TechSpot

ishost.exe & ismon.exe

By Irish1980
Aug 29, 2006
  1. Hi all,

    Long-time reader, first-time poster :eek:...

    I was stupid enough to run an untrusted *.exe and now am suffering the consequences.

    I am posting from my computer; it was on my wife's computer that I ran the *.exe, and now I have a mess.

    I am running NAV2005 (I know... need to change) and it is going spastic trying to stop attacks.

    I have downloaded HJT, and am ready to post as required.

    Please help, because I am terrified of these freaky-deaky viruses and want to get it sorted.

    Cheers :D
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Download and run these four tools, following the instructions for using each tool.

    Tool1 Tool2 Tool3 Tool4


    Download and install Ewido http://www.ewido.net/en/download/
    Double-click the Ewido icon on your desktop to run it.

    On the top of the main screen click Shield. Click the word active to change it to inactive.

    On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
    If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-signatures-full-current.exe
    When you have finished updating, exit Ewido.

    Make sure all windows are closed. Run Ewido.
    Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
    When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
    Then click 'Apply all actions'.
    Once finished, click the 'Save report' button. Then click 'Save Report As' and save it to your desktop.

    Reboot into normal mode and turn system restore back on.

    Post the Ewido report and a fresh HJT log as attachments. See HERE for HJT instructions.

    Regards Howard :wave: :wave:

    This thread is for the use of Irish1980 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Irish1980

    Irish1980 TS Rookie Topic Starter

    Howard,

    Thank you for your speedy response.

    I have come a cropper at the first jump...

    I am running Tool 1, no problem; however, 'Notepad' seems to be missing from the PC in question. Is it possible to redirect to 'Wordpad', or do I need to try and source a 'Notepad' install?

    Thanking you in advance.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Click Start/Run, type notepad.exe and hit the Enter key.

    See if Notepad pops up.

    If that doesn't work, then by all means use WordPad.

    Regards Howard :)
     
  5. Irish1980

    Irish1980 TS Rookie Topic Starter

    Never mind...

    I was able to steal/borrow notepad.exe from my machine and placed it in c:/windows/...

    All is OK.

    Proceeding with tools 1-4.


    Thanks again.
     
  6. Irish1980

    Irish1980 TS Rookie Topic Starter

    Howard,

    I have worked through tools 1 and 2, no worries... and it seems that the ishost.exe & ismon.exe processes have stopped (at this stage).

    I am posting this because I am trying to get to steps 3 and 4, but www.atribune.org is not responding?

    Are you experiencing any issues with those links at your end?

    Regards,
    Irish
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All the links are working fine for me.

    Regards Howard :)
     
  8. Irish1980

    Irish1980 TS Rookie Topic Starter

    After I walked away in disgust... and came back after 5 mins... the page had finally loaded. Must be slow server response or something?

    So I guess all this is wasting your time. I will persevere some more with the steps outlined above... and hopefully just repost with a result.


    Cheers.
     
  9. Irish1980

    Irish1980 TS Rookie Topic Starter

    Howard,

    Sorry, ran out of time last night (Aussie time of course)...

    Here are the reports.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html


    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

    O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

    O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

    O20 - Winlogon Notify: winwim32 - C:\WINDOWS\SYSTEM32\winwim32.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the 'Delete file on reboot' button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winwim32.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of Irish1980 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
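The "delete file on reboot" step above relies on Windows deferring the deletion until the next boot. The page does not show how Killbox implements it; this added Python example (not part of the thread or of Killbox) assumes the standard mechanism, the `PendingFileRenameOperations` REG_MULTI_SZ value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, which smss.exe processes at boot as source/destination pairs, an empty destination meaning "delete". The file names other than winwim32.dll are constructed for illustration. The encoder and decoder work on the raw value bytes so that the empty-string entries survive.

```python
from typing import List, Tuple

# Registry location that Session Manager (smss.exe) processes at boot.
# Assumed here to be what "delete file on reboot" uses; Killbox's own
# source is not shown on the page.
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"   # a Win32 path C:\x is stored as \??\C:\x


def to_nt_path(win_path: str) -> str:
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def delete_on_reboot_pair(win_path: str) -> Tuple[str, str]:
    """Source followed by an empty destination means 'delete at boot'."""
    return (to_nt_path(win_path), "")


def rename_on_reboot_pair(src: str, dst: str) -> Tuple[str, str]:
    """Source followed by a destination means 'move src over dst at boot'."""
    return (to_nt_path(src), to_nt_path(dst))


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ layout: UTF-16LE strings, each NUL-terminated, plus one extra NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(blob: bytes) -> List[str]:
    """Inverse of encode_multi_sz; keeps empty strings, which this value depends on."""
    if len(blob) < 2 or blob[-2:] != b"\x00\x00":
        raise ValueError("REG_MULTI_SZ must end with a list terminator")
    body = blob[:-2]                      # drop the list terminator
    if not body:
        return []
    if body[-2:] != b"\x00\x00":
        raise ValueError("last string is not NUL-terminated")
    return body[:-2].decode("utf-16-le").split("\x00")


def pending_operations(values: List[str]) -> List[Tuple[str, str]]:
    """Group the flat string list into (source, destination) pairs."""
    if len(values) % 2:
        raise ValueError("value must hold source/destination pairs")
    return [(values[i], values[i + 1]) for i in range(0, len(values), 2)]


def pending_deletes(values: List[str]) -> List[str]:
    return [src for src, dst in pending_operations(values) if dst == ""]


def pending_replacements(values: List[str]) -> List[Tuple[str, str]]:
    return [(src, dst) for src, dst in pending_operations(values) if dst != ""]


if __name__ == "__main__":
    # Constructed sample: the DLL from this post queued for deletion, plus a
    # hypothetical file replacement (the same value can swap a system file at boot,
    # which is why incident responders check it).
    queued = [
        *delete_on_reboot_pair(r"C:\WINDOWS\SYSTEM32\winwim32.dll"),
        *rename_on_reboot_pair(r"C:\temp\staged.dll", r"C:\WINDOWS\SYSTEM32\target.dll"),
    ]
    blob = encode_multi_sz(queued)
    for src, dst in pending_operations(decode_multi_sz(blob)):
        print("DELETE  " + src if dst == "" else f"REPLACE {dst} <- {src}")
```

Working on the raw bytes rather than a string list is deliberate: registry wrappers that split a REG_MULTI_SZ on NUL commonly treat the first empty string as the end of the list, which would silently truncate this value at the first delete entry. The same decoder can be pointed at the value read from an offline SYSTEM hive during a forensic review.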
     
  11. Irish1980

    Irish1980 TS Rookie Topic Starter

    Howard,

    how do i know which file i am deleting?
    Which file should i delete?


    Irish :giddy:
     
  12. Irish1980

    Irish1980 TS Rookie Topic Starter

    Oh dear, I think I just answered my own question...


    The file path you have typed, "C:\Windows\syste...." etc.?
     
  13. Irish1980

    Irish1980 TS Rookie Topic Starter

    Here is the fresh HJT log.

    EDIT: BTW... I should add that the computer is running faster and NAV hasn't "yet" popped an alert.

    Further to this... after reading the posts on NAV... I am uninstalling it and installing AVG and Zone Alarm.


    Cheers mate,

    Thanks for all the help. I hope this is it :)
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix the following entries.

    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)

    O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)

    Click the fix checked button and close HJT.

    Other than the above, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Irish1980 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
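The HJT entries Howard picks out in posts 10 and 14 follow a fixed "Oxx - Kind: detail" line format, and the section code tells you which persistence mechanism an entry represents (O20 Winlogon Notify DLLs load into winlogon.exe, O4 entries run at every logon, "(file missing)" marks a dangling reference). This added Python example, not part of the thread or of HijackThis, parses that format and applies a few triage heuristics of my own choosing; the sample log is constructed from the entries quoted in posts 10 and 14 above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Meaning of the HijackThis section codes seen in this thread; the code is what
# decides how much scrutiny an entry deserves.
SECTION_MEANING = {
    "O2": "Browser Helper Object, loaded into every Internet Explorer process",
    "O4": "autostart entry (Run key or Startup folder), runs at every logon",
    "O8": "Internet Explorer context-menu extension",
    "O9": "Internet Explorer toolbar button / Tools menu item",
    "O20": "Winlogon Notify DLL, loaded into winlogon.exe (SYSTEM) at logon",
}

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str            # e.g. "O20"
    kind: str               # e.g. "Winlogon Notify"
    detail: str             # everything after "Kind: "
    clsid: Optional[str] = None
    path: Optional[str] = None
    file_missing: bool = False
    reasons: List[str] = field(default_factory=list)


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Parse one 'Oxx - Kind: detail' line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    entry = Entry(section, kind, detail)
    body = detail
    if body.endswith("(file missing)"):
        entry.file_missing = True
        body = body[: -len("(file missing)")].rstrip()
    g = GUID_RE.search(body)
    if g:
        entry.clsid = g.group(0).upper()
    # The target path is the last field; O4 uses " = ", the others " - ".
    # rpartition keeps paths that themselves contain " - " intact.
    for sep in (" = ", " - "):
        if sep in body:
            entry.path = body.rpartition(sep)[2].strip()
            break
    return entry


def triage(entry: Entry) -> Entry:
    """Attach review reasons (heuristics assumed for this example, not HJT's)."""
    if entry.file_missing:
        entry.reasons.append("orphaned: target file is gone, remove the dangling reference")
    if entry.section == "O20":
        entry.reasons.append("Winlogon Notify DLL runs as SYSTEM inside winlogon.exe; verify it")
    if entry.section == "O4":
        entry.reasons.append("runs at every logon; confirm the program is wanted")
    if entry.path and SYSTEM32_RE.search(entry.path) and entry.section in ("O2", "O20"):
        entry.reasons.append("bare DLL in system32 with no vendor folder; check signature and age")
    return entry


def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in map(parse_hjt_line, text.splitlines()) if e]


def needs_attention(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.reasons]


# Constructed sample: entries quoted in posts 10 and 14 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O20 - Winlogon Notify: winwim32 - C:\WINDOWS\SYSTEM32\winwim32.dll
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)
"""

if __name__ == "__main__":
    for e in needs_attention(triage_log(SAMPLE_LOG)):
        print(f"{e.section} {e.kind}: {e.path}  [{SECTION_MEANING[e.section]}]")
        for r in e.reasons:
            print("   -", r)
```

Run against the sample, the parser flags the O4 autostart, the orphaned MoneySide button and both winwim32 Winlogon Notify lines, and leaves the Encarta and Money Program Files entries alone; the heuristics are a starting point for review, not a verdict, which is why every flagged entry carries its reasons.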
     
  15. Irish1980

    Irish1980 TS Rookie Topic Starter

    All seems clean, thanks again.

    Irish :wave:
     
Topic Status:
Not open for further replies.
