Endpoint Protection

  • 1.  SimpleGuardinSentinel

    Posted Feb 18, 2011 04:51 AM

    I'm throwing this up because it's something I ran into and I've found nothing on Google about it. 

    Threat Capability/intent:

    Unknown

    Affected OSes:

    Windows 7 x64  (confirmed, but likely all versions of Windows)

    Description: 

    Randomly a popup occurs that says "Warning your computer is at risk of malware attacks".  This popup appears to be triggered by Internet Explorer going to a new page.  This can be any page, even known good ones.  Clicking "Ok" shoots you to www1.simpleguardinsentinel.ln.  The page instantly shows a status of a "scan" going through your hard drive. 

    Resident Files:

    While there may be a program resident on the computer somewhere I have yet to find it.  Files are likely protected from searches in Windows. Searching the registry reveals at least 3 registry entries.  Deleting these entries appears to at least temporarily disable the malware.

    Further Data Needed:

    Searches of affected file system in Linux.

    Further data on registry entries.

    Further data on reaction of deleted registry entries/files (if applicable)(Number of reboots for return).

    Notes:

    If there is a better place to post this please point me to it.

    Unfortunately I made the mistake of killing it before I fully examined it. 

    I do not know exactly where I picked it up initially, but will look to catch it again under a controlled environment unless further guidance is found.  I want to say I accidentally clicked an advertisement that I thought was a news article.




  • 2.  RE: SimpleGuardinSentinel

    Posted Feb 18, 2011 07:52 AM

    Check the load points in the registry and find whether any suspect file entries are present. If present, submit the same to Symantec....



  • 3.  RE: SimpleGuardinSentinel

    Posted Feb 18, 2011 01:53 PM

    If you have a valid serial number for SEP you can get the SERT utility and see if anything gets detected.

    If that fails to find the threat, run the Power Eraser Tool.

    SERT - http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

    Support Tool with Power Eraser Tool included –

    http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US


     Virus Submission links -

    http://www.symantec.com/business/security_response/submitsamples.jsp

    http://www.threatexpert.com/submit.aspx



  • 4.  RE: SimpleGuardinSentinel

    Posted Feb 18, 2011 04:27 PM

    Honestly this sounds like a fake AV, which usually takes advantage of vulnerabilities (IE, Adobe Reader, Java), with malicious code being unwittingly served by an ad server.  (Likely clicking anywhere on the pop up would direct you to the malicious site, not just clicking "OK".)

    The SERT utility would be useful in that you're not loading your OS and scanning outside of it.

    sandra



  • 5.  RE: SimpleGuardinSentinel

    Posted Feb 18, 2011 04:34 PM

    Well, it does sound like a fake AV. The registry entries you deleted must be pointing to the malware files; have you removed them as well? They get downloaded to the Local Temp first, so you can check there if there is something suspicious sitting quietly.
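    The two checks suggested in this thread (look at the registry load points, then look for whatever they point to in Local Temp) as one added PowerShell triage script, not code from the thread or from Symantec. It assumes the standard Run/RunOnce keys and the current user's %TEMP%/%LOCALAPPDATA% folders; the "Suspect" flag is a triage hint, not a verdict.

```powershell
# Added example (not from the thread): list autorun ("load point") entries in the
# common Run/RunOnce keys and flag any whose executable lives under the user's
# Temp or Local AppData folder, the drop location the thread mentions for fake AV.
# Run as the affected user so the HKCU keys are that user's hive.

$loadPoints = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on x64
)

# Folders a legitimate autorun entry should almost never point into.
$suspectRoots = @($env:TEMP, $env:LOCALAPPDATA) | ForEach-Object { $_.TrimEnd('\') }

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Quoted path: take what is inside the quotes. Unquoted: cut at the first " -" or " /" argument.
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+(?=[-/])')[0].Trim()
}

$findings = foreach ($key in $loadPoints) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        $exe      = Get-ExecutablePath -CommandLine ([string]$prop.Value)
        $expanded = [Environment]::ExpandEnvironmentVariables($exe)
        $inTemp   = $suspectRoots | Where-Object { $expanded -like "$_\*" }
        [pscustomobject]@{
            Key        = $key
            Name       = $prop.Name
            Executable = $expanded
            Exists     = ($expanded -ne '') -and (Test-Path -LiteralPath $expanded)
            Suspect    = [bool]$inTemp
        }
    }
}

# Show every load point first, then the ones worth sending through the submission links above.
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Suspect -or -not $_.Exists } | Format-List
```

Entries whose file no longer exists are also listed, since that is what a load point left behind after the files were deleted looks like.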



  • 6.  RE: SimpleGuardinSentinel

    Posted Feb 18, 2011 09:31 PM

    Anyone heard of Sentinel Client V 3.5?  This is the only thing close that I've found so far.  With Windows 7 I'm still getting the hang of what is normal and what is not.