DiscussWorldIssues - Socio-Economic Religion and Political Uncensored Debate (http://www.discussworldissues.com/forums/)
General Discussion > Internet Security 2010 malware, oh how I hate thee! (http://www.discussworldissues.com/forums/general-discussion/232132-internet-security-2010-malware-oh-how-i-hate-thee.html)

inilbowly 01-19-2010 06:07 AM

Internet Security 2010 malware, oh how I hate thee!
 
I hate

I Hate

I HATE

Internet Security 2010.

Some stupid home user was browsing on their laptop last night and got hit with it.

Oh god was it a pain to get rid of.

3 users had it here at work, so I was wondering how they all got it. My guess is either an infected email attachment (the AV on our Domino server should have caught it), or more probably a pop-up that they clicked on when they shouldn't.

So, I spent 3 hours cleaning it, only to finally kill it, but have a damaged login process that got me stuck in an infinite login/logout loop.

Finally said screw it, re-imaged the machine, and rebuilt the applications from the start.

Easier that way.

Nearly 8 hours messing with this crap.

I'd rather have open heart surgery while I was awake without anesthetic.

All thanks to some users who don't bother to read the email warnings about it that we regularly send out.

lungumnentibe 01-19-2010 06:25 AM

If someone found the people who wrote this malware and murdered them in their sleep, I don't think I'd be the least bit bothered by it.

grubnismarl 01-19-2010 06:26 AM

Yeah, we had one machine get hit with that here at the weekend. There was a machine last week that got hit by something along the same lines. I was using RealVNC to connect to it and I thought I was having terrible connection problems, as the screen would lock up. It turned out it had added two processes with names like Embassy Security, each of which dedicated itself to crippling 100% of a core. I managed to get it off this laptop. The guy's a sales guy; anyway, he had to go off to do something and I left a scan running. At some point I connected back up to check on it and he's on a website, sexy swingers or something, with pictures and all. So I have an idea how this **** gets on machines. The minute I saw that website I was like, okay, forget this, and disconnected, but called the guy after a couple of hours, and the moment he answers he's like, yeah, I only just got back, been out getting groceries.

inilbowly 01-19-2010 06:31 AM

Quote:

Yeah, we had one machine get hit with that here at the weekend. There was a machine last week that got hit by something along the same lines. I was using RealVNC to connect to it and I thought I was having terrible connection problems, as the screen would lock up. It turned out it had added two processes, each of which dedicated itself to crippling 100% of a core. I managed to get it off this laptop. The guy's a sales guy; anyway, he had to go off to do something and I left a scan running. At some point I connected back up to check on it and he's on a website, sexy swingers or something, with pictures and all. So I have an idea how this **** gets on machines. The minute I saw that website I was like, okay, forget this, and disconnected, but called the guy after a couple of hours, and the moment he answers he's like, yeah, I only just got back, been out getting groceries.
Avoiding this stuff is simple good browsing habits. People won't pick up hitchhikers by the roadside, but they'll click on a pop-up ad on the net. Which is pretty much the same thing.

Stupid users. Then again, stupid users keep me employed. 80% of the work I do is because of stupid users. The rest of the stuff is real issues with application bugs, installs, and planned things.

KixdricyArrip 01-19-2010 06:51 AM

Had one of these at work too today. Running Malwarebytes in safe mode seemed to remove it. But it looks like it has done something to completely disable network access. Going to try a new NIC in there just in case, but I suspect it has overwritten some important Windows files.

inilbowly 01-19-2010 07:25 AM

Quote:

Had one of these at work too today. Running Malwarebytes in safe mode seemed to remove it. But it looks like it has done something to completely disable network access. Going to try a new NIC in there just in case, but I suspect it has overwritten some important Windows files.
See, mine got stuck in an infinite login loop. Tried the steps listed in the Microsoft KB to repair it, and a few others, before I gave up. It was just faster to re-image the machine and reload the apps.

gortusbig 01-19-2010 07:47 AM

I have friends who get this on a regular basis. No matter how many times I clean up their machine and tell them to NOT CLICK ON THE POP-UPS, I can be assured that a month later they will phone me saying "Internet Security is telling me I have viruses so I clicked on it to scan and now it's got worse!"

I swear they do it on purpose as some sort of joke for me to sort it out. I dread to think what sites they go on to get it so often.

inilbowly 01-19-2010 08:04 AM

Quote:

I have friends who get this on a regular basis. No matter how many times I clean up their machine and tell them to NOT CLICK ON THE POP-UPS, I can be assured that a month later they will phone me saying "Internet Security is telling me I have viruses so I clicked on it to scan and now it's got worse!"

I swear they do it on purpose as some sort of joke for me to sort it out. I dread to think what sites they go on to get it so often.
I've told family members I won't clean the same infection more than twice if they do something like that. They do it again they can PAY for service.

Now, for work, I can't turn away someone. However I will forward on to their supervisors and my boss that their browsing habits are causing issues. Which will either lead to severely curtailed privileges on the machine, or the laptop being taken away.

Had to do it a few times. Just add their computer station and user profile to the no-access AD group and voilà, NO internet whatsoever, no matter where they go. And a few sanctions from their bosses as well.

Kamendoriks 01-19-2010 08:43 AM

I've been removing variations of these for quite a while now (XP Antivirus 2008, 2009, 2010, RogueAntiSpyware, Antivirus 360, Antivirus XP, Antivirus 2010, etc), someone out there keeps updating them so the antivirus software doesn't catch it when people click on whatever they click on in the browser to get these.

Some of them are fairly easy to remove, just require a boot in safe mode, msconfig, remove sysguard.exe from the documents folder, others require much more work. I've even run into a few that didn't remove and I ended up having to reinstall said system.

hojutok 01-19-2010 10:55 AM

Oh man, you just described what I used to do at work all the time. Down to even rebuilding the HDD because login system files got screwed up.

I've gotten pretty good at getting rid of a lot of those "Rogue" AV malware in just a few minutes. Most of the time, no damage is done. One of the best programs I have in my toolkit is "Autoruns" for helping to find and delete malware registry entries and files.

Well no more. I am in the process of converting all our machines over to use SteadyState. It allows our employees to do their jobs, but every night, the drives get restored back to a state I configured. Any changes made to the system are blown away.

This system makes it impossible for the user to make any changes to the C:\ drive of the computers. Period. No more dealing with users getting malware, installing unauthorized programs, or general screwing around with the systems.

They only have a small partition available to them to save any documents needed for work and their email working directories are also on this partition so that their emails don't get erased on reboot.
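The cleanup Kamendoriks describes above (safe mode, msconfig, delete sysguard.exe from the documents folder) and the Autoruns pass hojutok relies on come down to the same check: walk the logon autostart locations and look for entries that point at files in places normal software never installs to, or at files that no longer exist. The PowerShell below is an added example written for this page, not a tool from the thread, from Sysinternals or from Microsoft. It assumes an elevated Windows PowerShell 3.0 or later prompt; the "user-writable" directory list and the Suspicious/Exists rules are this example's own heuristic. It covers only the Run keys, the Startup folders and the Winlogon Userinit/Shell values; Autoruns additionally inspects services, drivers, scheduled tasks, browser helper objects and many other hook points, so treat this as the quick first look, not a replacement.

```powershell
# Added example (not from the thread): enumerate common Windows logon
# autostart locations and flag entries whose executable lives in a
# user-writable directory or is missing from disk.
# Assumptions: elevated Windows PowerShell 3.0+; the directory list and
# the Suspicious/Exists rules below are this example's own heuristic.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Legitimate software installs under Program Files or %SystemRoot%. An
# autostart pointing into a profile, temp or documents folder matches the
# sysguard.exe-in-Documents pattern discussed in the thread.
$userWritable = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                  "$env:SystemDrive\Users", "$env:SystemDrive\Documents and Settings") |
                Where-Object { $_ }

function Get-CommandTarget {
    # Run values are whole command lines; pull out just the program path.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.(exe|com|bat|cmd|scr|vbs|dll))\b') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Resolve-Target {
    # Expand %VARS%; bare names such as rundll32.exe are looked up via PATH.
    param([string]$Target)
    $expanded = [Environment]::ExpandEnvironmentVariables($Target)
    if (-not $expanded) { return '' }
    $cmd = Get-Command -Name $expanded -CommandType Application -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($cmd) { return $cmd.Definition }
    return $expanded
}

function Test-SuspiciousPath {
    param([string]$Path)
    foreach ($dir in $userWritable) {
        if ($Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function New-Finding {
    param([string]$Location, [string]$Name, [string]$Target)
    [pscustomobject]@{
        Location   = $Location
        Name       = $Name
        Target     = $Target
        Exists     = if ($Target) { Test-Path -LiteralPath $Target -PathType Leaf } else { $false }
        Suspicious = Test-SuspiciousPath $Target
    }
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $target = Resolve-Target (Get-CommandTarget ([string]$prop.Value))
        $findings += New-Finding -Location $key -Name $prop.Name -Target $target
    }
}

# Anything dropped into a Startup folder also runs at logon.
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
        $f = New-Finding -Location $dir -Name $file.Name -Target $file.FullName
        # A script or executable sitting in Startup is worth a look regardless of path.
        $f.Suspicious = $f.Suspicious -or ($file.Extension -in @('.exe','.com','.bat','.cmd','.scr','.vbs','.js'))
        $findings += $f
    }
}

# Userinit and Shell run at every logon; a value that points at a deleted
# file is one well-known cause of an immediate logon/logoff loop.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Userinit', 'Shell') {
    $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $value) { continue }
    foreach ($entry in ($value -split ',' | Where-Object { $_.Trim() })) {
        $target = Resolve-Target (Get-CommandTarget $entry.Trim())
        $findings += New-Finding -Location "$winlogon\$name" -Name $name -Target $target
    }
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Read the output top-down: a Suspicious entry that also Exists is the dropper to remove (after taking a copy for analysis); a Winlogon entry with Exists = False means the cleanup already deleted something the logon sequence still references, and fixing that value is cheaper than a re-image. Run it from a normal boot as well as from safe mode, since HKCU is only populated for the user currently logged on.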

johnuioyer 01-19-2010 11:25 AM

Mac FTW.

hojutok 01-19-2010 11:37 AM

Quote:

Mac FTW.
Why would you suggest something which also has malware?

Saying something like "Linux FTW" would have been much better.

johnuioyer 01-19-2010 11:45 AM

Quote:

Why would you suggest something which also has malware?

Saying something like "Linux FTW" would have been much better.
I've had my iMac and Macbook Pro for 2 years without a virus scan and I haven't had a single virus or any malware whatsoever.

hojutok 01-19-2010 11:47 AM

Quote:

I've had my iMac and Macbook Pro for 2 years without a virus scan and I haven't had a single virus or any malware whatsoever.
And how does your experience alter the fact that malware exists for OSX?

And if you've never had a virus scan, how do you know you have never had a virus? I couldn't begin to tell you the number of viruses I have found on windows machines that scanners have missed and showed no signs of actually doing something wrong. If it weren't for the fact I know what to look for, those viruses would still be on those machines.

grubnismarl 01-19-2010 12:01 PM

Quote:

Oh man, you just described what I used to do at work all the time. Down to even rebuilding the HDD because login system files got screwed up.

I've gotten pretty good at getting rid of a lot of those "Rogue" AV malware in just a few minutes. Most of the time, no damage is done. One of the best programs I have in my toolkit is "Autoruns" for helping to find and delete malware registry entries and files.

Well no more. I am in the process of converting all our machines over to use SteadyState. It allows our employees to do their jobs, but every night, the drives get restored back to a state I configured. Any changes made to the system are blown away.

This system makes it impossible for the user to make any changes to the C:\ drive of the computers. Period. No more dealing with users getting malware, installing unauthorized programs, or general screwing around with the systems.

They only have a small partition available to them to save any documents needed for work and their email working directories are also on this partition so that their emails don't get erased on reboot.
Out of interest how does it deal with things like local profiles and group policy?

wowwieholmes 01-19-2010 12:13 PM

Quote:

I've had my iMac and Macbook Pro for 2 years without a virus scan and I haven't had a single virus or any malware whatsoever.
Nice theory you got there...

I have never been murdered in all of my 24 years on this earth, so murder does not exist!

...ahhh ignorance is bliss. [rofl]

You heard me... BIATCH!

hojutok 01-19-2010 12:13 PM

Quote:

Out of interest how does it deal with things like local profiles and group policy?
It locks in the settings you set up ahead of time. Once you have specified how you want the machine to run, you turn on the protection and no further changes can be made unless the account has admin privileges and you set "Steady State" to prompt admins to save or delete changes.

To control the PC, all I have to do is log into the administrator account which controls "Steady State" and I can make any changes I want and then tell the machine to save the changes on logout. Normal users can not do this.

As for local profiles: you can choose to lock the ability for a profile to save data to its profile area, such as anything within the "Documents and Settings" folder. Anything they save to these areas will be wiped upon logout. That's why I made another partition specifically to allow users to save their data to without the risk of losing it. The only downside is they cannot save documents to the "My Documents" area. But this isn't much of a problem since I placed shortcuts to the safe location they can save to before I locked down the machines.

It has tons of options you can play with. Like locking out the users' ability to use MMC controls or even access to the Control Panel. They can't even change the locations of the desktop icons.


Edit: Oh, and Steady State also takes charge of updates to the machine. You can tell it when to download new updates and it will install them automatically without user interaction. This also applies to Microsoft Security Essentials since it uses Microsoft Update as well. For any other program, it needs to either recognize it or you have to write a script to allow it to update.

7HlBQS8j 01-19-2010 04:10 PM

It's not necessarily even good browsing habits, it's good updating habits. A friend of mine got something similar from a link on Google, searching for something totally benign. I traced it back to a really outdated version of Sun Java that it exploited. He figured because he used Firefox he was safe from anything like that. Safe mode + Malwarebytes + rootkit removal + XP Recovery Console /fixmbr did the trick.

leyliana 01-19-2010 06:18 PM

So many of my customers come in with their PCs. It's a bitch to remove, and removing it ****s up Windows. Most of the time I end up formatting.

asSexate 01-19-2010 07:12 PM

Quote:

I've had my iMac and Macbook Pro for 2 years without a virus scan and I haven't had a single virus or any malware whatsoever.
Then how do you KNOW you don't have a virus or malware that just isn't obvious?

