Re: [H] restoring policy's ?

2007-10-03 Thread FORC5
thanks, some of these I use ( or similar ) but I have been lazy about creating 
a PE disk. Have a really old superdisk but it is practically worthless except 
to retrieve data,

Found an ismpack.exe in an ism2 subfolder. Have not found the startup yet. 
Killed the process and deleted the files, will see if the pop up comes back.

Fp

At 07:20 PM 10/2/2007, Tharin Olsen Poked the stick with:
In the last couple of weeks I've serviced several machines that had an 
internet speed monitor spyware installed; file names were something like 
issm.exe. The files were in a subfolder of %ProgramFiles%. Of course this 
malware never seems to travel alone. It generally starts off with some sort of 
trojan that downloads more material into the computer and it only gets hairier 
from there. Additions to the Run keys in the registry are a given, along with 
addons to Internet Explorer's list of browser helper objects and toolbars.

My kit of goodies for eliminating infections from computers consists of the 
following:

Autoruns (use this instead of msconfig.exe)
http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx

HijackThis (conveniently displays reg entries that pertain to IE and startup 
apps)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

EZPCFix (displays various settings of registry, can purge temp directories, 
etc.)
http://www.ezpcfix.net/

LSPFix (manage your Layered Service Providers. eliminate NewDotNet, 3rd party 
firewall, etc)
http://cexx.org/lspfix.htm

WinsockXPFix by Option^Explicit (repairs/rebuilds winsock settings in 
Win9x,2K,XP)
no official site I'm aware of, available on various file mirrors, Google is 
your friend

plus everything I mentioned previously (SmitRem, SDFix, AVG, Ad-aware, etc.)

I would highly recommend you roll your own copy of the Ultimate Boot CD 4 
Windows. It's a customized Bart PE bootable CD with just about every 
maintenance tool a techie would need, including most of the ones I've 
mentioned. Be sure you update the definitions for the virus scanners before 
creating the disc. You can use this cd to boot into a clean Windows 
environment that is loaded into the system memory. Go to 
http://www.ubcd4win.net for more info and the download links.

Right now the trickiest things for me to find on my own are the malware that 
are installing themselves as drivers in the Services area of the registry. 
These entries won't be detected by the likes of HijackThis. This is where 
SDFix and Combofix have been saving my bacon.


I always do a manual analysis of the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   ..\RunOnce
   ..\runservices
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   ..\RunOnce
   ..\RunEx\
   ..\runservices
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


When hunting for infected files I find that they tend to be in these folders:

%systemdrive%
%systemroot%
%systemroot%\system32
%systemroot%\system32\drivers
%temp%
%programfiles%

A good way to identify them is when the file has a modified/creation date that 
is very recent. The exe and dll files often lack a version tab when you check 
the file properties.

Files that can't be deleted because they are already active can sometimes be 
removed after you disable the Read & Execute attribute in the security 
permissions on the file. This only works on NTFS partitions.

If you are ultimately successful in disabling the autostart of the malware 
then you can rely on the use of multiple AV and Malware scanners to handle any 
residue you couldn't find on your own. Good luck.

-Tharin O.

FP [EMAIL PROTECTED] wrote:
some of these I had, the combofix did not. got my permissions bad. So far so 
good, looks like it might fly. Still had a persistent ( internet speed control 
) or something to that effect. superspyware remover seems so far to have got 
that.  I may still install my webroot sw and do another scan. running more av 
scans. gpedit is still defunct but no biggy.
 
thanks
fred
- Original Message - 
From: Tharin Olsen [EMAIL PROTECTED]
To: The Hardware List hardware@hardwaregroup.com
Sent: Tuesday, October 02, 2007 12:57 PM
Subject: Re: [H] restoring policy's ?

Download any of the tools below. I think the first two, SDFix and ComboFix, 
are the most recent. Essentially they are self-extracting archives with batch 
scripts that will reset the changed policy settings, scan for various trojans 
and malware, then give you a final report when it's over. If you understand 
what details the report has it can clue you in on whether there is more 
material that needs to be dealt with. Run them while in safe mode.

SDFix
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

SmitFraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

SmitRem
http://noahdfear.geekstogo.com/

If it's reeeaally messed up I'd recommend pulling the drive and scanning

Re: [H] restoring policy's ?

2007-10-03 Thread Tharin Olsen
Do it :) It will take a whole 30 min. of your life to make one if you've got a 
broadband connection. You'll wonder how you ever got along without one. 

So far I haven't had any success in creating a BartPE flash drive. I'm tired of 
burning new cd-rs every few weeks and to create a bootable flash drive with 
BartPE would be most excellent.

-Tharin O.

FORC5 [EMAIL PROTECTED] wrote: thanks, some of these I use ( or similar ) but 
I have been lazy about creating a PE disk. Have a really old superdisk but it 
is practically worthless except to retrieve data,



Re: [H] restoring policy's ?

2007-10-03 Thread Tharin Olsen


Wayne Johnson [EMAIL PROTECTED] wrote: At 11:27 10-03-2007, Tharin Olsen 
typed:
I'm tired of burning new cd-rs every few weeks and to create a 
bootable flash drive with BartPE would be most excellent.

With the latest version of UltraIso you can edit the BartPE.iso file 
directly instead of using PE Builder to recreate the same thing over 
& over again plus using CDRW disks are cheaper in the long run.

I too have NOT been able to create a bootable USB flash drive w/ 
BartPE & Lord knows I've tried.

That reminds me I need to update the apps that I use on my XpPe disks.

Good tip on the UltraISO, I remember using that program some years ago. I need 
to check it out again. If it were for private or limited I'd use CD-RW but the 
odds of a CD-RW not working in some random person's optical drive are higher than 
that of a good quality CD-R. I own an on-site computer repair/service company 
for residential and commercial end-users which means I have to work on all 
sorts of systems every day.  Some cheap drives won't read a disc that barely has 
a scuff on it.

I've tried a few times to get a bootable flash drive with BartPE but haven't 
managed to get it to work yet. Most instructions involve the use of a special 
format utility from the likes of HP or to use Win98 because the way XP formats 
them doesn't seem to work. Once I get a chance to spend some time with it again 
I will share what I learned with the list. That is if I manage to get it to 
work. :)

-Tharin O.


[H] restoring policy's ?

2007-10-02 Thread FORC5
Have a REALLY screwed up one. Spyware or something has basically locked out 
everything. While I did get the control panel back none of the applets run. 
gpedit.msc says file not found.

can not manage users. Was able to fix this a little and it is better but some 
of this needs to be restored. I suspect a whole system restore is needed to be 
honest but I always respect a challenge. :-D

Any suggestions will be helpful. ( or tools )
fp

-- 
Tallyho ! ]:8)
Taglines below !
--
Nobody home but the lights, and they're out too.




RE: [H] restoring policy's ?

2007-10-02 Thread Tim "The Beave" Lider
Does the computer run in safe mode?  If so you can see if anything runs
there.  Also, Check the Task Manager and see if there is any software
running that looks fishy (Pun intended). 

There is a lot of Spyware that locks computers down and does not let you run
certain utilities.  I have seen this in the past.  The funny thing is the
person who owns the computer has no idea how they got in there.

Good luck,

Tim The Beave Lider
E-mail: [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FORC5
Sent: Tuesday, October 02, 2007 9:43 AM
To: hardware@hardwaregroup.com
Subject: [H] restoring policy's ?

Have a REALLY screwed up one. Spyware or something has basically locked out
everything. While I did get the control panel back none of the applets run.
gpedit.msc says file not found.

can not manage users. Was able to fix this a little and it is better but
some of this needs to be restored. I suspect a whole system restore is
needed to be honest but I always respect a challenge. :-D

Any suggestions will be helpful. ( or tools )
fp

-- 
Tallyho ! ]:8)
Taglines below !
--
Nobody home but the lights, and they're out too.





RE: [H] restoring policy's ?

2007-10-02 Thread FORC5
thanks Tim
Been removing stuff but hadn't even thought of safe mode. ( my bad )

Biggest baddy is something called avsystemcare. Have gotten rid of some of the 
pop ups but without control panel access and add remove programs. crap. I got 
control panel ( registry nocontrolpanel 0 ) but it vanished again but when I 
had it none of the applets worked.

real bad one. I'm sure my head will be sore b4 I do what I know needs to be 
done. :-[
thanks
Fred
At 10:00 AM 10/2/2007, Tim "The Beave" Lider Poked the stick with:

Does the computer run in safe mode?  If so you can see if anything runs
there.  Also, Check the Task Manager and see if there is any software
running that looks fishy (Pun intended). 

There is a lot of Spyware that locks computers down and does not let you run
certain utilities.  I have seen this in the past.  The funny thing is the
person who owns the computer has no idea how they got in there.

Good luck,

Tim The Beave Lider
E-mail: [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]


-- 
Tallyho ! ]:8)
Taglines below !
--
Laws are like sausages, it is better to not see them made




Re: [H] restoring policy's ?

2007-10-02 Thread Al

FORC5 [EMAIL PROTECTED] wrote:

 Have a REALLY screwed up one. 
snip
 Any suggestions will be helpful. ( or tools )

Put the drive in a known clean machine and scan?

al 

-- 
Al [EMAIL PROTECTED]



RE: [H] restoring policy's ?

2007-10-02 Thread Mesdaq, Ali
Is it really worth it to try to clean? Are you sure a nice clean
re-install wouldn't be better? I always suggest people stay away from
remediation because you're only depending on tools and their signatures
and trust me even the best AV doesn't have very good coverage. Most
malware these days are also web based so they download newer versions
from the web. So 1 piece of malware will usually result in 5-10 new
pieces of malware downloaded.

Thanks,
--
Ali Mesdaq
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FORC5
Sent: Tuesday, October 02, 2007 9:43 AM
To: hardware@hardwaregroup.com
Subject: [H] restoring policy's ?

Have a REALLY screwed up one. Spyware or something has basically locked
out everything. While I did get the control panel back none of the
applets run. gpedit.msc says file not found.

can not manage users. Was able to fix this a little and it is better but
some of this needs to be restored. I suspect a whole system restore is
needed to be honest but I always respect a challenge. :-D

Any suggestions will be helpful. ( or tools ) fp

--
Tallyho ! ]:8)
Taglines below !
--
Nobody home but the lights, and they're out too.





Re: [H] restoring policy's ?

2007-10-02 Thread FP
I agree, but sometimes the journey is educational. In the end, fdisk is the 
answer :)

fp

- Original Message - 
From: Mesdaq, Ali [EMAIL PROTECTED]

To: The Hardware List hardware@hardwaregroup.com
Sent: Tuesday, October 02, 2007 12:06 PM
Subject: RE: [H] restoring policy's ?



Is it really worth it to try to clean? Are you sure a nice clean
re-install wouldn't be better? I always suggest people stay away from
remediation because you're only depending on tools and their signatures
and trust me even the best AV doesn't have very good coverage. Most
malware these days are also web based so they download newer versions
from the web. So 1 piece of malware will usually result in 5-10 new
pieces of malware downloaded.

Thanks,
--
Ali Mesdaq
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FORC5
Sent: Tuesday, October 02, 2007 9:43 AM
To: hardware@hardwaregroup.com
Subject: [H] restoring policy's ?

Have a REALLY screwed up one. Spyware or something has basically locked
out everything. While I did get the control panel back none of the
applets run. gpedit.msc says file not found.

can not manage users. Was able to fix this a little and it is better but
some of this needs to be restored. I suspect a whole system restore is
needed to be honest but I always respect a challenge. :-D

Any suggestions will be helpful. ( or tools ) fp

--
Tallyho ! ]:8)
Taglines below !
--
Nobody home but the lights, and they're out too.









Re: [H] restoring policy's ?

2007-10-02 Thread FP

FWIW even in safe mode control panel applets do not work.
Any way to access add remove programs directly ?
fp

- Original Message - 
From: FORC5 [EMAIL PROTECTED]

To: The Hardware List hardware@hardwaregroup.com
Sent: Tuesday, October 02, 2007 10:32 AM
Subject: RE: [H] restoring policy's ?



thanks Tim
Been removing stuff but hadn't even thought of safe mode. ( my bad )

Biggest baddy is something called avsystemcare. Have gotten rid of some of 
the pop ups but without control panel access and add remove programs. 
crap. I got control panel ( registry nocontrolpanel 0 ) but it vanished 
again but when I had it none of the applets worked.


real bad one. I'm sure my head will be sore b4 I do what I know needs to 
be done. :-[

thanks
Fred
At 10:00 AM 10/2/2007, Tim "The Beave" Lider Poked the stick with:


Does the computer run in safe mode?  If so you can see if anything runs
there.  Also, Check the Task Manager and see if there is any software
running that looks fishy (Pun intended).

There is a lot of Spyware that locks computers down and does not let you run
certain utilities.  I have seen this in the past.  The funny thing is the
person who owns the computer has no idea how they got in there.

Good luck,

Tim The Beave Lider
E-mail: [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]



--
Tallyho ! ]:8)
Taglines below !
--
Laws are like sausages, it is better to not see them made








Re: [H] restoring policy's ?

2007-10-02 Thread Tharin Olsen
Download any of the tools below. I think the first two, SDFix and ComboFix, are 
the most recent. Essentially they are self-extracting archives with batch 
scripts that will reset the changed policy settings, scan for various trojans 
and malware, then give you a final report when it's over. If you understand what 
details the report has it can clue you in on whether there is more material 
that needs to be dealt with. Run them while in safe mode.

SDFix
 http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
 
 ComboFix
 http://download.bleepingcomputer.com/sUBs/ComboFix.exe
 
 SmitFraudFix
 http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
 
 SmitRem
 http://noahdfear.geekstogo.com/

If it's reeeaally messed up I'd recommend pulling the drive and scanning it with 
a good computer with hopefully several antivirus tools i.e. AntiVir, AVG, 
Avast, Panda, etc. And also sweep the drive with more than one Malware scanner 
like Ad-aware, Spybot Search & Destroy, AVG AntiSpyware, or Webroot. Then 
re-run one of the tools I posted the links for. If those steps don't take care 
of it it may be better to just format and start over.

-Tharin O.

FORC5 [EMAIL PROTECTED] wrote: Have a REALLY screwed up one. Spyware or 
something has basically locked out everything. While I did get the control 
panel back none of the applets run. gpedit.msc says file not found.

can not manage users. Was able to fix this a little and it is better but some 
of this needs to be restored. I suspect a whole system restore is needed to be 
honest but I always respect a challenge. :-D

Any suggestions will be helpful. ( or tools )
fp

-- 
Tallyho ! ]:8)
Taglines below !
--
Nobody home but the lights, and they're out too.




RE: [H] restoring policy's ?

2007-10-02 Thread Mesdaq, Ali
I don't know about accessing add/remove programs directly but to
uninstall most applications that were installed via installshield there
are regkeys that save information about the uninstall string.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
you can just paste the uninstall strings into the run box and proceed
that way. 

Thanks,
--
Ali Mesdaq
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FP
Sent: Tuesday, October 02, 2007 12:35 PM
To: The Hardware List
Subject: Re: [H] restoring policy's ?

FWIW even in safe mode control panel applets do not work.
Any way to access add remove programs directly ?
fp

- Original Message -
From: FORC5 [EMAIL PROTECTED]
To: The Hardware List hardware@hardwaregroup.com
Sent: Tuesday, October 02, 2007 10:32 AM
Subject: RE: [H] restoring policy's ?


 thanks Tim
 Been removing stuff but hadn't even thought of safe mode. ( my bad )

 Biggest baddy is something called avsystemcare. Have gotten rid of some of
 the pop ups but without control panel access and add remove programs.
 crap. I got control panel ( registry nocontrolpanel 0 ) but it vanished
 again but when I had it none of the applets worked.

 real bad one. I'm sure my head will be sore b4 I do what I know needs to
 be done. :-[
 thanks
 Fred
 At 10:00 AM 10/2/2007, Tim "The Beave" Lider Poked the stick with:

Does the computer run in safe mode?  If so you can see if anything runs
there.  Also, Check the Task Manager and see if there is any software
running that looks fishy (Pun intended).

There is a lot of Spyware that locks computers down and does not let you run
certain utilities.  I have seen this in the past.  The funny thing is the
person who owns the computer has no idea how they got in there.

Good luck,

Tim The Beave Lider
E-mail: [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]


 -- 
 Tallyho ! ]:8)
 Taglines below !
 --
 Laws are like sausages, it is better to not see them made
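
The registry lookup Ali describes above, as an added example that is not part of the original thread: a read-only PowerShell listing of the uninstall strings stored under the `Uninstall` key, for when Add/Remove Programs will not open. The function name `Get-UninstallEntry` and its `-NameLike` filter are hypothetical; the `Wow6432Node` and `HKCU` locations are additions beyond the single key named in the message.

```powershell
# Added example (not from the thread): read the uninstall commands straight
# from the registry when Add/Remove Programs will not open. Read-only:
# nothing is executed or changed.
function Get-UninstallEntry {
    param(
        # Wildcard matched against the display name (hypothetical parameter).
        [string]$NameLike = '*'
    )

    $roots = @(
        # The key named in the message above.
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        # 32-bit programs on 64-bit Windows register here instead.
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        # Per-user installs.
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        # A missing root (e.g. Wow6432Node on 32-bit Windows) yields nothing.
        $keys = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue
        foreach ($key in $keys) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            # Entries without an UninstallString cannot be removed this way.
            if (-not $p -or -not $p.UninstallString) { continue }

            # Some entries have no DisplayName; fall back to the subkey name.
            $name = if ($p.DisplayName) { $p.DisplayName } else { $key.PSChildName }
            if ($name -notlike $NameLike) { continue }

            [PSCustomObject]@{
                Name            = $name
                Publisher       = $p.Publisher
                InstallDate     = $p.InstallDate
                UninstallString = $p.UninstallString
                RegistryKey     = $key.Name
            }
        }
    }
}

# List everything, or narrow to the product named in the thread.
Get-UninstallEntry -NameLike '*systemcare*' | Format-List
```

An entry with no `Publisher` or a subkey name in place of a display name is worth a closer look before its uninstall string is pasted into the Run box.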


 





Re: [H] restoring policy's ?

2007-10-02 Thread FP
some of these I had, the combofix did not. got my permissions bad. So far so 
good, looks like it might fly. Still had a persistent ( internet speed control 
) or something to that effect. superspyware remover seems so far to have got 
that.  I may still install my webroot sw and do another scan. running more av 
scans. gpedit is still defunct but no biggy.

thanks
fred
  - Original Message - 
  From: Tharin Olsen 
  To: The Hardware List 
  Sent: Tuesday, October 02, 2007 12:57 PM
  Subject: Re: [H] restoring policy's ?


  Download any of the tools below. I think the first two, SDFix and ComboFix, 
are the most recent. Essentially they are self-extracting archives with batch 
scripts that will reset the changed policy settings, scan for various trojans 
and malware, then give you a final report when it's over. If you understand what 
details the report has it can clue you in on whether there is more material 
that needs to be dealt with. Run them while in safe mode.

  SDFix
  http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

  ComboFix
  http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  SmitFraudFix
  http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

  SmitRem
  http://noahdfear.geekstogo.com/

  If it's reeeaally messed up I'd recommend pulling the drive and scanning it 
with a good computer with hopefully several antivirus tools i.e. AntiVir, AVG, 
Avast, Panda, etc. And also sweep the drive with more than one Malware scanner 
like Ad-aware, Spybot Search & Destroy, AVG AntiSpyware, or Webroot. Then 
re-run one of the tools I posted the links for. If those steps don't take care 
of it it may be better to just format and start over.

  -Tharin O.

  FORC5 [EMAIL PROTECTED] wrote:
Have a REALLY screwed up one. Spyware or something has basically locked out 
everything. While I did get the control panel back none of the applets run. 
gpedit.msc says file not found.

can not manage users. Was able to fix this a little and it is better but 
some of this needs to be restored. I suspect a whole system restore is needed 
to be honest but I always respect a challenge. :-D

Any suggestions will be helpful. ( or tools )
fp

-- 
Tallyho ! ]:8)
Taglines below !
--
Nobody home but the lights, and they're out too.





Re: [H] restoring policy's ?

2007-10-02 Thread Tharin Olsen
In the last couple of weeks I've serviced several machines that had an 
internet speed monitor spyware installed; file names were something like 
issm.exe. The files were in a subfolder of %ProgramFiles%. Of course this 
malware never seems to travel alone. It generally starts off with some sort of 
trojan that downloads more material into the computer and it only gets hairier 
from there. Additions to the Run keys in the registry are a given, along with 
addons to Internet Explorer's list of browser helper objects and toolbars.

My kit of goodies for eliminating infections from computers consists of the 
following:

Autoruns (use this instead of msconfig.exe)
http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx

HijackThis (conveniently displays reg entries that pertain to IE and startup 
apps)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

EZPCFix (displays various settings of registry, can purge temp directories, 
etc.)
http://www.ezpcfix.net/

LSPFix (manage your Layered Service Providers. eliminate NewDotNet, 3rd party 
firewall, etc)
http://cexx.org/lspfix.htm

WinsockXPFix by Option^Explicit (repairs/rebuilds winsock settings in 
Win9x,2K,XP)
no official site I'm aware of, available on various file mirrors, Google is your 
friend

plus everything I mentioned previously (SmitRem, SDFix, AVG, Ad-aware, etc.)

I would highly recommend you roll your own copy of the Ultimate Boot CD 4 
Windows. It's a customized Bart PE bootable CD with just about every 
maintenance tool a techie would need, including most of the ones I've 
mentioned. Be sure you update the definitions for the virus scanners before 
creating the disc. You can use this cd to boot into a clean Windows environment 
that is loaded into the system memory. Go to http://www.ubcd4win.net for more 
info and the download links.

Right now the trickiest things for me to find on my own are the malware that 
are installing themselves as drivers in the Services area of the registry. 
These entries won't be detected by the likes of HijackThis. This is where SDFix 
and Combofix have been saving my bacon.


I always do a manual analysis of the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   ..\RunOnce
   ..\runservices
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   ..\RunOnce
   ..\RunEx\
   ..\runservices
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


When hunting for infected files I find that they tend to be in these folders:

%systemdrive%
%systemroot%
%systemroot%\system32
%systemroot%\system32\drivers
%temp%
%programfiles%

A good way to identify them is when the file has a modified/creation date that 
is very recent. The exe and dll files often lack a version tab when you check 
the file properties.

Files that can't be deleted because they are already active can sometimes be 
removed after you disable the Read & Execute attribute in the security 
permissions on the file. This only works on NTFS partitions.

If you are ultimately successful in disabling the autostart of the malware then 
you can rely on the use of multiple AV and Malware scanners to handle any 
residue you couldn't find on your own. Good luck.

-Tharin O.

FP [EMAIL PROTECTED] wrote: some of these I had, the combofix did not. 
got my permissions bad. So far so good, looks like it might fly. Still had a 
persistent ( internet speed control ) or something to that effect. 
superspyware remover seems so far to have got that.  I may still install my 
webroot sw and do another scan. running more av scans. gpedit is still defunct 
but no biggy.
  
 thanks
 fred
- Original Message - 
   From: Tharin Olsen
   To: The Hardware List 
   Sent: Tuesday, October 02, 2007 12:57 PM
   Subject: Re: [H] restoring policy's ?
   

Download any of the tools below. I think the first two, SDFix and ComboFix, 
are the most recent. Essentially they are self-extracting archives with 
batch scripts that will reset the changed policy settings, scan for various 
trojans and malware, then give you a final report when it's over. If you 
understand what details the report has it can clue you in on whether there 
is more material that needs to be dealt with. Run them while in safe mode.

SDFix
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

SmitFraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

SmitRem
http://noahdfear.geekstogo.com/

If it's reeeaally messed up I'd recommend pulling the drive and scanning it 
with a good computer with hopefully several antivirus tools i.e. AntiVir, 
AVG, Avast, Panda, etc. And also sweep the drive with more than one Malware 
scanner like Ad-aware, Spybot Search & Destroy, AVG AntiSpyware, or Webroot. 
Then re-run one of the tools I posted the links for. If those steps don't 
take care of it it may be better to just format and start over
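
The manual checks Tharin lists in the message above (the Run keys, Winlogon, and recently created executables with no version information), as an added PowerShell example that is not part of the original thread. It only lists and changes nothing. The function names, the 30-day window, reading `..\RunEx\` as `RunOnceEx`, and checking the `Shell` and `Userinit` values under Winlogon are assumptions of this example.

```powershell
# Added example (not from the thread): read-only triage of the autostart
# keys and folders named in the post. Nothing is deleted or modified.

function Get-AutostartEntry {
    $base = 'Software\Microsoft\Windows\CurrentVersion'
    # The post writes "..\RunEx\"; RunOnceEx is assumed to be the key meant.
    $paths = foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($leaf in 'Run', 'RunOnce', 'RunOnceEx', 'RunServices') {
            "$hive\$base\$leaf"
        }
    }
    foreach ($path in $paths) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }          # key absent on this system
        foreach ($name in $key.GetValueNames()) {
            [PSCustomObject]@{ Key = $path; Name = $name; Command = $key.GetValue($name) }
        }
    }

    # Winlogon: Shell and Userinit decide what starts at logon (assumed to
    # be the values of interest; the post names only the key).
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-Item -LiteralPath $winlogon -ErrorAction SilentlyContinue
    if ($wl) {
        foreach ($name in 'Shell', 'Userinit') {
            [PSCustomObject]@{ Key = $winlogon; Name = $name; Command = $wl.GetValue($name) }
        }
    }
}

function Get-RecentBinary {
    param([int]$Days = 30)                   # "very recent" window, assumed
    $cutoff = (Get-Date).AddDays(-$Days)

    # Folders from the post; only %temp% and %programfiles% are walked
    # recursively, since the post mentions subfolders of %ProgramFiles%.
    $folders = @(
        @{ Path = "$env:SystemDrive\";               Recurse = $false },
        @{ Path = $env:SystemRoot;                    Recurse = $false },
        @{ Path = "$env:SystemRoot\system32";         Recurse = $false },
        @{ Path = "$env:SystemRoot\system32\drivers"; Recurse = $false },
        @{ Path = $env:TEMP;                          Recurse = $true  },
        @{ Path = $env:ProgramFiles;                  Recurse = $true  }
    )

    foreach ($f in $folders) {
        Get-ChildItem -LiteralPath $f.Path -File -Force -Recurse:($f.Recurse) `
                      -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Extension -in '.exe', '.dll', '.sys') -and
                (($_.CreationTime -gt $cutoff) -or ($_.LastWriteTime -gt $cutoff))
            } |
            ForEach-Object {
                [PSCustomObject]@{
                    Path          = $_.FullName
                    Created       = $_.CreationTime
                    Modified      = $_.LastWriteTime
                    # True when the file carries no version resource, i.e.
                    # no "Version" tab in its properties dialog.
                    NoVersionInfo = [string]::IsNullOrWhiteSpace($_.VersionInfo.FileVersion)
                }
            }
    }
}

Get-AutostartEntry | Format-Table -AutoSize -Wrap
Get-RecentBinary -Days 30 | Sort-Object NoVersionInfo -Descending | Format-Table -AutoSize
```

Run from a known-clean environment such as the boot CD discussed in the thread, the environment variables point at the boot environment rather than the suspect disk, so the paths need adjusting to the mounted drive letter.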