Security Tool malware

tskelley wrote:

We just had a laptop hit with the Security Tool malware. It's a little vicious once the program starts up because it will auto-close Task Manager. I tried Malwarebytes Anti-Malware and RootRepeal, but they did not detect it once I was in Safe Mode. The process runs at Windows startup and has a helper process in case you are able to remove it. I'm just wondering why SEP did not pick this up, as we full-scanned several times.

Sandeep Cheema wrote:

New variant perhaps. You can submit the file to them for the definitions.

sierra wrote:

Have you issued new sig files yet?

My company has an infected machine.

jjohnston14 wrote:

I got hit today too! SEP did not catch it even after a full scan. Tried Spyware Doctor and it removed it, but it returns on the next reboot.

henrycavanagh wrote:

Security Tool Malware

I got hit at 1:30 pm today, 10/9/09 EST. I kept getting pop-ups claiming I was infected with 26 of this and 50 of that, and I noticed two shields on the task bar next to the Symantec shield. I kept closing the pop-ups. I could not right-click them. I scanned with Symantec; it found a trojan and deleted it but could not find Security Tool. The stupid thing put icons on the desktop. I searched for the target and found it under Documents and Settings/Applications Data/ All users/ and then under there a folder with a long number starting with 5. I was not allowed to delete it. It also would not let me open any help functions in Windows or Symantec. It also hid my desktop icons, and the desktop folder under my login account appeared empty but it was not. I rebooted the computer and logged in. AS SOON as the desktop started appearing, I went into Task Manager, Processes, and waited for the process to show up, and sure enough it showed up as the exact same number as in the folder described above. I ended the process as soon as it popped up. I then deleted the executable and folder, and all icons I could find (there were about 7 icons strewn about my computer in various places). So far, it appears to be gone...fingers crossed. Try this. Hope it works...love to find the %@#^ who puts these things out there.

chrisoverb2002 wrote:

"Security Tool"

Experience very similar to henrycavanagh's. Symantec, the reason I pay for your product is to protect my computer. You have the next 36 hours to come up with something that KILLS this Security Tool malware dead as a doornail, or I want my money back.

Raffu wrote:

Security Tool Malware

Hello everyone,

We had a similar issue with this fake antivirus. SEP is not catching it even after a full scan. It will not allow any software to be installed on the PC. Submitted the suspicious files and the Symantec team is analysing them.

Thanks & Regards

Rafiq Ahmed

Mick2009 wrote:

Additional Links

henrycavanagh gave some excellent advice above. Techniques like he recommended are very helpful for stopping these threats.

There have been several threads in the forums about these smitfraud / misleading applications.  The information in the following will require some reading, but the content will be helpful:

https://www-secure.symantec.com/connect/forums/antivirus-2009-2010-etc-malware 
https://www-secure.symantec.com/connect/forums/sep-cannot-remove-antivirus-pro-2010
https://www-secure.symantec.com/connect/forums/xp-antivirus-2008-2009
https://www-secure.symantec.com/connect/forums/xp-antivirus-2008

These are also good:

http://subsync.symantec.com/norton/theme.jsp?themeid=mislead
https://www-secure.symantec.com/connect/blogs/misleading-applications-show-me-money
https://www-secure.symantec.com/connect/blogs/misleading-applications-show-me-money-part-2
https://www-secure.symantec.com/connect/blogs/misleading-applications-show-me-money-part-3

Finally, it is also possible to contact Technical Support. They have tools which can diagnose where the misleading application is loading from, and can recommend suspicious files to submit to Security Response so that definitions may be written against the threat.

If you have been able to identify the .exe that is behind an undetected Misleading app / Fake AV on your own, please do take the time to submit it to Symantec's Security Response.  Protection against new variants will be sped up by such helpful submissions.

Thanks and best regards,

Mick

Rajesh Kumar-SEP wrote:

I had a similar problem. I have sent the suspicious files to Symantec; after the analysis, Symantec has released RR definitions for the issue.

Please check the below information.

* The submission has finished the analysis:

* New definitions of Rapid Release (RR) are already available:


- Also, you can download the *.jdb file and update the console as explained in the document below; then the client machines will get updated.

How to update definitions for Symantec Endpoint Protection Manager using a JDB file

ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/
- Go into the folder with Sequence Number 101263 or higher (if the folders have lower numbers, wait a bit so they get updated)
- Download Intelligent Updater: symrapidreleasedefsv5i32.exe or symrapidreleasedefsv5i64.exe
- Run it on the infected machines in order to get them updated with the RR definitions
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009072204590148

Regards,
Rajesh.


ShadowsPapa wrote:

You can also help to PREVENT such things by using a process similar to what I did in the article describing how to block rogue BHOs, or for that matter, anything that loads in the profile area. Be ready to grant some exceptions, however, or you will block Java updates, Outlook signatures, etc.
But I submitted an article that shows how to use SEP's application control to block those things to begin with... and log their attempts.


Vikram Kumar-SAV to SEP wrote:

And here's the article:
https://www-secure.symantec.com/connect/articles/h...


zj74 wrote:

Security Tool malware removal

Hopefully this will help someone:

We had the malware on a desktop.  Symptoms were the same as others...

Bogus "security tool" pops up, reports a large number of bogus files infected, suggests to go to their website and pay to get their software to fix it.

Desktop icons were hidden; the only thing showing on screen generally was the "security tool" screen.

Could not get into safe mode on reboot, would get blue screen of death

Could not run regedit, it would immediately shut down on startup

Could not run Malwarebytes' Anti-malware program

SAV would report one file infected, would suggest a reboot, file would come back infected each time, never removed

Could not get into task manager, it would immediately shut down on startup

Tried all of the above.

Tried a vbs script to delete the S.T. registry entries, no luck

Tried to rename Malwarebytes mbam.exe to winlogon.exe, no luck

Tried a SAV full system scan, no luck, only turned up file it initially reported (had latest copy of data)

Tried RegAssassin from Malwarebytes, no luck

When I tried RegAssassin over and over there was a long enough delay in the PC to where I could open up task manager for running processes.  Once I did that I found a rogue .exe with a string of numbers. 

Once I killed that, all .exe's were allowed to run. Got into regedit and deleted the entries listed in the Symantec link. Also went into \documents and settings\<my user>\Application Data\nnnnnn folder and deleted it (it was the same number as the rogue .exe program, a random string of numbers).

Also, went into start->run->msconfig  startup tab just to be sure.

Rebooted, S.T. didn't show up, could then run a full SAV scan and Malwarebytes against the PC, all appears clean. Hope this helps.
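An added triage script, not posted by anyone in this thread, that reports the pattern zj74 and henrycavanagh describe (an all-digit .exe running from the profile's Application Data, plus the Run-key entry that relaunches it) so an admin can confirm the file and PID before following the removal steps above. It assumes PowerShell 3 or later on the affected machine and an elevated prompt; the minimum digit length and the two path fragments are assumptions, adjust them to what you actually observe.

```powershell
# Added example (not from the thread): report processes and Run-key values that match the
# "random number .exe in the profile area" pattern the posters describe.
# Assumptions: PowerShell 3+ (Get-CimInstance), elevated prompt; digit length and path
# fragments below are assumed, not taken from a published indicator.
$digitName    = '^\d{5,}$'                             # e.g. 61819429.exe -> 61819429
$profilePaths = @('\Application Data\', '\AppData\')   # XP and Vista+ profile data dirs
$runKeys      = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# True when the image path sits under one of the profile data directories
function Test-ProfilePath([string]$path) {
    if (-not $path) { return $false }
    foreach ($frag in $profilePaths) {
        if ($path -like "*$frag*") { return $true }
    }
    return $false
}

# Running processes whose image name is all digits and whose binary lives in a profile dir;
# gives the PID without having to race Task Manager at logon
function Get-SuspectProcesses {
    Get-CimInstance Win32_Process | ForEach-Object {
        $base = [IO.Path]::GetFileNameWithoutExtension($_.Name)
        if ($base -match $digitName -and (Test-ProfilePath $_.ExecutablePath)) {
            [PSCustomObject]@{ Pid = $_.ProcessId; Name = $_.Name; Path = $_.ExecutablePath }
        }
    }
}

# Run-key values that launch an all-digit .exe, i.e. the startup entry posters removed
# through msconfig / regedit
function Get-SuspectRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }    # skip PSPath, PSParentPath, ...
            $cmd = [string]$prop.Value
            if ($cmd -match '\\\d{5,}\.exe') {
                [PSCustomObject]@{ Key = $key; ValueName = $prop.Name; Command = $cmd }
            }
        }
    }
}

Get-SuspectProcesses  | Format-Table -AutoSize
Get-SuspectRunEntries | Format-Table -AutoSize
```

The script only reports; ending the process, deleting the folder and clearing the Run value remain manual steps, as described in the posts above, so nothing is removed before you have looked at the path it prints.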

zj74 wrote:

Security Tool malware removal II

If you're not able to get into Task Manager to stop it, try opening up Windows Explorer and looking for the folder listed in my previous message, \documents and settings\<my user>\Application Data\nnnnnn, for the nnnnnnn.exe (random string of numbers), and rename it to nnnnnn.doc and reboot. You might get some messages on reboot, but go past them.

Or you might try the "get into msconfig" method and uncheck it.

These are the things that worked for me...........

hellenbrand1 wrote:

I got the Security Tool malware yesterday and have tried as many of the recommendations as I can understand. It is disappointing that my Symantec program definitions are up to date and did not prevent this, and yet this malware has been discussed on here for a full month now. Please help! I do not want to reformat my laptop. How do I contact technical support to help with this?

ttexastyler18 wrote:

random number sequence

Hey everyone, I had this same problem with all the sweet nothings this malware had to offer. I followed henrycavanagh's advice and came to the same end he did; that is to say, it was a good one. I quickly wrote down the process and this is what it came up as: 61819429. If you see that on your computer, get rid of it ASAP. I would send it in to Norton but I can't seem to find out how, so anyone who can actually make sense of Norton's definition updates should do so. It worked perfectly though: brought taskmgr up as soon as the PC started booting up, waited for the process, ended the process. Then disabled it at startup through msconfig, and searched the code in Registry Editor and deleted it in all places the registry could find. Now I have just to reboot a second time and cross my fingers.

Grant_Hall wrote:

Even though you are a Norton user, I think you might be able to submit it at the same spot as the business people running Symantec Endpoint Protection. That site is here: http://www.symantec.com/business/security_response.... If you try the top link for home users, I don't think it asks for any information that would cause you trouble, so go ahead and try to submit it there. Hope it is gone after your second reboot : )

Grant-
