Mar 20, 2008

VolumeChk.dll - Malware

I had a server heavily infected by malware and spyware. After the regular run-through of my arsenal of software, I whipped out HijackThis and went to town. I couldn't find anything. I had hijackthis.de analyze the results and everything looked clean.

When I rebooted the server it would try to open two sites with the URLs:

1. f6.cookingluck.com
2. http://us01.xmlsearch.findwhat.com/bin/findwhat.dll?clickthrough&y=67669&x=

So, I posted on bleepingcomputer.com and no one replied. I got tired of waiting (that took all of 5 minutes) and started to really examine each file in the HijackThis log. I ran across this entry:

O21 - SSODL: VolumeChk - {64dadcd6-a4df-400c-ac90-6180af4b35fa} - C:\WINDOWS\Installer\{64dadcd6-a4df-400c-ac90-6180af4b35fa}\VolumeChk.dll


Written by Jacob in: Spyware

Jan 22, 2008

The Rise and Fall of the AntiVirus

If you are in the IT field, like me, you know how antivirus companies become less effective the more popular they become. In my younger days I used Norton AntiVirus software. After getting a couple of viruses I checked into a free program that came with a motherboard I had purchased: PC-cillin by Trend Micro. It seemed to be more responsive and did NOT hog my system resources. I loved PC-cillin until they came out with the 2006 version. Then I noticed it took a long time to load the software on startup. Trend Micro had come to meet or beat Norton at being a system resource hog.

I believe the life cycle is this:

New AV company –> Great product –> Catches 99% of the viruses –> New AV company becomes popular –> Adds more features to the product, slows down just a little –> AV company is no longer "new" and people trust the brand name –> Product is now flashy with new colors and benchmark times are completely too slow because they put in every known protection feature they can think of… –> End of life for the software's usefulness.

AV companies such as Norton can still sell products because young and old alike automatically recognize their name as meaning security. In reality I have to remove their software from computers weekly because it fails to actually catch viruses.

How many times have I taken Norton off a computer, installed AVG, and before I could even get my updates AVG Free Edition was catching everything known to man?

Trend Micro is becoming the same way. Their product was really good in the beginning, then when they became popular it's like they forgot how to program or something. Maybe everybody got drunk and went home and left the design team to do everything. Anyhoo, I hate to see Trend Micro go the way Norton has.

Just yesterday I removed Norton 360 from a friend of mine's computer. With Norton it took over 30 seconds for him to log in to his finance software. Now, after removing Norton, the login time is a fast 3 seconds.

Does anybody really truly believe in Norton anymore?

Jan 11, 2008

Safe Mode Keeps Restarting - Vundo Infection

Hardware: Dell Laptop Latitude D520
Software: Trend Micro Antivirus 2006, and WinAntiSpyware
Operating System: Windows XP Home Sp2

One customer brought me a laptop saying the wifi wouldn't work and that it had some type of virus. So, I booted it up and, sure enough, I saw signs of adware and infections. So, I tried to boot into safe mode, where I run a lot of my removal programs.

When safe mode comes up you usually get a message box asking:

"Welcome to safe mode, do you want to run a system restore? YES OR NO" (Yes for safe mode and No for system restore)

If you hit Yes or No, somehow safe mode keeps restarting or becoming unstable. It's like something is killing the host and it prompts again. You can keep hitting Yes or No and finally your desktop is gone and you need to reboot the PC.

More than likely you can still access normal Windows mode. If so, run this tool; you can fix the safe mode problem later on, once the PC is rid of the Vundo infection.

1. Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the “Scan for Vundo” button.
* Once it’s done scanning, click the “Remove Vundo” button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Source: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_22759438.html?eeSearch=true

Over on www.claydawg.com the author suspects that Vundo is actually bundled inside the WinAntiSpyware program. I do believe he is right.

Sep 28, 2007

Spyware: No Control Panel or Task Manager + Lots of Pop-ups

Today I came across a computer that didn't have Task Manager or Control Panel working. When you tried to access either one it would say something about "permissions" and "policies". I did some searching and found lots of people have this trouble with spyware. Basically the spyware/malware edits the registry, disabling Control Panel and Task Manager through policy settings. My two resources for this problem came from the Tech Support Guys and Help2Go forums. I knew that the pop-ups were due to SmitFraud. If you don't know how to get rid of SmitFraud, check out this guide.

I logged in as Administrator, but I still wasn't able to access Control Panel and Task Manager. I thought that Administrator would be a workaround, but it wasn't. This is where the policy editor came in.

If you check out the two links above, they use a policy editor to change the registry keys back so you can access them.

I used a policy changer: REMpolicy. It's just a script you run on your computer, and it changes the registry keys back so you can access Control Panel and Task Manager.
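As an added example (not REMpolicy and not code from any of these posts), the script below audits the registry locations the two posts point at: the documented policy values `DisableTaskMgr` and `NoControlPanel`, which are what hide Task Manager and Control Panel, and the `ShellServiceObjectDelayLoad` (SSODL) key, the HijackThis O21 location where VolumeChk.dll was registered. The `-Restore` switch and the `\Installer\{GUID}\` path heuristic are my additions; clearing the policy values restores the default behaviour.

```powershell
# Added example: audit (and optionally restore) the policy values that disable
# Task Manager / Control Panel, and list SSODL shell objects with their DLLs.
# Run as the affected user, since the policy values are usually set in HKCU.
param([switch]$Restore)

$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' }
)

foreach ($c in $policyChecks) {
    $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($val -eq 1) {
        Write-Host "RESTRICTION SET: $($c.Path)\$($c.Name) = 1"
        if ($Restore) {
            # Deleting the value returns the feature to its default (enabled) state.
            Remove-ItemProperty -Path $c.Path -Name $c.Name
            Write-Host "  cleared"
        }
    }
}

# SSODL: every value is a CLSID that Explorer loads at logon. Resolve each CLSID
# to its InProcServer32 DLL so the file path can be inspected, as HijackThis
# does for its O21 lines. A shell object living under C:\WINDOWS\Installer\{GUID}\
# matched the VolumeChk.dll entry, so such paths are flagged for a closer look.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $clsid = $p.Value
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll = if ($server) { $server.'(default)' } else { '<CLSID not registered>' }
        $flag = if ($dll -like '*\Installer\{*}\*') { '   <-- DLL under \Installer\{GUID}\, unusual for a shell object' } else { '' }
        Write-Host "SSODL $($p.Name) = $clsid -> $dll$flag"
    }
}
```

Review any flagged SSODL entry against the vendor's file properties and a second opinion scanner before removing it; clearing the policy values alone does not remove the malware that set them.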

Note: Keep in mind that you always want to turn System Restore off and boot into safe mode when removing spyware and malware.

Written by Jacob in: Spyware