From: AndyHancock on
I picked up the (seemingly new) "Antivirus Suite" malware,http://
www.spywareremove.com/removeAntivirusSuite.html. Every time I tried to
launch any exe, I got a bogus infection message and denial of
execution. This includes any indirect launching of "C:\Program Files
\Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
system tray and choosing "Open Symantec Antivirus". No scanning was
possible.

I was followed step 1 in the above URL to kill the offending process.
I could then run Symantec AV, but initiating a scan caused the error
in http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16ef8825734100634940/5bfc1a720f52435988256fb9007a3a9e.
Restarting the service solved that problem. The scan did not find
anything. I noted that Tamper Protection was turned off (not sure if
it was before) and turned it on. (1) Would this have prevented the
interruption of the Symantec AV service? (2) Would it have prevented
the malware executable that was removed in Step 1?

I am now following through with the remainder of the steps. I am not
whether the null hits from scanning is due to removal of all vestiges
of the malware or because the Symantec AV database does not recognize
this malware. The AV database was up to date as of this morning. (3)
Is there a way to determine whether this malware is in the AV
database?

Thanks.

P.S. A different cleanup routine found at
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite.
From: David H. Lipman on
From: "AndyHancock" <andymhancock(a)gmail.com>

| I picked up the (seemingly new) "Antivirus Suite" malware,http://
| www.spywareremove.com/removeAntivirusSuite.html. Every time I tried to
| launch any exe, I got a bogus infection message and denial of
| execution. This includes any indirect launching of "C:\Program Files
| \Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
| system tray and choosing "Open Symantec Antivirus". No scanning was
| possible.

| I was followed step 1 in the above URL to kill the offending process.
| I could then run Symantec AV, but initiating a scan caused the error
| in
| http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16ef8825734100634940/
| 5bfc1a720f52435988256fb9007a3a9e.
| Restarting the service solved that problem. The scan did not find
| anything. I noted that Tamper Protection was turned off (not sure if
| it was before) and turned it on. (1) Would this have prevented the
| interruption of the Symantec AV service? (2) Would it have prevented
| the malware executable that was removed in Step 1?

| I am now following through with the remainder of the steps. I am not
| whether the null hits from scanning is due to removal of all vestiges
| of the malware or because the Symantec AV database does not recognize
| this malware. The AV database was up to date as of this morning. (3)
| Is there a way to determine whether this malware is in the AV
| database?

| Thanks.

| P.S. A different cleanup routine found at
| http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite.

Follow the directions noted at BleepingComputer.Com including the use of Malwarebytes'
anti malware


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: AndyHancock on
On Apr 7, 6:21 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
wrote:
> From: "AndyHancock" <andymhanc...(a)gmail.com>
>
> | I picked up the (seemingly new) "Antivirus Suite" malware,
> |http://www.spywareremove.com/removeAntivirusSuite.html.  Every time I
> | tried to launch any exe, I got a bogus infection message and denial of
> | execution.  This includes any indirect launching of "C:\Program Files
> | \Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
> | system tray and choosing "Open Symantec Antivirus".  No scanning was
> | possible.
>
> | I was followed step 1 in the above URL to kill the offending process.
> | I could then run Symantec AV, but initiating a scan caused the error
> | in
> |http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16e...
> | 5bfc1a720f52435988256fb9007a3a9e.
> | Restarting the service solved that problem.  The scan did not find
> | anything.  I noted that Tamper Protection was turned off (not sure if
> | it was before) and turned it on.  (1) Would this have prevented the
> | interruption of the Symantec AV service?  (2) Would it have prevented
> | the malware executable that was removed in Step 1?
>
> | I am now following through with the remainder of the steps.  I am not
> | whether the null hits from scanning is due to removal of all vestiges
> | of the malware or because the Symantec AV database does not recognize
> | this malware.  The AV database was up to date as of this morning.  (3)
> | Is there a way to determine whether this malware is in the AV
> | database?
>
> | Thanks.
>
> | P.S. A different cleanup routine found at
> |http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite.
>
> Follow the directions noted at BleepingComputer.Com including
> the use of Malwarebytes' anti malware
>
> Answered.
>
> Why didn't you add alt.comp.virus to this post since you knew to Cross-Post ?
> Afterthought maybe ?

I didn't know it existed when I made the initial post. It seems to
target the same audience as a.c.av, so it seems to makes sense to
combine them all.

