Mar 20 2008

VolumeChk.dll - Malware

I had a server heavily infected by malware and spyware. After the regular run-through of my arsenal of software, I whipped out HijackThis and went to town. I couldn’t find anything. I had hijackthis.de analyze the results and everything looked clean.

When I rebooted the server it would try to open up two sites with the urls:

1. f6.cookingluck.com
2. http://us01.xmlsearch.findwhat.com/bin/findwhat.dll?clickthrough&y=67669&x=

So, I posted on bleepingcomputer.com and no one posted anything. I got tired of waiting (that took all of 5 minutes) and started to really examine each file in the HijackThis log. I ran across this entry:

O21 - SSODL: VolumeChk - {64dadcd6-a4df-400c-ac90-6180af4b35fa} - C:\WINDOWS\Installer\{64dadcd6-a4df-400c-ac90-6180af4b35fa}\VolumeChk.dll

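The O21 line above is HijackThis' name for the ShellServiceObjectDelayLoad (SSODL) autostart location, where a CLSID is registered so that explorer.exe loads the matching COM DLL at logon. The PowerShell below is an added example, not code from the post or from HijackThis: it enumerates the SSODL values in both hives, resolves each CLSID to its InprocServer32 DLL, checks the Authenticode signature, and flags the same pattern the post found (a shell object whose DLL lives under the Windows Installer cache directory). The `Suspicious` heuristic is my own assumption, not a rule from the post.

```powershell
# Added example (not from the original post): list every SSODL (HijackThis "O21")
# autostart entry and resolve the CLSID to the DLL explorer.exe will load at logon.
$ssodlPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

function Get-SsodlEntry {
    foreach ($path in $ssodlPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds
            if ($p.Name -like 'PS*') { continue }
            $clsid = [string]$p.Value
            $dll = $null
            # A CLSID can be registered per-machine or per-user; HKCU wins at runtime
            foreach ($hive in 'HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
                $srv = Join-Path $hive "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $raw = (Get-ItemProperty -Path $srv).'(default)'
                    $dll = [Environment]::ExpandEnvironmentVariables([string]$raw)
                    break
                }
            }
            $sig = if ($dll -and (Test-Path $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Hive       = $path.Split(':')[0]
                Name       = $p.Name
                CLSID      = $clsid
                Dll        = $dll
                Signature  = $sig
                # Heuristic (my assumption): a shell object served from the Installer
                # cache, or one that is not validly signed, deserves a closer look.
                Suspicious = ($dll -match '\\Installer\\') -or ("$sig" -ne 'Valid')
            }
        }
    }
}

Get-SsodlEntry | Format-Table -AutoSize
```

On the server in the post this would have printed the `VolumeChk` value, its CLSID `{64dadcd6-a4df-400c-ac90-6180af4b35fa}`, and the DLL path under `C:\WINDOWS\Installer\`, with `Suspicious` set to `True`. Entries from Microsoft components normally resolve to signed DLLs under `%SystemRoot%\system32`, which is what the heuristic treats as the baseline.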

Written by Jacob in: Spyware

Sep 28 2007

Spyware: No Control Panel or Task Manager + Lots of Pop-ups

Today I came across a computer that didn’t have Task Manager or Control Panel working. When you tried to access either, it would say something about “permissions” and “policies”. I did some searching and found lots of people have this trouble with spyware. Basically the spyware/malware edits the registry, disabling the Control Panel and Task Manager. My two resources for this problem came from Tech Support Guys and Help2Go forums. I knew that the pop-ups were due to smitfraud. If you don’t know how to get rid of smitfraud, check out this guide.

I logged into Administrator, but I still wasn’t able to access Control Panel and Task Manager. I thought that Administrator would be a workaround, but it wasn’t. This is where the policy editor came in.

If you check out the two links above, they use a policy editor to change the registry keys back so you can access them.

I used a policy changer: REMpolicy
It’s just a script you run on your computer and it changes the registry keys back so you can access the Control Panel and Task Manager.

Note: Keep in mind that you always want to turn System Restore off and boot into Safe Mode when removing spyware and malware.
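The lockout the post describes is done through the standard Windows policy values `DisableTaskMgr` and `NoControlPanel` (and, commonly alongside them, `DisableRegistryTools`) under the `Policies` keys. The PowerShell below is an added example and is not the REMpolicy script from the post: it reports which of those values are set, in both HKCU and HKLM, and deletes them only when run with `-Fix`. Checking HKLM matters because a value there applies to every account, which is consistent with the Administrator account being locked out as well.

```powershell
# Added example (not the REMpolicy script from the post): report, and with -Fix
# remove, the policy values spyware sets to block Task Manager and Control Panel.
param([switch]$Fix)

$policies = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Blocks = 'Task Manager' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Blocks = 'Registry Editor' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Blocks = 'Control Panel' }
)

function Get-LockoutPolicy {
    # HKCU covers the current user; HKLM values apply to every account on the box
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($pol in $policies) {
            $key = "$hive\$($pol.Path)"
            if (-not (Test-Path $key)) { continue }
            $val = (Get-ItemProperty -Path $key -Name $pol.Name -ErrorAction SilentlyContinue).($pol.Name)
            if ($null -eq $val) { continue }
            [pscustomobject]@{ Key = $key; Name = $pol.Name; Value = $val; Blocks = $pol.Blocks }
        }
    }
}

$found = @(Get-LockoutPolicy)
if ($found.Count -eq 0) {
    Write-Host 'No lockout policy values are set.'
    return
}
$found | Format-Table -AutoSize

if ($Fix) {
    # A value of 0 means "not restricted", so only non-zero values need removing
    foreach ($f in $found | Where-Object { $_.Value -ne 0 }) {
        Remove-ItemProperty -Path $f.Key -Name $f.Name
        Write-Host "Removed $($f.Name) from $($f.Key) (re-enables $($f.Blocks))"
    }
} else {
    Write-Host 'Re-run with -Fix to delete the non-zero values listed above.'
}
```

Run it first without `-Fix` to see what is set and where. Removing the values from HKLM requires an elevated prompt, and as the post notes, doing this from Safe Mode avoids the malware simply re-setting the values while you work.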

Written by Jacob in: Spyware