I used the modified versions of SAS.EXE, RUNSAS.EXE and the manual def updates (the spyware blocks the auto updater). It did not remove the malware. However, using the renaming trick, I renamed SmitFraudFix.exe to SFF.exe and it ran and removed Total Secure 2009. Not all good news. What I believe is the loader for this malware was not removed by anything I ran. Symantec detects it and says it removes it, but it's back after every reboot. Typical useless Symantec. Nothing else even detects it. The file was TDSSPQLT.SYS. I have limits in how much time I can put into these so it has been punted for re-image. And, unfortunately, 100% of my users are remote, so safe-mode is a difficult thing for me to use. This week, and this malware, has resulted in my first two re-images in some 100 spyware removal cases. Damn I hate to lose.
There is a new malware out within the last week that is very nasty. It appears to be along the same rogue lines as WinAntiVirusPro 2009, but much worse... First, it blocks all access to every useful AntiSpyware and AntiVirus site I know of, including SuperAntiSpyware, SmitFraudFix and MalwareBytes. Second, even if you have the utilities on hand, it prevents them from being installed/run by generating a Windows crash every time you try. I have not been able to find a way around this one and have had to re-image every machine so far. Anyone else run across this? It's very recent; it was released within the last week. The last infection I worked came from Facebook. TL