Microsoft warns of malicious antivirus, 'Security Essentials 2010'

Wow, I have to say, be careful. I have Kaspersky Internet Security actively running on my computer. I was on a legitimate website about how to design blog templates. I downloaded nothing. I accepted nothing. I am very wise to the ways of "internet tricks" and all of a sudden it popped up. The Security 2010 issue. Of course, even though it does look very Microsoft legit, I didn't trust it from the get go because I've had my computer 3 years and never had any software on it that resembled this - but it actually installed an icon in my control panel. I did possibly consider that maybe Microsoft loaded this virus program in my last update. But then I did click a link to close it and it took me to a page to purchase the program. I didn't click anything else at that point, concerned about activating anything. And I opened my browser (I had already closed it) and it gave me an error page that stated it wouldn't let me go further due to security threats. It didn't look like the cheesy black warning screen above. It still looked very legit. BUT it didn't make sense. MS isn't going to load a program onto my computer in an update that blocks my browsing and then makes me pay to "fix" my computer before I can do anything else. At that point I ran the Kaspersky update to get the latest (which was only 24 hrs old at the time) virus file. And I ran a complete scan on my computer - it didn't find anything. So, I didn't touch anything. I went to my laptop to research what hijacked my computer. My computer shut down and rebooted (which it is prone to do when a MS update comes in - I now know I need to change that setting). When it came back up - and I log in - the only thing that comes up is the Security 2010 program with the link to "upgrade" so that it can fix the "Detected problems". Nothing else appeared on my computer - no start menu - nothing. So I shut down and log into a different user. It actually loads properly. I don't go anywhere near my browser.
We went to the store and bought a backup drive and I'm backing up all my personal files while researching what this thing is to get rid of it - which is how I found this page.
So Mr. Glass House - before you throw stones - I was actively running the security program you have, on a legitimate website, and it happened to me. Luckily I am taking care of it. It seems to me that no virus programs find everything. I downloaded MSE onto my USB and loaded it on my computer and am currently running it, but after that I'm gonna do the 8 tests and get some help. Cause obviously this program doesn't find everything.
 
Now you know the difference between Viruses and Spyware.
In any case, nothing can protect you from yourself. Once you clicked, you were toast.
You may have some luck by using Malwarebytes, if the spyware will let you run it.
 
I run VIPRE from Sunbelt. Their software doesn't hog system resources and they are reasonably priced for their home edition. Sticking to legitimate sites and being aware of what you click on will go a long way to helping keep your computer free of viruses. Unfortunately, no matter how well protected or how careful you are, there is always a chance of getting infected with something.
 
No. Kaspersky or anything else doesn't find everything. These types of attacks are called "Social Engineering" and they count on the fact that we are all our own worst enemies.

What you experienced may have been enabled via "cross site scripting". A safety precaution you can take with respect to this is by using the Firefox browser, and obtaining an add-on called "NoScript". Everybody's browsing habits are different of course, but, I believe using this extension I've, "walked through the valley of the shadow of death", so to speak, without incident.

As to the source of your infection, I think somebody else recently said their son got the computer infected @ Wikipedia. Hmm, but we really don't know if junior was being totally forthright, now do we?

As to your backup strategy, I use what I like to call an "internal external drive". I scan all files first for malware, then move them to a separate HDD in the same computer. If a problem occurs, then you could take out the OS drive and throw it away, and have all your files intact. Please note, a reformat of "C:/" is usually the worst that's necessary. :rolleyes:
 
I agree with Guest above on the intractability of this infection. I would classify myself as fairly experienced at malware removal and can go through a HijackThis log pretty well, but I'm only about a 6 out of 10 on Windows (e.g. can edit the registry but mostly don't know what it means). I hope my post will help some folks with this, and possibly save hours of frustration.

To those who feel user behavior is to blame, let me assure you, it isn't. I have seen this infection twice (once personally, once on a friend's computer) without any known user-initiated action, clicking, installing, etc. I've read about many more. There isn't any way to tell whether it is lurking in a "legitimate" ad or website - news reports state that multiple legit sites infected users, including the entire USA Senate IT infrastructure. And full antivirus and malware software protection simply has not kept up. I use Firefox exclusively, and it, Windows and AV software are always on autoupdate. So even if you may feel you're more protected, careful, and worldly-wise than the average user, you may be humiliated to find, as I did, that you aren't.

The one thing that would probably work is disabling scripts in your browser. However, that will essentially eliminate your ability to access many sites. And selectively enabling scripting, despite advice from security experts, is really not a viable defence method since there is no way to tell what sites to trust.

The two variants I've seen are Security Central and Vista Guardian, and I've read about at least a dozen more (Security Essentials 2010, Virus Doctor, etc). The current versions of Norton, Trend, and McAfee do not find it, Malwarebytes and Spybot can't remove it, and it is a deeply embedded and disabling infection. One of the most annoying things is that the antivirus vendors actually characterize the threat danger as "Low", if you're lucky enough to decrypt codes to find your malware AND you can have a second machine to look it up. Symantec actually has a tool that was released in 2005 (!) to fix this - needless to say, malware mutations have made it ineffective - and has not posted any further information about removal since then, at least that I was able to find.

No two descriptions of the behavior of this software are alike, based on my research. They use different random registry keys, different random file names, and hide behind different services and processes. A brute force fix takes hours (never completed in my case) and is exhausting since there is no single guide to removal. Safe mode is not necessarily helpful because much of the malware infrastructure still runs at startup.

