GT7: A new virus?

An hour ago, while I was playing Mobsters on MySpace, my Firefox page minimized itself and I got a pop up called “GT7” with a warning “We found a suspicious activity in your computer, click here to do a scan” or something similar to that. I immediately logged off by restarting my computer because I did not trust to click anywhere on that POP UP. Then, when I logged on again the page link “hxxp://53b690d.secure-my-computer.com/miit/?6e3c=caad0b&1b1=b66e68dzce&a40=bc8boaz8oa” was showing on my address window, but said “page can not be found”. I think that’s where the POP UP came from. I did not go to that link, so I don’t know how it suddenly appeared on my address bar.

Does anyone have any information about this GT7 virus scan pop up?

Thanks for your help, to both of you, I changed the http :) now, if only I can figure out how to answer each of you, lol. I’m new to this ‘forum’ thingy

sounds like you hit a fake scan page…
do a scan with this

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always run update before you scan so you have the latest database
click on the remove selected button to quarantine anything found
you may post the scan log here

hi if that is the link with the pop up thing on it edit your post and change the http part in the link to hxxp please

I downloaded the program u gave me and did a quick scan. This is what it found…

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4434

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/15/2010 9:08:07 PM
mbam-log-2010-08-15 (21-08-07).txt

Scan type: Quick scan
Objects scanned: 121407
Time elapsed: 15 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\RegGenieOnUninstall.exe (Spyware.Passwords) → Quarantined and deleted successfully.

Looks fine, nothing very bad…and if you update and scan again MBAM should show clean!

I have the same problem with the GT7 trojan/virus that completely knocks me out of myspace and then wants me to run a security check on my computer using this GT7 program. I have tried malwarebytes and many other programs to get this thing out of my system. Any other advice on what I can try to get rid of this thing? I have never had such a problem getting rid of malware before.

Thanks,

gjcableguy

Manual removal

Removing Antivirus Security (Manually)

  1. Delete the following files from your computer:
    * %UserProfile%\Desktop\Antivirus Security.lnk
    * %UserProfile%\Start Menu\Antivirus Security
    * %UserProfile%\Start Menu\Antivirus Security\Antivirus Security.lnk
    * %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus Security.lnk
    * c:\WINDOWS\system32\scui.cpl
  2. Click Start > Run, type regedit and delete the following registry entries:
    * HKEY_CURRENT_USER\Software\9178374C66E059CC11C19DCD899FD538
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AV9

If all goes well, this Fake Antivirus Security should now be removed from your system.

polonus

@gjcableguy
Do you know where you got it from? If you post the URL make it unclickable by posting hxxp and not http or wxw and not www

Have you tried these
SUPERAntiSpyware ? www.superantispyware.com or http://filehippo.com/download_superantispyware/
Dr.Web CureIt http://www.freedrweb.com/cureit/?lng=en
Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en
Hitman Pro 3 - Second Opinion Malware Scanner http://www.surfright.nl/en/hitmanpro

Yesterday while I was on Myspace Mobsters it happened again. I did change my passwords in all my MySpace webpages and I still got the same GT7 pop up scan message. I quickly rebooted and when I logged on again I used the Malwarebytes scanner. This time it found no problems. Then last night a fellow mobbie from mobsters told me that a person that his crew were warring with, hacked their computers, stole their web pages on myspace and stole their passwords. I’m not sure if that hacker person had anything to do with it or not, but we have proof on xchat (photocopy of the chat conversation between the hacker and my friend) that admits he hacked their computers, stole their web pages on myspace and their passwords and threatened them that if they don’t quit the game he will never give them back their webpages on myspace.

"indrednek broadcast a message: “Main hacker is “xx BARBIE xx” MOBSTERS ID: 509379614 (on MYSPACE). Lets keep this hacker dead!!! PROOF HERE: hxxp://www.myspace.com/534193297/photos/6995234 <= xx BARBIE xx/Edge (SAME PERSON SAYING ON XCHAT THAT HE DID HACK THEIR ACCOUNTS”

Hope this helps

@Katereena

“I did change my passwords in all my MySpace webpages and I still got the same GT7 pop up scan message.”
Next time you see this GT7 pop-up, can you take a screen shot and post it?

If you feel unsecure that you may have an infection follow this guide from Essexboy and post the OTL log here so Essexboy can have a look
http://forum.avast.com/index.php?topic=53253.0

lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt )

So far so good, the ‘GT7 pop up scan’ did not show up again. Also, today I figured out how to do a ‘screenshot’ in case I need to take a photo of it. Thanks so much for all your help. If that pop up shows up again I will take a screenshot and post it here.

I went in to look at my pics on myspace and had that gt7 thing pop up so far no virus but where did it come from and how do I prevent it from happening again

Hi Everyone,
I got same problem with GT7 by accepting message sent by friend from Facebook. Obviously I accepted that.
Then this comes up. See 1st pic.
When closing alert See 2nd pic.
3rd pic shows what Malware found

:((((((

Nothing all that.

I still have it. !!!

“I got same problem with GT7 by accepting message sent by friend from Facebook.”
and what was in that message, a link?

Pondus.

The following was in the message:
Zhen sent you a message.
Zhen XXXX
Zhen XXXX August 26, 2010 at 9:29pm
Subject: Yo
YouTube Video hxxp://www.facebook.com/l/d4855EsaU7RiG4mYw_QCuvka_XA;www.geelantrophies.com/zaaj/?1770

I clicked it and it took me on: See Pic

make the link you posted unclickable by changing http to hxxp or www to wxw

and you downloaded and run that file?

You posted a picture from Malwarebytes,
does that mean it detects it? but not remove it? can you post the scan log?

For the first time in my life I have run this kind of a file coz I trusted my friend and was hoping it is nothing serious. “VIDE CUL FIDE”
I have removed all infected stuff now. :)
So far so good. Nothing coming up now.

This is the scan log: (Sorry it is in Polish)

Malwarebytes’ Anti-Malware 1.46
www .malwarebytes .org

Wersja bazy: 4485

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

2010-08-26 20:57:07
mbam-log-2010-08-26 (20-57-07).txt

Typ skanowania: Szybkie skanowanie
Przeskanowano obiektów: 144129
Upłynęło: 13 minut(y), 1 sekund(y)

Zainfekowanych procesów w pamięci: 1
Zainfekowanych modułów w pamięci: 0
Zainfekowanych kluczy rejestru: 0
Zainfekowanych wartości rejestru: 1
Zainfekowane informacje rejestru systemowego: 0
Zainfekowanych folderów: 0
Zainfekowanych plików: 6

Zainfekowanych procesów w pamięci:
c:\Windows\andy127.exe (Worm.KoobFace) → Unloaded process successfully.

Zainfekowanych modułów w pamięci:
(Nie znaleziono zagrożeń)

Zainfekowanych kluczy rejestru:
(Nie znaleziono zagrożeń)

Zainfekowanych wartości rejestru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuri49tkd (Worm.KoobFace) → Quarantined and deleted successfully.

Zainfekowane informacje rejestru systemowego:
(Nie znaleziono zagrożeń)

Zainfekowanych folderów:
(Nie znaleziono zagrożeń)

Zainfekowanych plików:
c:\Windows\andy127.exe (Worm.KoobFace) → Quarantined and deleted successfully.
C:\Users\Robert\AppData\Local\Temp\zpskon_1282864011.exe (Worm.Koobface) → Quarantined and deleted successfully.
C:\Users\Robert\Local Settings\Application Data\010155555710297.xxe (Worm.KoobFace) → Quarantined and deleted successfully.
C:\Users\Robert\Local Settings\Application Data\09954101565552.xxe (Worm.KoobFace) → Quarantined and deleted successfully.
C:\Windows\bk23567.dat (KoobFace.Trace) → Quarantined and deleted successfully.
C:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) → Quarantined and deleted successfully.

Ok here is the detection for that file

VirusTotal - setup457212.exe - 24/42
http://www.virustotal.com/file-scan/report.html?id=0e63818c958f8e7d3dfdf2d42d195dd2f602611a80af4f73ffaea43ad6d646be-1282854916

Malwarebytes detects that file, so does Superantispyware and DrWeb
SuperAntiSpyware 4.41.1000 http://filehippo.com/download_superantispyware/
DrWeb CureIt http://www.freedrweb.com/cureit/?lng=en

The picture you posted from Malwarebytes shows "No action taken", you have to click the remove selected button to quarantine the infection

“So far so good. Nothing coming up now.”
OK so if you scan again the log is clean?
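
Added example, not part of the thread or of Malwarebytes: a small Python parser for the MBAM 1.46 text logs posted above. It reads English and Polish logs alike because it keys on the detection lines rather than the localized headers, and it flags items left at "No action taken" and Run-key persistence entries. The names `parse_log`, `triage` and `SAMPLE` are assumptions, and the last sample line is constructed.

```python
import re

# Detection lines keep one shape in every UI language; only section headers are localized:
#   <file or registry item> (<Detection.Name>) -> [Bad: (x) Good: (y) ->] <action>.
# The forum renders the arrow as "→"; the ASCII "->" form is accepted too.
ARROW = r"\s*(?:->|→)\s*"
DETECTION = re.compile(
    r"^(?P<item>.+?) \((?P<name>[A-Za-z]+\.[\w.]+)\)" + ARROW +
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)" + ARROW + r")?"
    r"(?P<action>.+?)\.?\s*$"
)

def parse_log(text):
    """Return one dict per detection line; headers, counts and empty sections are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            d = m.groupdict()
            d["kind"] = "registry" if d["item"].upper().startswith("HKEY_") else "file"
            found.append(d)
    return found

def triage(detections):
    """Pick out what a helper reading the log needs to follow up on."""
    return {
        # Detected but never removed: the user did not click the remove selected button.
        "unresolved": [d["item"] for d in detections
                       if d["action"].lower().startswith("no action")],
        # Run-key values mean the sample had start-up persistence.
        "autoruns": [d["item"] for d in detections
                     if "\\currentversion\\run\\" in d["item"].lower()],
    }

# Lines copied from the two logs in this thread, except the last one, which is
# constructed here by pairing a path from the log with "No action taken".
SAMPLE = r"""Typ skanowania: Szybkie skanowanie
Zainfekowanych plików: 6
Zainfekowanych modułów w pamięci:
(Nie znaleziono zagrożeń)
c:\Windows\andy127.exe (Worm.KoobFace) -> Unloaded process successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuri49tkd (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
C:\Windows\bk23567.dat (KoobFace.Trace) -> No action taken.
"""

if __name__ == "__main__":
    hits = parse_log(SAMPLE)
    for d in hits:
        print(f'{d["kind"]:8} {d["name"]:24} {d["action"]}')
    print(triage(hits))
```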