#46346 by Neil Blanchard
Thu Feb 11, 2010 1:37 pm
Hello Folks,

I'm just finishing up reinstalling Windows on a laptop for a client that was infected by a Trojan malware program that calls itself "Internet Security 2010" -- PLEASE KEEP YOUR FIREWALL & ANTIVIRUS UP TO DATE!!! Update Windows with all the security updates, as well. Microsoft has a big job ahead of them, fighting this thing...

*This* *is* *the* *worst* *Trojan* *malware* *EVER*!

It installs in the "Safe" mode of Windows.
It prevents you from using System Restore to reverse its installation.
It blocks you from getting to websites that help you fight it.
It blocks you from downloading files, by shutting down the browser.
You cannot install another browser like FireFox.
It blocks your antivirus.
It blocks you from using RegEdit.
It modifies the hard drive so you cannot read the drive in Linux.
It pops up continuously with warnings that your machine is infected (NO KIDDING!) and they want to sell you the "solution". I am *sure* that while it might make the symptoms go away, it would remain infected. You have to pay them to let them continue to use your computer.

If it gets a foothold on your computer, it downloads and installs additional Trojan programs.

Google "Internet Security 2010" and you will see lots of evidence of this huge threat.

It seems to do something even more: when I tried to install WinXP from an installation CD -- the hard drive is not "seen". You would have to buy a new hard drive, and that might not work. I tried putting in another old hard drive, and it was not "seen" either, but it might have other issues... I *was* able to install Linux on that other hard drive -- it was "seen" by Linux. The only plausible explanation I can come up with is that this malware *moves* something required for running Windows from the hard drive controller to the hard drive; thus making it impossible to even use a new hard drive to reinstall Windows.

Have I raised your awareness enough to get you to take steps to prevent your Windows machine from getting this? Please do this -- this is a very, very serious challenge.
Last edited by Neil Blanchard on Thu Feb 11, 2010 8:34 pm, edited 1 time in total.
#46348 by joshhuggins
Thu Feb 11, 2010 2:03 pm
Any ideas on how it came into the system? I've been seeing/hearing about a lot of webpages that look like a Windows XP Explorer window and claim that the user's AV, Windows updates or whatnot is out of date. Luckily they did not install the package the site wanted them to. This has popped up from Yahoo mail inboxes and Facebook app pages on the two or three cases I've seen personally. It seemed almost like the random ad images on the pages were carrying them, but I can't confirm that. Thanks for the heads up.

Also, for those who are not experienced at hunting this type of stuff, don't Google search for this!
#46349 by Paul Nida
Thu Feb 11, 2010 2:17 pm
We have also battled this POS here and we may have finally beaten it. Here is a link to a guide we used to get rid of it:

http://www.bleepingcomputer.com/virus-r ... urity-2010

We downloaded two free programs to help get rid of it as recommended on this site, rkill.com and Malwarebytes Anti Malware. After you have gone through the steps I think you have to repair your Windows but I don't think you have to do a complete reinstall. The machine we used this procedure on has been okay for a week or two now, so I think it was successful.
#46351 by Neil Blanchard
Thu Feb 11, 2010 4:38 pm
Hi Josh,

They were using Internet Explorer, and they literally were in the process of upgrading to a newer version of NOD32, when this happened. It had WinXP SP3, but probably did not have all the current updates.

I have now put FireFox in, NOD32 v4, and the latest updates are happening now. They will be adding a good software firewall, asap.

Josh -- why shouldn't we Google this?

[Edit 2: Oh, I got a much better answer to why the HD was not "seen" by the WinXP installation: "the hard drive not being seen by the XP install CD is probably just not loading the AHCI drivers.

You can load the AHCI drivers from a floppy or turn off AHCI in the BIOS. If you tried a Vista or 7 install it should also see the drive just fine."

There is no toggle in the BIOS for this, unfortunately. I replied that MS forces you to install those drivers from a floppy -- and this machine has no floppy! Someone else responded that a custom "slipstreamed" installation CD can be made with these drivers integrated, but how much of a pain would that have been? If we could use Vista or Win7 (we cannot) then this would have been a non-issue.

Thankfully, it is now working, and it did not come to this. ]
#46358 by joshhuggins
Fri Feb 12, 2010 1:39 am
Neil Blanchard wrote: Josh -- why shouldn't we Google this?
You probably can get away with it as you know what to watch for, but most people should not go googling for a virus by the name it's advertising as. That's why I made the distinction for those who are not experienced with the tricky little things these sleazebags do and the prompts which can leave you with no option but to download something. Never kick a bear, unless you have to.
#46732 by Neil Blanchard
Wed Mar 03, 2010 5:23 am
Hello Folks,

An urgent note of caution for those of you using Facebook:

DO NOT use the email notification feature on Facebook! I think this is how people are getting phished.

I would turn off the feature in your preferences (there are a LOT of the check boxes -- and Save Changes afterward!), and then ignore any emails that you get that say they are from FB -- many of the emails I've been getting have been weird. And I strongly suspect they are phishing for my password...
#55303 by Neil Blanchard
Tue Sep 27, 2011 12:52 pm
Here's an important malware / worm to know about and to check your computer for, called Conficker:

http://www.npr.org/2011/09/27/140704494/the-worm-that-could-bring-down-the-internet

Here's a test to see if your computer is infected:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

And if you need to remove Conficker, you can use this:

http://free.avg.com/us-en/conficker
