Beware of "Internet Security 2010" -- worst Trojan

Our "pub" where you can post about things completely Off Topic or about non-silent PC issues.

Moderators: NeilBlanchard, Ralf Hutter, sthayashi, Lawrence Lee

NeilBlanchard
Moderator
Posts: 7681
Joined: Mon Dec 09, 2002 7:11 pm
Location: Maynard, MA, Eaarth

Beware of "Internet Security 2010" -- worst Trojan

Post by NeilBlanchard » Thu Feb 11, 2010 10:46 am

Hello Folks,

I'm just finishing up reinstalling Windows on a laptop for a client that was infected by a Trojan malware program that calls itself "Internet Security 2010" -- PLEASE KEEP YOUR FIREWALL & ANTIVIRUS UP TO DATE!!! Update Windows with all the security updates, as well. Microsoft has a big job ahead of them, fighting this thing...

*This* *is* *the* *worst* *Trojan* *malware* *EVER*!

It installs in the "Safe" mode of Windows.
It prevents you from using System Restore to reverse its installation.
It blocks you from getting to websites that help you fight it.
It blocks you from downloading files, by shutting down the browser.
You cannot install another browser like Firefox.
It blocks your antivirus.
It blocks you from using RegEdit.
It modifies the hard drive so you cannot read the drive in Linux.
It pops up continuously with warnings that your machine is infected (NO KIDDING!) and they want to sell you the "solution". I am *sure* that while it might make the symptoms go away, it would remain infected. You have to pay them to let them continue to use your computer.

If it gets a foothold on your computer, it downloads and installs additional Trojan programs.

Google "Internet Security 2010" and you will see lots of evidence of this huge threat.

It seems to do something even more: when I tried to install WinXP from an installation CD -- the hard drive is not "seen". You would have to buy a new hard drive, and that might not work. I tried putting in another old hard drive, and it was not "seen" either, but it might have other issues... I *was* able to install Linux on that other hard drive -- it was "seen" by Linux. The only plausible explanation I can come up with is that this malware *moves* something required for running Windows from the hard drive controller to the hard drive; thus making it impossible to even use a new hard drive to reinstall Windows. [Edit: a better explanation is suggested below.]

Have I raised your awareness enough to get you to take steps to prevent your Windows machine from getting this? Please do this -- this is a very, very serious challenge.
Last edited by NeilBlanchard on Thu Feb 11, 2010 6:47 pm, edited 1 time in total.

xan_user
*Lifetime Patron*
Posts: 2269
Joined: Sun May 21, 2006 9:09 am
Location: Northern California.

Post by xan_user » Thu Feb 11, 2010 10:52 am

people who write and profit from this crap should be hung by their toenails on youtube.

washu
Posts: 571
Joined: Thu Nov 19, 2009 10:20 am
Location: Ottawa

Post by washu » Thu Feb 11, 2010 11:59 am

While it does sound nasty, the hard drive not being seen by the XP install CD is probably just not loading the AHCI drivers.

You can load the AHCI drivers from a floppy or turn off AHCI in the BIOS. If you tried a Vista or 7 install it should also see the drive just fine.

NeilBlanchard
Moderator
Posts: 7681
Joined: Mon Dec 09, 2002 7:11 pm
Location: Maynard, MA, Eaarth

Post by NeilBlanchard » Thu Feb 11, 2010 6:45 pm

That certainly sounds plausible -- the problem is this laptop has no floppy drive (and I do not own a USB unit -- which might not work w/o USB drivers anyway?), and Microsoft has seen fit to force you to use a floppy to install those... AFAIK, they cannot be installed from a CD-ROM... sheesh.

xan_user
*Lifetime Patron*
Posts: 2269
Joined: Sun May 21, 2006 9:09 am
Location: Northern California.

Post by xan_user » Thu Feb 11, 2010 6:49 pm

NeilBlanchard wrote: AFAIK, they cannot be installed from a CD-ROM... sheesh.
Should be able to nLite those drivers into a custom install disc.

aristide1
*Lifetime Patron*
Posts: 4284
Joined: Fri Apr 04, 2003 6:21 pm
Location: Undisclosed but sober in US

Post by aristide1 » Thu Feb 11, 2010 8:55 pm

I clicked on a pic of Natalie Portman on Google images. Next thing I know my system freaks out. Popup boxes with a security symbol pop up immediately. I'm infected with 6 viruses and I need to buy this software now. I kept closing boxes, but they opened as fast as I closed them. I used Task Manager finally to shut them all down. When I ran my AV software there was nothing there. The whole thing was a lie to make me buy.

I know now - Look at Natalie Portman only in magazines.

Ransom ware:
http://www.msnbc.msn.com/id/7961600/

xan_user
*Lifetime Patron*
Posts: 2269
Joined: Sun May 21, 2006 9:09 am
Location: Northern California.

Post by xan_user » Fri Feb 12, 2010 6:59 am

aristide1 wrote: I clicked on a pic of Natalie Portman on Google images.
http://www.msnbc.msn.com/id/32533198/ns ... -security/

aristide1
*Lifetime Patron*
Posts: 4284
Joined: Fri Apr 04, 2003 6:21 pm
Location: Undisclosed but sober in US

Post by aristide1 » Fri Feb 12, 2010 7:12 am

xan_user wrote: people who write and profit from this crap should be hung by their toenails on youtube.
Another reason to keep your toenails short.

andyb
Patron of SPCR
Posts: 3307
Joined: Wed Dec 15, 2004 12:00 pm
Location: Essex, England

Post by andyb » Fri Feb 12, 2010 8:25 am

I have found that this is very common, and it is NOT the worst bit of malware ever, and is relatively easy to get rid of if you know how and have a spare PC.

Firstly disable system restore on the infected PC, then shut it down, remove the HDD, hook it up to your second PC, make sure the second PC does not try to boot from the infected drive as it will probably destroy windows.

Delete all of the temp and temp internet files, then run NOD32 on the appropriate drive (I have mine set up to find everything except "potentially unwanted programs", and delete everything that it finds that it can't clean), put the drive back into the PC it came from and load Windows in safe mode, install Spybot S&D with the latest definitions, and Malwarebytes with the latest definitions (probably easiest to copy the files onto the drive when it is hooked up to the second PC). And run them one after the other.

The machine should then be usable after a reboot, but your winsock might need to be reset, and you might not be able to edit the registry or change other settings in the control panel or windows explorer. I have a great program that fixes the winsock and another that re-enables the use of regedit, PM me with your e-mail address if you want me to e-mail them to you.


Andy

NeilBlanchard
Moderator
Posts: 7681
Joined: Mon Dec 09, 2002 7:11 pm
Location: Maynard, MA, Eaarth

Post by NeilBlanchard » Fri Feb 12, 2010 2:18 pm

Thanks for that, Andy! Do you think it would also work to put the infected drive in an external enclosure and then clean it on another Windows machine?

This is certainly the worst malware I have ever fought with -- have you encountered a worse one? :shock: Care to tell us about it?

xan_user
*Lifetime Patron*
Posts: 2269
Joined: Sun May 21, 2006 9:09 am
Location: Northern California.

Post by xan_user » Fri Feb 12, 2010 3:14 pm

NeilBlanchard wrote:
This is certainly the worst malware I have ever fought with -- have you encountered a worse one? :shock: Care to tell us about it?
Norton suite, hands down! :roll: :lol:

NeilBlanchard
Moderator
Posts: 7681
Joined: Mon Dec 09, 2002 7:11 pm
Location: Maynard, MA, Eaarth

Post by NeilBlanchard » Fri Feb 12, 2010 7:24 pm

Hi,
xan_user wrote: Norton suite, hands down! :roll: :lol:
Yeah, I've done that one -- manually editing the Registry is a cake walk compared to this!

psiu
Posts: 1201
Joined: Tue Aug 23, 2005 1:53 pm
Location: SE MI

Post by psiu » Fri Feb 12, 2010 8:36 pm

My father in law got this on his machine. Luckily he had it dual-booting with Linux. Was able to get him to download Malwarebytes Anti Malware (aka MBAM) and get it all sorted out. His AV (I think it was AVG) didn't pick it up. Nothing like late night phone support. Urgh.

My dad got one of the Vundo variants a few years ago. Got him through that as well. Nothing like remote phone support and remote VNC through dialup. He had a paid for Norton subscription.

There were some dubious solutions for this Internet Security thing I found originally in my searches as well. Be careful...I can recommend MBAM at least.

Fred
Posts: 86
Joined: Fri Jan 18, 2008 5:00 pm
Location: Northern Sweden

Post by Fred » Fri Feb 12, 2010 8:46 pm

Hmm... viruses and the likes feels so pre-2003.

But maybe that's just me. xD

psiu
Posts: 1201
Joined: Tue Aug 23, 2005 1:53 pm
Location: SE MI

Post by psiu » Fri Feb 12, 2010 9:01 pm

Fred wrote: Hmm... viruses and the likes feels so pre-2003.

But maybe that's just me. xD
Just sent out an email reminding the old people in my life to not click on anything. I'm the remote phone tech-support and don't enjoy (1200 mile round trip) in home support calls :(

Why do otherwise smart people click on so much stupid crap (and go where they shouldn't be)?

mr. poopyhead
Patron of SPCR
Posts: 376
Joined: Thu Jun 29, 2006 8:37 pm
Location: Mississauga, ON

Post by mr. poopyhead » Fri Feb 12, 2010 9:30 pm

my girlfriend's dad had one of these "pay me now to clean up your system" programs installed too. nasty bit of software... something also changed his hosts file to redirect all google addresses to some fake google website, which looks EXACTLY like the real google, except the search results are really weird...

i've also seen one of these things change your DNS server address to some bogus DNS server that returns all these phishing sites instead of the real things...

pretty clever stuff...
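The hosts-file redirection described in this post (and the blocking of help sites mentioned in the first post) leaves a trace that is easy to check for. The script below is an added example and not code from anyone in this thread: it parses hosts-file syntax and flags any entry that points a watched domain (search engines, update and security-vendor sites) at a routable address instead of loopback or 0.0.0.0. The sample hosts text, the watchlist of domains and the 192.0.2.x addresses (a documentation-only block) are all constructed for the example.

```python
"""Audit a hosts file for hijacked entries (added example, not from the thread)."""
import ipaddress

# Constructed sample hosts-file content modelled on the symptoms described in the
# thread: a search engine redirected to a non-loopback address and a security-vendor
# site pointed at the same address. 192.0.2.0/24 is TEST-NET-1 (documentation only),
# so these addresses are placeholders, not real infrastructure.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com google.com
192.0.2.10      www.malwarebytes.org
0.0.0.0         ad.doubleclick.net   # legitimate ad-blocking entry
"""

# Hypothetical watchlist: domains a hijack typically targets (search engines,
# OS update and security-vendor sites). Extend for your own environment.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "microsoft.com", "windowsupdate.com",
    "malwarebytes.org", "safer-networking.org", "eset.com", "avg.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping in hosts-file text.

    Comments start at '#'; a line is 'IP name [name ...]'.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for name in names:
            yield ip, name.lower(), lineno


def is_blackhole(ip):
    """True for loopback or unspecified addresses, the normal hosts-file targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text, watched=WATCHED_SUFFIXES):
    """Return [(lineno, hostname, ip)] for watched hosts mapped to a routable address."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if is_blackhole(ip):
            continue  # 127.0.0.1 / 0.0.0.0 / ::1 entries are blocking, not redirection
        if any(name == s or name.endswith("." + s) for s in watched):
            findings.append((lineno, name, ip))
    return findings


if __name__ == "__main__":
    for lineno, name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} (expected loopback or no entry at all)")
```

To run it against a real machine, read the file at `%SystemRoot%\System32\drivers\etc\hosts` on Windows (or `/etc/hosts` on Linux) and pass its contents to `find_hijacks`; on a drive pulled from an infected PC and mounted on a second machine, the same path under the mounted volume works. Note that an entry pointing a watched domain at 127.0.0.1 is deliberately not flagged, since that is how the malware blocks access to help sites rather than redirecting them; if you want those surfaced too, drop the `is_blackhole` check.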

aristide1
*Lifetime Patron*
Posts: 4284
Joined: Fri Apr 04, 2003 6:21 pm
Location: Undisclosed but sober in US

Post by aristide1 » Fri Feb 12, 2010 10:38 pm

psiu wrote: Why do otherwise smart people click on so much stupid crap (and go where they shouldn't be)?
Because it's Natalie Portman!

'Nuff said.

:mrgreen:

andyb
Patron of SPCR
Posts: 3307
Joined: Wed Dec 15, 2004 12:00 pm
Location: Essex, England

Post by andyb » Sat Feb 13, 2010 3:46 am

NeilBlanchard wrote: Thanks for that, Andy! Do you think it would also work to put the infected drive in an external enclosure and then cleaning it on another Windows machine?
Sure it will, it just won't scan as fast; all that you need to do to get rid of most viruses (and a malware/virus mixture like you have) is to make sure the viruses/malware are not running.
NeilBlanchard wrote: This is certainly the worst malware I have ever fought with -- have you encountered a worse one? :shock: Care to tell us about it?
"Stop Sign" - DO NOT CLICK ON ANYTHING ON THEIR WEBSITE, AND DON'T EVEN HAVE A LOOK IF YOU ARE USING INTERNET EXPLORER - NOT FOR THE FAINT-HEARTED, DO SO AT YOUR OWN RISK, and another that is also pure evil that I can't remember the name of. We have seen the sum total of 3 PCs with "Stop Sign"; the first 2 got re-installed, then we found a specific way of defeating it without totally wrecking Windows on the third. Fortunately it is pretty rare, but it is pure evil.

There are also numerous viruses doing the rounds at the moment that, if not worked on in the right way (the right order as well), will wreck Windows totally. Often it's as easy to back up all of the data and totally re-install, and also guaranteed to work, but that has to be weighed up against all of the work of re-installing. I use imaging software and 32/50/64GB boot partitions with all of the software, and the rest of the drive with all of the data (and My Documents + Desktop, thanks to Tweak UI) on XP machines - makes life much easier for re-installs as there is little data to back up (e.g. Firefox bookmarks).


Andy

Bradshaw
Posts: 20
Joined: Wed Nov 11, 2009 10:47 am

Post by Bradshaw » Mon Mar 01, 2010 7:59 am

I use Faronics Deep Freeze and Sandboxie to make sure my computer is always secure.

Sandboxie creates a sandbox for my internet browser and with Deep Freeze I can make sure my C: Drive is always secure.
