G. Morgan <G_Morgan@easy.com> wrote in
news:ejc9v6l4nsje4kr612qfnm3jeq8tqbif1b@Osama-is-dead.net:
> I received the dreaded "Windows Anti-Spyware 2011" malware. It's a
> pretty nasty sucker. I found it running "as" if it were Flashget,
> but the process was a hidden file that turned off real-time Avira,
> changed all the file ownerships it could to: "Trusted Installer" and
> left Admin AND System group members with only read access to the
> files. I found the process manually and termed it, then shredded
> it. That stopped the pop-up from coming up, but the damage
> remained. I documented much of my steps as I did it, but it's on
> the other machine that's turned off at the moment. Full report with
> questions is likely pending. But I'd like to make it reproducible
> for the researchers, since I'm not 100% sure that was the 'only'
> badware I got.
Here's what's going on.. You were close tho.
It actually sets all files from root down to hidden. You lose your
desktop icons and your programs menu has no entries. It's also
redirecting (via registry edit) executables to be launched thru it, so
if you do remove the executable you get the infamous open with box when
you try to run something. You edit the registry to fix this... It's one
line. ;p
Reset your file attributes with attrib.
> Oh yeah, it also eventually led to a DNS poisoning on that machine.
> But it may be unrelated to the one that I was focused on. The
I haven't seen DNS poisoning. You likely had the rootkit TDL4 as well.
It's a ***** too, man. Patches key windows files.
> Some of the best software is free though. I'm really disappointed
> Avira (free) failed to catch it and halt it, even more so since this
> bugger was able to turn off its RT protection.
It turns off the RT the same way you would via the GUI, man. You
can't fault Avira for that. Poor Avira doesn't know it's not you
clicking away.
> The day will come when some company manages to build a decent
> program that does both, but I've been waiting on that for a decade.
> Many have tried, all have miserably failed to be a one-proggy
> protection schema.
You aren't going to find one anytime soon. These malware programs are
mainly trojans. Thousands pumped out via poly server side work daily.
No program is ever going to catch them all.
--
Why drink the water from my hand?
Contagious as you think I am
Just tilt my sun towards your domain
Your cup runneth over again
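An added example, not code from either poster: a PowerShell script that audits the two symptoms the reply describes, the .exe association redirect (checked in both the machine-wide and the per-user Classes hives, since the per-user one overrides) and the Hidden attribute set on files, and repairs them only when run with -Repair. The standard default values and the choice of the user profile as the sweep root are assumptions made here, not something the thread states.

```powershell
# Added example, not code from the thread. Audits the two things the reply
# describes and repairs them only when run with -Repair from an elevated
# PowerShell: (1) the .exe association redirect, checked in both the
# machine-wide and per-user Classes hives, (2) the Hidden attribute sweep.
param(
    [switch]$Repair,
    [string]$UnhideRoot = $env:USERPROFILE  # assumption: sweep the profile, not all of C:\
)

# Standard Windows defaults for a clean .exe association.
$Expected = @{
    'HKLM:\Software\Classes\.exe'                       = 'exefile'
    'HKLM:\Software\Classes\exefile\shell\open\command' = '"%1" %*'
}
# HKCU\Software\Classes overrides HKLM for the same keys; a redirect placed
# here survives a "clean" HKLM and is what the "open with" symptom points at.
$UserKeys = @('HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile')

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path).'(default)'
}

foreach ($key in $Expected.Keys) {
    $actual = Get-DefaultValue $key
    if ($actual -ne $Expected[$key]) {
        Write-Warning "$key = '$actual' (expected '$($Expected[$key])')"
        if ($Repair) { Set-Item -Path $key -Value $Expected[$key] }
    }
}
foreach ($key in $UserKeys) {
    if (Test-Path -Path $key) {
        $cmd = Get-DefaultValue "$key\shell\open\command"
        Write-Warning "Per-user override present: $key (command = '$cmd')"
        # Deleting the override lets the machine-wide value apply again.
        if ($Repair) { Remove-Item -Path $key -Recurse -Force }
    }
}

# Hidden-attribute sweep; attrib.exe does the reset, as the reply suggests.
$hidden = Get-ChildItem -Path $UnhideRoot -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }
Write-Host "$(@($hidden).Count) hidden items under $UnhideRoot"
if ($Repair) { & attrib.exe -H /S /D (Join-Path $UnhideRoot '*') }
```

Run it without -Repair first; in that mode it only reports. The attrib sweep also unhides folders that are hidden by design (AppData, for example), so keep the root narrow.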