective scan for C:\My Docs, etc., and afterwards both infections were gone!!!
So why were CA AV sending me automated updates all this time, yet I had not been updated from a 2007 Security Suite to the 2009 version? For this reason, I hesitate to recommend CA despite the fact that the solution finally lay with them. Though, as the solutions provided here hadn't cleared the infections, I wonder if the infections were particularly designed to attack CA?
maynardvdm Posted March 30, 2009
Thanks for letting us know. It does make one wonder. Look here for our recommendations: http://extremetechsupport.com/forum/malware-removal-av-firewalls-etc/3597-free-pc-help-recommended-security-products.html
flame Posted April 2, 2009 (Author)
I just had a look again at CA AV's Forum: "CA Treats customers with contempt - CA Home and Home Office Forum". Interesting!
DirtyPolo Posted April 2, 2009
Very interesting find, flame. Thanks for letting us know. Often this is the case with some companies: you must ask to talk to the superior people in order to get past that "part-time call center" kid and get a solution.