Actns/Swif.T virus affecting embedded YouTube vids?
by Doug Aamoth on December 2, 2008

Apparently some sort of relatively aggressive virus is affecting certain embedded YouTube videos. Some are saying it affects IE and Firefox users, while others say it’s only going after IE. The virus is called Actns/Swif.T and seems to contain a redirect to a phishing website embedded within a SWF file.

The site apparently installs Antivirus 2009, which is malware. We’ll pull our most recent YouTube embeds, but be careful because this one appears to have just broken out today. If you find yourself being automatically redirected or experience other weird pop-ups, especially for something called Antivirus 2009, don’t click on anything.

[UPDATE: Spoke with Google/YouTube and apparently anti-spyware software from Computer Associates had been returning false positives, identifying certain files contained within YouTube embed codes as malware. The specific YouTube issue is apparently being corrected by Computer Associates and wasn’t actually harmful in the first place. If you’ve got CA software, you might want to check for any updates.]

Responses


  • I was just redirected from a Google search result to this Antivirus 2009 sticky page. I’m using Chrome.

  • I’ve seen this several times on the net using three different browsers (Chrome, IE, and Firefox). It redirects you, and asks you to install something, but as long as you click cancel, then it shouldn’t install. I think that’s Vista’s UAC doing its job.

  • Well actually I was infected by this two weeks ago. This is the worst virus ever. Turns off regedit, Task manager, safe boot. I had it on my desktop and I was able to get access back to regedit and Task manager. But it just kept on creating trojans in my temp folder which I could only delete with File assassin. And now the virus has gotten so stubborn that I can’t even do that. MBAM SAS cannot detect it. SDFIX and COMBOFIX also do not work, HJT cannot see all its activities.
    The virus moved to my usb stick and then to my laptop through which I was trying to trouble shoot desktop. Now the laptop regedit and taskmanager are locked and I have tried all the tools and commands to open it up but can’t, the virus has gotten smarter I believe since it attacked the desktop.
    It does not even allow using usbs anymore as I guess it knows I was using them instead of internet to access antivirus programs.
    Now the situation is this that I have bought a new comp and waiting for a solution to this virus, as I can’t afford to format my hard drives on the lap and desktop.

    P.S: AV 2009 was deleted it is some remnant of it that stayed on and caused this mess.

    Refer to http://www.techspot.com/vb/topic115877.html for a complete detail of the problems I had with this thing

  • My CA Security centre just deleted this when I visited the Popbitch site.

  • I’ve seen this on multiple computers (at least over 20). This explanation would explain why SO many people get this virus. It’s a pain to clean off too and most don’t know they have it at all since it’s masquerading as a legitimate AV program. It’s extremely difficult to remove and several computers had to be wiped (hey we’re lazy, what can I say).

  • swf files are unable to propagate a virus alone. It is impossible for an infected computer to manipulate a file hosted online and further infect visitors who later encounter it. The virus must be spreading through other means.

    Once infected it appears to alter one or more swf files in the cache (“temporary internet folder”).

    • infected in indiana - December 2nd, 2008 at 1:39 pm GMT+5

      We embed youtube video on our website. CA reports the actns/swift.T virus in a temp cache file and kills it. However, each time you visit the website with the embedded video, it downloads the l(1).swf file to the cache, the CA detects it and kills it again. We removed the embedded video and the problem went away. Put it back, it comes back. We also found a video on a Yahoo page that has the same virus. If you go directly to youtube and play the video, there are no problems. It appears to be only in the embedded websites.

      Here’s a link to the infected yahoo video. It only seems to infect IE users and not Firefox users.
      WARNING: It is infected, so only click on it if you want to test your AV software.

      http://sports.yahoo.com/nba/blog/ball_dont_lie/post/Video-Derrick-Rose-breaks-Andre-Miller-s-ankles?urn=nba,125618

  • I think if you add a link to a clean up file or service will help some people… Just my 2c

  • what scares me is that this is still going on.
    Is youTube hosting the infection? Is the embed code compromised somehow? Is there a DNS taint that’s pulling content from somewhere else?

    Why is TechCrunch the only place I’ve seen a comment about this today?

  • I had this virus earlier…made my windows unusable (as in i couldn’t boot my computer (in safe mode or reg) and eventually had to wipe HDD (which then had other issues)

    I switched to Ubuntu.

  • I have been hammered all day by the Actns/Swif.T. Tried getting in touch with CA all day but still haven’t had any luck on that even though they were to call me 1 1/2 hours ago. I went in and disabled the heuristic scanner for policies (eTrust 8.1) and pushed it out. I haven’t had any more instances pop up since then (1 hour as opposed to every couple of minutes). I believe that the signature is seeing any embedded flash stuff and reporting it as the Actns/Swif.T

    • I think you’re right, Bosch. My CA is reporting EVERY single embedded youtube video’s temp swf file from numerous websites and messageboards as infected with Actns/Swif.T. I seriously doubt that the virus has spread to ALL youtube embeds all over the web. As you said, CA’s signature must be seeing all .swf files from embedded Youtube vids as Actns/Swif.T.

  • When I first encountered this hell malware, a few weeks ago, on my new laptop (Vista).. I thought the problem was fixed with SmitFraudFix (http://siri.geekstogo.com/SmitfraudFix.php)

    I was able to restore my desktop, theme, wallpaper.. and all appeared “well.”

    That didn’t last long.

    Now I can’t ping my TCP/IP Printer, I can’t print (obviously,) I can’t save or download, from anywhere..

    Norton and antibot are useless, to it, it seems.. spybot can’t clean that attached to MSIE. (I don’t use MSIE, but it defaulted to it, in a click to a youtube video.. and the hell began!)

    I have ability to reinstall OS but I’ve never done it before.. *sigh*

    Machine is 3 months old. This is bad stuff.

  • infected in indiana - December 2nd, 2008 at 2:44 pm GMT+5

    It may be a false positive from the CA software. GRRRRrrrr!!!

    • I’m pretty sure it is. There’s no way every single youtube embedded video is infected. CA must have messed up in their most recent update. Hopefully they’ll fix it soon, because it’s hella annoying to have every youtube embed get flagged as a trojan. >:(

  • Just added the following to the post:

    “Spoke with Google/YouTube and apparently anti-spyware software from Computer Associates had been returning false positives, identifying certain files contained within YouTube embed codes as malware. The specific YouTube issue is apparently being corrected by Computer Associates and wasn’t actually harmful in the first place. If you’ve got CA software, you might want to check for any updates.”

    Sorry for the confusion. Better safe than sorry, though, eh?

  • Is anyone else seeing random web sites getting redirected to phony YouTube sites using a Google redirector?

    • So I’m using CA eTrust and have gotten a few of these messages. I HAD been watching a lot of YouTube vids but they were just YouTube vids from Youtube.com, only a few were embedded in myspace or a forum or something. What are the chances that I actually have a virus vs. one of these “false positives”?

  • If anyone wants to test the virus I think I can post it somewhere by zipping my usb stick, which I believe has some of the virus if not the entire thing. I would really like to see a solution to this.

  • anyone think maybe this started cause youtube had maintenance last night?

    • So these messages only pop up when I click on a certain web page that has like 5 youtube vids embedded. Funny thing is, a co-worker has the same setup on their laptop as I do and can go to the page no problem… do I have something to worry about?

  • As I was looking at myspace my CA Anti virus picked up Actns/Swif.T and deleted all but one. I was not directed to download any Antivirus 2009, but now I cannot access my Temp folder. So how do I get rid of it?

    • Luis, I too could not access my Temp folder… I just typed it into the address bar at the top …\temporary internet files\ (or whatever) and was able to access it from there. It doesn’t matter even if you do delete it though, the next time you come across an embedded youtube vid, it’ll come back and eTrust will pick it up. I’m just wondering if it’s a CA problem or an actual virus…

      • OK… so my CA Anti-Virus says it found the SWF files and has deleted them, but I still can’t access my Temp Folder.. furthermore when I place my cursor over stated folder it says it’s empty, which I know is not true. Anyone else experience the same thing??

  • We’ve got a bad outbreak at our office. If the real problem is the install of Antivirus 2009, that part is easy. Copy the following into a .txt file:
    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\APPINIT_DLLS\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\AntvrsInstall[1].exe]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\AntvrsInstall[1].exe]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\AntvrsInstall[1].exe]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\AntvrsInstall[1].exe]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\AntvrsInstall[1].exe]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\AntvrsInstall[1].exe]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\AntvrsInstall[1].exe]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\AntvrsInstall[1].exe]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\AntvrsInstall[1].exe]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\AntvrsInstall[1].exe]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\AntvrsInstall.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Antivirus Pro 2009]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\Antivirus Pro 2009]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\Antivirus Pro 2009]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Antivirus Pro 2009]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\Antivirus Pro 2009]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\Antivirus Pro 2009]

    Save and close, then rename the file Antivirus2009.reg. Put the new .reg file somewhere easy, like your desktop or My Documents. Restart the computer in safe mode. Run the .reg file by double-clicking it. Look in Program Files and delete the Antivirus2009 folder if there is one. Delete any icons on your desktop, sys tray, or quick launch. Empty your recycle bin and restart–Antivirus 2009 is gone.

    The only problem is I’m not sure how to get rid of the original file–delete all .swf files?

  • I have CA also,
    It is telling me there is a virus with a video on a site, contacted the site, and they got back to me saying that it was a false positive, and directed me to this page.
    To anyone else, don’t worry, it’s not a real virus.
    -MaTT

  • Okay I get that this is possibly just a false positive but I am still getting the pop ups but none for this AV2009. Thing is I checked my update log for my CA software and saw that an update for anti-virus data was done this morning. Went to a site w/ an embedded youtube vid and have had the problem since. I have run scan after scan, deleting it and still getting the pop ups. It seems that everyone here for the most part has CA anti-virus. Is it possible that this update started it all and is really where the problem lies?

  • I ran across this last night and had to repeatedly run CA to get rid of it.

    I did a roll back on xp that took me to a state one week ago and no longer got the pop up warning from CA. I updated a short while ago and the pop up warnings began again

  • We are having the same issue. We have CA eTrust antivirus as well. We have a youtube video that we have embedded on one of our web sites that we know is clean, and is giving the pop-up. I had a VMware virtual machine that I had not turned on since yesterday. I brought it up and shut off realtime so updates didn’t download. The page did not give me a warning. I updated signatures, and the popup showed up.

    This has to be CA’s deal, but I cannot even log in to the forums…

  • This is not just a YouTube problem. I was on MySpace the other day and I clicked on a tab for profile and it automatically sent me to a site for this Virus scan. I never clicked on anything, but I have noticed that it happened a few times while I was navigating through MySpace. Now, I have signed onto MySpace today and all of a sudden my Etrust Antivirus is popping up and telling me it is this Swif virus. So, I do not think it is limited to just YouTube. Once the Etrust comes up I cannot go to my start menu and click on a program. It is telling me that the file I am requesting has been moved/renamed or deleted. So I have to actually reboot the computer to get anywhere on it right now. It is even logging me off of web sites and making me have to re-enter passwords in order to get back in. This is not a normal virus!

  • It’s happening to me as well on myspace pages that do not even have youtube videos posted. LIKE MY OWN PAGE. CA pops up and deletes virus stuff. I noticed that a week ago going to someone’s photos on myspace the 2009 thing popped up and tried to get me to get their crap and it wouldn’t let me close it out so I shut down.

  • CA HAS FIXED IT. I finally got a new signature code that fixes the youtube embedded video virus issue.

  • I had 3 false positives today from Etrust ITM. It kinda freaked us out at first because we thought that the virus got through another layer of AV. (we have AV at our gateway)

    Too many people in these comments (and at other sites) are confusing Antivirus 2009 (which is a hugely harmful malware which has been around for a while and can infect you many ways) with this new virus. I also see people thinking that this new virus is a hoax in and of itself because of the false positives. Let me give everyone the story on this one…

    Antivirus 2009 is bad stuff and it has many ways of propagating. It is not new, and the easiest way I have found of getting rid of it at this point, is formatting.

    Actns/Swif.T is bad stuff, but unless you visited the video posted in an earlier comment about derrick rose (or a couple of other youtube/yahoo videos), chances are you do not have this virus. This virus is still a very real threat and could be very harmful if you do get infected.

    Computer Associates wrote virus definitions that falsely identified embedded youtube videos (perhaps all of them) as this Actns/Swif.T. Though the virus does exist, most people who received the warnings did not actually have the virus. Chances are if you did actually get the virus, it would have fixed the infection. If it did not it would almost for sure have detected AV2009 and not allowed it to be installed.

  • I had CA notify me about 2 actns/swif.t issues earlier today in IE. I thought nothing of it, but about 5 minutes ago I was browsing some myspace bands and I was notified about 16 times in two instances. I was eventually pushed to the Antivirus 2009 site and it wanted to go through the process while I was trying to exit IE. I alt f4ed until everything closed and I restarted my computer. I went to the same myspace site that was acting up just to be sure.

    Nothing happened, but I would like to know about what is going on. I am somewhat computer savvy, but I have no idea what is really happening with this “virus” or “false alarm” system. I am running a scan with CA right now. Do I need to go and fix anything? Nothing was installed from the Antivirus 2009 site, but I want to make sure my computer is safe. Any help or information would be appreciated.

    Thank you,
    Ketchup

  • If you are wanting a quick fix for AV2009.

    Download a program called Malware Bytes, http://www.malwarebytes.org/ , it’s saved my skin so many times and customers. It’s a free program to use and it’s really clever and powerful at what it does.

    Load it on, update it and remove the infected files, reboot, launch HijackThis and then clean out other bad items.

    Then run ATF cleaner on the machine to clean up any temp remains.

    Thanks.

  • How can I tell if I have Antivirus 2009 on my computer?

    I have noticed that my CA Anti-Virus checker has 3/12/2009 as the renewal date. It is due for renewal in March 2009.
    I have not been able to access anything on my computer for 5-6 days which requires a password. I’m unable to type a password in the box and I keep hearing a constant clicking noise.
    I keep getting messages that CA virus checker has detected and cleaned Actns/Swif.T.

    • Antivirus 2009 causes popup windows and redirected browser pages–if your browser keeps taking you to pages you never requested and/or you’re getting lots of popups, it might be Antivirus 2009. Run the reg edit I posted earlier in safe mode (to get to safe mode, reboot your computer and press F8 repeatedly while it restarts until it takes you to the page where you can choose safe mode). The password thing sounds like a virus or spyware. CA isn’t good at spyware–do you have a specific program to identify spyware? If not, try spybot. It’s free, it’s pretty good, and you can get it at spybot.com.

  • On the CA site itself, I read about a few variations of actns/swift, ones ending in different letters, but nothing is posted on the CA site about actns/swift.T virus. WHY NOT?

    I first was warned that two temp internet files were infected last night, but the CA program only deleted one file, which I thought was weird. If it is a trojan, did it change/move to not be deleted? I tried to delete the second file myself with no luck. I ran the CA virus scan completely last night, and it came up with no virus anywhere. However, today, after checking a review I wrote months ago that includes an embedded video from utube, I got 17 virus warnings at once! Again, only some of the files were deleted. Now, I know that my embedded video and my utube page have been up for months without any issue, so what’s going on? I also browsed a few myspace pages a couple days ago.

    Some of the warnings on the CA site for the other actns/swift viruses are reported as medium threats that can be a real problem. So, I am not sure if this is a “false positive” or what, but do know that PREVIOUSLY to the virus warnings that popped up yesterday, my computer and the CA program acted weird a couple weeks ago.

    My CA program was saying it had expired, gone for about a week, then came back on with a completely different expiration date. My computer was odd too, web pages were not loading, and Vista gave me the message that my secure sites — my email sign on and anything with a password — were not secure and not to proceed. That lasted a few days, then all seemed fine again. But now I am suspicious. I was not redirected to a phishing or down-loadable site, but the CA program itself failed for a week. Did a virus hit CA that caused it to “expire”? I read above that others have CA programs that oddly changed expiration dates too.

  • My girlfriend’s pc got hit with this thing from connecting to Myspace. (first mistake) She said she didn’t even click on anything and the CA Antivirus just started showing notifications. CA did it’s normal thing where it detected like 8 or 9 threats, and only actually deleted about 5 of them. It’s been explained to me that these kinds of threats leave some kind of seed file in your Windows Folders and these seed files constantly try to create virus type files that CA Antivirus will then detect as threats. That’s why randomly the little CA box will show up and say something like “18 threats detected and removed” … and it will just keep doing that. Unfortunately I think the resolution to this problem, outside of yet ANOTHER Windows Reformat, is to just simply start dropping Microsoft. I am a die hard Windows user, but come on now, this is just getting to be ridiculous. The “PC Guy” in my city gets $50 to remove a virus like this, and I’m sure places like Best Buy are probably double that amount. I would say pin it on CA for not “protecting” us. But really, saying you’ll protect a Windows pc from threats, is like saying you’ll post the boy scouts to protect us from China. This is b/s. I’m off to Linux land.

  • I had dozens of embedded and/or linked videos on my site, all youtube, and CA would erase the cached/temp files even while I was editing with my editor. Always referencing the “actns/swif.t” file and deleted it. (I never actually was redirected).

    I deleted all ‘reference to’ or ‘links to’ all videos just in case. I am optimistic it is a false positive. BUT; Why would a redirect happen as many on here have said? That is not a false positive! That is a problem.

    For somebody more computer savvy than I, it would even happen when I pulled the link, (not the one offered on youtube, the link out of the embed code), and use that in an iframe. I would get the warning.

    I also have noticed that my pages always waited for: (s.ytimg.com), to load, assuming it was the img file of the static video.

    Anyway it went from a standard link:
    http://www.youtube.com/v/bUTBGz4zV9Y&hl=en&fs=1

    To a mile long link: (I broke to not make a good link).
    http://www.youtube.com/swf/l.swf?
    swf=http%3A//s.ytimg.com/yt/swf/cps-vfl66122.swf
    &video_id=bUTBGz4zV9Y&rel=1&showsearch=1&eurl=
    &iurl=http%3A//i3.ytimg.com/vi/bUTBGz4zV9Y/hqdefault.jpg
    &sk=cmeruds0w8OsMsAXU41JNDfHiI_qvLrHC&use_get_video_info=1&load_modules=1&fs=1&hl=en

    Maybe somebody can figure out what it actually does? If anything.
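
The long loader URL quoted in the comment above can be taken apart mechanically. The following is an added example, not part of the original comment and not YouTube's own code: it decodes each query parameter and checks that every nested URL points at a youtube.com or ytimg.com host. The allowlist, the function names and the tampered sample are assumptions made for the illustration.

```javascript
// Added example. The allowlist is an assumption for this illustration,
// built from the hosts visible in the comment (youtube.com, ytimg.com).
const TRUSTED_SUFFIXES = ["youtube.com", "ytimg.com"];

// Loader URL as quoted in the comment, rejoined from its wrapped lines.
const COMMENT_LOADER_URL = `http://www.youtube.com/swf/l.swf?
swf=http%3A//s.ytimg.com/yt/swf/cps-vfl66122.swf
&video_id=bUTBGz4zV9Y&rel=1&showsearch=1&eurl=
&iurl=http%3A//i3.ytimg.com/vi/bUTBGz4zV9Y/hqdefault.jpg
&sk=cmeruds0w8OsMsAXU41JNDfHiI_qvLrHC&use_get_video_info=1&load_modules=1&fs=1&hl=en`;

// Short embed link from the same comment.
const COMMENT_SHORT_URL = "http://www.youtube.com/v/bUTBGz4zV9Y&hl=en&fs=1";

// Constructed sample (not from the page): the same loader with its swf
// parameter pointed at a look-alike host under the reserved example.net.
const CONSTRUCTED_TAMPERED_URL =
  "http://www.youtube.com/swf/l.swf?swf=http%3A//s.ytimg.com.example.net/x.swf" +
  "&video_id=bUTBGz4zV9Y";

// True when host equals a trusted suffix or is a subdomain of it.
// Matching on "." + suffix rejects look-alikes such as "notytimg.com".
function isTrustedHost(host, suffixes = TRUSTED_SUFFIXES) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return suffixes.some((s) => h === s || h.endsWith("." + s));
}

// Old-style embeds ("/v/<id>&hl=en&fs=1") carry their parameters in the
// path after "&" instead of after "?". Normalise both forms.
function splitParams(url) {
  const params = new URLSearchParams(url.search);
  let path = url.pathname;
  const amp = path.indexOf("&");
  if (amp !== -1) {
    for (const [k, v] of new URLSearchParams(path.slice(amp + 1))) params.append(k, v);
    path = path.slice(0, amp);
  }
  return { path, params };
}

// Decode an embed URL and report every parameter whose value is itself a URL.
function analyzeEmbedUrl(raw) {
  const url = new URL(raw.replace(/\s+/g, "")); // rejoin a line-wrapped URL
  const { path, params } = splitParams(url);
  const nested = [];
  for (const [param, value] of params) {
    // URLSearchParams has already percent-decoded the value.
    const looksLikeUrl = /^[a-z][a-z0-9+.-]*:/i.test(value) || value.startsWith("//");
    if (!looksLikeUrl) continue;
    let host = null;
    let trusted = false;
    try {
      const target = new URL(value, url);
      host = target.hostname;
      const web = target.protocol === "http:" || target.protocol === "https:";
      trusted = web && isTrustedHost(host);
    } catch {
      // Unparseable nested URL: keep host null and treat it as untrusted.
    }
    nested.push({ param, value, host, trusted });
  }
  const untrusted = nested.filter((n) => !n.trusted).map((n) => n.param);
  const fromPath = /^\/v\/([^/]+)$/.exec(path);
  return {
    host: url.hostname,
    videoId: params.get("video_id") || (fromPath ? fromPath[1] : null),
    params: Object.fromEntries(params),
    nested,
    untrusted,
    ok: isTrustedHost(url.hostname) && untrusted.length === 0,
  };
}

for (const u of [COMMENT_LOADER_URL, COMMENT_SHORT_URL, CONSTRUCTED_TAMPERED_URL]) {
  const r = analyzeEmbedUrl(u);
  const refs = r.nested.map((n) => `${n.param}=${n.host}`).join(" ");
  console.log(r.ok ? "OK  " : "FLAG", r.videoId, refs);
}
```

For the URL in the comment, the only nested URLs are `swf` (the player on s.ytimg.com) and `iurl` (the thumbnail on i3.ytimg.com); the remaining parameters are plain flags and identifiers.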

  • I’ve now successfully cleaned 5 computers with the infected .swf’s and several with the Antivirus 2009 (and Antivirus 2008). Just create the reg edit file I posted earlier (be sure to include the Windows Registry line at the top.) Save the reg edit to the infected computer, then reboot to safe mode. Dump all temp files, run the reg edit. Delete any Antivirus folders or icons. Reboot. No more Antivirus 2009, no more infected swf notifications, no need to wipe the hard drive.

  • I have removed all embedded YouTube videos from my site to protect my visitors.

    Does anyone know if it is safe to put them back yet?

    Thanks!

  • Mine popped up Nov. 1. Almost set like a Trojan, to go off at a certain date. Went online to see what it was about. One site said it attaches or is borne by adult video websites. The only one I ever use is YouTube, so logically….
    I had the damn Antivirus 2009 popping up all day long. AVG and Windows Defender cornered it for me and the next day…it was gone. Even the virus vault was empty. I’ve been warning people on DeviantART as well about this (seeing as many on there have links to their own AMV’s they make and share).

  • Woke up to this virus 12/2/2008. What a mess, it kept replicating. I knew it had something to do with YouTube because I could no longer see embedded videos on my computer. I ran several scans, downloaded Avira, and turned off System Restore. I think turning off System Restore did the trick, but I’m not totally sure. Try it, you have nothing to lose – then run your AV program again. Hope this helps, it’s such a huge waste of time to deal with these issues. Good luck!

  • Is there any information about this subject in other languages?

  • Just blast them away with kaspersky or Symantec products.
