More bad guys than ever are launching cyber-attacks for fun and profit.
I’ve recently encountered an old enemy: a Trojan Horse that’s been around for 3 years or more. It’s recently calling itself XP Total Security 2012 and it’s gotten nastier and more tenacious than its earlier incarnations. I no longer spend much time trying to remove this bad boy: I just back up the infected computer’s data, format the hard drive, re-install Windows, and restore the (scanned) data. Most security experts agree with this tactic.
Elinor Mills, in an article that appeared in CNet News, June 17, 2011, Keeping up with the hackers, included a chart of recent major break-ins. There are some surprising headliners in the Victims column: RSA, who specialize in security; Sony, which makes multiple appearances; payroll giant ADP; Citigroup; the US Senate; et al.
This Trojan Horse seems to be helping you defend against infections. Unfortunately, it’s an infection that’s trying to steal your money.
I’ve recently encountered a Trojan Horse program called SecurityTool that has a very convincing friendly facade. When I first saw it, I thought that it was a legitimate antivirus program / firewall, similar to Norton 360. It seems to scan your PC and discover infections. It disables all user programs except itself “for your protection” and hijacks the web browser to point the user to a web page where it attempts to have the user buy a program that will “fix” his/her computer. It’s essentially ransomware. Please don’t enter your credit card number when this program is active — who knows who will then capture your credit card info?!
Here are simple instructions to remove SecurityTool: http://www.2-spyware.com/remove-security-tool.html. I’ve found that the folder that contains the SecurityTool executable may have a different name than the one referred to within the article. You may have luck discovering its folder’s name by booting into Safe Mode (press F8 at startup) and running msconfig.exe to examine the startup group. The SecurityTool executable file is easily identifiable because it will probably be the only startup group executable file that’s located in a subdirectory beneath Documents and Settings.
I’ve used a different removal procedure. I physically remove the infected PC’s hard drive, temporarily hang that hard drive as a slave from a known clean PC, and then (step 1) use the clean PC to scan the infected hard drive. AVG 8.5 will detect and remove the offending executable files. This method treats the registry as just another set of files, so after returning the hard drive to the infected PC, you’ll need to scan it. When you’re done, you will probably be left with a vestigial item in the startup group. To avoid this, note what was removed in step 1 and remove any reference to it within the startup group. (Use either msconfig.exe or SpyBot Search & Destroy in Advanced / Tools / Startup to do this.)
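The tell-tale sign used above (a startup entry whose executable lives under Documents and Settings, or under Users on later Windows) can be checked without clicking through msconfig. The script below is an added example, not from the original post: it lists the Run/RunOnce autostart values and flags any whose program path sits under a user profile folder. The list of keys and profile roots is my assumption; msconfig also shows Startup-folder shortcuts, which this script does not cover.

```powershell
# Added example: flag autostart entries that run from a user profile folder.
# Assumed set of registry keys to inspect (msconfig's Startup tab reads these).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Profile roots: XP uses Documents and Settings, Vista and later use Users.
$profileRoots = @('\Documents and Settings\', '\Users\')
# Properties PowerShell adds to every registry item; not real startup values.
$psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psProps -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        # Reduce the command line to the executable path: take the quoted
        # token if present, otherwise everything before the first space.
        if ($cmd.StartsWith('"')) { $exe = $cmd.Split('"')[1] }
        else { $exe = $cmd.Split(' ')[0] }
        $suspect = $false
        foreach ($root in $profileRoots) {
            if ($exe -like "*$root*") { $suspect = $true }
        }
        $flag = if ($suspect) { 'SUSPECT' } else { 'ok     ' }
        Write-Output ("{0} {1,-24} {2}" -f $flag, $p.Name, $exe)
    }
}
```

Run it from Safe Mode on the infected PC (or against the slaved drive after loading its hives with reg.exe); a SUSPECT line is the value to note before scanning and to delete afterwards.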
Increasingly, I find myself routinely removing infected hard drives from victims’ PCs to scan them on clean PCs. Otherwise, I’m trying to clean an infected PC with an infected PC.
Here’s what Google reported about myspace.com a few minutes ago:
“What happened when Google visited this site?
Of the 31916 pages we tested on the site over the past 90 days, 72 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-17, and the last time suspicious content was found on this site was on 2009-09-17.
Malicious software includes 77 scripting exploit(s), 5 trojan(s), 1 worm(s).
Malicious software is hosted on 45 domain(s), including <deleted>.
31 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including
This site was hosted on 29 network(s) including <deleted>.
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, myspace.com appeared to function as an intermediary for the infection of 1 site(s) . . .”
You can test Google’s safe browsing analyzer on other sites by, within your browser’s address bar, changing myspace.com to another site of interest.
Recent articles about Facebook and Myspace dangers:
It’s baaaaack! “PC Antispyware 2010” is a warmed-over version of Antivirus 2009, and just as pernicious.
Stay away from this bad boy — it is bad news. If you should see it on your PC, get thee to a good virus and spyware scanner as soon as possible. I like Bit Defender’s on-line scanner: http://www.bitdefender.com/scanner/online/free.html. If this doesn’t work, you may need to remove the disk, temporarily install it as a slave in a known clean PC, and scan the disk from that PC.
Here’s similar malware, posing as anti-malware:
. . . and another . . .
The presence of these Trojan horses is just more evidence that on the Internet, nothing is necessarily what it claims to be.
There’s a very nasty Trojan Horse program on the loose, which advertises itself as Antivirus 2009. It appears to be a legitimate antivirus program, but in fact is itself a virus.
Worse, there are clones on the loose: System Antivirus 2008, Ultimate Antivirus 2008, Vista Antivirus 2008, XP Antivirus 2008 etc.
Antivirus 2009 and its clones will try to redirect your web browser to antivirus-premium-scan.com, webscannertools.com, googlescanners-360.com, livesecurityinfo.com, antivirusonlivescan.com, bestantivirusscan.com, antivirus-best.com, internetquarantinesite.com, premiumlivescan.com and secureclick1.com. These websites may attempt to install still more malware on your computer.
If you have the misfortune to fall victim to Antivirus 2009 or its clones, you’ll find it difficult to remove. I removed it recently from a customer’s PC, but didn’t document the procedure. I’ve not tested the following procedure, but it looks like it should work: http://www.youtube.com/watch?v=2W5VMPptpzs&feature=related