02/17/2010 18:52:03
TheElectrician
Unstoppable
Joined: 01/23/2006 22:13:50
Messages: 301
Location: Twin Cities, MN (aka frozen tundra)
Offline
I don't Facebook or Myspace, but my wife does and I want to give other users a heads up about a nasty virus going around on those sites.
She clicked a link to a picture and got a virus disguised as anti-virus software. It was called Security Tool. It comes in other forms as well, I have heard.
It plants itself in the system files, registry, and various other hard to find places in Windows.
In short, it literally takes over your PC. It pops up at startup and tells the user that your PC is infected with countless viruses that, of course, only it can remove. Next, it will not let the user open ANY programs, apps, and in my case, even the task manager. As soon as you try to open a program, a pop-up appears telling you that the program is infected with a virus. If a user is naive enough to buy the bogus software, the criminals now have your credit card and personal info. Needless to say, don't click on anything it tells you to.
It was a bit tricky to totally clean up. Rebooting in safe mode is the only way to start the cleanup.
In any case, just be very cautious about what you click and open, just like email.
Summit Extra Pale Ale....the best beer known to man.
My skin: http://download.beyondunreal.com/fileworks.php/skincity/ut2k4/boid_ut2k4.zip
02/17/2010 19:33:44
Fire_eclipse
Godlike
Joined: 01/24/2005 12:11:23
Messages: 353
Location: Red Lodge, MT
Offline
Thank you for the heads up, Electrician. I would have never known, and I will start being more cautious.
Can take the cold, can take the heat, and can't be beat.
02/18/2010 23:06:30
greg11
Wicked Sick!
Joined: 02/10/2008 20:00:40
Messages: 526
Location: Hood River, OR
Offline
I have been cleaning this type of virus for a couple of companies and individuals. I have seen it take various forms, but it's effective with company computers since employees think they are doing the right thing by activating the so called virus scanner.
I have had 3 calls today about it. The virus is likely coming from flash advertisements. There was a flash update 3 days ago. Go here to check your flash version: http://www.adobe.com/software/flash/about/
The virus/trojan opens the door for more infections and many computers that I have worked on contained rootkits, but I am unsure of which came first. The rootkits are effective at not being detected by virus scanners...I have been removing the drive and scanning them with another computer to detect them. Some of them replaced system files such as atapi.sys. The system files can be recovered by copying them from /windows/system32/dllcache (for winxp)
In many cases the virus prevented booting into safe mode, and crippled some of the tools used to repair the system such as taskmgr and regedit. A recovery console can be used to fix this.
Some users have been able to perform a system restore, but it tends to only be effective if they go back a month or two...The virus and rootkit could have been dormant for many weeks.
The virus is self updating, so if you do plan to try to manually remove it, it helps to disconnect the machine from the web. It seems that the virus can become aware that you are trying to remove it, and will try and lock down the machine.
The best advice is to wipe your machine and start fresh. Windows sucks up your drive after many updates anyway, you may find you can recover about 8g just from a fresh install. I have not seen this type of malware infect personal documents or media, so you should be able to backup your stuff.
After you get everything fixed, install microsoft security essentials if you don't have a current antivirus: http://www.microsoft.com/Security_Essentials/ It is free for legitimate windows users. It seems to use less resources than some of the big AV scanners out there (one of the reasons some users don't have AV)
edit:
I forgot to mention sysinternals: http://technet.microsoft.com/en-us/sysinternals/default.aspx specifically procmon, procexp, and autoruns.
autoruns can verify code signatures on all programs and drivers that are loaded at boot. Go to options and enable verify code signatures, then hide Microsoft entries. Hit refresh, and anything that is left should be questioned. autoruns works like msconfig, but with more detail. If your computer takes a long time to start up, you can use it to disable some of the programs that load...just make sure you know what it is before you disable something important.
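As an added illustration of the triage greg11 describes (turn on signature verification, hide the verified Microsoft entries, question whatever is left), here is a Python script written for this page. It is example code, not a Sysinternals tool and not anything posted in the thread. It assumes an autostart listing exported as CSV with `Entry`, `Signer` and `Image Path` columns, where the signer field is prefixed `(Verified)` or `(Not verified)`; that column layout is an assumption, and the rows below are constructed sample data, not output from a real machine. It goes one step beyond the post by separating "unsigned" from "named Microsoft but the signature does not verify", which is the pattern of a replaced system file such as the atapi.sys case above.

```python
"""Triage of a constructed Autoruns-style CSV export (example code for this page)."""
import csv
import io

# Signers whose *verified* entries are hidden, like "Hide Microsoft entries".
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

# Constructed sample data. The column layout is an assumption about what a
# signature-aware autostart listing contains; it is not a real export.
SAMPLE_CSV = """Entry Location,Entry,Category,Signer,Image Path
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon,Logon,(Verified) Microsoft Windows,c:\\windows\\system32\\ctfmon.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,nwiz,Logon,(Verified) NVIDIA Corporation,c:\\windows\\system32\\nwiz.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,14075392,Logon,(Not verified),c:\\documents and settings\\all users\\application data\\14075392\\14075392.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,atapi,Drivers,(Not verified) Microsoft Corporation,c:\\windows\\system32\\drivers\\atapi.sys
"""


def parse_signer(signer):
    """Split '(Verified) Foo Corp' into (True, 'Foo Corp'); missing name -> ''."""
    signer = signer.strip()
    if signer.startswith("(Verified)"):
        return True, signer[len("(Verified)"):].strip()
    if signer.startswith("(Not verified)"):
        return False, signer[len("(Not verified)"):].strip()
    return False, signer


def classify(row):
    """Return None for an entry to hide, otherwise a reason to look at it."""
    verified, name = parse_signer(row["Signer"])
    if verified and name in TRUSTED_SIGNERS:
        return None  # verified Microsoft entry: hidden, as in the manual workflow
    if verified:
        return "third-party signed: confirm you installed it"
    if name in TRUSTED_SIGNERS:
        # A Microsoft-named file whose signature fails is the replaced-system-file
        # pattern (atapi.sys in the thread): compare it with the dllcache copy.
        return "claims %s but signature failed: compare with the copy in dllcache" % name
    return "unsigned: question this entry"


def triage(csv_text):
    """Return (entry, image path, reason) for every row that survives the filter."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(row)
        if reason is not None:
            findings.append((row["Entry"], row["Image Path"], reason))
    return findings


if __name__ == "__main__":
    for entry, path, reason in triage(SAMPLE_CSV):
        print("%-10s %-70s %s" % (entry, path, reason))
```

Run it as-is to see the three entries that remain after the verified Microsoft row is hidden; to use it on a real listing, replace `SAMPLE_CSV` with the contents of your own export, adjusting the column names if yours differ.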
02/18/2010 23:21:25
Ghost
Killing Spree
Joined: 08/24/2008 21:25:58
Messages: 49
Offline
greg11 wrote:
The rootkits are effective at not being detected by virus scanners...
If antivirus software can't detect rootkits, what can?
My skin: Ghost Ranger
02/18/2010 23:27:41
greg11
Wicked Sick!
Joined: 02/10/2008 20:00:40
Messages: 526
Location: Hood River, OR
Offline
Ghost wrote:
greg11 wrote:
The rootkits are effective at not being detected by virus scanners...
If antivirus software can't detect rootkits, what can?
sysinternals has a rootkit scanner: http://technet.microsoft.com/en-us/sysinternals/default.aspx The actual usefulness of it is debatable...and I never think to use it. I usually find them using autoruns with code signature verification enabled (see my above post that I added to when you posted), or by using a clean computer to scan the hard drive as an external drive.
Here is a fun read: http://en.wikipedia.org/wiki/Sony_BMG_CD_copy_protection_scandal ...thanks Sony
02/18/2010 23:33:37
greg11
Wicked Sick!
Joined: 02/10/2008 20:00:40
Messages: 526
Location: Hood River, OR
Offline
Another thing to check before connecting your computer back to the internet is your hosts file, located at c:\windows\system32\drivers\etc\hosts
Some malware has been modifying this so legitimate sites such as microsoft.com get redirected to malicious sites.
Also check your internet connection settings...some change your connection settings to use a proxy that might be localhost or a remote site. If you don't know what a proxy is, you probably shouldn't be using one.
I have yet to work on an infected vista or win7 machine.
I did get a request today to look at a vista machine, but I suspect a hardware issue and not a malware issue.
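The two checks in the post above (hosts file entries that redirect legitimate sites, and a proxy quietly set on the connection) as an added example, written for this page and not part of the thread. The hosts file below is a constructed sample, not one taken from an infected machine. The proxy function takes the two values Internet Explorer stores under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (`ProxyEnable` and `ProxyServer`) as plain arguments rather than reading the registry, so it runs anywhere; it also handles the per-protocol `http=host:port;https=host:port` form, which goes slightly beyond the single-proxy case the post mentions. The list of watched domains is limited to the sites named in the thread and is an assumption you would extend for your own environment.

```python
"""Hosts-file and proxy-setting checks after a cleanup (example code for this page)."""
import ipaddress

# Sites the thread mentions as targets of redirection; extend for your own needs.
WATCHED_DOMAINS = ("microsoft.com", "adobe.com")

# Constructed sample, not a real hosts file. Lines 4 and 5 are the kind of
# tampering the post describes; line 3 is a deliberate ad block, which is harmless.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net           # deliberate ad block: harmless
192.0.2.44      www.microsoft.com update.microsoft.com
127.0.0.1       get.adobe.com
"""


def parse_hosts(text):
    """Yield (line number, address, hostname) for every mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                 # one address may carry several names
            yield lineno, parts[0], host.lower()


def is_sink(address):
    """True for 127.x / ::1 / 0.0.0.0, i.e. a mapping that makes the name unreachable."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False                           # malformed address: not a sink
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Return (line number, hostname, reason) for entries worth reviewing."""
    findings = []
    for lineno, address, host in parse_hosts(text):
        if host == "localhost" and is_sink(address):
            continue                           # the one entry a stock file contains
        watched = any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)
        if watched and is_sink(address):
            findings.append((lineno, host, "blocked: %s points at %s" % (host, address)))
        elif watched:
            findings.append((lineno, host, "redirected: %s points at %s" % (host, address)))
        elif not is_sink(address):
            # Pinning any other name to a real address deserves a look too.
            findings.append((lineno, host, "review: %s pinned to %s" % (host, address)))
    return findings


def audit_proxy(proxy_enable, proxy_server):
    """Classify the ProxyEnable / ProxyServer pair; returns (scheme, target, reason)."""
    if not proxy_enable:
        return []                              # proxy off: nothing to report
    findings = []
    for item in proxy_server.split(";"):
        scheme, _, target = item.strip().rpartition("=")   # "http=host:port" or "host:port"
        host = target.rsplit(":", 1)[0]
        try:
            local = ipaddress.ip_address(host).is_loopback
        except ValueError:
            local = host.lower() == "localhost"
        if local:
            reason = "local proxy: a program on this machine is relaying your traffic"
        else:
            reason = "remote proxy: confirm this is one you configured"
        findings.append((scheme or "all", target, reason))
    return findings


if __name__ == "__main__":
    for lineno, host, reason in audit_hosts(SAMPLE_HOSTS):
        print("hosts line %d: %s" % (lineno, reason))
    for scheme, target, reason in audit_proxy(1, "http=127.0.0.1:8080"):
        print("proxy (%s) %s: %s" % (scheme, target, reason))
```

On a real machine you would read the hosts file from the path in the post and the two proxy values from the registry key named in the lead-in, then pass them to `audit_hosts` and `audit_proxy`; anything the functions return is worth understanding before the box goes back online.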
02/19/2010 23:24:35
dom60
Wicked Sick!
Joined: 09/30/2006 16:10:39
Messages: 931
Location: NorCal is current home
Offline
Wife got that and I did a search on google on my puter and found info and 2 sites that told how to remove it. It is a type of trojan and it does change proxy settings in IE and I had to do everything in safe mode, but had to run msconfig to shut some things down before that worked!
I may be getting old and falling apart but I sure can raise Hell and have fun doing it!