TechSpot

ishost.exe & isnotify.exe - HJT log included

By zicon
Aug 7, 2006
  1. Hi

    I've had problems with ishost.exe, isnotify.exe and ismon.exe.

    I have looked at some of the threads on this site and have run the following programs:

    smitfraud fix
    virtumundobegone
    look2me destroyer
    cwshredder
    adaware
    spybot search & destroy

    I managed to get rid of everything on Thursday, but then all the spyware and adware came back again on Friday, so I think there is something that I am missing, but I am not sure what. Can you help please?

    I have run HJT and attached the log file that has been created.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Please install a firewall. The free Zonealarm or the free Kerio firewalls are both very good. You can get them HERE and HERE.

    Then, go HERE and follow the instructions exactly.

    Post a fresh HJT log into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of zicon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. zicon

    zicon TS Rookie Topic Starter

    Thanks, I have carried out the instructions in the threads you specified.

    I have attached my latest HJT log file.

    The problem I notice that is still there is a process running called update.exe.

    Also, Kerio firewall comes up with an intrusion attempt from winlogon.exe every now and then. I removed the values for winlogon using HJT (all the ones starting with O20) in safe mode, but when I restarted they had re-appeared.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

    Download and run this tool HERE. This is not the same Vundo removal tool that you've already used.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    msdtc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {3E292959-61A7-430D-B89C-3CC8E7099917} - (no file)

    O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - (no file)

    O2 - BHO: (no name) - {F4FC7C4E-B391-4801-9208-0B2E08CE5D7A} - (no file)

    O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\WNSXS~1\msdtc.exe" -vt yazr

    O17 - HKLM\System\CCS\Services\Tcpip\..\{8B2A4C3D-95C1-43B6-87A6-D3788A4843FC}: NameServer = 194.168.4.100,194.168.8.100 < Only fix this if it doesn't belong to your ISP.

    O20 - Winlogon Notify: awvtq - C:\WINDOWS\

    O20 - Winlogon Notify: jkkjg - C:\WINDOWS\

    O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\WNSXS~1

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox:

    C:\WINDOWS\SYSTEM32\winwea32.dll

    Once your system has rebooted, turn system restore back on.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of zicon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  5. zicon

    zicon TS Rookie Topic Starter

    The Vundo removal tool didn't find any files.

    msdtc.exe was not running as a process.

    I ran HJT as you stated:

    * I left O17, as the IP addresses are for my ISP
    * I ticked all the others for removal

    The directory C:\WINDOWS\system32\WNSXS~1 does not exist. However, there is a directory c:\windows\system32\WinSxS. Shall I delete this, or is this a legitimate directory?

    I then deleted the winwea32.dll file, rebooted and enabled system restore again. Some files keep re-appearing in windows\temp, and some of the entries I removed using HJT have re-appeared too. I have attached the new log file :)
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    If this looks like a repeat of my above instructions, it is, only with a few changes.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    msdtc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll

    O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\WNSXS~1\msdtc.exe" -vt yazr

    O20 - Winlogon Notify: awvtq - C:\WINDOWS\

    O20 - Winlogon Notify: jkkjg - C:\WINDOWS\

    O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    c:\windows\system32\WinSxS

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox:

    C:\WINDOWS\SYSTEM32\awvtq.dll
    C:\WINDOWS\SYSTEM32\jkkjg.dll

    Once your system has rebooted, turn system restore back on and post a fresh HJT log.

    Regards Howard :)
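The HJT entries Howard singles out in posts 4 and 6 follow a few recognisable patterns: orphaned O2 BHO registrations, an O4 Run entry hiding in a short-name folder (WNSXS~1, chosen to resemble the legitimate WinSxS) under a borrowed system binary name, O17 name servers that must be checked against the ISP, and O20 Winlogon Notify packages pointing at a bare directory or a missing DLL. The triage script below is an added example, not part of the thread or of HijackThis; the `DEFAULT_NOTIFY` allowlist is an assumed list of Windows XP defaults, the `SoundMan` Run line is a constructed benign entry, and every other sample line is quoted from the thread.

```python
import re

# Windows XP default Winlogon\Notify packages (assumption: XP defaults, not from the thread).
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                  "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# System32 binary names that malware likes to borrow (msdtc.exe, as in this thread).
SYSTEM32_BINARIES = {"msdtc.exe", "winlogon.exe", "svchost.exe", "lsass.exe"}
# Constructed sample: entries quoted in the thread plus one benign HKLM Run line.
SAMPLE_HJT_LOG = r"""O2 - BHO: (no name) - {3E292959-61A7-430D-B89C-3CC8E7099917} - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\WNSXS~1\msdtc.exe" -vt yazr
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: awvtq - C:\WINDOWS\
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B2A4C3D-95C1-43B6-87A6-D3788A4843FC}: NameServer = 194.168.4.100,194.168.8.100"""

def triage_hjt_line(line, isp_dns=()):
    """Return (severity, reason) for one HJT log line, or None if it looks ordinary."""
    line = line.strip()
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        return ("low", "orphaned BHO: CLSID registered but its file is gone")
    m = re.match(r'O4 - HK\w+\\\.\.\\Run: \[.+?\] "?([^"]+?)"?(?: .*)?$', line)
    if m:
        parent, _, exe = m.group(1).lower().rpartition("\\")
        if "~" in parent:  # WNSXS~1 is an 8.3 short name chosen to look like WinSxS
            return ("high", f"Run entry lives in a short-name folder: {parent}")
        if exe in SYSTEM32_BINARIES and not parent.endswith("\\system32"):
            return ("high", f"system binary name {exe} outside system32: {parent}")
    m = re.match(r"O17 - .*NameServer = ([\d.,]+)", line)
    if m:
        unknown = set(m.group(1).split(",")) - set(isp_dns)
        if unknown:  # Howard's rule: only fix O17 if the servers are not your ISP's
            return ("medium", "DNS servers not on the ISP list: " + ",".join(sorted(unknown)))
    m = re.match(r"O20 - Winlogon Notify: (\S+) - (.*)$", line)
    if m:
        name, target = m.groups()
        if target.endswith("\\") or "file missing" in target:
            return ("high", f"Winlogon Notify '{name}' points at no DLL ({target})")
        if name.lower() not in DEFAULT_NOTIFY:
            return ("medium", f"non-default Winlogon Notify package '{name}' -> {target}")
    return None

def triage_hjt_log(text, isp_dns=()):
    """Apply triage_hjt_line to every line; returns [(line, severity, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        hit = triage_hjt_line(raw, isp_dns)
        if hit:
            findings.append((raw.strip(), *hit))
    return findings
```

Pass the ISP's resolvers as `isp_dns` so a legitimate O17 entry, like zicon's, is not flagged; entries the heuristics do not recognise come back as None and still deserve a manual look.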
     