
ROGUE PROGRAM INTERNET SECURITY.INK HAS BEEN REMOVED BUT HAS PERSONAL DATA BEEN COMPROMISED.



On or about 4 April 2012 I started to get messages to warn me that malicious programs had been detected. These messages were generated by a program called InternetSecurity.ink which appeared to have installed itself and scanned my computer. Its executable file was isecurity.exe. Its target location was roaming. From the very start I suspected that this was a scamware program designed to frighten me into buying their program activation key. When I got a message to tell me that I had 91 useless and unwanted files on my computer, any fleeting thoughts of activating security.ink were dispelled. I did have a problem though, as not a single program, including Internet Explorer and Windows Mail, would open except McAfee Internet Security, which continued to carry out scheduled real time scans and report that I was fully protected (no action is needed). The rogue InternetSecurity.ink program reported various malware infections. The most common one was W32Blaster-Worm, which was said to infect the executable files of all the programs on my computer.

Malwarebytes has done a good job at cleaning up my computer. I can now get access to all my files.

I am concerned that my private data may have been compromised, including my life’s savings in bank accounts, building society savings accounts etc. I had left my computer switched on and unattended for three to four hours, during which period it was connected to the internet. When I returned I got Security warnings & found that programs would not open. I switched off the computer. The following day I turned the computer on (with my router turned off) and was surprised that it booted up normally. All of the desktop icons were displayed, but when I clicked on them the associated programs failed with a message to say that the executable file was infected by W32Blaster-worm. However, I found McAfee Internet Security was carrying out a scheduled scan. I observed the progress of the scan going from file to file, which took about 3 hours to complete. When it completed it reported that no viruses were found and my computer was secure (no action was required). How could that be when not a single program would start? I conclude that the rogue malware had made changes to the desktop shortcuts without infecting the actual programs? I had not tried to open any program directly instead of clicking on the desktop icons.

I attach LOGS of scans carried out on 12, 13 & 14th April 2012. Are there any conclusions to be drawn therefrom regarding the potential risk to the security of data found on my computer?

Many thanks.

JJMAC

log of malbytes SCANS ON 12, 13&14 of April 2012.doc


  • 3 weeks later...

Hello JJmac,

Sorry that you had not been replied to. But the MBAM log did show a backdoor trojan along with the Internet Security rogue.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.

I suggest that you back up important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp


Many thanks Maurice for your helpful advice. I am holding the infected computer off line until such times as I can get round to reformatting the hard drive, a task that I am not looking forward to. My home network consists of the infected computer, a laptop and another computer. Can I safely assume that the malware infection has not spread into the other 2 computers in my network? Can I also assume that it is safe to use the (previously) infected computer so long as it is not connected to the internet?

Are there any precautions I should take when backing up files on the infected computer, e.g. are there any file types I should avoid?

I have been badly let down by McAfee Internet Security which carried out a scheduled scan of my computer and reported that my computer was secure (no action required.) while in reality I was unable to open a single program by clicking on the desktop icons prior to Malwarebytes’ cleanup operation.


You should scan all the other systems with their antivirus program and antimalware program as a basic precaution.

You may also want to scan them with some online scanners. (see below)

On the victim computer, you are cautioned to do only what you really must do, which mainly is to copy/back up personal files, personal documents, personal records to OFFLINE media like an external USB drive, CD, or DVD.

Later on you will need to thoroughly scan these files with an up-to-date antivirus and antimalware BEFORE opening or using them or restoring them!

Don't necessarily blame McAfee Internet Security for the rogue malware coming into the system, as that can happen (say by freewheeling websurfing or surfing to an infected or malicious website) to anyone despite having antivirus & antimalware apps installed.

Note that having MBAM PRO installed along with an antivirus will reduce the odds in your favor.

For a clean (new) Windows Install:

Before you do that, make sure you have at hand the Windows XP CD and also, a fresh new copy of your antivirus that is downloaded from a clean pc and saved on transportable-media (CD-DVD or clean thumb drive).

If you do not have the XP CD, your OEM will most likely have a factory restore partition on the HDD.

When you are at point of re-installing o.s., I'd recommend you have the pc disconnected from internet until after the o.s. is installed, plus the antivirus is fully setup and running.

See Windows XP Clean Installation - Partitioning and Formatting using Windows XP CD by Ramesh Srinivasan, MS-MVP & AumHa VSOP

Also Clean Install Windows by Michael Stevens, MS-MVP

I would urge you to follow the directions very carefully.

You will lose your documents, so if you have some to save, offload them to a separate offline media. And later on ensure you do a full scan of them by running your antivirus.

NOTE: If XP CD is from a pc manufacturer, and they bundled an AV like McAfee or Norton/Symantec trial versions, immediately de-install those, since they will be outdated & of no use. Install your antivirus immediately after.

After Windows is installed & antivirus installed / Updates / and safer practices & prevention

We are finished here. Best regards.
