
Get Ready for Antispyware 2010


AtYourService
08-04-2009, 11:18 PM
I had a chance to spend a lovely summer's day today with this new spyware. Man, was it a bitch to fight.

First off, you can't boot into safe mode.
Secondly, it hooks the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* key to make it execute every time you open a program. Plus, that gave it a chance to check every program you opened against a blacklist of apps and title names. ComboFix wouldn't even run; I ended up opening Notepad and creating a batch file that renamed combofix.exe to combofix.com and got it to run and remove some of the infection, but it was still lingering on reboot.


For some reason my trusty live CDs didn't like the RAID configuration of my client's computer: UltimateBootCD bluescreened on me, the Kaspersky live CD didn't like the video card or the drives, and neither did F-Secure's. I was finally able to get Hiren's boot disk to work, but none of the tools on the MiniXP part of the disk work on offline drives.

I used the file explorer to go into the Windows directory and delete the newest modified files with funky names I didn't recognize.

Still no go when I rebooted.

I tried downloading a few more apps to clean it and eventually something gave; I was able to get the Kaspersky removal tool to remove some stuff, and on reboot most of it was gone.

I'm downloading a few more apps for a final sweep, but this bastard took all day, between working on other computers, to finally see the light of day.

Have fun if you encounter this bastard in the future :D
http://img32.imageshack.us/img32/7269/pcantispyware2010gui.jpg
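The exefile hook described in this post is easy to spot in a registry export, because the default value of that key should be nothing but "%1" %*. As an added example (not from any poster in this thread, and not any of the tools mentioned here), the Python script below parses a regedit-style .reg export, flags an exefile open command that differs from the default, and writes out a .reg file that puts it back. The sample export and the rogue's path are constructed placeholders; the post names only the HKCR key, and the HKLM and HKCU locations are added here as an assumption since HKCR is a merged view of both.

```python
import re

# Default command Windows uses to launch .exe files; the post says the rogue
# replaces it so that its own binary runs first and can blacklist what you open.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and
# HKCU\Software\Classes, so all three locations are worth checking.
# The post names only the HKCR key; the other two are an assumption made here.
EXEFILE_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
)

# Constructed sample of a regedit export; the rogue's path is a placeholder,
# not a path taken from a real sample.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\ROGUE-PLACEHOLDER.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

# A .reg string value escapes backslash and double quote with a backslash.
_REG_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(quoted):
    """Strip the surrounding quotes and undo .reg backslash escaping."""
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and
    REG_SZ values ("name"="..." or @="..."). Returns {key: {name: value}};
    the default value is stored under the empty name."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):      # [-key] is a deletion, nothing to read
                current = None
            else:
                keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _REG_LINE.match(line)
        if not m:
            continue                          # dword:/hex: values are not needed here
        name = "" if m.group(1) == "@" else _unescape(m.group(1))
        keys[current][name] = _unescape(m.group(2))
    return keys


def find_exefile_hijacks(keys):
    """Return (key, actual_command) for every exefile open command present in
    the export whose default value is not the Windows default."""
    findings = []
    for key in EXEFILE_COMMAND_KEYS:
        values = keys.get(key)
        if values is None:
            continue
        actual = values.get("", "")
        if actual.strip() != EXPECTED_EXEFILE_COMMAND:
            findings.append((key, actual))
    return findings


def restore_reg(hijacked_keys):
    """Build a .reg file that undoes the hook: the machine-wide keys get the
    default command back; a per-user override, which is normally absent,
    is deleted outright."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in hijacked_keys:
        if key.startswith("HKEY_CURRENT_USER"):
            lines.append(f"[-{key}]")
        else:
            lines.append(f"[{key}]")
            lines.append('@="\\"%1\\" %*"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_exefile_hijacks(parse_reg_export(SAMPLE_REG_EXPORT))
    for key, cmd in hits:
        print(f"HOOKED {key}\n    -> {cmd}")
    print(restore_reg([key for key, _ in hits]))
```

The export can come from a registry editor run against the offline hives (the WinPE route suggested later in the thread), or from a renamed regedit on the live box as this post describes; either way the check is the same, and the generated .reg file is what you would merge back, after which .exe files launch normally again so the other cleanup tools can run.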

angry_geek
08-05-2009, 12:41 AM
It seems like this guy is spreading all over. I dealt with the same thing a while back, but with a different name. This sounds like it did the same things as the one I posted about. http://www.technibble.com/forums/showthread.php?t=7605

frostbyte5014
08-05-2009, 01:02 AM
Sounds just like the one I found today on two computers. http://www.technibble.com/forums/showthread.php?t=8365
It blows my mind how it is preventing the boot CDs from working. I think we'll see more of this one on Technibble!

greggh
08-05-2009, 01:10 AM
You need to build your own Windows PE based disc with Ez-PC-Fix and a registry editor. With that you could have removed this by hand in 5 minutes.

Building it yourself means you can include the latest possible drivers. For a good set of drivers use the Raid Slipstreamer latest build to add them into your WinPE disc: http://www.msfn.org/board/RAID-Slipstreamer-x86-x64-t85842.html

5.4 (latest) is only a few months old and has pretty much every driver you could need.

AtYourService
08-05-2009, 02:58 AM
Yeah, Hiren's doesn't have a registry editor.
I was able to copy regedit to regedit.com after I cleaned some out, to get the exeshell reg entry fixed so the virus wouldn't execute every time I opened something; that was what helped the virus know which programs it had to close.

AtYourService
08-06-2009, 05:34 AM
The computer was also infected with this, so the combination of the two was a pain in the ass.

http://img32.imageshack.us/img32/7044/windowsantiviruspro2gui.jpg

This is part of the ShellExecute code that detects the programs you open and then tries to stop them from opening.
http://img196.imageshack.us/img196/2627/windowsantivirusprofake.jpg

iisjman07
08-06-2009, 12:36 PM
Rename the executable you want to run to a system file name like 'svchost.exe'. It should then run, or you can use a renamed Process Explorer to stop the process.

Cue
08-06-2009, 11:18 PM
Thank you for this, I'm sure I'll run into this one soon.

If anyone can remove this bastard securely, please share the procedure.

frostbyte5014
08-07-2009, 02:13 AM
You need to build your own Windows PE based disc with Ez-PC-Fix and a registry editor. With that you could have removed this by hand in 5 minutes.

Building it yourself means you can include the latest possible drivers. For a good set of drivers use the Raid Slipstreamer latest build to add them into your WinPE disc: http://www.msfn.org/board/RAID-Slipstreamer-x86-x64-t85842.html

5.4 (latest) is only a few months old and has pretty much every driver you could need.

I have every boot disk worth having but these machines would not boot from anything. I had to format the drives in my bench computer and then was able to get the Windows XP disk to boot and load Windows. Removing viruses is not something new to me. My post was more or less to tell everyone to get ready for this one.

LunchBox
08-07-2009, 09:03 PM
I wonder why Bleeping Computer and the Antispyware 2010 with simple steps to remove it.
They say that MBAM will remove it without issues. Last time I saw a similar tutorial on Bleeping Computer I followed it, and the virus/spyware/rootkit, whatever it was, laughed out loud and proceeded to make itself worse.

Is this the same one that you guys come across?
Link
http://www.bleepingcomputer.com/virus-removal/remove-pc-antispyware-2010

Larry Sabo
08-08-2009, 12:43 AM
I have every boot disk worth having but these machines would not boot from anything. I had to format the drives in my bench computer and then was able to get the Windows XP disk to boot and load Windows.

Did you reset the BIOS before trying to boot the CDs? I've had some real buggers, and one that defied every tool I had, and had to back up the data, re-initialize the drive, full format, re-install. I'm not looking forward to running into this one anytime soon.

studiot
08-08-2009, 12:40 PM
If anyone can tell me where to get infected on this one, I would like to run it on a test machine.

TechProsSD
08-17-2009, 09:50 PM
I think you guys are working too hard.

If you can't work on the affected computer, yank that HD and do A/V scans from a clean computer.

I've found Malwarebytes Anti-Malware (MBAM) and ComboFix is a combination that works.

Connect the affected HD to your laptop (gonna have to start carrying a laptop w/ you now!) and run MBAM; put the HD back into the orig machine and run ComboFix on it.

Done!

For good measure, I leave AntiVir on their computer as I leave.

(Of course, I'll uninstall any A/V they currently have running - obviously it didn't work!)

Also... these new bugs seem to be able to kill the ability to run EXE programs - makes life interesting.

Make life interesting for THEM by keeping this little tool within easy reach.... exefix_xp.com (google it!)

Anyway... solved these guys in a little over an hour.

Longest job so far... 2 hrs.

Good luck lil duck!
:cool:

Geeky Neighbour
08-18-2009, 05:09 AM
I had a couple of these a while back.
I guess my customer's computer was a little bit slow, so it took a minute or two for the virus to load. In that time, I was able to fire up Process Explorer and suspend the process the virus was running.
After that ComboFix worked fine.

It was the first time I've seen this type of virus, and it is truly a pain when it disables every single executable you try to run.

Dunne_Computing
08-18-2009, 01:16 PM
I had fun with the 2009 version when I first came across it on a customer's computer... it's been around a while, 2008/2009 and now 2010.

It's a bugger to get rid of if you don't slave the drive to clean it.

I have to hand it to the creator, it really does take over the machine (ransomware). But after experiencing it first hand before knowing about it, it has taught me more about the tools I use.
I think it's a good test for any tech to remove it without slaving it.

Kenhelms
08-18-2009, 01:23 PM
I just installed this on my main client's data server. It's so totally awesome; in the first few minutes it had already stopped over 1k virii! Well worth the 500 dollar license for life. The site was a little hard to read though, with so much Chinese on it.

ITMAN
08-18-2009, 01:25 PM
^^^^ lmfao

Rodel
08-20-2009, 12:16 AM
I'll try using all of the suggestions you have written above... wish me luck... God bless... :)

Rodel
08-20-2009, 04:29 AM
Yes, it works! MBAM and ComboFix... thanks...

TechProsSD
08-20-2009, 04:44 AM
glad we could help!
;)

studiot
08-20-2009, 10:21 AM
Even with earlier versions I've seen infections so bad that MBAM/Combofix by themselves couldn't sort it.

Certainly just because you run these once - they find things and clean them - does not mean that the machine/drive is clean.

Nor is manual registry editing always successful; back along I posted a thread showing how to hide registry entries from regedit (and find them again from the command line).

No one replied.

In this thread I asked for a source of the 2010 variant, as I have not yet seen it.

Again no one replied.

Further back along I posted another different manual method I tend to use on stubborn infections, involving the system volume file.

No one was interested.

So how do you all prove that all the infection is gone?

TimeCode
08-20-2009, 01:40 PM
A friend of mine is working on a tool that will remove these. Check it out @ http://mal-aware.com/. It's brand new so it shouldn't show up on the program's radar at all!

Please let me know what you think of this tool at http://www.technibble.com/forums/showthread.php?t=8749.

studiot
08-20-2009, 01:46 PM
New tools are always welcome but the introduction to this one suggests that it is rather limited in scope.

Mal-Aware is a basic Malware removal tool and is aimed at removing fraudulent Malware, also known as SmitFraud.

TimeCode
08-20-2009, 01:55 PM
New tools are always welcome but the introduction to this one suggests that it is rather limited in scope.

You're correct. The scope is small but growing and the 2 tools listed in this thread are among its current targets. That is why I posted it.