its_my_dime
This was a real problem to clean up because it kept reinfecting itself and
it consists of more than a dozen different files and registry entries plus
some assorted popups.
Some hints (and I'm not a techie, so pardon the level of this discussion):
The bad stuff is all in the Windows/System32 file and in the registry.
The various *.exe files (ishost, ismini, isnotify etc.) need to be deleted
manually in safe mode.
A group of *.dll files that keep changing names seem to carry the Trojans
and keep restoring them to the computer. These dll's can be identified by
sorting system32 by date; they are the most recent. Some can be easily
deleted; some cannot.
There are also a few files that write stuff to the registry (again, most
recent) but keep coming back.
Two programs: drweb-cureit and vundofix were able to delete the dll files
after reboot. Process Explorer (from Windows) (right click on explorer - go
to threads) can kill some of the active dll's and allow deletion.
I ran Spybot many times because it was helpful in finding some of the bad
files and registry entries that kept returning. Searching the registry for
bar888 found a bunch more. I used several other virus scanning programs
as well. smitfraudfix and smitrem may have been helpful; I ran them both
but am not sure what they did. The HijackThis log also showed some files to
be deleted that would not otherwise have been obvious.
Symantec's web site gave TWO registry deletions for the returning and ever
present and mssmgr.
You probably need to turn off restore points. I tried restoring the system
and it didn't work anyway.
Based on something I read, I put a clean copy of wininit.exe into system32.
There was a time that the computer would only boot in safe mode.
This was really a process of reducing the number of bad things almost one at
a time until the computer began to function again. At the end, it took
Defender and NAV about four passes each to get rid of the final pop-ups and
smaller issues.
Fortunately, I have a laptop and wireless network so that the various AV and
other files could be downloaded and moved (safe mode with networking) to the
infected computer.
In summary: unless you really know what you are doing (I don't), it will
take the better part of a day; lots of web research (Google); many
downloads, scans and reboots; and a lot of frustration to get rid of this
thing.
I appreciate everybody's help and feedback.
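The three manual steps in the post above (sort System32 by date to find the newest DLLs, search the registry for the "bar888" marker, and find which process is holding a DLL open so it can be killed before deletion) can be scripted so they are repeatable between reboots. The following is an added example written for this page, not code from the poster or from any of the tools named in the thread. It is report-only: it lists suspects and never deletes anything. The 7-day window, the 'bar888' marker and the list of registry hives searched are assumptions chosen for illustration; run it from an elevated PowerShell prompt (safe mode with networking works).

```powershell
# Added example: read-only triage helpers for the manual steps described above.
# Assumptions: -Days 7, the 'bar888' marker and the hive list are illustrative only.

function Get-RecentSystem32Files {
    # Mirrors "sort System32 by date": newest executables first, with signature status.
    param(
        [int]$Days = 7,
        [string]$Path = "$env:SystemRoot\System32"
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff -and $_.Extension -in '.dll', '.exe', '.sys' } |
        ForEach-Object {
            # An unsigned binary in System32 deserves a closer look; a valid
            # Microsoft signature lowers suspicion but is not proof of innocence.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name          = $_.Name
                LastWriteTime = $_.LastWriteTime
                SizeKB        = [math]::Round($_.Length / 1KB, 1)
                Signature     = $sig.Status
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        Sort-Object LastWriteTime -Descending
}

function Find-RegistryMarker {
    # Mirrors "search the registry for bar888": matches key paths, value names and value data.
    param(
        [Parameter(Mandatory)] [string]$Marker,
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\Software',
                             'HKLM:\SYSTEM\CurrentControlSet\Services')
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_
                if ($key.Name -like "*$Marker*") {
                    [pscustomobject]@{ Key = $key.Name; ValueName = ''; Data = '' }
                }
                foreach ($vn in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($vn)
                    if ($vn -like "*$Marker*" -or $data -like "*$Marker*") {
                        [pscustomobject]@{ Key = $key.Name; ValueName = $vn; Data = $data }
                    }
                }
            }
    }
}

function Get-ProcessesLoadingModule {
    # Mirrors the Process Explorer step: which processes have this DLL loaded
    # (and therefore hold it open so it cannot be deleted).
    param([Parameter(Mandatory)] [string]$ModuleName)
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }) {
                [pscustomobject]@{ ProcessName = $p.ProcessName; Id = $p.Id }
            }
        } catch { }   # protected/system processes deny module enumeration; skip them
    }
}

# Usage (report only; nothing is modified):
Get-RecentSystem32Files -Days 7 | Format-Table -AutoSize
Find-RegistryMarker -Marker 'bar888' | Format-Table -AutoSize
Get-ProcessesLoadingModule -ModuleName 'ishost.exe' | Format-Table -AutoSize
```

Because the infection described re-creates its files after reboot, the useful habit is to run the first two functions before and after each reboot and diff the output: a DLL that is new again after a clean pass points at the loader still on disk or in the registry, which is what the repeated Spybot and HijackThis runs in the post were finding by hand.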