Pesky "Trojan.FakeAV" won't go away!

I got a fake UPS invoice a few months ago with a nasty surprise in it. Norton found the trojan, but it still got through. Now, when I do a scan with my "TimeMachine" removable drive connected by USB, Norton keeps finding 30 examples of the trojan and says that they are "fully Repaired", but they show up again on each scan that I do. If I run the scan on the laptop ONLY, it does not detect the trojans.

Is there some way of removing these trojans that I am missing???

PS- I did do the live update to make sure all the definitions are up to date!

System: MacBook Pro running OS 10.6.4

Replies

Re: Pesky "Trojan.FakeAV" won't go away!

If you got the trojan in your e-mail, what probably happened is that Norton AntiVirus has prevented the virus from being written to your hard drive. However because of how some mail programs store their messages, there are copies of the trojan embedded in the email message that we cannot delete.

In the Norton AntiVirus application, there should be a full path of the virus that was detected. Please post the full path here, and we can give you more information on how to fully eradicate the trojan. To get the full path:

  1. Launch the Norton AntiVirus application.
  2. From the main window, click on "View recent activities…"
  3. Sort the Activity Log window by "Event Type" by clicking on the Event Type.
  4. Find the "Auto File Scan" item and click on the triangle next to it.
  5. Scroll until you find the detection for Trojan.FakeAV. The "Details" column will contain the full path to the file.

(Rest assured, your Mac is still protected--e-mail attachments are scanned as soon as they are downloaded, so even if the attachment is still in your email message, Norton AutoProtect will block it every time somebody tries to save the attachment to your Mac). 

Ryan McGann Technical Director Norton Business Unit, Symantec
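
An added example, not part of the thread and not Norton's code, showing why an attachment stays on disk inside a stored message: Apple Mail, for example, keeps each message as an `.emlx` file made of a byte-count line, the raw message with the attachment encoded inside it, and a trailing property list. The sketch below parses that layout read-only and lists each attachment with its SHA-256; the sample message, addresses and `invoice.zip` name are constructed.

```python
import email
import hashlib
import pathlib
from email import policy
from email.message import EmailMessage


def parse_emlx(raw: bytes):
    """Split .emlx bytes into (parsed message, trailing property-list bytes)."""
    count, sep, rest = raw.partition(b"\n")
    if not sep or not count.strip().isdigit():
        raise ValueError("missing .emlx byte-count line")
    length = int(count.strip())
    if length > len(rest):
        raise ValueError("truncated .emlx: byte count exceeds file size")
    return email.message_from_bytes(rest[:length], policy=policy.default), rest[length:]


def list_attachments(raw: bytes):
    """Return (filename, size, sha256) for each named part of the message."""
    msg, _plist = parse_emlx(raw)
    out = []
    for part in msg.walk():
        name = part.get_filename()
        if name and not part.is_multipart():
            data = part.get_payload(decode=True) or b""
            out.append((name, len(data), hashlib.sha256(data).hexdigest()))
    return out


def scan_tree(root):
    """Map each readable .emlx under root to its attachments (read-only)."""
    hits = {}
    for path in pathlib.Path(root).rglob("*.emlx"):
        try:
            found = list_attachments(path.read_bytes())
        except (ValueError, OSError):
            continue  # skip partial or unreadable message files
        if found:
            hits[str(path)] = found
    return hits


def build_sample_emlx() -> bytes:
    """Constructed sample: harmless bytes attached to a made-up message."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Invoice", "a@example.com", "b@example.com"
    m.set_content("See attached.")
    m.add_attachment(b"harmless placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.zip")
    body = m.as_bytes()
    return str(len(body)).encode() + b"\n" + body + b"<plist version=\"1.0\"><dict/></plist>\n"
```

Pointing `scan_tree` at a mail folder or a mounted backup volume shows which message files carry an attachment, which is the list of paths a scanner will keep reporting until those messages are removed.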

Re: Pesky "Trojan.FakeAV" won't go away!

Thanks for the help!

If I follow the directions you have posted, I am not able to get the items you need. I'll let you know the differences I am seeing and you can let me know if what I am doing is OK or wrong!

First, I did a manual scan, so it does not show up on the Auto File scan. So, under manual scan I see there are 30 entries for the trojan. Under each of the 30, it remarks that File was deleted and virus was fully repaired. These trojans are only on the TimeMachine back-up drive, so I assume that the drive contains my last 30 back-ups.

When I get to the file path, I cannot copy/paste it. It simply does not allow a right-click. I also cannot see the full filepath, no matter how I expand the window or move the bars. When I hover the cursor over the line, it has a pop-up box that does show the full path, but as soon as I move the cursor, it is gone.

But basically, the filepath is from "library/mail/pop.earthlink/junk.mbox/messages/26150.emlx".

The others are a variant of that. (Some have downloaded mail paths and attachment paths.)

Let me know what I am doing wrong with the capture of the path for you. I am stumped......

Re: Pesky "Trojan.FakeAV" won't go away!

The copy/paste issue in NAV is a known one we will address in a future version.

I've decided we don't need to pursue the sample uploading we discussed via email, because the problem appears to be specific to Time Machine.  Here's how I would suggest removing the files manually from your backups.

1. From the Time Machine menu (upper right of screen), choose "Enter Time Machine"

2. This will put you in Time Machine, which shows a Finder-like view of the backups.

3. Navigate to the infected files (as found in your manual scan)

4. Select the files (either individually or as a group)

5. In the Tools menu (gear icon) on the Time Machine window, select "Delete All Backups of xxxx" (where xxx is the file to be removed)

You'll receive an "Are you sure" alert, but if the file is the correct one, go ahead.  This should prevent future scans from detecting the backed up files.

We'll investigate this further to see if we can make this work more seamlessly in NAV.  Thanks for all your help, and let me know if this doesn't work or you have more questions.

-- Lee

Re: Pesky "Trojan.FakeAV" won't go away!

Thanks Lee!

I will do that asap. I will let you know if it does not work.
