In the last couple of weeks I've serviced several machines that had an 
"internet speed monitor" spyware installed; file names were something like 
issm.exe. The files were in a subfolder of %ProgramFiles%. Of course this 
malware never seems to travel alone. It generally starts off with some sort of 
trojan that downloads more material onto the computer, and it only gets hairier 
from there. Additions to the Run keys in the registry are a given, along with 
add-ons to Internet Explorer's list of browser helper objects and toolbars.

My kit of goodies for eliminating infections from computers consists of the 
following:

Autoruns (use this instead of msconfig.exe)
http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx

HijackThis (conveniently displays reg entries that pertain to IE and startup 
apps)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

EZPCFix (displays various settings of registry, can purge temp directories, 
etc.)
http://www.ezpcfix.net/

LSPFix (manage your Layered Service Providers; eliminate NewDotNet, 3rd-party 
firewall, etc.)
http://cexx.org/lspfix.htm

WinsockXPFix by Option^Explicit (repairs/rebuilds winsock settings in 
Win9x, 2K, & XP)
No official site I'm aware of; available on various file mirrors. Google is your 
friend.

plus everything I mentioned previously (SmitRem, SDFix, AVG, Ad-aware, etc.)

I would highly recommend you roll your own copy of the "Ultimate Boot CD 4 
Windows". It's a customized Bart PE bootable CD with just about every 
maintenance tool a techie would need, including most of the ones I've 
mentioned. Be sure you update the definitions for the virus scanners before 
creating the disc. You can use this CD to boot into a clean Windows environment 
that is loaded into the system memory. Go to http://www.ubcd4win.net for more 
info and the download links.

Right now the trickiest things for me to find on my own are the malware that 
install themselves as drivers in the Services area of the registry. 
These entries won't be detected by the likes of HijackThis. This is where SDFix 
and ComboFix have been saving my bacon.


I always do a manual analysis of the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   ..\RunOnce
   ..\runservices
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   ..\RunOnce
   ..\RunEx\
   ..\runservices
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


When hunting for infected files I find that they tend to be in these folders:

%systemdrive%
%systemroot%
%systemroot%\system32
%systemroot%\system32\drivers
%temp%
%programfiles%

A good way to identify them is when the file has a modified/creation date that 
is very recent. The exe and dll files often lack a version tab when you check 
the file properties.

Files that can't be deleted because they are already active can sometimes be 
removed after you disable the "read & execute" attribute in the security 
permissions on the file. This only works on NTFS partitions.

If you are ultimately successful in disabling the autostart of the malware, then 
you can rely on the use of multiple AV and malware scanners to handle any 
residue you couldn't find on your own. Good luck.

-Tharin O.
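As an added example (not part of Tharin's post or of any of the tools he lists), here is a read-only PowerShell triage script that walks the same registry keys and folders named above and reports the two tells he describes: a very recent created/modified date and an exe/dll/sys with no version information. It assumes an elevated PowerShell 3 or later on the machine being inspected; the 14-day cut-off and the one-level descent under %ProgramFiles% are choices made for this example, not values from the post. It only lists, never deletes, so the output is a starting point for the manual review, not a cleanup.

```powershell
# Added example, not code from the original post. Read-only triage script:
# dumps the autostart registry values and flags recently changed executables
# in the folders the post names. Assumptions: elevated PowerShell 3+ on the
# machine being inspected; the 14-day cut-off is arbitrary for this example.
param(
    [int]$DaysBack = 14
)

# Autostart keys listed in the post. Keys that do not exist on a given
# Windows version (RunEx, RunServices) are skipped, not reported as errors.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Folders listed in the post, expanded from the same environment variables.
$folders = @(
    "$env:SystemDrive\",
    $env:SystemRoot,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\drivers",
    $env:TEMP,
    $env:ProgramFiles
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

function Get-SuspectFiles {
    param([datetime]$Cutoff)
    foreach ($dir in $folders) {
        if (-not (Test-Path -Path $dir)) { continue }
        $items = @(Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)
        # One level below Program Files too, since the post found the
        # dropper in a subfolder there (example choice, not from the post).
        if ($dir -eq $env:ProgramFiles) {
            foreach ($sub in (Get-ChildItem -Path $dir -Directory -ErrorAction SilentlyContinue)) {
                $items += @(Get-ChildItem -Path $sub.FullName -File -ErrorAction SilentlyContinue)
            }
        }
        foreach ($f in $items) {
            if ($f.Extension -notmatch '^\.(exe|dll|sys)$') { continue }
            $recent = ($f.LastWriteTime -gt $Cutoff) -or ($f.CreationTime -gt $Cutoff)
            if (-not $recent) { continue }
            # A file with no version resource has empty FileVersion/CompanyName,
            # which is the missing "Version" tab the post describes.
            $vi = $f.VersionInfo
            $hasVersion = -not ([string]::IsNullOrEmpty($vi.FileVersion) -and
                                [string]::IsNullOrEmpty($vi.CompanyName))
            [pscustomobject]@{
                Path       = $f.FullName
                Created    = $f.CreationTime
                Modified   = $f.LastWriteTime
                HasVersion = $hasVersion
            }
        }
    }
}

$cutoff = (Get-Date).AddDays(-$DaysBack)
Write-Output '=== Autostart registry values ==='
Get-AutostartEntries | Format-List
Write-Output "=== Executables created/modified in the last $DaysBack days ==="
# Unversioned files first, newest first: those are the ones to look at by hand.
Get-SuspectFiles -Cutoff $cutoff |
    Sort-Object @{ Expression = 'HasVersion' }, @{ Expression = 'Modified'; Descending = $true } |
    Format-Table -AutoSize
```

Run it from an elevated prompt, e.g. `.\triage.ps1 -DaysBack 7` to tighten the window. A legitimate Windows update will also show up as "recent", which is why the version-info column is there: a fresh exe or dll with no publisher and no version string, sitting in one of these folders and referenced from a Run key, is the combination worth checking before anything is deleted.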

FP <[EMAIL PROTECTED]> wrote: Some of these I had, the ComboFix I did not. 
Got my permissions bad. So far so good, looks like it might fly. Still had a 
persistent (internet speed control) or something to that effect. 
Superspyware remover seems so far to have got that. I may still install my 
Webroot sw and do another scan. Running more AV scans. gpedit is still defunct 
but no biggy.
  
 thanks
 fred
----- Original Message ----- 
From: Tharin Olsen 
To: The Hardware List 
Sent: Tuesday, October 02, 2007 12:57 PM
Subject: Re: [H] restoring policy's ?


Download any of the tools below. I think the first two, SDFix and ComboFix, 
are the most recent. Essentially they are self-extracting archives with 
batch scripts that will reset the changed policy settings, scan for various 
trojans and malware, then give you a final report when it's over. If you 
understand what details the report has, it can clue you in on whether there 
is more material that needs to be dealt with. Run them while in safe mode.

SDFix
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

SmitFraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

SmitRem
http://noahdfear.geekstogo.com/

If it's reeeaally messed up I'd recommend pulling the drive and scanning it 
with a good computer with hopefully several antivirus tools, i.e. AntiVir, 
AVG, Avast, Panda, etc. And also sweep the drive with more than one malware 
scanner like Ad-aware, Spybot Search & Destroy, AVG AntiSpyware, or Webroot. 
Then re-run one of the tools I posted the links for. If those steps don't 
take care of it, it may be better to just format and start over.

-Tharin O.

FORC5 <[EMAIL PROTECTED]> wrote: Have a REALLY screwed up one. Spyware 
or something has basically locked out everything. While I did get the 
control panel back, none of the applets run. gpedit.msc says file not found.

Cannot manage users. Was able to fix this a little and it is better, but 
some of this needs to be restored. I suspect a whole system restore is 
needed, to be honest, but I always respect a challenge. :-D

Any suggestions will be helpful (or tools).
fp

-- 
Tallyho ! ]:8)
Taglines below !
--
Nobody home but the lights, and they're out too.