More behavior: Once it's on your computer you can't get to many security sites to figure it out, and if you're savvy enough to get rid of the hosts file it has several ways of adding it back. All the usual firewalls recognize there is a new program trying to access the Internet but blocking it does no good. Effects get worse as time passes. Initially, annoying dialog boxes occur any time a new program is opened, and, after a time (2 days in my case), execution of new programs is completely disabled with either "Access Denied" or "Execution Blocked Due To Infection" messages. It happens on non-privileged and privileged accounts. Once execution is disabled, you are out of business. You can buy yourself some time and peace by stopping the GUI process in Task Manager while you do basic diagnosis (my variant called this MSCui.exe) but even that will not work after a while. My advice is to immediately forget trying to work through the problem unless you really want a challenge and you are good at Windows. That will save you a lot of time.

There are only two repair alternatives I've seen (beyond a theoretically possible line-by-line registry and system directory cleanup). You can recover the system to a few days before, or you can reinstall Windows. I would love to hear another alternative but I have found no other way after extensive research and some very bitter experience. Once recovered, I had to reinstall Firefox as either the image or startup script was corrupted.

Prevention advice: I suspect that it's too late for most readers, but here it is anyway. Absent MSFT and the antivirus vendors catching up to these incidents, make sure you set recovery points every day or after each substantial system change, and keep copies of anything you might need to reinstall. Also - and this is admittedly extra paranoid - do frequent disk backups, unplug the backup device between runs, and don't plug it back in until you have a quiet/clean system. My feeling is that it's only a matter of time before the malware coders figure out how to screw up disk recovery also. Anything you can do on the keyboard they can do behind your back, but they haven't figured out a way to plug in a device yet. This ancient and low-tech method is still IMHO the best thing we've got.

If any antivirus vendors or Windows wizards are reading this, I suggest that you come up with something that ensures the integrity of simply running a program, i.e. run means run, not run some user-defined sequence of potentially infected commands. That would at least allow the ability to continue diagnosis and removal for a determined user. Symantec's tool did this for old malware and old Windows versions but we need something that works today, and that will continue to work as the malware mutates.

BTW - OSX and Linux don't have this problem. All Windows variants do. I think the newer Windows releases are pretty good generally, but regardless of your position on the OS wars, Microsoft really needs to solve the security problem. While I agree that any software is going to have security issues, it's immaterial whether OSX/Linux could have the problem or the reasons why they don't - they simply don't at this time. It is literally getting worse by the day - this thing is the MRSA of the Internet right now, and those of you who got here by Googling certainly know it. Good luck to all in your removal efforts.
 
Usually I never run into any kind of malicious content when I surf the net, but I have run into this one. I've seen other versions like this that trick you into clicking on it and installing a 'security patch or program' that actually gives you a nice little trojan. Fortunately I've never been dumb enough to click on it.
 
With this software we need to make sure that we install the right anti-virus for our computer. Antivirus is very important for the computer to be safe, so if the anti-virus itself is the malware that needs to be removed from the computer, then that would be a big problem. So for us not to be a victim of this anti-virus we have to make sure that we are alert enough in identifying this "fake" anti-virus.

Thanks for the warning Microsoft!!!!
 
Dear Guest, this is obviously a well thought out and informative post. If I may, I would like to try and "enhance" or perhaps "mitigate" a few of your viewpoints. I'm a bit uncertain as to whether you're only referencing "user initiated action" to this one specific infection, or it is a broader statement. I'm going to work with the assumption that it is a broad reference, and reply with that in mind.

The fact that anyone can be infected by means of a "drive by download" is documented and conceded, but so are "social engineering" types of infections. Perhaps you are smarter than that, but rest assured that others are not so well informed or prudent. When dealing with a teenager's explanation of the origin of an infection, I really think those tales need to be taken with a great big spoonful of salt, and not a grain.

As to the issue of script blocking, any script has to be scrutinized before permission is granted, or what would be the point? So, a little bit of caution must be employed. With "NoScript" I issue permissions, firstly to the visited site, and then to any other script that really needs to run; as an example: 1st Newegg.com, 2nd Neweggimg.com, then lastly akamai.net, this for the VeriSign server, and only when I try to buy something. Everything else has its nose up one's bum, "doubleclick.net", and even "googleanalytics".

With TV station and network sites, script approval again is issued in only the order necessary to have the site work. Usually it takes another one or two approvals to get the video player to work. After a while you do get a feel for it, as it's simple enough for even me to figure out.

Ah, TV stations. At one point, I think it was McAfee SiteAdvisor, had yellow or red listed our local NBC 10 station, due to the fact that people left their email address, then began to receive 30 emails a month. So, I try to tell as little as possible when I get to a site, and leave even less information when I leave. And don't get me started about the nitwits on Facebook.

All of that said, I think it helps to be lucky as well.....
 
Yes, I am annoyed by "Security Essentials 2010" since yesterday. Of course, I faced the problems exactly as mentioned above. I want to be reminded of such threats regularly.
 
Very interesting points of view... I have this service and I know for sure they are not scammers, though sometimes it seems like they are. First of all they have a support center for customers who have some problems, and the statement that it's not working isn't correct - I contacted them more than once and always got a response even if it took some time. Now this program seems to be working properly.
 
Dear Guest, why don't you read this: https://www.techspot.com/vb/topic150620.html and then try again to explain the validity of the "live support" you speak of. Perhaps you're one of the "team"..?
 