TechSpot

I'm slowly dying, Isnotify, win??.tmp.exe, and others

By rjenkins
Sep 6, 2006
  1. I saw a similar post and ran the recommended tools: smitfraud, virtumundo, vundofix, look2me, as well as trojan hunter, adaware, spybot, AVG and a slew of others.

    They always find things to clean and they always come back. Mostly I get win???.tmp.exe and Pakes.U and Generic.WUE. I also get Isnotify, Issearch etc.

    They are getting more and more aggressive. After trying to run virtumundo my system crashed and I could no longer start in Safe Mode. Please help, and thanks in advance!
     
  2. howard_hopkinso


    Hello and welcome to Techspot.

    Go HERE and follow the instructions exactly.

    Post fresh HJT and Ewido logs into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of rjenkins only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. rjenkins


    Thanks for replying! I ran the tools & uploaded the new hijack and ewido report. I did have a problem with the 2nd tool, virtumundo. When I ran it my system locked up. I did a hard boot into safe mode. However I couldn't get my desktop or any windows functions to load. I was able to run of the suggested tools out of the Task Manager window though (except virtumundo). Here's what I got!

    So am I hopeless?
     
  4. howard_hopkinso


    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Delete the files in Ewido quarantine.

    Go to Add/Remove Programs in your control panel and uninstall anything to do with the following (if there).

    Viewpoint\Viewpoint Manager
    Symantec\LiveUpdate

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Automatic LiveUpdate Scheduler
    LiveUpdate

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    ALCXMNTR.EXE
    ViewMgr.exe
    ALUSchedulerSvc.exe
    LUCOMS~1.EX

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB

    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab

    O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://vpn.wpi.edu/nortel_cacheable/NetDirect.cab

    O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://vpn.wpi.edu/nortel_cacheable/iewiper.cab

    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab

    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\Symantec

    ALCXMNTR.EXE search your system for this file and delete all instances of it.

    C:\Program Files\Viewpoint

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Rename the HijackThis.exe file to HijackThis1991.exe. Run a fresh scan with HJT and post the log please. This is because new malware is hiding from HijackThis.exe, but not from Hijackthis1991.exe.

    Regards Howard :)

    This thread is for the use of rjenkins only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. rjenkins


    All as instructed. New Hijack post after saving as hijackthis1991
     
  6. howard_hopkinso


    That's better, now the nasties are revealed.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: (no name) - {69883F62-7202-4405-ABFF-6C7683730386} - C:\WINDOWS\system32\ddcya.dll

    O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)

    O2 - BHO: MSEvents Object - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\urqpmki.dll (file missing)

    O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll

    O20 - Winlogon Notify: winyvo32 - C:\WINDOWS\SYSTEM32\winyvo32.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the Delete File on Reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

    These are the file paths you need to enter into Killbox.

    C:\WINDOWS\SYSTEM32\winyvo32.dll

    C:\WINDOWS\system32\ddcya.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of rjenkins only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
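The entries ticked in posts #4 and #6 share a few tells that can be checked mechanically: registrations whose file is already gone ("(no file)", "(file missing)"), BHOs with no name, a Run entry that is a bare filename resolved by path search, and Winlogon Notify packages that are not the handful Windows ships. The script below is an added example, not part of the thread and not HijackThis code. It parses the O2, O4, O18, O20 and O23 line formats HJT prints and applies those checks. The sample log is constructed from the lines quoted in the two posts above plus one invented stock Winlogon Notify line (crypt32chain), and the allowlist of stock notify DLLs is an assumption to be rebuilt from a known-clean machine of the same build.

```python
"""Triage a HijackThis (HJT) log for the persistence points seen in this thread.

Added example: not part of the original posts, not HijackThis code. It parses the
O2 (BHO), O4 (Run key), O18 (MIME filter), O20 (Winlogon Notify) and O23 (service)
line formats HJT prints and flags what the thread's moderator ticked by hand.
"""
import os
import re
from dataclasses import dataclass, field

MISSING_MARKERS = ("(file missing)", "(no file)")

# Assumption: stock Windows XP SP2 Winlogon Notify packages. Rebuild from a clean box.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}

# Constructed sample: HJT lines quoted in posts #4 and #6, plus one invented stock
# O20 line (crypt32chain) to show that allowlisted packages are left alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {69883F62-7202-4405-ABFF-6C7683730386} - C:\WINDOWS\system32\ddcya.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: MSEvents Object - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\urqpmki.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll
O20 - Winlogon Notify: winyvo32 - C:\WINDOWS\SYSTEM32\winyvo32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
SECTION_RES = {
    "O2":  re.compile(r"BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)"),
    "O4":  re.compile(r"(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<path>.*)"),
    "O18": re.compile(r"Filter: (?P<name>\S+) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)"),
    "O20": re.compile(r"Winlogon Notify: (?P<name>\S+) - (?P<path>.*)"),
    "O23": re.compile(r"Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)"),
}


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def file_missing(self) -> bool:
        # HJT appends the marker to the path when the registered file is gone.
        return self.path.endswith(MISSING_MARKERS)


def parse_line(line: str):
    """Parse one HJT line into a Finding, or None for sections we do not triage."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("section") not in SECTION_RES:
        return None
    fields = SECTION_RES[m.group("section")].match(m.group("rest"))
    if not fields:
        return None
    d = fields.groupdict()
    return Finding(m.group("section"), d.get("name") or "", d["path"].strip())


def assess(f: Finding) -> Finding:
    """Attach a reason for every tell the entry shows."""
    if f.file_missing:
        f.reasons.append("target file gone: dead registration, tick it in HJT")
    if f.section == "O2" and f.name == "(no name)":
        f.reasons.append("unnamed BHO")
    if f.section == "O4" and "\\" not in f.path:
        f.reasons.append("bare filename in Run key, resolved via PATH search")
    if f.section == "O20":
        dll = os.path.basename(f.path.replace("\\", "/")).lower()
        if dll not in STOCK_NOTIFY_DLLS:
            f.reasons.append("Winlogon Notify package not in stock allowlist")
    return f


def triage(log_text: str):
    """Return only the parsed entries that have at least one reason to look at."""
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and assess(f).reasons:
            out.append(f)
    return out


def dlls_still_on_disk(findings):
    """Hooked DLLs HJT reports as present: an HJT fix will not remove these while
    they are loaded, so they are the delete-on-reboot (Killbox/VundoFix) candidates."""
    seen, out = set(), []
    for f in findings:
        if f.section in ("O2", "O20") and not f.file_missing and f.path.lower() not in seen:
            seen.add(f.path.lower())
            out.append(f.path)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4}{f.name:<20}{f.path}\n      {'; '.join(f.reasons)}")
    print("delete-on-reboot candidates:", dlls_still_on_disk(found))
```

On the sample the script flags eight entries and lists ddcya.dll and winyvo32.dll as the two files still on disk, which is exactly the pair the thread ends up feeding to Killbox. The O20 check is the one that matters most here: a Winlogon Notify DLL is loaded by winlogon.exe at logon, so it is present in every session, safe mode included, before any cleanup tool gets a chance to run.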
     
  7. rjenkins


    No joy with getting rid of the ddcya.dll file. After fixing with Hijack it kept coming back (I was in Safe Mode). Using Killbox I got this message:
    "PendingFileRemovalOperations Registry Data has been removed by External Process!" When trying to delete manually it said something was running which prevented me access to it.
     
  8. howard_hopkinso


    Download and run this tool. Follow the instructions for using the tool.

    Tool1

    Post a fresh HJT log after doing the above.

    Regards Howard :)
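The Killbox message in post #7 explains why its delete-on-reboot route failed. Delete-on-reboot tools call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (Killbox's message names that value with a typo); the Session Manager applies the list at the next boot, before any user-mode DLL is loaded. Anything running with write access to HKLM can simply clear the value again before the reboot, which is what Killbox noticed. The code below is an added example, not from the thread or from Pocket Killbox: it encodes and decodes that value's pair-of-strings format and checks whether a given delete request is still queued, so the check can be repeated right before rebooting. The two queued paths are the DLLs from post #6; the tampered case is modelled by an emptied list. The live registry read is Windows-only and uses the standard winreg module; everything else runs anywhere.

```python
r"""How a "delete on reboot" request is recorded, and how to check it is still queued.

Added example, not code from the thread or from Pocket Killbox.
PendingFileRenameOperations is a flat REG_MULTI_SZ list of string pairs:
source path in NT form ("\??\C:\...") followed by the target, where an empty
target means delete and a leading "!" on the target means replace an existing file.
"""
import sys

NT_PREFIX = "\\??\\"
KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def _to_nt(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _from_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_ops(ops):
    """ops: iterable of (source, target, replace_existing); target None means delete."""
    strings = []
    for src, dst, replace in ops:
        strings.append(_to_nt(src))
        if dst is None:
            strings.append("")
        else:
            strings.append(("!" if replace else "") + _to_nt(dst))
    return strings


def decode_ops(strings):
    """Inverse of encode_ops; rejects a list that is not made of pairs."""
    if len(strings) % 2:
        raise ValueError("odd number of strings: value is corrupt")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append((_from_nt(src), None, False))
        else:
            ops.append((_from_nt(src), _from_nt(dst.lstrip("!")), dst.startswith("!")))
    return ops


def delete_is_queued(strings, path: str) -> bool:
    """True if a delete request for path (case-insensitive) is in the list."""
    return any(dst is None and src.lower() == path.lower() for src, dst, _ in decode_ops(strings))


def check_before_reboot(strings, expected_paths):
    """Return the paths whose delete request is no longer queued (empty = all good)."""
    return [p for p in expected_paths if not delete_is_queued(strings, p)]


def read_pending_ops():
    """Read the live value; Windows only. Returns [] when the value is absent."""
    if sys.platform != "win32":
        raise OSError("PendingFileRenameOperations lives in the Windows registry")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        try:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    return list(value)


# Constructed scenario: the two DLLs from post #6 queued for deletion.
TARGETS = [r"C:\WINDOWS\SYSTEM32\winyvo32.dll", r"C:\WINDOWS\system32\ddcya.dll"]
QUEUED = encode_ops([(p, None, False) for p in TARGETS])

if __name__ == "__main__":
    print("queued value:", QUEUED)
    print("lost before reboot (untouched):", check_before_reboot(QUEUED, TARGETS))
    # Modelled tampering: the value was wiped by another process, as in post #7.
    print("lost before reboot (wiped):    ", check_before_reboot([], TARGETS))
```

On a live box, `check_before_reboot(read_pending_ops(), TARGETS)` returning a non-empty list right before you reboot means the delete was undone and the reboot will not help; that is the situation the thread ran into, and it is why the next step moved to a tool that re-launches itself early in the boot sequence, before the hooked DLL is loaded, rather than relying on the queued-delete value surviving.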
     
  9. rjenkins


    I ran it but it said it didn't find anything.
     
  10. howard_hopkinso


    This is one hell of a stubborn bugger.

    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task.
    You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    In case it says that nothing has been found, right click the list box (white box) in the main VundoFix window.
    Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window.
    In the window, copy and paste the following into the first field: C:\WINDOWS\system32\ddcya.dll
    Click the “Add Files” button.
    Click the "Close Window" button.
    Click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.

    See if that helps.

    Post a fresh HJT log after doing the above.

    Regards Howard :)

    This thread is for the use of rjenkins only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. rjenkins


    Man, I feel bad making you work this hard but believe me when I say thanks. I don't have an option to run as a task. Only a scan and remove button. (the Look2me tool however has this box available)
     
  12. rjenkins


    Oh wait, I ran it again & it found it plus many of his friends. I'll try to get rid of 'em and post a new log.
     
  13. howard_hopkinso


    It's obviously a new version of Vundofix. Do the following.

    Run vundofix and right click in the window, select add more files.

    Copy and paste this into the top window box.

    C:\WINDOWS\system32\ddcya.dll

    Click the add files button. Click the close window button and click the remove vundo button.

    See if that helps. If not, repeat the above, but after you've closed the window, click the scan for vundo button.

    Post a fresh HJT log.

    Regards Howard :)

    EDIT: Just seen your last post.

    I look forward to seeing your fresh HJT log.

    This thread is for the use of rjenkins only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. rjenkins


    OK, before I get giddy: it found it, rebooted and reran before anything was able to load. It found it again & this time was able to remove it. I ran a new hijack and saw it there, but this time it said "file missing". So I fixed it, ran hijack again & this is my post.
     
  15. howard_hopkinso


    That`s excellent news.

    Your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of rjenkins only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. rjenkins


    Dude, you're my hero. Who do I write to to recommend you for a raise? Seriously, thanks for the rapid replies. I was expecting to have to wait days between posts. This was an enjoyable recovery!

    Randy
     
Topic Status:
Not open for further replies.
