No, someone like my mom doesn’t have a standard “line of business” SRP for her computers, and I’m not sure it matters. She is running ThreatFire, finds it easy to use, and is confident that she can work and play online!

Thanks for your comment, we’ll look further into it. But first, if we assume that most users don’t run under limited accounts, and following the discussion that Vista’s UAC prompts excessively, it seems more relevant to focus on commonly used account permissions and the setup that the malware targets (the content in the post).

Btw, there are multiple ways to evade account limitations for spyware. It seems that it’s just not necessary for the malware authors to implement at this point.

SRP should prevent the user from writing where they can execute or executing where they can write, it should also block most registry writes. This is reasonably good protection from web based attacks and protects against many hacked/cracked installs. Does it still work in win7?

A co-worker reported removing this threat from a PC that had been infected via a limited user account. While logged on to the LU account sdra64.exe and associated registry entries were not visible. They were visible and easily removed from the admin account however.

Good points, thanks for your comment.

Regarding the abuse of HKCU to circumvent UAC, yes, that in part is what is going on. Nothing hidden here, you are in a position to review the behavior of the malware, because example ThreatExpert report links are included in the post for interested technical folk like you. You can look in the post for the link in “Protection System FakeAv variants” and you’ll find the information that you may be seeking.
It is relevant because this sort of UAC evasion is mentioned on multiple “underground” blackhat interest forums. It sells.

And the intent of the message regarding the reported uninstall behavior was not to imply anything misleading about its behavior on Windows 7. It’s the opposite. There are reports on the web that make no distinction in the malware’s ability to uninstall security software per OS, so the clarification that the behavior was not observed on Win7 in the lab was made.

Thanks again!

Syaing “It’s reported to attempt uninstall on other security products, which was not observed on lab machines” is a nice way of implying that it can do more than it really can. Of course it can’t uninstall your security software without either admin privileges or UAC or both.

Have you test with a software restricted policy like http://mechbgon.com/srp/ ?

Sorry to see that you are having what appears to be an extra-ordinary problem. We'd like to see you helped, but this blog is not our support forum. Our support guys are responsive on our forum, please post a description of the problem here:

http://www.pctools.com/forum/forumdisplay.php?f=59

Thanks!