formidable malware -- PC_AntiSpyware2010

NetLink_Blue

Yesterday I managed to infect my Vista Ultimate with a very virulent (new?)
strain of PC_AntiSpyware2010. The battle for control of my computer lasted
5 hours last evening, and a few more hours this morning.

I finally threw in the towel today, and re-imaged my Vista partition with a
backup (a bit old - but oh well). Thank goodness Acronis 10 came through for
me. The pucker factor was pretty high, considering my hard drive had
changed considerably as to partition sizes and number.

I'm no slouch as far as peeking under Vista's skirts ... but damn! 2010
took away all my weapons that I could throw at it, safe mode OR normal
boot. Task Manager worked (slowly, like regedit and everything else on poor
ol' Vista), but stopping rogue entries became a Mallet & Ground Chuck game.

Malwarebytes Anti-Malware
HijackThis
Stubware Scanner
Sysinternals Autoruns (sheesh)
SmitfraudFix

.... the above programs would start and become active -- then would just
quietly shut down. RegistryFix7 and another registry contestant held up
longer, but also just (poof) vanished after thinking about my problem.

If you happen to get this strain, kiss your buttocks good-bye. And hope you
have a recovery option of sorts. This was a serious bit of malicious
coding.

Net-Link Blue

Peter Foldes

SuperAntiSpyware has the capability for this PC_AntiSpyware2010. A few people used it
for the same malware and all had success with it.

NetLink_Blue

Peter Foldes said:
SuperAntiSpyware has the capability for this PC_AntiSpyware2010. A few
people used it for the same malware and all had success with it.

I had SuperAntiSpyware installed. I tried to use it. It fared no better
than the other programs mentioned below. SaS also has something called an
"alternate" start link. Using that, I could at least see a startup window.
Seconds after I hit the "scan" button, pffft ...

This new strain is some serious MoJo. What 2010 was doing on these key
program files was changing permissions to a single user named "Everybody"
(right-click file / security tab / insane Rubik's cube of technical poop).
%UserName% (me) was still the "owner" of the file. No help there. As soon
as I would rename the correct users for permissions and run the file, it
would reset back to "Everybody". And I would be locked out again.

In safe mode, the computer would only spin the blue circle after
right-clicking on a file. Nasty.

Net_L :~(
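The ACL symptom NetLink_Blue describes (the tool executables end up with an entry for "Everybody", the user stays owner but is locked out, and the entry returns as soon as the file is run) can be audited and repaired from an elevated prompt with the script below. This is an added example, not code from the thread or from any of the products named in it. It assumes the principal the Security tab showed as "Everybody" is the built-in Everyone group (well-known SID S-1-1-0) and that the lockout is a Deny ACE for it; the paths in $Tools are placeholders for the real install locations.

```powershell
# Added example, not code from the thread. Audits the anti-malware executables
# for a Deny ACE granted to Everyone, repairs it, waits, and re-checks, because
# the post says the entry comes back as soon as the file is run.
# Assumption: "Everybody" in the Security tab is Everyone, SID S-1-1-0.
# Run from an elevated PowerShell prompt.

$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Placeholder paths: replace with the real install locations on your machine.
$Tools = @(
    'C:\Program Files\Malwarebytes Anti-Malware\mbam.exe',
    'C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe',
    'C:\Program Files\Autoruns\autoruns.exe'
)

function Get-EveryoneDenyAces {
    # Return every Deny ACE on $Path whose principal resolves to Everyone.
    # Ownership is deliberately ignored: the post notes the user still owned
    # the file, and ownership by itself grants no access.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $ace = $_
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch { return $false }    # orphaned or unresolvable SID: not Everyone
        ($sid -eq $EveryoneSid) -and ($ace.AccessControlType -eq 'Deny')
    }
}

function Repair-ToolAcl {
    # Give ownership to Administrators, strip the Everyone deny entries, and
    # grant Administrators full control plus read/execute for the current user.
    # takeown/icacls are used instead of Set-Acl because Set-Acl needs read
    # access to the existing DACL, which a Deny for Everyone takes away.
    param([string]$Path)
    & takeown /F $Path /A | Out-Null
    & icacls $Path /remove:d '*S-1-1-0' | Out-Null
    & icacls $Path /grant '*S-1-5-32-544:F' | Out-Null     # BUILTIN\Administrators
    & icacls $Path /grant "$env:USERDOMAIN\${env:USERNAME}:RX" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-ToolAcls {
    # Audit, repair, re-audit. A file that shows the Deny ACE again on the
    # second pass means something live is rewriting the ACL, which is the
    # behaviour the post reports; in that case the repair only sticks when
    # done from an offline boot where the malware is not running.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) { "MISSING   $p"; continue }
        $before = @(Get-EveryoneDenyAces $p)
        if ($before.Count -eq 0) { "CLEAN     $p"; continue }
        [void](Repair-ToolAcl $p)
        Start-Sleep -Seconds 5          # give a resident process time to re-apply it
        $after = @(Get-EveryoneDenyAces $p)
        if ($after.Count -eq 0) { "REPAIRED  $p" }
        else { "REVERTED  $p (Deny for Everyone is back; the ACL is being rewritten)" }
    }
}

Test-ToolAcls $Tools
```

The re-check after a short wait is the useful part: a REPAIRED line means the ACL change was the only problem on that file, while a REVERTED line reproduces what the post saw and tells you the permissions fix is pointless until the process re-applying the Deny is stopped or the disk is cleaned offline.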

Mike Hall - MVP

NetLink_Blue said:
I had SuperAntiSpyware installed. I tried to use it. It fared no better
than the other programs mentioned below. SaS also has something called an
"alternate" start link. Using that, I could at least see a startup
window. Seconds after I hit the "scan" button, pffft ...

This new strain is some serious MoJo. What 2010 was doing on these key
program files was changing permissions to a single user named "Everybody"
(right-click file / security tab / insane Rubik's cube of technical poop).
%UserName% (me) was still the "owner" of the file. No help there. As
soon as I would rename the correct users for permissions and run the file,
it would reset back to "Everybody". And I would be locked out again.

In safe mode, the computer would only spin the blue circle after
right-clicking on a file. Nasty.

Net_L :~(

It is unfortunate that malware is good enough to force a full system
recovery. It is even more unfortunate that the majority of home users still
fail to back up their important stuff.

Kerry Brown

It's the nature of a rootkit that it can't be stopped or deleted while it's
running. If you boot from the hard drive there is a good chance it is
running. You have to identify the files as best as possible while it's
running, then boot from a Linux CD and delete them. This often takes several
iterations and often causes a lot of collateral damage such that Windows
won't boot. The best thing to do with severe infections is to nuke the box
and rebuild.