Endpoint Protection


System Tool virus

  • 1.  System Tool virus

    Posted Dec 24, 2010 09:22 PM

    On my non-admin user, I have a program running that displays a "System Tool" page and runs a scan showing infected files.  It wants me to purchase this software... 

    I ran an Endpoint scan and removal, but this keeps coming back.

    How do I kill it?


    Thanks

    Carl..



  • 2.  RE: System Tool virus
    Best Answer

    Posted Dec 25, 2010 12:46 AM

    Check this post:

    https://www-secure.symantec.com/connect/forums/system-tool-malware-or-spyware



  • 3.  RE: System Tool virus

    Posted Dec 25, 2010 08:43 AM

    Please follow the steps underneath; unfortunately, fake AVs are rather difficult to remove.

    1. Isolate the machine from your production network.
    2. Please download Rapid Releases definitions (http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr), install them and launch full scan.
    3. If it does not help, use Symantec Endpoint Recovery Tool (LiveCD) following the instructions on:
    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions
    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US
    4. Use the Symantec Endpoint Protection Support Tool with Power Eraser (eliminates deeply embedded and difficult-to-remove threats that traditional virus scanning doesn't always detect) following the article:
    Support Tool with Power Eraser Tool included
    http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US
    5. Check the loadpoints on your machine:
    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files
    http://www.symantec.com/business/support/index?page=content&id=TECH141402
    6. If you manage to identify infected files and they are not detected by SEP, please submit the files using this link:
    http://www.symantec.com/business/security_response/submitsamples.jsp
    They will be verified and new definitions will be created.



  • 4.  RE: System Tool virus

    Posted Dec 26, 2010 03:12 PM

    Thank you Brian, this worked for me.



  • 5.  RE: System Tool virus

    Posted Dec 26, 2010 04:23 PM

    Don't forget to mark as Solved so it can benefit others as well ;)



  • 6.  RE: System Tool virus

    Posted Dec 26, 2010 04:29 PM

    Thumbs up for Brian! :-)



  • 7.  RE: System Tool virus

    Posted Dec 26, 2010 10:44 PM

    I just bought the System Tool product. Is there anything I can do to get rid of it, and get my money back?



  • 8.  RE: System Tool virus

    Posted Dec 26, 2010 10:55 PM

    Unfortunately, this may not be possible.

    I would immediately call your credit card company and cancel your credit card. Alert them as to what happened so they can see what can be done to stop this fraud. In addition, you may want to tell them to watch out for multiple transactions as the bad guys are likely to use your credit card to make additional purchases or sell to someone else who will do the same.

    You can try removing it with a product such as Malwarebytes or HitmanPro. You will need to boot into safe mode and then run a scan.

    You can also follow this post for removal:

    https://www-secure.symantec.com/connect/forums/system-tool-malware-or-spyware



  • 9.  RE: System Tool virus

    Posted Dec 27, 2010 07:54 AM

    Symantec Endpoint Protection was able to clean this infection with the latest virus definitions and a full system scan in Safe Mode with Networking!



  • 10.  RE: System Tool virus

    Posted Dec 28, 2010 09:00 PM

    2010-DEC-24_10:45pm: “System Tool” VIRUS infected computer.

    Was in Firefox version 3.6.3, perusing OkCupid site, but had a lot of other tabs open.

    NIS2005 had started a system scan at 8pm, but I had paused it.

    Firefox got really slow, I believe, coming almost to a halt. 

    I might conjecture that this virus gets in by exploiting a weakness in Firefox.  Or possibly coming in through an external ad on a website.


    NIS2005 firewall alerted:

    Outbound TCP connection.
    Remote address,service is (91.193.194.40,http(80)).
    Process name is "C:\Documents and Settings\All Users\Application Data\pNnPp08200\pNnPp08200.exe".


    I blocked it This One Time, despite NIS's recommendation to allow it.

    NIS should always give you that option to block or allow once; most times it doesn't.


    Found the file there in its own folder, in All Users.  The note you get when rolling over it in Windows Explorer said it was Microsoft, and is a registry editor.

    There’s another 1kb file there: “pNnPp08200” with no extension.

    I Googled pNnPp08200, but got nothing.


    Then I saw a red shield that looks like Windows Security Center, in my clock tray with a bubble that said my system was infected with spyware, and to click it to download critical updates. 

    When I clicked it, a so-called utility came up: “System Tool”, and scanned my hard drive.  NIS2005 appeared to be gone and disabled, and Task Manager and System Restore wouldn’t appear when run.  I think this virus puts up a desktop screen that looks normal, but hides all other applications you have running.  When I pushed the power button on my computer, it said it was shutting down Firefox (which I thought I had already closed). 

    System tool also replaces your desktop wallpaper with one that warns you of spyware.


    The NIS2005 CD I have doesn’t boot scan.  NIS2003 boot scans, but doesn’t see the SATA drive, or maybe it's because it is NTFS.

    So I booted the computer, and powered off before it could finish, so it would give me the “Windows did not finish booting normally” menu.


    I chose “boot with last configuration that worked,” ’cause I thought that would do a system restore.  It did not, and the virus was still there.


    So I did it again, and booted into Safe Mode. 


    From there, there’s a dialogue box that tells you you’re in safe mode, and it asks if you are going to do system restore, to choose “No”.  I chose no, and did a system restore. 


    System seems fine now; back to normal.  I ran CCleaner in case there was anything in the browser cache.

    The pNnPp08200.exe above is gone, but the other file and the folder are still there.  I ran a complete scan, with Bloodhound set to its highest level, but it didn't find anything.


    I wonder how the infection got on my computer.  NIS2005 was supposedly still working, and had virus defs of December 22, two days ago. Maybe it infected Firefox?  How did it get access to All Users\Application Data?
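Added example, not part of the original post or of any Symantec/NIS tool: a small Python checker that parses an NIS-style outbound-connection alert like the one quoted in this post and lists why the connecting process deserves to be blocked and investigated. The alert text is reconstructed from this post; the heuristics (binary in a user-writable data directory, machine-generated name, executable sitting in a same-named folder) are my assumptions about what a defender would look at, not rules from any product.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the NIS2005 alert quoted in the post above.
SAMPLE_ALERT = """Outbound TCP connection.
Remote address,service is (91.193.194.40,http(80)).
Process name is "C:\\Documents and Settings\\All Users\\Application Data\\pNnPp08200\\pNnPp08200.exe".
"""

REMOTE_RE = re.compile(r"Remote address,service is \(([\d.]+),(\w+)\((\d+)\)\)")
PROCESS_RE = re.compile(r'Process name is "([^"]+)"')

# Writable data directories that legitimate system components do not
# normally launch network-facing binaries from (assumed heuristic list).
DATA_DIRS = ("\\application data\\", "\\programdata\\", "\\local settings\\temp\\", "\\appdata\\")


def parse_alert(text: str) -> Dict[str, str]:
    """Pull the remote endpoint and the process path out of one alert."""
    info: Dict[str, str] = {}
    m = REMOTE_RE.search(text)
    if m:
        info["remote_ip"], info["service"], info["port"] = m.group(1), m.group(2), m.group(3)
    m = PROCESS_RE.search(text)
    if m:
        info["process"] = m.group(1)
    return info


def looks_random(name: str) -> bool:
    """Mixed-case letters plus digits with repeated case flips, e.g. pNnPp08200."""
    stem = name.rsplit(".", 1)[0]
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return (any(c.isupper() for c in stem) and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem) and flips >= 2)


def assess(alert: Dict[str, str]) -> List[str]:
    """Return the reasons this outbound connection should be blocked and investigated."""
    reasons: List[str] = []
    path = alert.get("process", "")
    parts = path.split("\\")
    exe = parts[-1] if parts else ""
    parent = parts[-2] if len(parts) >= 2 else ""
    if any(d in path.lower() for d in DATA_DIRS):
        reasons.append("executable launched from a user-writable data directory")
    if looks_random(exe):
        reasons.append("executable name looks machine-generated")
    if parent and exe.lower().startswith(parent.lower() + "."):
        reasons.append("executable sits in a folder of its own name (common dropper layout)")
    if alert.get("port") == "80" and reasons:
        reasons.append("plain HTTP callout to a bare IP from an unknown binary")
    return reasons
```

Feeding the quoted alert through `assess(parse_alert(SAMPLE_ALERT))` yields all four reasons, while a browser launched from Program Files yields none; the same checks apply to the load-point entries the Symantec Support Tool lists.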




  • 11.  RE: System Tool virus

    Posted Dec 28, 2010 09:59 PM

    The latest version of Firefox is 3.6.13

    If you're on 3.6.3, you're pretty far behind on being patched.

    http://www.mozilla.org/security/known-vulnerabilities/firefox36.html

    Are you up to date on Windows patches?

    Are you set up as admin on your PC? If so, you're dead in the water.

    Do you have UAC disabled? Some malware can easily bypass UAC but figured I'd ask anyways as it can help in some situations.

    What you had is FakeAV. You likely clicked on a link which directed you (without you knowing) to another site (which was infected) and the snowball started from there.




  • 12.  RE: System Tool virus

    Posted Jan 09, 2011 05:14 AM

    I have the System Tool problem too, and have tried to restart my computer in safe mode to try and deal with it, but all that's happening when I press the F8 key on restarting is a huge scream. I'm operating on Windows 7; does that make any difference to how I should be dealing with this?

    Is this unusual? Is there something else I ought to be doing to fix it?

    I am not particularly proficient at handling this sort of issue on my computer, so is it better to just pack the thing up and take it to my local expert?

    I would like to try and fix it myself, how much trouble can I get myself into as a babe in the woods?


    Advice gratefully accepted, though I suspect you will tell me to go to the experts.




  • 13.  RE: System Tool virus

    Posted Jan 09, 2011 09:10 AM

    Did you see this post?

    https://www-secure.symantec.com/connect/forums/system-tool-malware-or-spyware