Scary malware/virus!

So, a colleague's laptop suddenly won't work. He called to tell me that no programs will run and there's a large warning on the desktop....He grabbed a shot with his phone and emailed it over. Have a look at this!
The out-of-focus balloon in the tray is clickable and loads a form for you to input your credit card details to pay for the removal of the spyware. Nothing else on the desktop works, apparently... MS Security Essentials has been disabled and isn't showing as running, Malwarebytes won't update... I'll be getting my hands on it tomorrow to reinstall.

Anyone seen this before?
 
Yeah, on a colleague's laptop. Though we have third-party IT support on our work-supplied laptops and they removed it. Don't know much more about it but recognise that screen.
Definitely malicious.
 
Only seen that screen when somebody physically clicked on or allowed a program to install... last time was a "video" from Facebook. Only seems to work on XP too :-)
 
As mentioned above, boot into Safe Mode with Networking, run a Malwarebytes full scan and it will remove it for you. Boot into Windows and run the scan again just to make sure it's definitely gone.
 
Yup, got this at the moment on a laptop at work, running MBAM in Safe Mode as we speak. It's a variation of the System Tool malware that's doing the rounds atm.
 
Safe mode and malwarebytes will fix this one, have seen half a dozen machines with it since Sunday.
 
Had this last night as well... I think it came from an infected PDF file. MalwareBytes didn't pick it up so ran HitmanPro, which sorted it within a few minutes.
 
Had this about two weeks ago and got a phone call over the weekend that my friend had it too.

Seems to be doing the rounds! Simple enough to get rid of though.
 
I'll have to wait for the unit to come in tomorrow as he can't seem to get MBAM or MS Security Essentials to update. I'm glad it's easily fixed though! Top tip on how to avoid this in future?
 
If MBAM won't update, reset all IE settings to default. Spyware like this can also sometimes enable proxy settings, so make sure all the boxes are unticked in 'LAN Settings' in IE.

I think you can download the definition file and put it in the folder anyway. Probably best to have the system off the web until clean.
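The proxy check described above, as an added example that is not part of the thread. This is a PowerShell script I wrote to show what "make sure all the boxes are unticked in LAN Settings" looks like at the registry level: it reads the per-user WinINET proxy values that the IE dialog edits, flags any that are set, lists non-comment entries in the hosts file (another common way rogue AV blocks update servers), and, with an assumed `-Fix` switch, clears the proxy values and resets the separate WinHTTP proxy that the IE dialog does not show. Run it as the affected user, with the machine off the network.

```powershell
# Added example, not from the thread. Inspect (and optionally clear) the
# per-user proxy settings a rogue AV may have set to block AV updates.
# The -Fix switch is this script's own assumed parameter name.
param([switch]$Fix)

# This is the key the IE "LAN Settings" dialog writes to.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $key

$suspicious = $false

# ProxyEnable=1 routes all WinINET traffic through ProxyServer;
# AutoConfigURL points IE at a PAC script, which can do the same thing.
$checks = @(
    @{ Name = 'ProxyEnable';   Bad = { $props.ProxyEnable -eq 1 } },
    @{ Name = 'ProxyServer';   Bad = { -not [string]::IsNullOrEmpty($props.ProxyServer) } },
    @{ Name = 'AutoConfigURL'; Bad = { -not [string]::IsNullOrEmpty($props.AutoConfigURL) } }
)

foreach ($c in $checks) {
    $value = $props.($c.Name)
    if (& $c.Bad) {
        $suspicious = $true
        Write-Warning ("{0} is set: '{1}'" -f $c.Name, $value)
    } else {
        Write-Host ("{0}: not set" -f $c.Name)
    }
}

# The hosts file is consulted before DNS, so a line such as
# "127.0.0.1 update.example" silently breaks an updater. Show every
# active (non-comment, non-blank) line so the operator can judge it.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active = Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
if ($active) {
    Write-Warning "Active hosts file entries (review each one):"
    $active | ForEach-Object { Write-Host ("  " + $_) }
} else {
    Write-Host "hosts file: no active entries"
}

# WinHTTP has its own proxy store, used by Windows Update and some AV
# updaters; it is not visible in the IE dialog at all.
Write-Host "WinHTTP proxy:"
netsh winhttp show proxy

if ($Fix) {
    if ($suspicious) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
        Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
        Write-Host "Cleared WinINET proxy settings."
    }
    # Reset WinHTTP to direct access regardless; harmless on a clean box.
    netsh winhttp reset proxy
}
```

Clearing the settings only removes the symptom; the process that set them is still on the disk until the scan in Safe Mode removes it, which is why the hosts and proxy check is worth repeating after the scan.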
 
Yeah, currently doing a format/reinstall because of this on a laptop (Vista). It seems to be extremely good at spreading itself.

> Had this last night as well... I think it came from an infected PDF file. MalwareBytes didn't pick it up so ran HitmanPro, which sorted it within a few minutes.

This is pretty interesting, because MSE caught an attempted download on my computer over the weekend. I loaded a legitimate site and (stupidly) OK'd a JavaScript message (although they're not all that uncommon, to be fair), which then tried downloading and opening a malicious PDF. It was the PDF itself MSE recognised as Win32\pdfjsc.ML, which is a very recent variant, and I wouldn't be surprised if it was related. I'm thinking maybe it is spreading through a third-party advertiser.

Luckily for me, I don't think it affected the version of Adobe Reader I was running, and the AV caught it in time anyway, although I've disabled JavaScript on my machine for the time being.
 