ishost.exe & ismon.exe

Status
Not open for further replies.

Irish1980

Hi all,

Long time reader first time poster :eek:...

I was stoopid enough to run an untrusted *.exe and now am suffering the consequences.

I am posting from my computer, and it was on my wife's computer that I ran the *.exe and now have a mess.

I am running NAV2005 (I know... need to change) and it is going spastic trying to stop attacks.

I have downloaded HJT, and am ready to post as required.

Please help - because I am terrified of these freeky-deeky viruses and want to get it sorted.

Cheers :D
 
Hello and welcome to Techspot.

Download and run these four tools. Follow the instructions for using each tool.

Tool1 Tool2 Tool3 Tool4


Download and install Ewido http://www.ewido.net/en/download/
Double-click the Ewido icon on your desktop to run it.

On the top of the main screen click Shield. Click the word active to change it to inactive.

On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-signatures-full-current.exe
When you have finished updating, exit Ewido.

Make sure all windows are closed. Run Ewido.
Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
Then click 'Apply all actions'.
Once finished, click the 'Save report' button. Then click 'Save Report As' and save it to your desktop.

Reboot into normal mode and turn system restore back on.

Post the Ewido report and a fresh HJT log as attachments. See HERE for HJT instructions.

Regards Howard :wave: :wave:

This thread is for the use of Irish1980 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard,

Thank you for your speedy response.

I have come a cropper at the first jump...

I am running Tool 1, no problem - however 'Notepad' seems to be missing from the PC in question - is it possible to redirect to 'Wordpad' or do I need to try and source a 'Notepad' install?

Thanking you in advance.
 
Click start/run and type notepad.exe and hit the enter key.

See if notepad pops up.

If that doesn't work, then by all means use wordpad.

Regards Howard :)
 
Never mind...

I was able to steal/borrow notepad.exe from my machine and placed it in c:/windows/...

All is ok.

Proceeding with tools 1-4.


Thanks again.
 
Howard,

I have worked through tools 1 and 2, no worries... and it seems that the ishost.exe & ismon.exe processes have stopped (at this stage).

I am posting this because I am trying to get to steps 3 and 4, but www.atribune.org is not responding?

Are you experiencing any issues with those links at your end?

Regards,
Irish
 
After I walked away in disgust... and came back after 5 mins... the page had finally loaded - must be slow server response or something?

So I guess all this is wasting your time - I will persevere some more with the steps outlined above... and hopefully just repost with a result.


Cheers.
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html


Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O20 - Winlogon Notify: winwim32 - C:\WINDOWS\SYSTEM32\winwim32.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete. Only then allow it to reboot, and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winwim32.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

 
Here is the fresh HJT log.

EDIT: BTW... I should add that the computer is running faster and NAV hasn't "yet" popped an alert.

Further to this... after reading the posts on NAV... I am uninstalling it and installing AVG and Zone Alarm.


Cheers mate,

Thanks for all the help - I hope this is it :)
 
Have HJT fix the following entries.

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)

O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)

Click the fix checked button and close HJT.

Other than the above, your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

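An added example, not part of the thread and not HijackThis's own code: a Python parser for the HijackThis entry lines quoted in the posts above, flagging Winlogon Notify registrations and entries marked "(file missing)" so they stand out for review. The helper names `parse_line` and `triage` and the flag names are assumptions made for this example.

```python
import re

# HijackThis section codes that occur in this thread.
SECTIONS = {"O2": "Browser Helper Object", "O4": "startup entry",
            "O8": "IE context menu item", "O9": "IE button / Tools menu item",
            "O20": "AppInit_DLLs / Winlogon Notify"}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - ([^:]+): (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = " (file missing)"

def parse_line(line):
    """Parse one HJT log line; return None for anything that is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, kind, rest = m.groups()
    flags = []                                # hypothetical flag names
    if rest.endswith(MISSING):                # registration whose file is gone
        rest = rest[:-len(MISSING)]
        flags.append("orphaned")
    sep = " - " if " - " in rest else " = "   # O4 lines use "name = path"
    name, _, path = rest.rpartition(sep)
    clsid = CLSID_RE.search(name)
    if clsid:                                 # "name - {CLSID}" -> "name"
        name = name[:clsid.start()].rstrip(" -")
    if kind == "Winlogon Notify":             # DLL loaded by winlogon.exe
        flags.append("winlogon-notify")
    return {"code": code, "section": SECTIONS.get(code, "unknown"),
            "kind": kind, "name": name, "path": path,
            "clsid": clsid.group(0) if clsid else "", "flags": flags}

def triage(log_text):
    """Return only the entries that carry at least one review flag."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and e["flags"]]

# Lines quoted from the thread above.
SAMPLE = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O20 - Winlogon Notify: winwim32 - C:\WINDOWS\SYSTEM32\winwim32.dll
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["code"], e["name"], e["path"], e["flags"])
```

A flag marks an entry for a human to look at; it does not by itself say the file is malicious.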
 