I got my first virus in ages the other night. I think it was a link off of Reddit or Digg.
Anyways, I know I should have been using NoScript with my Firefox but I wasn't. I am using Google Chrome to write this and will use NoScript when I use Firefox from now on. The virus would not let me use Chrome or Firefox; I didn't test IE, but thankfully it let me run Opera with no problems! Everyone should have Opera anyways.
So here it is and hopefully this will help a few others since searches didn't yield much of a result since it may still be relatively fresh.
Firefox all of a sudden showed three windows "opening" but they never popped up. Next thing you know my machine was in shutdown mode. Then it restarted.
Anyways, the virus masquerades as a "Windows Security Center" alert after rebooting and says something about "Windows Firewall". It says that win32.zafi.b is doing something, etc. HijackThis didn't turn up anything suspicious. I then ran Sophos Anti-Rootkit and it picked up some unknown files, but I didn't delete them. Finally I searched for "windows security alert win32.zafi.b" and found this thread where I found the fix!! I don't think it was randomly named, though, as I had the exact same file names as the guy in the link below (ocboo1892823.exe and sysspc.dll).
http://www.computing.net/answers/security/fake-security-alert/24161.html

I had to delete a registry entry in the following location:
D:\Documents and Settings\Eli\Application Data\Google\ocboo1892823.
"D:\Documents and Settings\Eli\Application Data\Google\ocboo1892823.exe" 2
Hopefully this helps someone out. Here is a screenshot.
I used a Ubuntu 8.04 Live CD to boot up and delete the files from the following Google folder.
D:\Documents and Settings\Elijah\Application Data\Google
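An added example, not part of the original post or the linked thread: a read-only PowerShell check that lists Run/RunOnce autostart values and flags any whose command points into a user profile data folder, as the ocboo1892823.exe entry did. The post does not name which key the entry lived under, so the Run/RunOnce keys below are an assumption.

```powershell
# Added example (not from the original post). Enumerate the usual
# autostart keys and report entries whose command lives under a user
# profile data folder. Report only; nothing is deleted.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Path fragments that are unusual for a legitimate autostart entry
# (the post's entry sat under "Application Data\Google").
$suspectPattern = 'Application Data|AppData|\\Temp\\|Local Settings'

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)

        # Pull the executable path out of the value data, with or without
        # surrounding quotes, so we can check whether it still exists.
        $exePath = if ($command -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $null }
        $exists  = if ($exePath) { Test-Path -LiteralPath $exePath } else { $false }

        $status = if ($command -match $suspectPattern) { 'SUSPECT' } else { 'ok' }

        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Command    = $command
            FileExists = $exists
            Status     = $status
        }
    }
}
```

Run it in an elevated PowerShell session so the HKLM keys are readable; a SUSPECT row whose file no longer exists is a leftover entry like the one the post had to remove by hand.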