
Security Tool malware

Created: 09 Oct 2009 | 33 comments

We just had a laptop hit with the Security Tool malware.  It's a little vicious once the program starts up because it will auto-close Task Manager.  I tried Malwarebytes Anti-Malware and RootRepeal, but they did not detect it once I was in Safe Mode.  The process runs at Windows startup and has a helper process in case you are able to remove it.  I'm just wondering why SEP did not pick this up, as we full-scanned several times.

Comments

Sandeep Cheema:

New variant perhaps. You can submit the file to them for the definitions.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

AliceDoc:

Symantec totally misses the malware, will not recognize or remove it. I got Spyware Doctor from PC Tools and successfully removed it. I wonder if the companies who run these scams pay Symantec not to recognize them. The Symantec spyware scan doesn't recognize many of the spyware programs that Spyware Doctor removes in its scans just after Symantec had "cleaned" the computer. Why is it this way? I would love to see if these companies pay Symantec to ignore their spyware.

sandra.g:

Are you really suggesting Symantec is in cahoots with organized crime?

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps

.Brian:

The people that distribute these types of malware are not part of a "company".

They are sometimes paid by companies, devious ones, to create and distribute this junk though.

Thanks to sites like VirusTotal, hackers can upload their samples to ensure they are not detected. I'm not knocking VirusTotal because I use it quite a bit, but it can also be used for this.

If you do know an AV out there that can stop 100% of malware, please do let us know. I will be able to save a ton of money by getting rid of my IPS/IDS, firewalls, proxies, spam firewalls, VPNs, etc., and only run AV.

Hackers know which AV companies are at the top of their game. Symantec and McAfee specifically are the two big dogs out there. Hackers will continuously re-code their malware so it is not detected by the major players. So even though Symantec missed something, they can take it as a compliment. The bad guys are intentionally trying to avoid them because they know the chances of getting caught are pretty good.

Malwarebytes, Hitman Pro, Spyware Dr, etc are second opinion scanners. And as you can see from the first thread, Malwarebytes missed it.

Have you taken a look at the security response recommendations for SEP? Or you can google "SEP Secret Sauce" which was an excellent article written by tevia-boy on making SEP much stronger. Out of the box settings will not cut it for SEP.

I would suggest opening a new thread if you need help as this one is quite old. Many are here to help in that regard.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

sierra:

My company has an infected machine.

jjohnston14:

I got hit today too!  SEP did not catch it even after a full scan.  Tried Spyware Doctor and it removed it, but it returns on the next reboot.

henrycavanagh:

I got hit at 1:30 pm today 10/9/09. EST.  I kept getting pop ups claiming I was infected with 26 of this and 50 of that, and I noticed two shields on the task bar next to the symantec shield.  I kept closing the popups.  I could not right click them.  I scanned with symantec, it found a trojan and deleted it but could not find Security Tool.  The stupid thing put icons on the desktop.  I searched for the target and found it under Documents and Settings/Applications Data/ All users/ and then under there a folder with a long number starting with 5.  I was not allowed to delete it.  It also would not let me open any help functions in Windows or Symantec.  It also hid my desktop icons and the desktop folder under my log in account appeared empty but it was not.  I rebooted the computer and logged in.  AS SOON as the desktop started appearing, I went into task manager, processes, and waited for the process to show up, and sure enough it showed up as the exact same number as in the folder described above...I ended the process as soon as it popped up.  I then deleted the executable and folder, and all icons I could find (there were about 7 icons strewn about my computer in various places).  So far, it appears to be gone...fingers crossed.  Try this.  Hope it works...love to find the %@#^ who puts these things out there.

chrisoverb2002:

Experience very similar to henrycavanagh.  Symantec - the reason I pay for your product is to protect my computer. You have the next 36 hours to come up with something that KILLS this Security Tool malware dead as a doornail, or I want my money back.

Raffu:

Hello everyone,

We had a similar issue with this fake antivirus. SEP is not catching it even after a full scan. It will not allow any software to be installed on the PC. Submitted the suspicious files and the Symantec team is analysing them.

Thanks & Regards

Rafiq Ahmed

Mick2009:

Henrycavanaugh gave some excellent advice above.  Techniques like he recommended are very helpful for stopping these threats.

There have been several threads in the forums about these smitfraud / misleading applications.  The information in the following will require some reading, but the content will be helpful:

https://www-secure.symantec.com/connect/forums/antivirus-2009-2010-etc-malware 
https://www-secure.symantec.com/connect/forums/sep-cannot-remove-antivirus-pro-2010
https://www-secure.symantec.com/connect/forums/xp-antivirus-2008-2009
https://www-secure.symantec.com/connect/forums/xp-antivirus-2008

These are also good:

http://subsync.symantec.com/norton/theme.jsp?themeid=mislead
https://www-secure.symantec.com/connect/blogs/misleading-applications-show-me-money
https://www-secure.symantec.com/connect/blogs/misleading-applications-show-me-money-part-2
https://www-secure.symantec.com/connect/blogs/misleading-applications-show-me-money-part-3

Finally, it is also possible to contact Technical Support.  They have tools which can diagnose where the misleading application is loading from, and can recommend suspicious files to submit to Security Response so that definitions may be written against the threat.

If you have been able to identify the .exe that is behind an undetected Misleading app / Fake AV on your own, please do take the time to submit it to Symantec's Security Response.  Protection against new variants will be sped up by such helpful submissions.

Thanks and best regards,

Mick


Rajesh Kumar-SEP:

I had a similar problem. I sent the suspicious files to Symantec; after the analysis, Symantec released RR definitions for the issue.

Please check the below information.

* The submission has finished the analysis:

* New definitions of Rapid Release (RR) are already available:

- Also, you can download the *.jdb file and update the console as explained in the document below; then the client machines will get updated

How to update definitions for Symantec Endpoint Protection Manager using a JDB file

ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/
- Go into the folder with Sequence Number 101263 or higher (if the folders have lower numbers, wait a bit so they get updated)
- Download Intelligent Updater: symrapidreleasedefsv5i32.exe or symrapidreleasedefsv5i64.exe
- Run it in the infected machines in order to get them updated with the RR definitions
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009072204590148

Regards,
Rajesh.


ShadowsPapa:

You can also help to PREVENT such things by using a process similar to what I did in the article describing how to block rogue BHOs - or for that matter, anything that loads in the profile area. Be ready to grant some exceptions, however, or you will block Java updates, Outlook signatures, etc.
But I submitted an article that shows how to use SEP's application control to block those things to begin with, and log their attempts.

Vikram Kumar-SAV to SEP:

And here's the article:
https://www-secure.symantec.com/connect/articles/h...

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

zj74:

Hopefully this will help someone:

We had the malware on a desktop.  Symptoms were the same as others...

Bogus "security tool" pops up, reports a large number of bogus files infected, suggests to go to their website and pay to get their software to fix it.

Desktop icons were hidden, only thing showing on screen generally was the "security tool" screen

Could not get into safe mode on reboot, would get blue screen of death

Could not run regedit, it would immediately shut down on startup

Could not run Malwarebytes' Anti-malware program

SAV would report one file infected, would suggest a reboot, file would come back infected each time, never removed

Could not get into task manager, it would immediately shut down on startup

Tried all of the above.

Tried a vbs script to delete the S.T. registry entries, no luck

Tried to rename Malwarebytes mbam.exe to winlogon.exe, no luck

Tried a SAV full system scan, no luck, only turned up file it initially reported (had latest copy of data)

Tried RegAssassin from Malwarebytes, no luck

When I tried RegAssassin over and over there was a long enough delay in the PC to where I could open up task manager for running processes.  Once I did that I found a rogue .exe with a string of numbers. 

Once I killed that, all .exe files were allowed to run.  Got into regedit and deleted entries listed in the Symantec link.  Also went into \documents and settings\<my user>\Application Data\nnnnnn folder and deleted it (it was the same number as the rogue .exe program, a random string of numbers).

Also, went into start->run->msconfig, startup tab, just to be sure.

Rebooted, S.T. didn't show up, could then run full SAV scan and Malwarebytes against PC, all appears clean.   Hope this helps.

zj74:

If you're not able to get into Task Manager to stop it, try opening up Windows Explorer and looking for the folder listed in my previous message, \documents and settings\<my user>\Application Data\nnnnnn, for the nnnnnnn.exe (random string of numbers), rename it to nnnnnn.doc and reboot.  You might get some messages on reboot, but go past them.

Or you might try the get-into-msconfig method and uncheck it.

These are the things that worked for me.
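The manual procedure henrycavanagh and zj74 describe above (catch the digit-named process as it starts, kill it, rename or delete its binary, then clear the Run entries and dropped shortcuts) as a script. This is an added example, not code from the thread or from Symantec. It assumes, as the posts report, that the rogue executable and its folder are named with digits only and sit under the profile's Application Data; the function names and the `-Preview` switch are mine. Run it from an elevated PowerShell prompt on the infected machine.

```powershell
# Added example; not code from the thread or from Symantec. Scripts the manual
# removal described above: kill the digit-named process (and whatever restarts
# it), neutralise the binary, then clear the load points. -Preview reports only.
param([switch]$Preview)

# Assumption taken from the thread: the rogue .exe and its folder are digits only
# and sit under the profile's Application Data
# (XP: ...\Application Data\<digits>\<digits>.exe; Vista/7: ...\AppData\Roaming\...).
$pathPattern = '\\(Application Data|AppData\\Roaming)\\\d+\\\d+\.exe$'

function Find-RogueProcess {
    # Win32_Process carries the full image path; older Get-Process does not.
    Get-WmiObject Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match $pathPattern }
}

function Stop-RogueProcess {
    # The malware keeps a helper that restarts the main process, so repeat until
    # a pass finds nothing; the cap keeps an unknown variant from looping forever.
    $seen = @{}
    for ($pass = 0; $pass -lt 10; $pass++) {
        $rogues = @(Find-RogueProcess)
        if ($rogues.Count -eq 0) { break }
        foreach ($p in $rogues) {
            $seen[$p.ExecutablePath] = $true
            Write-Host ("Killing PID {0}: {1}" -f $p.ProcessId, $p.ExecutablePath)
            if (-not $Preview) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
        }
        Start-Sleep -Milliseconds 500
    }
    @($seen.Keys)
}

function Remove-RogueFiles([string[]]$ExePaths) {
    foreach ($exe in $ExePaths) {
        $dir = Split-Path $exe -Parent
        Write-Host "Neutralising $exe and removing $dir"
        if ($Preview) { continue }
        # zj74's trick: a renamed .exe cannot start at next boot even if the
        # folder delete below fails because something still holds a handle.
        $newName = [IO.Path]::GetFileNameWithoutExtension($exe) + '.doc'
        if (Test-Path $exe) { Rename-Item $exe $newName -ErrorAction SilentlyContinue }
        Remove-Item $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Remove-RogueLoadPoints([string[]]$ExePaths) {
    # Run keys in both hives: the thread reports entries in the user's hive and
    # under All Users.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }       # provider metadata, not a Run value
            $value = ([string]$prop.Value).ToLower()
            $match = @($ExePaths | Where-Object { $value.Contains($_.ToLower()) })
            if ($match.Count -eq 0) { continue }
            Write-Host "Removing Run entry $key\$($prop.Name) = $value"
            if (-not $Preview) { Remove-ItemProperty $key -Name $prop.Name }
        }
    }
    # Desktop shortcuts the malware drops, checked for every profile on the box.
    $shell = New-Object -ComObject WScript.Shell
    $profiles = Get-ChildItem (Split-Path $env:USERPROFILE -Parent) | Where-Object { $_.PSIsContainer }
    $links = $profiles | ForEach-Object {
        Get-ChildItem (Join-Path $_.FullName 'Desktop') -Filter *.lnk -ErrorAction SilentlyContinue
    }
    foreach ($lnk in $links) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if ($target -match $pathPattern) {
            Write-Host "Removing shortcut $($lnk.FullName) -> $target"
            if (-not $Preview) { Remove-Item $lnk.FullName -Force }
        }
    }
}

$exes = @(Stop-RogueProcess)
if ($exes.Count -eq 0) { Write-Host 'No digit-named process found under Application Data.'; return }
Remove-RogueFiles $exes
Remove-RogueLoadPoints $exes
Write-Host 'Reboot, then run full SEP and Malwarebytes scans to confirm nothing returns.'
```

Killing in a loop matters because the first post notes a helper process that restarts the main one; renaming before deleting matters because, as zj74 found, the running copy can hold the file open and block the delete while still losing its ability to start on the next boot.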

hellenbrand1:

I got the Security Tool malware yesterday and have tried as many of the recommendations as I can understand.  It is disappointing that my Symantec program definitions are up to date and did not prevent this, and yet this malware has been discussed on here for a full month now.  Please help!  I do not want to reformat my laptop.  How do I contact technical support to help with this?

ttexastyler18:

Hey everyone, I had this same problem with all the sweet nothings this malware had to offer. I followed Henrycavanaugh's advice and came to the same end he did. That is to say, it was a good one. I quickly wrote down the process and this is what it came up as: 61819429. If you see that on your computer, get rid of it ASAP. I would send it in to Norton but I can't seem to find out how. So anyone who can actually make sense of Norton's definition updates should do so. It worked perfectly though: brought Task Manager up as soon as the PC started booting up, waited for the process, ended the process. Then disabled it at startup through msconfig, and searched the code in Registry Editor and deleted it in all places the registry could find. Now I have just to reboot a second time and cross my fingers.

Grant_Hall:

Even though you are a Norton user I think you might be able to submit it at the same spot as the business people running Symantec Endpoint Protection. That site is here http://www.symantec.com/business/security_response.... If you try the top link for home users I don't think it asks for any information that would cause you troubles, so go ahead and try and submit it there. Hope it is gone after your second reboot : )

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

GMARKIE:

Just something to keep in mind: if you get a malware infection (many have the ability to disable your anti-virus program) the processes they install are locked when you are running Windows, so trying to get rid of them while in Windows doesn't make much sense.  I'm right now repairing a friend's laptop after they were tricked into installing this malware, and my best plan of attack, and one you should consider if you have the ability and equipment, is to remove the infected drive and run Malwarebytes or another good remover from another laptop or desktop machine with the infected drive attached via USB or other means. Make sure you are up to date on your uninfected machine so you don't catch a "cold."

gMarkie

scoop6274:

C'mon Symantec, this is still an issue 10 weeks later? This is the second computer in two weeks that I have had to clean because Endpoint Protection did not stop it. This is ridiculous. Fortunately, my process of fixing the computer was not as difficult as those above.

And the sixth computer in 4 months I have had to clean because of other viruses.

I was able to boot into safe mode with networking.
then run SuperAntiSpyware - portable edition off of a jumpdrive which cleaned it out.
then as added protection I installed (in safe mode after restart) Malwarebytes Antimalware and scanned
then as further added protection, installed CCleaner and did a registry cleaning.

Note, all of the above were free solutions that solved my problem.  Why is it we pay for your product and it can't stop this or clean it, and I can go and get free solutions and it cleans the computer no problem. Looks to me like you're just taking the money and running. I have to run Endpoint Protection at work because it is the corporate approved AntiVirus (as wrong as I think that is right now).

I'm not sure I can in good conscience recommend, or use any Norton Anti-Virus product on my own machines or any machine I work on or repair for a friend because of the issues I have had. It won't matter how much you discount your product, how much you advertise, or how much you stick it in with prebuilt PC's, eventually people will find out it doesn't work, and stop paying for it.

Symantec, my advice to you - FIX your product so it works!

bike12:

Well, Symantec is still not stopping any of the fake AV variants. Very, very disappointing. Just had Security Tool infect a computer and Symantec didn't see it coming, didn't stop the registry entries or the processes. Used rkill.com to stop the processes, then used Malwarebytes to remove the files I couldn't find. Hint: to get rkill to run, I had to download rkill.com to the desktop, then log out and in again, otherwise Security Tool would stop it. Before Security Tool could start all of its processes (one stops any executable, even if it's a .com or .pdf), I was able to run rkill.com. Then removed the rest by searching manually as well as running Malwarebytes. Guess if I was patient I could have just let Malwarebytes clean the computer, but I wanted to have a go at it.
I got all but 3 files.
In the last year, I've had various computers infected with the fake AV viruses, some installed after a trojan opened a backdoor for them. And Symantec didn't even detect Vundo on that computer? So we are switching to different AV corporate software.

sbertram87:

Are you using the newest version of SEP?  Might want to upgrade to see if that new version keeps you safe from here on in.

MattMiller:

SEP 11.0.5002.333 can't seem to catch any of these things. We've had so many viruses and fake antivirus programs in the past year, it's tough to keep up. We've escalated these issues a few times with Symantec Tech Support and we've been told such things as "You'll need to reload your computer", "If your end user allows the program to run, there's nothing we can do about it" and "These things happen".

Now that Symantec has fouled up our 3-year agreement we signed in December and is making us start the whole shebang again, we're trying out other vendors. How the mighty Symantec has fallen, and no matter how many times we try to tell their management about it, they just don't want to listen.

durkinr:

We had at least one system get infected today from this virus. The user was directed to an infected site from Wikipedia.

Luckily the user was not a local admin on the PC, which prevented the infection from spreading beyond his registry and the All Users profile.

We used tasklist and taskkill to remotely kill the randomly numbered process. A scan with SEP 11.0.5 did not detect anything. We manually removed the infection from the All Users profile, the user's profile, and the user's registry.

We are running a scan with Malwarebytes now.
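The remote tasklist/taskkill step durkinr mentions, scripted for a list of hosts so the same check can be run across a department. This is an added example, not code from the thread. It assumes the account running it is a local administrator on each target and that the RPC path `tasklist /S` uses is reachable, the same requirements as typing the commands by hand; the digits-only image name comes from the thread, and the function names and `-Kill` switch are mine.

```powershell
# Added example; not code from the thread. Lists digit-named processes on remote
# hosts with tasklist /S and, with -Kill, terminates them with taskkill /S.
param(
    [Parameter(Mandatory = $true)][string[]]$ComputerName,
    [switch]$Kill
)

# Assumption from the thread: the rogue image name is digits only, e.g. 61819429.exe.
$rogueName = '^\d+\.exe$'

function Get-RemoteRogueProcess([string]$Computer) {
    # /FO CSV gives a parseable listing; /V adds the User Name column so you can
    # see which profile the process runs under (All Users vs. a specific user).
    $csv = tasklist /S $Computer /FO CSV /V 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) {
        Write-Warning "tasklist failed against $Computer"
        return
    }
    $csv | ConvertFrom-Csv |
        Where-Object { $_.'Image Name' -match $rogueName } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Computer = $Computer
                Image    = $_.'Image Name'
                Pid      = [int]$_.PID
                User     = $_.'User Name'
            }
        }
}

function Stop-RemoteRogueProcess($Hit) {
    # Kill by the PID from the listing rather than /IM with a wildcard, so only
    # the matched process goes. Rerun the script afterwards: the helper process
    # the first post mentions may have started a fresh copy in the meantime.
    taskkill /S $Hit.Computer /PID $Hit.Pid /F | Out-Null
    return ($LASTEXITCODE -eq 0)
}

foreach ($c in $ComputerName) {
    $hits = @(Get-RemoteRogueProcess $c)
    if ($hits.Count -eq 0) { Write-Host "${c}: no digit-named process"; continue }
    foreach ($h in $hits) {
        Write-Host ("{0}: {1} PID {2} running as {3}" -f $h.Computer, $h.Image, $h.Pid, $h.User)
        if ($Kill) {
            if (Stop-RemoteRogueProcess $h) { Write-Host "  killed" } else { Write-Warning "  taskkill failed" }
        }
    }
}
```

Run it without `-Kill` first to see what matches; a legitimate product whose image name happens to be all digits would be rare, but the listing step is cheap and the kill step is not reversible.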

Arek01:

I'm in the same boat as the rest of you. I'm tired of Security Tool and other malware side-stepping Symantec AV protection. Different malware (doesn't have to be Security Tool) is apparently able to bypass the on-file scan when the file is created on the file system, is able to initialize its process and run in the background, meanwhile the latest versions of Symantec Endpoint (11.0.5 with latest defs) or SAV 10.1.9000 don't even know it's there. Then after I stop the background malware processes, SEP or SAV will finally pick up the malware files. Symantec, you guys seriously need to work on this. My customers are not happy when this happens, especially after they've just renewed for another year of SEP.

I'm also running additional free antivirus scanners or Malwarebytes to fix an issue SEP or SAV are unable to.

sandra.g:

Security tool and other fake AV programs are constantly being modified to evade detection.  Of course, we prefer to get submissions of all suspicious files so that definitions can be created, but even better is keeping them off of a system to begin with.  I have compiled a list that I regularly send out to customers who wonder why they keep getting infected with these things, even with current defs.  Bottom line is that modern threats are way more complicated than they used to be.  It is imperative to employ more than just antivirus.

Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
http://service1.symantec.com/SUPPORT/ent-security....

Title: 'Security Response recommendations for Symantec Endpoint Protection settings'
http://service1.symantec.com/SUPPORT/ent-security....

You can increase the sensitivity of the heuristic detection in Antivirus/Antispyware:

Title: 'How to enable, disable, or configure Bloodhound (TM) heuristic virus detection in Endpoint Protection.'
http://service1.symantec.com/SUPPORT/ent-security....

You can also increase the sensitivity of the heuristic scanner of Proactive Threat Protection (PTP), which is shipped with a relatively low setting so as not to trigger false positives in a production environment.  I recommend testing on a small group set to "log only" so that you can create exclusions for system critical processes that are detected.

Title: 'How to increase the sensitivity of Proactive Threat Protection in Symantec Endpoint Protection 11.x'
http://service1.symantec.com/SUPPORT/ent-security....

If you are not using Network Threat Protection (NTP) because you don't want to use the firewall, it is recommended to install it anyway to reap the benefits of Intrusion Prevention.  Unknown threats can be stopped and prevented from infecting a system in the first place based on the method by which it is trying to get on the system.

Title: 'Best practices regarding Intrusion Prevention System technology'
http://service1.symantec.com/SUPPORT/ent-security....

If you are infected and are having difficulty determining which files are malicious, please use the Load Point Analysis feature of the SEP Support Tool.  Please see the following for more information:

Title: 'The Symantec Endpoint Protection Support Tool'
http://service1.symantec.com/SUPPORT/ent-security....

Title: 'About the Load Point Analysis feature in the Symantec Endpoint Protection Support Tool'
http://service1.symantec.com/SUPPORT/ent-security....

Other best security practices are to ensure systems have critical Windows patches in place:

Microsoft Baseline Security Analyzer
http://www.microsoft.com/downloads/details.aspx?Fa...

Missing critical updates for third party programs can be a vector of infection.  Current versions to the best of my knowledge:

    - Adobe Reader: 9.3.2 - anything earlier is vulnerable and those vulnerabilities are actively exploited
    - QuickTime for Windows: 7.6.6; iTunes: 9.1
    - Java: Version 6 Update 20
    - Flash: 10.0.45.2

There are also some good user-contributed suggestions right here on the forums:

- Using Application and Device Control to protect against browser hijackers and fake AV
https://www-secure.symantec.com/connect/articles/h...

- Setting recommendations for different technologies
https://www-secure.symantec.com/connect/forums/tur...

Hope this helps,
sandra

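The third-party patch levels in sandra.g's post are the kind of thing worth checking mechanically across a fleet. The following is an added example, not code from the post or from Symantec: it reads the Uninstall registry keys and compares what it finds against the minimum versions listed above. The DisplayName patterns, the Java version string and the assumption that DisplayVersion parses as a dotted version are mine and need checking against the products in your environment (QuickTime and Java in particular report versions in their own formats; anything that fails to parse is reported as 'unparsable' rather than silently passed).

```powershell
# Added example; not from sandra.g's post or from Symantec. Compares the Uninstall
# registry inventory against the minimum versions the post lists.

# Minimum versions as given in the post above. Patterns are assumptions.
$minimums = @(
    @{ Pattern = '^Adobe Reader';        Min = '9.3.2'     },
    @{ Pattern = '^QuickTime';           Min = '7.6.6'     },
    @{ Pattern = '^iTunes';              Min = '9.1'       },
    @{ Pattern = '^Java\(TM\) 6 Update'; Min = '6.0.200'   },   # assumption: 6u20 registers as 6.0.200
    @{ Pattern = '^Adobe Flash Player';  Min = '10.0.45.2' }
)

function Get-InstalledPrograms {
    # Both Uninstall hives, so 32-bit products on 64-bit Windows are seen too.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion
}

function Compare-Inventory($Programs) {
    foreach ($p in $Programs) {
        foreach ($m in $minimums) {
            if ($p.DisplayName -notmatch $m.Pattern) { continue }
            # A version string the product wrote in its own format must not be
            # mistaken for "current"; report it so a human looks at it.
            $status = 'unparsable'
            try {
                if ([version]$p.DisplayVersion -lt [version]$m.Min) { $status = 'OUTDATED' } else { $status = 'ok' }
            } catch { }
            New-Object PSObject -Property @{
                Product   = $p.DisplayName
                Installed = $p.DisplayVersion
                Minimum   = $m.Min
                Status    = $status
            }
        }
    }
}

# Constructed sample rows, so the comparison can be exercised without touching
# the registry; the third row exercises the 'unparsable' path.
$sample = @(
    (New-Object PSObject -Property @{ DisplayName = 'Adobe Reader 9.3';              DisplayVersion = '9.3.0' }),
    (New-Object PSObject -Property @{ DisplayName = 'Adobe Flash Player 10 ActiveX'; DisplayVersion = '10.0.45.2' }),
    (New-Object PSObject -Property @{ DisplayName = 'QuickTime';                     DisplayVersion = '7.66.71.0 (beta)' })
)
Compare-Inventory $sample | Format-Table Product, Installed, Minimum, Status -AutoSize

# The real check on this machine.
Compare-Inventory (Get-InstalledPrograms) | Sort-Object Status | Format-Table Product, Installed, Minimum, Status -AutoSize
```

The minimum list will be stale the moment a vendor ships an update, so treat `$minimums` as data to maintain alongside the patch process, not as something to hard-code once.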

Scuba Steve:

Another thing to add to sandra's great post is the fact that these threats are re-packed every 15 minutes, therefore bypassing av definitions. We have multiple vectors for stopping these types of threats. But you must have all features installed in your environment to properly protect you. Having only AV installed is no longer a viable option for security in today's threat landscape.

Also user education can help as well. Most of these threats can be stopped if the user simply didn't click to allow the program to download its package.

NetRat:

Sad to say that we live in a different world network/systems-wise. It's no longer enough to have one form of AV product and expect to be safe.

To better understand the situation pick up any of the Rootkit or Pen Testing books at your local Barnes & Noble and it'll blow your mind.

fazza91:

I got someone on-line from Symantec to fix this remotely and they did an excellent job including instructions on what to do next time. From other sources, Spy Doctor does work provided you only re-boot when instructed and not before. The trouble is Security Tool slipped through again into my laptop and Norton 360 seems not only powerless to prevent it getting on board (it's hardly a new Trojan from the look of the entries above and Google entries I've found!) but, as others on this forum have noted, doesn't seem to be able to detect or quarantine it in subsequent scans.  

Mark_Occasional:

My handle describes my level of technical knowledge. I do not buy the add-ons; my income level is below the national average.

My issue is related to fazza91's. I find 'Antimalware Doctor' standing 6 x 3 on my desktop, a further icon on the desktop and one on the toolbar, an X on a shield.

I go to Norton and run a scan. This is the thing:
the full system scan usually lasts a couple of hours. This time it's over and done in twenty minutes. Antimalware Doctor, not explained.

The above has been going on for .... Norton's reaction might be described as 'lacking'?

sandra.g:

I can't advise on Norton because I'm not technically familiar with it. You may want to visit the Norton community.

You can certainly give the Symantec Power Eraser a try, which is part of the SEP Support Tool.

Title: 'The Symantec Endpoint Protection Support Tool'
http://service1.symantec.com/SUPPORT/ent-security....

Title: 'About Symantec Power Eraser'
http://service1.symantec.com/SUPPORT/ent-security....

sandra


AugustaPC:

"RKill" - Malware Process Killer killed the process for me, then allowing access, install, and updating of Malwarebytes and all other programs again, in normal boot mode.

"RKill - What it does and What it Doesn't - A brief introduction to the program"

by Bleeping Computer

http://www.bleepingcomputer.com/forums/topic308364.html

This handy tool kills, stops the process, works on many other pieces of malware. I had to click on one of the Rkill files about 5 times before it finally caught and killed the Security Tool process.

The main file to Security Tool was in Users, "account name", app data, roaming folder (I think), 0300....exe something file, can't recall. Most of these rogue programs are located in this, strange-looking files. If Malwarebytes is updated, right-click on the strange file and scan it (after Rkill).