Noticing Counter Measures


HowardD

On Jan 10, we ran into our first case of loading MS-
AntiSpy on a PC that already had a downloader installed
on it and the downloader had apparently already updated
itself to prevent the Real Time Protection from running.

This morning on the 13th, 3 out of 3 PCs we've installed
MSAS on so far are having this same problem. You can
download and install AS fine, even run a scan and it
detects and removes spyware, but after the scan, the
realtime protection was deactivated. Actually, we just
ran into one that prevents the scanning from even
happening.
 
Thanks for the offer. I'm familiar with HijackThis and
will be able to get it off eventually. Didn't see
anything suspicious in there. There were the following
processes running: TSA2.exe, TSA.exe and GCCRNR.EXE. I
did kill these using MSAS's advanced tools. Not as much
spyware came back after that.

I did run the MSAS in safe mode, along with an updated
Spybot and Ad-Aware in safe mode.

The spyware that kept getting reinstalled was a VX2.eserv
variant and eUniverse.
 
HowardD wrote on 13-Jan-2005 8:23 AM:
On Jan 10, we ran into our first case of loading MS-
AntiSpy on a PC that already had a downloader installed
on it and the downloader had apparently already updated
itself to prevent the Real Time Protection from running.

This morning on the 13th, 3 out of 3 PCs we've installed
MSAS on so far are having this same problem. You can
download and install AS fine, even run a scan and it
detects and removes spyware, but after the scan, the
realtime protection was deactivated. Actually, we just
ran into one that prevents the scanning from even
happening.

There will always be the possibility of counter-measures, but I expect
this to improve, probably after the beta. Think SP1 when most MS tools
work well for the first time.

That said, if you can remove the infection and then get MSAS installed
and providing real-time protection, you have a good chance of preventing
the infection that was disabling the anti-spyware real-time protection.
 