I was going to follow both cleanup procedures, but I was wondering if
those more experienced than I (and maybe those who have seen this
malware before) could shed some light on questions (1) to (3).
From: AndyHancock on
On Apr 7, 10:28 pm, AndyHancock <andymhanc...(a)gmail.com> wrote:
> On Apr 7, 6:21 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
> wrote:
>
>
>
> > From: "AndyHancock" <andymhanc...(a)gmail.com>
>
> > | I picked up the (seemingly new) "Antivirus Suite" malware,
> > |http://www.spywareremove.com/removeAntivirusSuite.html.  Every time I
> > | tried to launch any exe, I got a bogus infection message and denial of
> > | execution.  This includes any indirect launching of "C:\Program Files
> > | \Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
> > | system tray and choosing "Open Symantec Antivirus".  No scanning was
> > | possible.
>
> > | I was followed step 1 in the above URL to kill the offending process.
> > | I could then run Symantec AV, but initiating a scan caused the error
> > | in
> > |http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16e....
> > | 5bfc1a720f52435988256fb9007a3a9e.
> > | Restarting the service solved that problem.  The scan did not find
> > | anything.  I noted that Tamper Protection was turned off (not sure if
> > | it was before) and turned it on.  (1) Would this have prevented the
> > | interruption of the Symantec AV service?  (2) Would it have prevented
> > | the malware executable that was removed in Step 1?
>
> > | I am now following through with the remainder of the steps.  I am not
> > | whether the null hits from scanning is due to removal of all vestiges
> > | of the malware or because the Symantec AV database does not recognize
> > | this malware.  The AV database was up to date as of this morning.  (3)
> > | Is there a way to determine whether this malware is in the AV
> > | database?
>
> > | Thanks.
>
> > | P.S. A different cleanup routine found at
> > |http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite.
>
> > Follow the directions noted at BleepingComputer.Com including
> > the use of Malwarebytes' anti malware

The mbam installation requires login as administrator. I'm trying to
avoid logging in as admin until I've gone through all possible steps
as nonadmin (which is that state under which the infection occurred).
Is there a way to obtain a similar level of assurance before switching
to an administrator account? I've followed the procedure at both
URL's. I know that Symantec AV *doesn't* catch this malware as of
today.

> > Why didn't you add alt.comp.virus to this post since you knew to Cross-Post ?
> > Afterthought maybe ?
>
> I didn't know it existed when I made the initial post.  It seems to
> target the same audience as a.c.av, so it seems to makes sense to
> combine them all.
>
> I was going to follow both cleanup procedures, but I was wondering if
> those more experienced than I (and maybe those who have seen this
> malware before) could shed some light on questions (1) to (3).

From: AndyHancock on
On Apr 8, 1:14 am, AndyHancock <andymhanc...(a)gmail.com> wrote:
> On Apr 7, 10:28 pm, AndyHancock <andymhanc...(a)gmail.com> wrote:
>
>
>
>
>
> > On Apr 7, 6:21 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
> > wrote:
>
> > > From: "AndyHancock" <andymhanc...(a)gmail.com>
>
> > > | I picked up the (seemingly new) "Antivirus Suite" malware,
> > > |http://www.spywareremove.com/removeAntivirusSuite.html.  Every time I
> > > | tried to launch any exe, I got a bogus infection message and denial of
> > > | execution.  This includes any indirect launching of "C:\Program Files
> > > | \Symantec AntiVirus\VPC32.exe" by right-clicking Symantec on the
> > > | system tray and choosing "Open Symantec Antivirus".  No scanning was
> > > | possible.
>
> > > | I was followed step 1 in the above URL to kill the offending process.
> > > | I could then run Symantec AV, but initiating a scan caused the error
> > > | in
> > > |http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16e...
> > > | 5bfc1a720f52435988256fb9007a3a9e.
> > > | Restarting the service solved that problem.  The scan did not find
> > > | anything.  I noted that Tamper Protection was turned off (not sure if
> > > | it was before) and turned it on.  (1) Would this have prevented the
> > > | interruption of the Symantec AV service?  (2) Would it have prevented
> > > | the malware executable that was removed in Step 1?
>
> > > | I am now following through with the remainder of the steps.  I am not
> > > | whether the null hits from scanning is due to removal of all vestiges
> > > | of the malware or because the Symantec AV database does not recognize
> > > | this malware.  The AV database was up to date as of this morning.  (3)
> > > | Is there a way to determine whether this malware is in the AV
> > > | database?
>
> > > | Thanks.
>
> > > | P.S. A different cleanup routine found at
> > > |http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite..
>
> > > Follow the directions noted at BleepingComputer.Com including
> > > the use of Malwarebytes' anti malware
>
> The mbam installation requires login as administrator.  I'm trying to
> avoid logging in as admin until I've gone through all possible steps
> as nonadmin (which is that state under which the infection occurred).
> Is there a way to obtain a similar level of assurance before switching
> to an administrator account?  I've followed the procedure at both
> URL's.  I know that Symantec AV *doesn't* catch this malware as of
> today.

I bit the bullet and installed mbam as admin. Currently scanning.
Would you (or anyone else) know if scanning under an admin account
allows the AV to scan user account files? This is something I've
always wondered about antimalware and defrag apps.

> > > Why didn't you add alt.comp.virus to this post since you knew to Cross-Post ?
> > > Afterthought maybe ?
>
> > I didn't know it existed when I made the initial post.  It seems to
> > target the same audience as a.c.av, so it seems to makes sense to
> > combine them all.
>
> > I was going to follow both cleanup procedures, but I was wondering if
> > those more experienced than I (and maybe those who have seen this
> > malware before) could shed some light on questions (1) to (3).