TechSpot

Ishost, ISsearch, Isnotify, Ismon

By Dethgigas
Aug 27, 2006
  1. God, I hate this. Another form of the damn toolbar888, which I had not too long ago.

    Ok, it started out as I was shutting down my PC, then something attacked. I noticed these 4 things.

    Please help me. My CPU is very slow, I would like to kill them all + that sys.com bull****. Please help me. I would like a fast response. I will be gone at 12:30PM, 1 hour from now. Please help me. I need proper instructions without downloading too many things. Is there a possible way I can regain my CPU from this *****?

    P.S. I'm 14, but I'm having trouble. PLEASE HELP ME. My parents are pretty mad...lol

    Ok, looks like I got more. I have DSL and it disconnects and encounters a problem automatically. Most of the time, every 15 - 20 minutes, the programs encounter a problem and close. This has happened for about 3 days now...


    Another one is StaccatoSys. I see that Sys is also relevant to Ishost, Isnotify, ismon, and issearch. These things are driving me crazy, my computer is going abnormally slow. Please help.


    One more thing. These generic.tmp files keep being found as trojans by my McAfee. Please help me.


    Need help IMMEDIATELY because I need this CPU in 2 weeks. I hope to kill this crap in 3 days or less.

    Thank You and God Bless,
    Dethgigas
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Download and run these four tools. Follow the instructions for using each tool carefully.

    Tool1 Tool2 Tool3 Tool4

    Then go and read this thread HERE.

    Post a fresh HJT log as an attachment into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of Dethgigas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Do I need WinRAR for this? Because it tells me to extract and I can't... And I just did that thing to post a new one. And it said to close the window and it didn't do anything.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    WinRAR/WinZip etc. is a requirement. You can get WinRAR HERE.

    Regards Howard :)
     
  5. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Sorry for the double post. But it says Attachment In Progress.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    What says "attachment in progress"?

    Regards Howard :)
     
  7. Dethgigas

    Dethgigas TS Rookie Topic Starter

    There is the one before the tools.

    Alright, I went to extract... where do I extract to? It says um... Extract without confirmation. But when I do that, McAfee shows a trojan...



    Tool1 wont work :(

    [08/27/2006, 16:03:35] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\My Documents\My Downloads\VirtumundoBeGone.exe" )
    [08/27/2006, 16:03:40] - Detected System Information:
    [08/27/2006, 16:03:40] - Windows Version: 5.1.2600, Service Pack 2
    [08/27/2006, 16:03:40] - Current Username: Owner (Admin)
    [08/27/2006, 16:03:40] - Windows is in NORMAL mode.
    [08/27/2006, 16:03:40] - Searching for Browser Helper Objects:
    [08/27/2006, 16:03:40] - BHO 1: {873eb32d-ae1a-4183-89bd-45a77f761be4} ()
    [08/27/2006, 16:03:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [08/27/2006, 16:03:40] - No filename found. Continuing.
    [08/27/2006, 16:03:40] - BHO 2: {E4B75DE6-A871-4C82-B2D7-C45EAFF7B008} ()
    [08/27/2006, 16:03:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [08/27/2006, 16:03:40] - Checking for HKLM\...\Winlogon\Notify\pmnnn
    [08/27/2006, 16:03:40] - Key not found: HKLM\...\Winlogon\Notify\pmnnn, continuing.
    [08/27/2006, 16:03:40] - Finished Searching Browser Helper Objects
    [08/27/2006, 16:03:40] - Finishing up...
    [08/27/2006, 16:03:40] - Nothing found! Exiting...

    That is from Tool#2
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's very important you run the tools in the order they are given.

    You can extract them to your desktop if you like, or anywhere else you want.

    Follow the instructions exactly for using all the tools, especially tool1.

    Regards Howard :)
     
  9. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Howard - I did tools 2, 3, and 4. Look2Me already deleted the files and turned down my CPU. I followed what it said. It says to extract all files. But I can't for some reason. VundoFix V6.1.2 is running right now... Tool1 won't work for me mate. But I'll keep trying.



    Also when I start my CPU, it says like... Hkafuh.exe in a black command box. It says it isn't compatible and to either close or ignore it. It happens every time.

    Reply Soon,
    Dethgigas
     
  10. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Wtf, I keep getting that a trojan has been detected and cleaned!


    Now, I can't do tool 1. I'll tell you why. I go into WinRAR, click the folder on it. I right click SmitFraud.Cmd, like it says to. It says things like... Extract to the specified folder. I press ok. After it is done, I double click it. A black window pops up and goes away after about a 5th of a second. Tool1 won't work for some reason. Please help.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I don't know why you're having trouble running tool1, but leave it for now and follow the rest of the instructions.

    Post a fresh HJT log after that.

    Regards Howard :)
     
  12. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Okie, here comes the new log.

    I'm still getting trojans detected + cleaned. Is there any time in life that it won't happen? lol

    It's Generic Downloader.be and a whole bunch of others.


    And I tried again for Tool1. It says to extract all files. I did extract + yet I still get the damn black window instead of blue. It disappears in a 5th of a second. Any help is appreciated.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is still infected with all kinds of crap.

    Go HERE and follow all the instructions exactly.

    Post a fresh HJT log, only after doing the above. You really need to find a way of running SmitFraudfix.

    If you can't follow the instructions, maybe you should ask your mum or dad to do it for you.

    Regards Howard :)
     
  14. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Ok, I'll use 3 of the 4 scanners. Or 4...lol

    Anyhow. I appreciate the help Howard, sorry for taking up so much of your time. I'll post again with a fresh HJT log soon.
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem. Just be aware, that it might take you quite some time to follow the instructions.

    I really want to help, but obviously I'm relying on you to follow the instructions properly.

    Regards Howard :)

    This thread is for the use of Dethgigas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Thank you Howard,

    I hope I can finish in around 4 hours. 2 scanners are completed: BitDefender + Trend Micro Housecall. 2 more to run, then on to the next instruction.


    Thank You,
    Dethgigas
     
  17. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Alright, I've done everything you have asked. For some reason, I can't get rid of one of the Vundo trojans. It keeps infecting my files... Any help?
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Did you manage to get the SmitFraudfix to work?

    Please post a fresh HJT log.

    Regards Howard :)
     
  19. Dethgigas

    Dethgigas TS Rookie Topic Starter

    I did not, and I asked around... But no luck. I'll post a fresh one. One moment.
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Smitrem.exe from HERE. Follow the instructions exactly. This is not the same SmitFraud removal tool.

    Then post a fresh HJT log.

    Regards Howard :)
     
  21. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Here is the fresh one. But I can't seem to get rid of this damn Vundo trojan. It keeps infecting my files + McAfee is deleting them. Now, it says when I go to My Connections, it isn't firewalled anymore...
     
  22. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Alright, I gotta reboot in Safe Mode. Be back in about an hour I hope.


    Alright, it worked. Now I'm back.


    Here's my next logfile...

    Also I'm running VundoFix V6.1.2 right now.
     
  23. Dethgigas

    Dethgigas TS Rookie Topic Starter

    Mm... I guess I'm gonna get off. Cya tomorrow Howard... Still cannot get rid of the Vundo trojan.
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is still riddled with nasties.

    I'm going to try and manually get rid of the nasties. However, I can't guarantee it's going to work.

    You must follow these instructions exactly.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with the following (if there).

    Network Monitor
    ISTsvc
    Rtpyll

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Network Monitor

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    jpxnfns.exe
    Tykyfj.exe
    sbbvcyu.exe

    istsvc.exe
    sbbvcyu.exe
    209khcmp.exe

    wmdptsvc.exe
    n3jpn0ej.exe
    hkafuh.exe

    wexatcha.exe
    uqzum.exe
    armgb.exe

    f96dae2465682e73497dad5c8bf230ac_35.exe
    netmon.exe
    winfix.chm


    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    F2 - REG:system.ini: Shell=Explorer.exe,
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jpxnfns.exe

    O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)

    O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)

    O4 - HKLM\..\Run: [Mjxmme] C:\Program Files\Rtpyll\Tykyfj.exe

    O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sbbvcyu.exe

    O4 - HKLM\..\Run: [209khcmp] C:\WINDOWS\system32\209khcmp.exe

    O4 - HKLM\..\Run: [43sO33U] wmdptsvc.exe

    O4 - HKLM\..\Run: [n3jpn0ej] C:\WINDOWS\system32\n3jpn0ej.exe

    O4 - HKLM\..\Run: [hcewuf] "C:\WINDOWS\system32\hkafuh.exe" reg_run

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    O4 - HKCU\..\Run: [L03ERTYtQ] wexatcha.exe

    O4 - HKCU\..\Run: [uqzu] C:\PROGRA~1\COMMON~1\uqzu\uqzum.exe

    O4 - HKCU\..\Run: [dylxv] "C:\WINDOWS\system32\hkafuh.exe" reg_run

    O4 - Global Startup: armgb.exe

    O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/f96dae2465682e73497dad5c8bf230ac_35.exe

    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab

    O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab

    O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/databases/actimage40803.cab

    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O18 - Filter: text/html - (no CLSID) - (no file)

    O20 - AppInit_DLLs:

    O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)

    O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\Network Monitor
    C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm
    C:\WINDOWS\system32\userinit.exe,jpxnfns.exe

    C:\Program Files\Rtpyll
    C:\Program Files\ISTsvc
    C:\WINDOWS\sbbvcyu.exe

    C:\WINDOWS\system32\209khcmp.exe
    C:\PROGRA~1\COMMON~1\uqzu\uqzum.exe
    C:\WINDOWS\system32\hkafuh.exe

    C:\WINDOWS\system32\n3jpn0ej.exe

    Search your system for the files below and delete all instances of them.

    wexatcha.exe
    armgb.exe
    wmdptsvc.exe

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.

    Regards Howard :)
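Howard's manual clean-up above works through a HijackThis log entry by entry. As an added example, not from the thread or from HijackThis itself, this Python script applies four of the tell-tales he relies on to constructed sample lines in the same format: a UserInit value carrying more than userinit.exe, Run entries that name a bare executable, DPF entries that download a raw .exe, and Winlogon Notify or service registrations whose file is already missing. The sample DPF host is a placeholder, and the 209khcmp entry is deliberately left unflagged to show the limit of path-based heuristics.

```python
import re

# Constructed sample HJT lines, modelled on the entries Howard lists above; the
# first DPF host is a placeholder, not the one quoted in the thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,jpxnfns.exe
O4 - HKLM\\..\\Run: [43sO33U] wmdptsvc.exe
O4 - HKLM\\..\\Run: [209khcmp] C:\\WINDOWS\\system32\\209khcmp.exe
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://dpf.example.invalid/l/payload_35.exe
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\\Program Files\\Network Monitor\\netmon.exe (file missing)
"""

def run_target(rest):
    """Executable path from an O4 entry body such as '[Name] "C:\\x.exe" arg'."""
    cmd = re.sub(r"^\[[^\]]*\]\s*", "", rest.strip()).strip()
    if cmd.startswith('"'):                 # quoted path, arguments follow the quote
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]             # unquoted: first token is the program

def triage(log_text):
    """Return (severity, reason, line) for HJT entries that match the heuristics."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = re.match(r"([A-Z]\d+) - (.*)", line)
        if not m:
            continue
        t, rest = m.groups()
        if t == "F2" and "UserInit=" in rest:
            # UserInit should launch exactly one program; anything else after the comma runs at every logon.
            progs = [p for p in rest.split("=", 1)[1].split(",") if p]
            extras = [p for p in progs if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extras:
                findings.append(("HIGH", "UserInit runs extra program(s): " + ", ".join(extras), line))
        elif t == "O4" and "Run:" in rest:
            target = run_target(rest.split("Run:", 1)[1])
            if "\\" not in target:
                # A bare file name is resolved through the PATH search order at logon.
                findings.append(("MEDIUM", "Run entry with PATH-dependent bare name: " + target, line))
        elif t == "O16":
            url = rest.rsplit(" - ", 1)[-1]
            if url.lower().endswith(".exe"):
                # Downloaded Program Files normally reference a .cab/.ocx, not a raw .exe.
                findings.append(("HIGH", "ActiveX DPF points at an executable: " + url, line))
        elif t in ("O20", "O23") and rest.endswith("(file missing)"):
            # Registration survived although the file is gone: orphaned persistence.
            findings.append(("MEDIUM", "Orphaned " + t + " entry (file missing)", line))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns five findings in log order; any entry the heuristics miss still needs the line-by-line review Howard does above.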
     