As you can see in the screenshot below, a rogue antivirus program called Spyware Protect 2009 has blocked my attempt to browse the internet, whether by typing a URL directly or by running a search engine query. Spyware Protect 2009 is just one example; I've seen over a dozen rogues that come bundled with TDSSERV rootkits (the TDSSERV rootkit redirects all queries to a fake page like the one below).
In most cases I'll use Malwarebytes (MBAM) and SuperAntiSpyware (SAS) to get rid of an infection like this, but about 20% of the time MBAM and SAS won't even install. When that happens I'll break out my UBCD4WIN (a bootable Windows environment on CD) and perform a scan with SuperAntiSpyware from there, so the infected system is never running while the scan takes place. After the SAS scan completes, the rootkits go bye-bye.
19 comments
One thing is clear: the rogues are here to stay as long as there are people who buy only 1 or 2 percent of their bogus licenses.
If you knew that the install of MBAM or SAS could fail, why don't you just use UBCD4WIN all the time?
Ug. I've had that problem with Antivirus 2009 and Antivirus 2010.
Most of the problems like that are AV 2009. Most of the rogues in my virtual PC have the option to continue browsing the site.
Hey Matt.
A new version of Comodo Internet Security with AV heuristics is out, with improved HIPS according to them.
Is there any way you can test it, please?
Thanks!
Hey Matt,
Have you tried pre-installing SuperAntiSpyware on a USB flash drive? You can do this by installing SuperAntiSpyware on your computer (laptop) and updating it. Then just copy the SuperAntiSpyware folder from the computer to the USB flash drive. Then you would run superantispyware.exe from the flash drive after you plug it into the infected computer. You should be able to update it (later) while running it from the flash drive on your work laptop.
Have you tried using the Alternative Start? In the latest version of SUPERantispyware, in the All Programs section there is an 'Alternative Start'. This starts SuperAntiSpyware with a completely random process name, meaning it can't be blocked (yet...).
@fsg – that’s for sure
@Jimmy James – UBCD4WIN is a slow loader. SAS quick scans are usually enough.
@ComputerHelpGuy1 – yup, it seems like every one of them these days.
@AZLAN210396 – funny! I wonder why they would do that.
@ankit pasi – I'm testing it right now.
@malcontent – no, I haven't tried that! Thanks man!
@Jimmy James – no, haven't tried that either, but I will next time.
Spyware Protect 2009 is a combination of Antivirus 2009 and MS Antispyware 2009
Matt,
Comodo Internet Security 3.8 is out, yes. However, they are fixing the database, and the full version of the database will be ready by Tuesday. If you are going to test detection rate I'd suggest you wait until Wednesday. If you are going to test prevention... be my guest!!!
All the rogues I have seen have a link that you click, and it's like "continue unprotected",
and then you have to click through 2 popups.
Fortunately you can remove Spyware Protect 2009 manually.
Safe Mode boot and the latest version of MBAM on a flash drive has worked for me every time. Quicker, and no CD required. A flash drive with a write-protect switch is even better, since it won't get infected. If there is no hardware write protect, always scan the flash drive when you are done.