Yesterday around 2:30 pm the PC I am on was infected by a trojan/malware attack. I was merely browsing Facebook and trusted sites, so I'm not sure where it came from, unless one of the apps I clicked on from a friend's link had been infected and kicked it over to me. (Though no one else seemed to be having any problems with it.) I suppose viruses can come from anywhere. As a primarily Mac user unfamiliar with automatically downloading viruses, I'm not quite sure how self-propagating viruses work out in internet land... I don't have the problem of downloading things that I don't want!
Anyway. Rebooted in Safe Mode, and dumped the offending malware by deleting the files into the Recycle Bin. McAfee found one bad registry entry. (Hopefully there aren't any more that leave this computer vulnerable.) Frankly, I never use Windows, just because of the risk of viruses... I'm on my boyfriend's computer! I felt so bad that it got a virus when I was using it. Been working on fixing it this morning and last night... on a slightly unfamiliar OS! Yippee. Good thing I'm even slightly familiar!
Anyway, here's a rundown of the symptoms:
You get redirected while web browsing, randomly. At first, it looks like that fake pop-up scam through "Windows Security," which tries to trick you into thinking you've actually got a virus. So you think you've combatted it by refusing to click download, and exiting the page... but here's how it behaves differently than the non-downloading version... it automatically downloads itself! McAfee will initially detect that it's attempting to rewrite a registry entry... for which I selected the block option -- but it didn't stop the download of the virus at all.
So then it evades the "change registry" block, sticks itself on the computer, and takes over, hostilely, I might add! You have a shortcut to Security Tool 2011 on the desktop. (I think this is a fairly new occurrence of Security Tool 2010. Seems to come out as a new version close to Christmas, oh JOY. Most online posts related to Security Tool 2010 seemed to start around December and a few months before back in 2009... so the 2011 version must be very similar. And it must be exploiting a vulnerability in IE...) I saw the version that does not self-download a few months ago, as well, but managed to get off the site without contracting anything, because my college's notice board had warned about it.
After it downloads itself, all heck breaks loose. Every icon in the task bar disappears but an icon for the "security tool." You cannot access any applications, whatsoever, except for Firefox and IE. It blocks Safari, it blocks Task Manager, and it blocks McAfee, all the while telling you in a pop-up in the task bar -- "This file is infected, please activate your anti-virus software." (At which point, you're screaming at it that "THAT IS THE ANTIVIRUS SOFTWARE, STUPID!!") It keeps popping up with a graphical interface, which shows you a fake virus scan. Keeps asking if you really want to proceed "unprotected." At this point, I'm cursing up a storm... can't access anything. Finally, Windows BSODs, and shuts itself off, due to critical thread errors, etc. When you restart, you have a little bit of time before it pops itself back up... but it will still come back up if you aren't fast. It's in the startup items too.
So you have to restart in Safe Mode and delete the files it downloaded... then run the virus scan, otherwise you're FUBARd... I think I have it deleted, because I'm logged in on the account that had the virus normally and haven't had any more troubles with it taking over. (It doesn't affect the whole system, just the user account that it gets downloaded to; thankfully it can't hop through to other accounts. Yet.)
Just thought people should know that this thing is out there, and I just got it yesterday!! Even with up-to-date virus "protection." I think it must be an in-the-wild LIVE virus! Beware.
A few questions that have come up as a result of the experience:
1.) Does McAfee always come up in a "your computer is unprotected" state while working in safe mode and safe mode with networking? Is that a normal thing?
2.) Can and will McAfee repair damaged registry entries if any exist?
3.) Is Malwarebytes a scam or is it an actual legitimate malware removal tool? Is it recommended that I download it if it is legitimate? Will it even help if this is a new version of an old virus?
4.) Is there ANYTHING else that I can do to ensure that this virus is TRULY gone!?
5.) Is there an Artemis file that is actually a virus? What is up with that? I've got several that have popped up as quarantined during McAfee's scans. Are they ALL false positives, or are there viruses with that name now?
Further steps I took to try and keep this from happening again:
- Enabled prompts on all browser downloads system-wide
- Installed Firefox add-ons to disable certain internet plugins, in case plugins are being used as the exploit to cause this pop-up.
- Installed Safari add-ons to disable certain internet plugins, especially on Facebook.
- Locked down all ActiveX controls, scripts, etc. on IE -- required prompts or disabled where necessary. (Went from Medium-High security to High.)
- Double checked to see that all updates from windows were current on this computer. (Yes, up-to-date before attack.)
Anything else that I need to do to ensure it's truly gone, and won't come back again?
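The post says the rogue "security tool" came back from the startup items after a reboot, and asks how to be sure it is truly gone. One check a practitioner would run after a Safe Mode cleanup is to list everything that still autostarts for the affected account and for the machine, and look for entries that point at deleted files or at user-writable folders (Temp, AppData, the user profile), which is where this kind of fake AV usually drops itself. The script below is an added example written for this page, not code from the original post or from any vendor; it assumes Windows PowerShell 3.0 or later and that it is run from the user account that was infected. The registry key names and the Startup folders are real, standard Windows locations; the "suspicious root" list is an assumption chosen for illustration.

```powershell
# Added example (not from the original post): enumerate common autostart
# locations and flag entries whose target is missing or lives under a
# user-writable folder. Assumes Windows PowerShell 3.0+ on Windows Vista or later.

# Standard Run/RunOnce keys for the current user (HKCU) and the machine (HKLM).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristic: legitimate autostart programs rarely run from these roots.
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ }

# Metadata properties the registry provider adds to every Get-ItemProperty result.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    param([string]$Command)
    # Take a quoted path if present, otherwise the first whitespace-delimited token,
    # then expand %VAR% references such as %SystemRoot%.
    if ($Command -match '^\s*"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($Command.Trim() -split '\s+', 2)[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-SuspiciousPath {
    param([string]$Path)
    foreach ($root in $suspiciousRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function New-AutostartEntry {
    param([string]$Location, [string]$Name, [string]$Command)
    $exe = Get-ExecutablePath $Command
    $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
    [PSCustomObject]@{
        Location   = $Location
        Name       = $Name
        Target     = $exe
        Exists     = $exists                     # False: dangling entry left behind after cleanup
        Suspicious = Test-SuspiciousPath $exe    # True: runs from a user-writable folder
    }
}

$entries = @()

# 1. Registry Run/RunOnce values.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $entries += New-AutostartEntry -Location $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# 2. Per-user and all-users Startup folders; resolve .lnk shortcuts to their target.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
        $entries += New-AutostartEntry -Location $dir -Name $item.Name -Command $target
    }
}

# Suspicious and dangling entries first, so they are the first thing on screen.
$entries | Sort-Object Suspicious, Exists -Descending | Format-Table -AutoSize
```

Run it once before and once after the Safe Mode cleanup and compare: an entry marked `Exists = False` is the leftover registry value or shortcut pointing at a file that was already deleted, and an entry marked `Suspicious = True` with an unfamiliar name is the one to look up before removing. The script only reads; removing a value is a deliberate follow-up step (`Remove-ItemProperty` for a registry value, deleting the shortcut for a Startup folder item) once the entry is confirmed to be unwanted. It does not cover scheduled tasks, services, or browser helper objects, which a full autostart review would also include.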