Posts Tagged ‘Bug fixes’

Anti Spyware Soft- Malware removal

A client asked me to look at a PC that had been infected by a “virus”. In fact what it had been infected by was a particularly abhorrent bit of malware called Anti Spyware Soft.

It was probably inadvertently installed by my client by clicking on one of those warning boxes that splash up in some browser windows warning you that you have an infected machine. The box looks very like a Windows error but it's actually not.

An article in PC Pro recently was saying this type of malware is serviced by Russian Mafia types as a way to effectively extort sums from web users by installing their dodgy AV software, which then watches their internet history, recording credit card numbers etc. and relaying them to the “mother ship”.

The PC was installed with F Secure 2010 AV but the damage was done, probably by the client authorising the install unwittingly. F Secure could detect the system modification attempt by a service with effectively a random string name. But it could not detect the virus, it seemed, nor stop its troublesome attempts to scare the user.

It did a number of bad things.

1) It kept warning that it had detected an intrusion attempt. Funny, as when I had the machine it was not even connected to the internet. Worth a test if you ever see such a warning: disconnect and see if it persists. I always disconnect any infected machines when I am aware of them and recommend you do too.

2) It kept flagging up spurious process crashes.

3) It disabled access to services.msc (the control panel services applet) and taskmgr.exe, so you could neither identify nor disable it by conventional means.

4) Once you opened an IE8 browser window it went mental: constant alerts resulting in many red shields in the system tray, and sometimes a Windows AV type window saying AntiSpyware Soft, click to purchase and enable, to sort the problem. Of course you would be mental to. It also sent the web browser to dodgy websites like p*rno.com and vi*gra.com (and probably others), heightening the fear factor for the client!

5) I did a bit of research on the web (as you do) and the best info I found was on www.spywareremove.com. It gave free, manual removal instructions which were spot on and worked a treat. I would say you need to use Safe Mode to do the steps listed and be happy in the registry. I found a couple of keys that differed from their instructions but they were easy to spot and I put it down to the variable behaviour of the malware.

6) With the files deleted it's back to normal, but I have installed Google Chrome on the machine as it's less susceptible to some of the aspects of such malware.

Transcend JF220 disables Start menu icons in Vista

Just encountered an issue with the Transcend JF220 Secure USB stick. This stick uses a fingerprint reader to secure the partitioned USB stick. The stick works fine in my Windows XP system but once used with my Vista system I noticed that the main icons off the Start button stopped working. How odd?

I got hold of a utility called ShellExView from Nirsoft which allows you to see which shell extensions are running on your platform and to selectively disable them. Be warned: disable them one at a time and only those you suspect. If you're not sure, ask a PC savvy friend!

Anyway, working chronologically backwards, i.e. newest first, I noticed an Icon Handler extension supplied by Arachnoid Biometrics Identification Group Corp. Disabling this restored the icon function on the Start button.

Unfortunately I see no easy way to uninstall this as it has no entry in the Control Panel. Looks like a manual/registry hack job for later.

I need to look into whether there is a fix for this first though. Perhaps an updated driver for the Transcend USB stick.
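
A read-only way to get a similar "newest first" view of icon handlers without a third-party tool, as an added PowerShell example (not part of the original post and not NirSoft's code). It assumes PowerShell 3.0 or later, uses the DLL's creation time as a stand-in for install order, and reads only the registry view of the PowerShell process it runs in.

```powershell
# Added example: list registered icon handler shell extensions, newest DLL first.
# Read-only: nothing in the registry or on disk is changed.
$hkcr = [Microsoft.Win32.Registry]::ClassesRoot
$handlers = @{}   # CLSID -> file types / ProgIDs that register it as icon handler

foreach ($name in $hkcr.GetSubKeyNames()) {
    # Icon handlers are registered under <type>\shellex\IconHandler
    try { $key = $hkcr.OpenSubKey("$name\shellex\IconHandler") } catch { continue }
    if (-not $key) { continue }
    $clsid = [string]$key.GetValue('')   # default value holds the handler's CLSID
    $key.Close()
    if (-not $clsid) { continue }
    if (-not $handlers.ContainsKey($clsid)) { $handlers[$clsid] = @() }
    $handlers[$clsid] += $name
}

$rows = foreach ($clsid in $handlers.Keys) {
    # Resolve the CLSID to the DLL that Explorer loads in-process
    $dll = ''
    $srv = $hkcr.OpenSubKey("CLSID\$clsid\InprocServer32")
    if ($srv) {
        $dll = ([string]$srv.GetValue('')).Trim('"')
        $srv.Close()
    }
    # A bare file name or a missing DLL leaves $file empty; the row is still shown
    $file = if ($dll) { Get-Item -LiteralPath $dll -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        Created = if ($file) { $file.CreationTime }
        Company = if ($file) { $file.VersionInfo.CompanyName }
        Dll     = $dll
        Clsid   = $clsid
        UsedBy  = ($handlers[$clsid] | Select-Object -First 5) -join ', '
    }
}

# Newest DLLs first; handlers whose DLL could not be found sort to the end
$rows | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

A recently created DLL from a vendor that matches newly installed hardware or software is the first candidate to examine.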
