Yesterday around 2:30 pm the PC I am on was infected by a trojan/malware attack. I was merely browsing facebook and trusted sites, so I'm not sure where it came from, unless one of the Apps I clicked on from a friend's link had been infected and kicked it over to me. (Though no one else seemed to be having any problems with it.) I suppose viruses can come from anywhere. As a primarily Mac user unfamiliar with automatically downloading viruses, I'm not quite sure how self-propagating viruses work out in internet land...I don't have the problem of downloading things that I don't want!
Anyway. Rebooted in Safe Mode, and dumped the offending malware by deleting the files into the recycle bin. McAfee found one bad registry. (Hopefully there aren't any more that leave this computer vulnerable.) Frankly, I never use Windows, just because of the risk of viruses... I'm on my boyfriend's computer! I felt so bad that it got a virus when I was using it. Been working on fixing it this morning and last night... on a slightly unfamiliar OS! Yippie. Good thing I'm even slightly familiar!
Anyway, here's a rundown of the symptoms:
You get redirected while web browsing, randomly. At first, it looks like that fake pop up scam through "Windows Security," which tries to trick you into thinking you've actually got a virus. So you think you've combatted it by refusing to click download, and exiting the page... but here's how it behaves differently than the non-downloading version... it automatically downloads itself! McAfee will initially detect that it's attempting to re-write a registry... for which I selected the block option -- but it didn't stop the download of the virus at all.
So then it evades the "change registry" block, sticks itself on the computer, and takes over, hostilely, I might add! You have a shortcut to Security Tool 2011 on the desktop. (I think this is a fairly new occurrence of Security Tool 2010. Seems to come out as a new version close to Christmas, oh JOY. Most online posts related to Security Tool 2010 seemed to start around December and a few months before back in 2009... so the 2011 version must be very similar. And it must be exploiting a vulnerability in IE...) I saw the version that does not self-download a few months ago, as well, but managed to get off the site without contracting anything, because my college's notice board had warned about it.
After it downloads itself, all heck breaks loose. Every icon in the task bar disappears but an icon for the "security tool." You cannot access any applications, whatsoever, except for Firefox and IE. It blocks Safari, it blocks Task Manager, and it blocks McAfee, all the while telling you in a pop-up in the task bar -- "This file is infected, please activate your anti-virus software." (At which point, you're screaming at it that "THAT IS THE ANTIVIRUS SOFTWARE STUPID!!") It keeps popping up with a graphical interface, which shows you a fake virus scan. Keeps asking if you really want to proceed "unprotected." At this point, I'm cursing up a storm... can't access anything. Finally, Windows BSODs, and shuts itself off, due to critical thread errors, etc. When you restart, you have a little bit of time before it pops itself back up... but it will still come back up if you aren't fast. It's in the startup items too.
So you have to restart in Safe Mode and delete the files it downloaded... then run the virus scan, otherwise you're FUBARd... I think I have it deleted, because I'm logged in on the account that had the virus normally and haven't had any more troubles with it taking over. (It doesn't affect the whole system, just the user account that it gets downloaded to, thankfully it can't hop through to other accounts. Yet.)
Just thought people should know that this thing is out there, and I just got it yesterday!! Even with up-to-date virus "protection." I think it must be an in-the-wild LIVE virus! Beware.
A few questions that have come up as a result of the experience:
1.) Does McAfee always come up in a "your computer is unprotected" state while working in safe mode and safe mode with networking? Is that a normal thing?
2.) Can and will McAfee repair damaged registries if any exist?
3.) Is Malwarebytes a scam or is it an actual legitimate malware removal tool? Is it recommended that I download it if it is legitimate? Will it even help if this is a new version of an old virus?
4.) Is there ANYTHING else that I can do to ensure that this virus is TRULY gone!?
5.) Is there an Artemis file that is actually a virus? What is up with that? I've got several that have popped up as quarantined during McAfee's scans. Are they ALL false positives, or are there viruses with that name now?
Further steps I took to try and keep this from happening again:
- Enabled prompts on all browser downloads system wide
- Installed Firefox add-ons to disable certain internet plugins, in case plugins are being used as the exploit to cause this popup.
- Installed Safari add-ons to disable certain internet plugins, especially on Facebook.
- Locked down all ActiveX controls, scripts, etc. on IE - required prompts or disabled where necessary. (Went from Medium High security to High.)
- Double-checked to see that all updates from Windows were current on this computer. (Yes, up-to-date before attack.)
Anything else that I need to do to ensure it's truly gone, and won't come back again?

Message was edited by: SamSwift - adding category. This thread is now locked, please skip to the end for details on what to do if you're infected with 'security tool 2011'. Thanks. on 02/08/11 16:58:50 IST
I have the same trojan. I tried McAfee Stinger to fix it but it's still there. I thought my McAfee would prevent this. Do I need to take it somewhere to get rid of it? I don't think I could do it myself - there are too many choices online to "fix it yourself"; how do I know which is best?
Most importantly - can I still use my computer in the meantime if I don't do what the System Tool 2011 asks?
Thanks for any info!!
Could you let me know the version of Stinger you ran and the location from which it was run.
I would suggest that you read the below and post the logs from Stinger (in the high detection mode).
I would NOT use your computer in normal mode with that virus in there. It downloads other stuff and takes over your machine... making it impossible to do anything after a while. My guess is that you got it from Facebook, which was where I contracted it. If someone who studies these viruses and puts their .DAT files into McAfee wants to know WHICH Facebook app gave it to me for study, send me a private message, and I will pass that information along.
I had to use Malwarebytes to remove it, as McAfee Security Center only found the damaged registry key and the scvhost file, plus a few !Artemis files. The infected system had 60 viral files according to Malwarebytes that McAfee never saw. (Holy cow!)
To the person helping Arley: The problem with the virus is that it takes over the Windows Explorer Shell, just like its predecessors, and blocks any attempts to open any other program.
Arley: Do you have any other login on your computer? If there is another user account, it is not infected by the virus. Just don't browse to any Facebook applications.
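The posts above describe the behaviour that matters for checking a machine: the fake AV replaces the Explorer shell and adds itself to the per-user startup items, so a clean second account is unaffected. The read-only PowerShell audit below is an added example, not code from this thread or from McAfee; it reads the Winlogon Shell value and the Run keys for the current user and the machine and flags anything that is not the stock shell or that launches from a user-writable folder. The `$userWritable` pattern and the "SUSPICIOUS" labelling are assumptions of this example, not indicators taken from the thread.

```powershell
# Added example: audit the autostart locations a fake-AV shell hijack typically uses.
# Read-only; it reports, it does not change anything.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Winlogon Shell: default is explorer.exe (HKLM) and unset (HKCU).
$shellKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $shellKeys) {
    $shell = (Get-ItemProperty -Path $key -Name 'Shell').Shell
    if ($null -eq $shell) {
        "OK        $key\Shell is not set (default shell applies)"
    } elseif ($shell -match '^\s*explorer\.exe\s*$') {
        "OK        $key\Shell = $shell"
    } else {
        # Any other value means Explorer has been replaced or wrapped.
        "SUSPICIOUS $key\Shell = $shell"
    }
}

# 2. Run / RunOnce entries. Assumed heuristic: programs launched from
#    user-writable folders (profile, temp, ProgramData) deserve a look.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$userWritable = '(?i)(' + [regex]::Escape($env:USERPROFILE) + '|' +
                [regex]::Escape($env:TEMP) + '|\\ProgramData\\)'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        $flag = if ($p.Value -match $userWritable) { 'SUSPICIOUS' } else { 'entry    ' }
        "$flag $key\$($p.Name) = $($p.Value)"
    }
}

# 3. The per-user Startup folder, which also runs at logon.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Force | ForEach-Object { "startup   $($_.FullName)" }
```

Run it from the clean account and then from the affected account to compare; the HKCU results differ per user, which is why the thread reports a second account staying usable.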
Hello. I just got this virus a few hours ago, probably from Facebook - though my daughter will not confess. It was named System Tool - but did the same thing as described here. It plopped an icon on my desktop, quickly disabled all attempts at running AV and any other program and of course wanted me to pay 59.95 for "virus protection". I was able to log off and switch users so I can try and troubleshoot this issue as it is maddening to say the least!! I read all of the threads and some are a bit over my head - but I want to try and work through this and learn how to resolve it. My system would not allow me to run the .DAT file since it was unsigned - I ran Stinger, but figured that was pointless since this seems to be a new variant of the "FakeAlerts" malware.
SO ... here I am asking for help to get this thing off my system and hopefully identify the file so I can help others who are in the same boat.
Stinger has been updated very recently. Could you log on to vil.nai.com and download the latest version of Stinger.
Run the same on the machine and update the logs in the next response.
Absolutely the worst trojan I have ever experienced. This thing is nasty!
Malwarebytes did find it last night, and I had thought it had removed it, but it's here again. I also use the sysinternals.com Process Explorer, which was helpful to find the executable as it was running on the system. However, I can't actually see the file in Explorer or the cmd shell to delete it!
Hopefully the registry keys mentioned in this article will disable it long enough for Malwarebytes to finish the cleaning.
I lost two days of coding production (so far) to this damned thing!
It appears that Sam forgot to lock this rather old thread. Any new infections please start a new one. If the McAfee solutions don't help there is a removal guide here: http://www.bleepingcomputer.com/virus-removal/remove-security-tool (scroll down as the first links are ads) and they have a special section for reading Hijackthis logs where they can help here.
Locking thread.

Message was edited by: Ex_Brit on 27/09/11 6:48:54 EDT AM