Ishost, ISsearch, Isnotify, Ismon

Status
Not open for further replies.

Dethgigas

Posts: 14   +0
God, I hate this. Another form of the damn toolbar888 which I had not too long ago.

Ok, it started out when I was shutting down my PC, then something attacked. I noticed these 4 things.

Please help me. My CPU is very slow, I would like to kill them all + that sys.com bull****. Please help me. I would like a fast response. I will be gone at 12:30PM, 1 hour from now. Please help me. I need proper instructions without downloading too many things. Is there a possible way I can regain my CPU from this *****?

P.S. I'm 14, but I'm having trouble. PLEASE HELP ME. My parents are pretty mad... lol

Ok, looks like I got more. I have DSL and it disconnects and encounters a problem automatically. Most of the time, every 15 - 20 minutes, the programs encounter a problem and close. This has happened for about 3 days now...

Another one is StaccatoSys. I see that Sys is also relevant to Ishost, Isnotify, ismon, and issearch. These things are driving me crazy, my computer is going abnormally slow. Please help.

One more thing. These generic.tmp files keep being found as trojans by my McAfee. Please help me.

Need help IMMEDIATELY because I need this CPU in 2 weeks. I hope to kill this crap in 3 days or less.

Thank You and God Bless,
Dethgigas
 
Hello and welcome to Techspot.

Download and run these four tools. Follow the instructions for using each tool carefully.

Tool1 Tool2 Tool3 Tool4

Then go and read this thread HERE.

Post a fresh HJT log as an attachment into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of Dethgigas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Do I need WinRAR for this? Because it tells me to extract and I can't... And I just did that thing to post a new one. And it said to close the window and it didn't do anything.
 
There is the one before the tools.

Alright, I went to extract... where do I extract to? It says um... Extract without confirmation. But when I do that, McAfee shows a trojan...

Tool1 won't work :(

[08/27/2006, 16:03:35] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\My Documents\My Downloads\VirtumundoBeGone.exe" )
[08/27/2006, 16:03:40] - Detected System Information:
[08/27/2006, 16:03:40] - Windows Version: 5.1.2600, Service Pack 2
[08/27/2006, 16:03:40] - Current Username: Owner (Admin)
[08/27/2006, 16:03:40] - Windows is in NORMAL mode.
[08/27/2006, 16:03:40] - Searching for Browser Helper Objects:
[08/27/2006, 16:03:40] - BHO 1: {873eb32d-ae1a-4183-89bd-45a77f761be4} ()
[08/27/2006, 16:03:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2006, 16:03:40] - No filename found. Continuing.
[08/27/2006, 16:03:40] - BHO 2: {E4B75DE6-A871-4C82-B2D7-C45EAFF7B008} ()
[08/27/2006, 16:03:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/27/2006, 16:03:40] - Checking for HKLM\...\Winlogon\Notify\pmnnn
[08/27/2006, 16:03:40] - Key not found: HKLM\...\Winlogon\Notify\pmnnn, continuing.
[08/27/2006, 16:03:40] - Finished Searching Browser Helper Objects
[08/27/2006, 16:03:40] - Finishing up...
[08/27/2006, 16:03:40] - Nothing found! Exiting...

That is from Tool#2
 
It's very important you run the tools in the order they are given.

You can extract them to your desktop if you like, or anywhere else you want.

Follow the instructions exactly for using all the tools, especially tool1.

Regards Howard :)
 
Howard - I did tool 2, 3, and 4. Look2Me already deleted the files and turned down my CPU. I followed what it said. It says to extract all files. But I can't for some reason. VundoFix V6.1.2 is running right now... Tool1 won't work for me mate. But I'll keep trying.

Also when I start my CPU, it says like... Hkafuh.exe in a black command box. It says it isn't compatible and to either close or ignore it. It happens every time.

Reply Soon,
Dethgigas
 
Wtf, I keep getting that a trojan has been detected and cleaned!

Now I can't do tool 1. I'll tell you why. I go into WinRAR, click the folder on it. I right click SmitFraud.Cmd, like it says to. It says things like... Extract to the specified folder. I press ok. After it is done, I double click it. A black window pops up and goes away after about a 5th of a second. Tool1 won't work for some reason. Please help.
 
I don't know why you're having trouble running tool1, but leave it for now and follow the rest of the instructions.

Post a fresh HJT log after that.

Regards Howard :)
 
Okie, here comes the new log.

I'm still getting trojans detected + cleaned. Is there any time in life that it won't happen? lol

It's Generic Downloader.be and a whole bunch of others.

And I tried again for Tool1. It says to extract all files. I did extract + yet I still get the damn black window instead of blue. It disappears in a 5th of a second. Any help is appreciated.
 
Your system is still infected with all kinds of crap.

Go HERE and follow all the instructions exactly.

Post a fresh HJT log, only after doing the above. You really need to find a way of running SmitFraudfix.

If you can't follow the instructions, maybe you should ask your mum or dad to do it for you.

Regards Howard :)
 
Ok, I'll use 3 of the 4 scanners. Or 4... lol

Anyhow, I appreciate the help Howard, sorry for taking up so much of your time. I'll post again with a fresh HJT log soon.
 
No problem. Just be aware that it might take you quite some time to follow the instructions.

I really want to help, but obviously I'm relying on you to follow the instructions properly.

Regards Howard :)

This thread is for the use of Dethgigas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thank you Howard,

I hope I can finish in around 4 hours. 2 scanners are completed: BitDefender + Trend Micro HouseCall. 2 more to run, then on to the next instruction.


Thank You,
Dethgigas
 
Alright, I've done everything you have asked. For some reason, I can't get rid of one of the Vundo trojans. It keeps infecting my files... Any help?
 
Download the Smitrem.exe from HERE. Follow the instructions exactly. This is not the same SmitFraud removal tool.

Then post a fresh HJT log.

Regards Howard :)
 
Here is the fresh one. But I can't seem to get rid of this damn Vundo trojan. It keeps infecting my files + McAfee is deleting them. Now, it says when I go to My Connections, it isn't firewalled anymore...
 
Alright, I gotta reboot in Safe Mode. Be back in about an hour I hope.

Alright, it worked. Now I'm back.

Here's my next logfile...

Also I'm running VundoFix V6.1.2 right now.
 
Your system is still riddled with nasties.

I'm going to try and manually get rid of the nasties. However, I can't guarantee it's going to work.

You must follow these instructions exactly.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

Network Monitor
ISTsvc
Rtpyll

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Network Monitor

Close the services window.


Open Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for the following (if there).

jpxnfns.exe
Tykyfj.exe
sbbvcyu.exe

istsvc.exe
sbbvcyu.exe
209khcmp.exe

wmdptsvc.exe
n3jpn0ej.exe
hkafuh.exe

wexatcha.exe
uqzum.exe
armgb.exe

f96dae2465682e73497dad5c8bf230ac_35.exe
netmon.exe
winfix.chm


Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

F2 - REG:system.ini: Shell=Explorer.exe,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jpxnfns.exe

O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)

O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)

O4 - HKLM\..\Run: [Mjxmme] C:\Program Files\Rtpyll\Tykyfj.exe

O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sbbvcyu.exe

O4 - HKLM\..\Run: [209khcmp] C:\WINDOWS\system32\209khcmp.exe

O4 - HKLM\..\Run: [43sO33U] wmdptsvc.exe

O4 - HKLM\..\Run: [n3jpn0ej] C:\WINDOWS\system32\n3jpn0ej.exe

O4 - HKLM\..\Run: [hcewuf] "C:\WINDOWS\system32\hkafuh.exe" reg_run

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [L03ERTYtQ] wexatcha.exe

O4 - HKCU\..\Run: [uqzu] C:\PROGRA~1\COMMON~1\uqzu\uqzum.exe

O4 - HKCU\..\Run: [dylxv] "C:\WINDOWS\system32\hkafuh.exe" reg_run

O4 - Global Startup: armgb.exe

O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/f96dae2465682e73497dad5c8bf230ac_35.exe

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab

O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/databases/actimage40803.cab

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Filter: text/html - (no CLSID) - (no file)

O20 - AppInit_DLLs:

O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)

O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\Network Monitor
C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm
C:\WINDOWS\system32\userinit.exe,jpxnfns.exe

C:\Program Files\Rtpyll
C:\Program Files\ISTsvc
C:\WINDOWS\sbbvcyu.exe

C:\WINDOWS\system32\209khcmp.exe
C:\PROGRA~1\COMMON~1\uqzu\uqzum.exe
C:\WINDOWS\system32\hkafuh.exe

C:\WINDOWS\system32\n3jpn0ej.exe

Search your system for the files below and delete all instances of them.

wexatcha.exe
armgb.exe
wmdptsvc.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard :)
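Howard's post above works out the process, file and "fix" lists from the HJT log by hand: each O4 Run value, the UserInit hijack, the Winlogon Notify entry and the O23 service name a file, and the ones marked "(file missing)" or "(no file)" are dangling references that only need removing from the registry. The Python helper below is an added example, not part of the thread and not HijackThis code; it does that triage mechanically over a constructed excerpt of HJT lines copied from the post, assuming the HJT 1.99-era line format seen in the thread. All function and variable names are my own.

```python
import re
from typing import NamedTuple

# Constructed sample: HijackThis lines copied from the log quoted in the thread above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jpxnfns.exe
O4 - HKLM\..\Run: [Mjxmme] C:\Program Files\Rtpyll\Tykyfj.exe
O4 - HKLM\..\Run: [209khcmp] C:\WINDOWS\system32\209khcmp.exe
O4 - HKLM\..\Run: [43sO33U] wmdptsvc.exe
O4 - HKLM\..\Run: [hcewuf] "C:\WINDOWS\system32\hkafuh.exe" reg_run
O4 - HKCU\..\Run: [L03ERTYtQ] wexatcha.exe
O4 - Global Startup: armgb.exe
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/f96dae2465682e73497dad5c8bf230ac_35.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# Line grammar as it appears in the quoted log (assumption: HJT 1.99-era format).
LINE_RE = re.compile(r"^(?P<section>R[0-3]|F[0-3]|O\d{1,2}) - (?P<detail>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<owner>.*?) - (?P<path>.*)$")
URL_RE = re.compile(r"https?://\S+")
IMAGE_RE = re.compile(r"^(?P<img>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)
DANGLING_TAGS = ("(file missing)", "(no file)")

class Finding(NamedTuple):
    section: str    # HJT section code, e.g. "O4"
    location: str   # where the autostart lives (registry value, service, startup folder)
    image: str      # the file that would be launched
    dangling: bool  # HJT says the file is already gone: only the reference needs fixing

def image_path(cmd: str) -> str:
    """Pull the executable image out of a command line, honouring quotes and spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group("img") if m else (cmd.split() or [""])[0]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def parse_hjt(text: str) -> list:
    """Split a log into (section, detail) pairs, skipping header and blank lines."""
    pairs = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            pairs.append((m["section"], m["detail"]))
    return pairs

def autostart_findings(text: str) -> list:
    """Every place in the log that launches a file at logon or boot."""
    out = []
    for section, detail in parse_hjt(text):
        dangling = any(tag in detail for tag in DANGLING_TAGS)
        if section == "F2" and detail.startswith("REG:system.ini: UserInit="):
            # A clean UserInit is "...\userinit.exe,"; anything else in the list is a hijack.
            for item in detail.split("=", 1)[1].split(","):
                if item.strip() and basename(item.strip()).lower() != "userinit.exe":
                    out.append(Finding(section, "system.ini UserInit", item.strip(), dangling))
        elif section == "O4":
            if m := RUN_RE.match(detail):
                where = f"{m['hive']}\\...\\{m['key']} [{m['name']}]"
                out.append(Finding(section, where, image_path(m["cmd"]), dangling))
            elif m := STARTUP_RE.match(detail):
                out.append(Finding(section, "Startup folder", image_path(m["cmd"]), dangling))
        elif section == "O20" and (m := NOTIFY_RE.match(detail)):
            out.append(Finding(section, f"Winlogon Notify\\{m['key']}", image_path(m["path"]), dangling))
        elif section == "O23" and (m := SERVICE_RE.match(detail)):
            out.append(Finding(section, f"service '{m['svc']}'", image_path(m["path"]), dangling))
    return out

def download_urls(text: str) -> list:
    """URLs behind O16 (Download Program Files) entries: where ActiveX payloads were fetched from."""
    urls = []
    for section, detail in parse_hjt(text):
        if section == "O16" and (m := URL_RE.search(detail)):
            urls.append(m.group(0))
    return urls

def triage(text: str) -> dict:
    """Turn the log into the working lists a manual clean-up needs."""
    findings = autostart_findings(text)
    live = [f for f in findings if not f.dangling]
    return {
        "processes": sorted({basename(f.image).lower() for f in live}),   # end these in Task Manager
        "paths": sorted({f.image for f in live if "\\" in f.image}),       # delete these on disk
        "dangling": sorted({f.location for f in findings if f.dangling}),  # references HJT can drop
        "urls": download_urls(text),
    }
```

Calling `triage(SAMPLE_LOG)` gives the process names to end, the full paths to delete, the two dangling references (the Winlogon Notify key and the Network Monitor service) and the two O16 download URLs. The UserInit rule is deliberate: the clean value is `...\userinit.exe` alone, so only what follows the comma is reported, and entries with no directory (such as `wmdptsvc.exe`) land in the process list but not the path list, which is why the post tells the reader to search the system for those separately.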
 