Hi Plun
Hope you're well. I agree the tools you recommended are exactly what's needed
for this infection. SmitRem is excellent for repairing the damage caused by
these trojans and resetting IE values back to Microsoft's defaults. It also
removes temp and prefetch files as part of the fix, then runs Disk Cleanup at
the end, so it will take care of any junk in the temp folders. If it's PSGuard
related, some scanners were having problems removing the ShudderLTD & PSGuard
registry keys, but SmitRem makes this look simple too: it replaces them with a
dummy entry first, then removes them, as well as removing all the rogue antispy
programs related to these trojans, checking the wininet.dll file for infection,
and repairing the desktop restrictions and Task Manager if it has been
disabled.
As you say, it's strange Microsoft's scanner isn't capable of detecting and
repairing any damage caused by these Smitfraud variants, especially as this
has been around for many months. It is a never-ending battle trying to keep up
with this junk, as they are forever releasing new files such as the latest
SpyAxe variants, which SmitRem also removes, but hopefully once Microsoft
finish the development of the Antispyware program they can put more time into
adding signatures and keeping up with the malware.
I experienced this last week by running the 'loadadv' files, which are stored
on at least 5 different sites. The sites are based in Russia and use security
holes and exploit scripts to load various files on the PC without any
warning.
I had Microsoft Antispyware updated and enabled and watched all the junk load
onto the system without any of it being blocked. Then the desktop changed and I
had look2me, SpySheriff, various password stealers, Qoologic, cmdService,
Target Saver, CWS, Trojan Delf, proxy variants & various Kill AV trojans
installed, which eventually shut down the protection and turned the machine
into a zombie sending out hundreds of spam mails every minute, which were
hidden from view but obvious using a packet sniffer. Once I'd rebooted and
re-enabled Microsoft Antispyware it then detected some of the files like
Target Saver, cmdService & Nameshifter, but they were already installed by
then, and the antispy showed it removed them, but there were still many files
left after the scan, plus the spam mails being sent out, and other infections
like Qoologic regenerated, probably due to the scanner missing some of the
infected files.
I did receive an email from an MVP about getting more samples to Microsoft, so
that's nice to hear they are trying to keep up with the junk, which I
appreciate isn't an easy task. I have hundreds of files saved from testing so
that's not a problem, and I also have links to all the exploit scripts and
files coming from these sites and all the affiliate sites the trojans contact
to download more junk, so I'm more than happy to pass the information on if
there is a way to do that.
For free it's a great program to protect the system, but I'm hoping by the time
beta 2 is released they have all the signatures updated and removal issues
fixed, so then it will be a lot easier for them to just add new signatures
when infections are released and be able to block all the junk before it can
get onto the system, rather than letting it install, then detecting parts of it
in the scan and the users having to find alternative tools to repair the
damage.
I'm confident it will be an excellent Antispyware solution by the time it's
released, so we just have to be patient and use these other tools as and when
required until the beta is closer to completion.
Merry Christmas to you as well, Plun, and best wishes for the New Year.
Andy
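Andy's remark that the spam zombie's outbound mail was "hidden from view but obvious using a packet sniffer" describes the classic way to catch this class of infection from the network side rather than from the compromised host. The following is an added example, not code from the thread, from SmitRem or from Microsoft Antispyware: it takes sniffer-style flow summary lines (timestamp, source, destination, destination port; all records below are constructed sample data) and flags any internal host that opens an abnormal number of outbound TCP/25 connections to distinct mail servers within a one-minute window. The window length and the threshold of 50 distinct SMTP destinations per minute are assumptions chosen for illustration; a real mail client talks to one relay a handful of times, a spam engine talks to hundreds of MX hosts directly.

```python
"""Flag hosts that burst outbound SMTP (TCP/25) connections, the behaviour of a
spam zombie that a packet sniffer makes obvious even when nothing is visible on
the infected desktop.

Added example for this thread; not code from SmitRem or Microsoft Antispyware.
All flow records are constructed sample data; window and threshold are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow summary format (one connection per line):
#   "<ISO-8601 timestamp> <src ip> <dst ip> <dst port>"


def build_sample_flows():
    """Constructed traffic: one zombie, one normal mail client, one web surfer."""
    base = datetime(2005, 12, 20, 10, 0, 0)
    flows = []
    # Zombie: 120 SMTP connections to 120 different hosts in about 40 seconds.
    for i in range(120):
        ts = base + timedelta(milliseconds=333 * i)
        flows.append(f"{ts.isoformat()} 192.168.1.50 10.0.{i}.25 25")
    # Normal client: 3 messages through the ISP relay, spread over 10 minutes.
    for i in range(3):
        ts = base + timedelta(minutes=3 * i)
        flows.append(f"{ts.isoformat()} 192.168.1.20 203.0.113.5 25")
    # Web browsing: plenty of connections, but none on port 25.
    for i in range(30):
        ts = base + timedelta(seconds=2 * i)
        flows.append(f"{ts.isoformat()} 192.168.1.30 198.51.100.{i} 80")
    return flows


def parse_flow(line):
    """Split one flow line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def smtp_bursts(lines, window=timedelta(minutes=1), threshold=50):
    """Return {src: peak distinct SMTP destinations within any `window`} for
    every source whose peak exceeds `threshold`.

    Counting distinct destinations (not raw connections) keeps a legitimate
    client that retries its single relay from tripping the rule, while a spam
    engine delivering directly to many MX hosts stands out immediately.
    """
    smtp_by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == 25:
            smtp_by_src[src].append((ts, dst))

    flagged = {}
    for src, events in smtp_by_src.items():
        events.sort()
        peak, start = 0, 0
        # Sliding window over the time-ordered SMTP events of this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] >= window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, peak in smtp_bursts(build_sample_flows()).items():
        print(f"possible spam zombie: {host} ({peak} distinct SMTP targets/min)")
```

On the constructed data only 192.168.1.50 is reported; the ordinary mail client and the web surfer stay quiet. In practice the same rule is better enforced at the gateway: blocking outbound TCP/25 from everything except the mail relay stops the spam run regardless of how well the host-side scanner is keeping up with new variants.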