thanks, some of these I use ( or similar ) but I have been lazy about creating 
a PE disk. Have a really old superdisk but it is practically worthless except 
to retrieve data.

Found an ismpack.exe in an ism2 subfolder. Have not found the startup yet. 
Killed the process and deleted the files, will see if the pop up comes back.

Fp

At 07:20 PM 10/2/2007, Tharin Olsen Poked the stick with:
>In the last couple of weeks I've serviced several machines that had an 
>"internet speed monitor" spyware installed; file names were something like 
>issm.exe. The files were in a subfolder of %ProgramFiles%. Of course this 
>malware never seems to travel alone. It generally starts off with some sort of 
>trojan that downloads more material into the computer and it only gets hairier 
>from there. Additions to the Run keys in the registry are a given, along with 
>addons to Internet Explorer's list of browser helper objects and toolbars.
>
>My kit of goodies for eliminating infections from computers consists of the 
>following:
>
>Autoruns (use this instead of msconfig.exe)
>http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx
>
>HijackThis (conveniently displays reg entries that pertain to IE and startup 
>apps)
>http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
>
>EZPCFix (displays various settings of registry, can purge temp directories, 
>etc.)
>http://www.ezpcfix.net/
>
>LSPFix (manage your Layered Service Providers. eliminate NewDotNet, 3rd party 
>firewall, etc)
>http://cexx.org/lspfix.htm
>
>WinsockXPFix by Option^Explicit (repairs/rebuilds winsock settings in 
>Win9x,2K,&XP)
>no official site I'm aware of, available on various file mirrors, google is 
>your friend
>
>plus everything I mentioned previously (SmitRem, SDFix, AVG, Ad-aware, etc.)
>
>I would highly recommend you roll your own copy of the "Ultimate Boot CD 4 
>Windows". It's a customized Bart PE bootable CD with just about every 
>maintenance tool a techie would need, including most of the ones I've 
>mentioned. Be sure you update the definitions for the virus scanners before 
>creating the disc. You can use this cd to boot into a clean Windows 
>environment that is loaded into the system memory. Go to 
>http://www.ubcd4win.net for more info and the download links.
>
>Right now the trickiest things for me to find on my own are the malware that 
>are installing themselves as drivers in the Services area of the registry. 
>These entries won't be detected by the likes of HijackThis. This is where 
>SDFix and Combofix have been saving my bacon.
>
>
>I always do a manual analysis of the following registry keys:
>
>HKCU\Software\Microsoft\Windows\CurrentVersion\Run
>   ..\RunOnce
>   ..\runservices
>HKLM\Software\Microsoft\Windows\CurrentVersion\Run
>   ..\RunOnce
>   ..\RunEx\
>   ..\runservices
>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
>
>
>When hunting for infected files I find that they tend to be in these folders:
>
>%systemdrive%
>%systemroot%
>%systemroot%\system32
>%systemroot%\system32\drivers
>%temp%
>%programfiles%
>
>A good way to identify them is when the file has a modified/creation date that 
>is very recent. The exe and dll files often lack a version tab when you check 
>the file properties.
>
>Files that can't be deleted because they are already active can sometimes be 
>removed after you disable the read&execute attribute in the security 
>permissions on the file. This only works on NTFS partitions.
>
>If you are ultimately successful in disabling the autostart of the malware 
>then you can rely on the use of multiple AV and Malware scanners to handle any 
>residue you couldn't find on your own. Good luck.
>
>-Tharin O.
>
>FP <[EMAIL PROTECTED]> wrote:
>some of these I had, the combofix did not. got my permissions bad. So far so 
>good, looks like it might fly. Still had a persistent ( internet speed control 
>) or something to that effect. superspyware remover seems so far to have got 
>that. I may still install my webroot sw and do another scan. running more av 
>scans. gpedit is still defunct but no biggy.
> 
>thanks
>fred
>----- Original Message ----- 
>From: Tharin Olsen <[EMAIL PROTECTED]>
>To: The Hardware List <hardware@hardwaregroup.com>
>Sent: Tuesday, October 02, 2007 12:57 PM
>Subject: Re: [H] restoring policy's ?
>
>Download any of the tools below. I think the first two, SDFix and ComboFix, 
>are the most recent. Essentially they are self-extracting archives with batch 
>scripts that will reset the changed policy settings, scan for various trojans 
>and malware, then give you a final report when it's over. If you understand 
>what details the report has it can clue you in on whether there is more 
>material that needs to be dealt with. Run them while in safe mode.
>
>SDFix
>http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
>
>ComboFix
>http://download.bleepingcomputer.com/sUBs/ComboFix.exe
>
>SmitFraudFix
>http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
>
>SmitRem
>http://noahdfear.geekstogo.com/
>
>If it's reeeaally messed up I'd recommend pulling the drive and scanning it 
>with a good computer with hopefully several antivirus tools i.e. AntiVir, AVG, 
>Avast, Panda, etc. And also sweep the drive with more than one Malware scanner 
>like Ad-aware, Spybot Search & Destroy, AVG AntiSpyware, or Webroot. Then 
>re-run one of the tools I posted the links for. If those steps don't take care 
>of it, it may be better to just format and start over.
>
>-Tharin O.
>
>FORC5 <[EMAIL PROTECTED]> wrote: 
>Have a REALLY screwed up one. Spyware or something has basically locked out 
>everything. While I did get the control panel back none of the applets run. 
>gpedit.msc says file not found.
>
>Cannot manage users. Was able to fix this a little and it is better but some 
>of this needs to be restored. I suspect a whole system restore is needed to be 
>honest but I always respect a challenge. :-D
>
>Any suggestions will be helpful. ( or tools )
>fp
>
>-- 
>Tallyho ! ]:8)
>Taglines below !
>--
>Nobody home but the lights, and they're out too.
>
>

-- 
Tallyho ! ]:8)
Taglines below !
--
Frankly my dear, I don't give a download. -Rhett Sysop.
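Tharin's manual checklist above (the Run/RunOnce/RunServices and Winlogon keys, and the six folders where recently written executables without a version tab tend to turn up) can be scripted for triage. The script below is an added example written for this thread, not a tool any of the posters mentioned; it assumes a Windows host with PowerShell 3.0 or later, and the seven-day "recent" window is a constructed default, not something from the thread.

```powershell
# Added triage script (not from the thread): enumerate the autostart registry
# keys from Tharin's checklist and flag recently created/modified .exe/.dll
# files in the folders he names that also lack version information.
# Assumes Windows with PowerShell 3.0+; the 7-day window is a constructed default.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# The folders from the thread, expanded from the same environment variables.
$folders = @(
    "$env:SystemDrive\",
    $env:SystemRoot,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\drivers",
    $env:TEMP,
    $env:ProgramFiles
)

function Get-AutostartEntries {
    # One object per value under each Run-style key; keys that do not exist are skipped.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Winlogon: Shell and Userinit are the values that get appended to.
    # Expected baseline: Shell = 'explorer.exe', Userinit ends in 'userinit.exe,'.
    if (Test-Path $winlogon) {
        $wl = Get-ItemProperty -Path $winlogon
        foreach ($name in 'Shell', 'Userinit') {
            [pscustomobject]@{ Key = $winlogon; Name = $name; Command = $wl.$name }
        }
    }
}

function Get-SuspectFiles {
    param([int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($dir in $folders) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        # Top level only, matching the manual walk in the thread (no recursion).
        Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and ($_.Extension -in '.exe', '.dll') } |
            Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
            ForEach-Object {
                $vi = $_.VersionInfo   # what the "Version" tab in file properties shows
                [pscustomobject]@{
                    Path          = $_.FullName
                    Created       = $_.CreationTime
                    Modified      = $_.LastWriteTime
                    NoVersionInfo = [string]::IsNullOrEmpty($vi.FileVersion) -and
                                    [string]::IsNullOrEmpty($vi.CompanyName)
                }
            }
    }
}

'=== Autostart entries ==='
Get-AutostartEntries | Format-Table -AutoSize -Wrap

'=== Executables written in the last 7 days with no version info ==='
Get-SuspectFiles -Days 7 | Where-Object { $_.NoVersionInfo } |
    Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so HKLM and System32\drivers are fully readable, and remember that HKCU only reflects the account you are logged in as. Both heuristics are triage filters, not verdicts: a fresh Windows update legitimately rewrites files in System32, and a file carrying a version resource is not thereby clean, so anything the script surfaces still needs a look with Autoruns or a scanner before it is deleted. Like HijackThis, this script does not cover the Services area of the registry that Tharin says is the trickiest to inspect by hand.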

