Back in June 2012, I was looking at an infected PC, and after running Malwarebytes, it looked like the PC was clean.
But after a restart, Microsoft Security Essentials reported that it had found Sirefef.Y, and that it would remove it.
After removal, the computer would give a 60 second grace period before restarting.
I first thought that the 60 seconds was MSE forcing a restart.
But it was actually Sirefef.Y restarting the PC to prevent anything from removing it.
Since Sirefef.Y is a rootkit, most standard security tools struggle to remove it.
I tried a few different tools (all had to be run from safe mode, to avoid the 60 seconds before a reboot), but TDSSKiller and a few others either wouldn't detect it, or would not be able to remove it.
After a lot of research, I eventually had to use a tool like GMER… then interpret the results, and then manually remove the rootkit files responsible for the infection.
Certainly not something an average (or even an advanced) PC user would be able to do.
With infections like this on the rise, I'm starting to wonder how much worse this can get, and whether the PC security companies can do anything to improve their products to defend against this type of infection.
It seems that everyone who buys a recent WD external USB drive will get lumbered with a virtual CD called SmartWare.
Now, there are many reasons to dislike SmartWare.
An extra drive letter in Windows explorer
Extra software on the Virtual CD that you cannot easily remove.
The extra letter can cause many problems with existing external drives that are being used as automated backup drives… I hate it (and most non-technical users get severely confused) when previously working backups to, say, drive E:, now don't work any more.
Your computer's drive layout is effectively changed without your permission.
An initial look for a solution resulted in a huge 20-step process (involving updating the firmware to each WD drive, then disabling the virtual CD).
It shouldn’t be so hard.
Then I found a much simpler solution:
In XP (you can use a similar process for Vista and W7):
Control Panel -> System -> Hardware -> Device Manager -> expand DVD/CD-ROM Drives -> right click on the "WD Virtual CD device" -> Disable -> OK
I didn't have time for a comprehensive test, so it's possible for the VCD to re-appear if you plug the WD drive into a different USB port… but if this happens, just repeat the process.
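The same Device Manager step can be scripted, which helps when you have to repeat it on several machines or after the drive lands on a new USB port. The script below is an added example and is not from the original post or from WD; it assumes Windows 8 or later with PowerShell 5.1 (the PnpDevice cmdlets do not exist on XP, Vista or Windows 7, where the Device Manager clicks above are the way to do it), an elevated session, and that the device reports a friendly name containing "WD Virtual CD" as it does in Device Manager. Only CD-ROM class devices matching that pattern are touched, so physical optical drives are left alone.

```powershell
# Added example (not from the original post): disable the WD Virtual CD device
# from PowerShell instead of clicking through Device Manager.
# Assumes Windows 8+ / PowerShell 5.1 (PnpDevice cmdlets are not available on
# XP, Vista or Windows 7) and an elevated (Administrator) session.
# The name pattern below is taken from the post's Device Manager entry; adjust
# it if your drive reports a different friendly name.

$pattern = '*WD Virtual CD*'

# List CD-ROM class devices first so you can confirm which one is the virtual
# CD before disabling anything. Physical optical drives will not match $pattern.
$cdroms = Get-PnpDevice -Class CDROM -ErrorAction SilentlyContinue
$cdroms | Format-Table InstanceId, FriendlyName, Status -AutoSize

$vcd = $cdroms | Where-Object { $_.FriendlyName -like $pattern }

if (-not $vcd) {
    Write-Host "No device matching '$pattern' found; nothing to do."
    return
}

foreach ($dev in $vcd) {
    if ($dev.Status -eq 'OK') {
        Write-Host "Disabling: $($dev.FriendlyName) [$($dev.InstanceId)]"
        # -Confirm:$false suppresses the prompt; drop it if you want to be asked.
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
    } else {
        Write-Host "Already disabled or not OK: $($dev.FriendlyName) (Status: $($dev.Status))"
    }
}

# Re-check the state. As the post notes, plugging the drive into a different
# USB port can create a new device instance; just re-run this script then.
Get-PnpDevice -Class CDROM | Where-Object { $_.FriendlyName -like $pattern } |
    Format-Table FriendlyName, Status -AutoSize
```

After disabling, the virtual CD shows a non-OK status in the final listing and its drive letter disappears from Explorer; the WD drive's data partition keeps its own letter, so existing backup jobs pointing at it are unaffected.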
I recently purchased another (I must be a masochist!) HP scanner. This time I went with a brand new scanjet 2400.
It works well, except that the software I got with it installed this really annoying icon on my desktop, "share-to-web upload folder".
Hey, if I want to put my scanned images on my website, I'll use FTP, so I right-click on the icon (and I wait for the menu to pop up, so I can select the delete option)… I wait, and I wait. Hmmm, the computer feels like it has locked up.
I restart the PC, try to remove the software again, but it kinda freezes again… It looks like explorer.exe is locked up.