TechSpot

Isnotify... is killing my computer.

By VirusHata
Oct 7, 2006
  1. Hello,

    Let me start off by saying that I "HATE" viruses... but anyway... The virus isnotify along with an assortment of other "is*" files have infected my computer (all present in the .../Windows/System32 folder) and I doubt they plan on leaving by means of: Ad-Aware/F-Secure/Ewido...

    I've downloaded HijackThis and also four Tools already:

    1. Smitfraud
    2. Virtumundo
    3. VundoFix
    4. Look2Me

    Looking forward to a "prompt" reply, heh.

    Thanks in advance,

    -VirusHater

    P.S. That caution symbol (picture) pops up in my toolbar every so often as well... apparently another thing from this virus...
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of VirusHata only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. VirusHata

    VirusHata TS Rookie Topic Starter

    Thanks for the prompt reply!!

    I've been steadily working on all the steps above... funny thing is... I reached the step JUST before having to turn off system restore and found out that I can no longer connect to the internet using that computer... I wonder, is that a "side-effect" of rebooting the computer after scanning with Look2Me-Defender??? Because right after the reboo.... oh wait! Is it because I'm in safe mode?? Heh.. Well, just posting a reply to inform you I'm hard at work! Will have these reports attached a.s.a.p. Thanks again,

    -VirusHata
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Being in safe mode would indeed stop you from accessing the net lol.

    The instructions I have given you should help you to get rid of that nasty isnotify.

    I look forward to seeing your fresh logs.

    Regards Howard :)
     
  5. VirusHata

    VirusHata TS Rookie Topic Starter

    Logs and whatnot

    Ok, finally!

    After falling asleep twice and countless virus scans... I have those logs!
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    weatherbug
    viewpoint
    viewpoint manager
    emma

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    ViewMgr.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {07B2A214-93E1-8F41-7EFB-06ABEE598E5D} - C:\WINDOWS\system32\oybhlxk.dll

    O2 - BHO: (no name) - {61672AFC-155B-4946-9C7F-E6CEDFAD6963} - C:\WINDOWS\system32\sstqo.dll (file missing)

    O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\asyvyxix.dll (file missing)

    O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)

    O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [zzreszd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zzreszd.dll,mfyjone

    O4 - Startup: emma.lnk = C:\Program Files\emma\runEMMA.bat

    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://my.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB

    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab

    O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\emma
    C:\Program Files\Viewpoint
    C:\Program Files\Common Files\Real\WeatherBug


    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\system32\oybhlxk.dll
    C:\WINDOWS\system32\zzreszd.dll,mfyjone

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of VirusHata only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
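Triaging the HJT entries quoted in the post above, as an added example in Python (not part of the thread, HijackThis or Killbox): it separates orphaned registry entries ("file missing"/"no file", which HJT fixes with nothing left on disk to delete) from entries that point at real files, and for the rundll32 entry it extracts the DLL path without the ",mfyjone" suffix, which names the export called by rundll32 rather than part of the filename. The sample input is a constructed subset of the log, and the system32 filter in killbox_paths is this example's own assumption.

```python
import re

# Constructed sample input: HijackThis entries quoted in the post above, not a full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {07B2A214-93E1-8F41-7EFB-06ABEE598E5D} - C:\WINDOWS\system32\oybhlxk.dll
O2 - BHO: (no name) - {61672AFC-155B-4946-9C7F-E6CEDFAD6963} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [zzreszd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zzreszd.dll,mfyjone
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
"""

ORPHAN_MARKERS = ("(file missing)", "(no file)")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll)(?:,(?P<export>\S+))?$", re.I)


def parse_entry(line):
    """Turn one HJT line into a dict: section, kind, on-disk target (or None)."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    entry = {"section": section, "line": line, "kind": "file", "target": None}
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        r = RUNDLL_RE.search(cmd)
        if r:
            # rundll32.exe is a legitimate Windows host; the payload is the DLL it loads.
            # The ",export" suffix is the entry point, not part of the file path.
            entry.update(kind="rundll32_dll", target=r.group("dll"), export=r.group("export"))
        else:
            entry["target"] = cmd
        return entry
    if " - " not in line:
        return entry
    tail = line.rsplit(" - ", 1)[1]
    if tail.endswith(ORPHAN_MARKERS):
        # Registry still points at a file that is gone: fix the entry in HJT, nothing to delete.
        entry["kind"] = "orphan"
        return entry
    entry["target"] = tail
    return entry


def triage(log_text):
    return [parse_entry(l) for l in log_text.splitlines() if l.strip()]


def killbox_paths(entries):
    """Real files under system32 worth queueing for delete-on-reboot (assumed filter)."""
    prefix = "c:\\windows\\system32\\"
    return [e["target"] for e in entries
            if e["target"] and e["target"].lower().startswith(prefix)]
```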
     
  7. VirusHata

    VirusHata TS Rookie Topic Starter

    Running pretty darn smoothly!

    Well,

    I've done as you instructed... here's the logs.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of VirusHata only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. VirusHata

    VirusHata TS Rookie Topic Starter

    Thank you very much!
     
  10. VirusHata

    VirusHata TS Rookie Topic Starter

    Hmm, another problem... was wondering if you could assist me with this...

    Occasionally, after so many minutes of being idle... my Anti-Virus client (F-Secure) finds a Trojan on my computer... "Downloader_TrojanWin32" or something similar... When I try to Delete/Disinfect the trojan... F-Secure is unable to. I just viewed my Task Manager (Ctrl + Alt + Delete) and saw this process:

    B111.exe

    which, stayed for about 10 or so seconds before it disappeared (without me having to end the process)... I googled the .exe file and saw that it was a piece to my lil' Trojan problem...

    Anyway, I'm trying to scan my computer with Ad-Aware SE, hoping that will rid of my problem.

    Well, look forward to hearing back,

    -VirusHata.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Use killbox to try and delete the B111.exe file.

    You will need to find out its full filepath.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of VirusHata only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. VirusHata

    VirusHata TS Rookie Topic Starter

    Ok...

    Thanks for the, again, prompt reply...

    I tried to use KillBox to delete it... but...

    When I tried Standard File Kill:

    "This file does not seem to exist."

    When I tried Delete on Reboot:

    "PendingFileRenameOperations Registry Data has been Removed by External Process!"

    HJT log included...
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Can you give me the filepath to the file your antivirus programme finds?

    Regards Howard :)

    This thread is for the use of VirusHata only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. VirusHata

    VirusHata TS Rookie Topic Starter

    When it next pops up, yes.
    Running a Scan with it (F-Secure) now.
     
  15. VirusHata

    VirusHata TS Rookie Topic Starter

    Well, I did a complete scan... and it found nothing...
    I guess, if I ever receive that popup alert again... I'll copy the filepath and post it...


    Thanks again.
     
  16. VirusHata

    VirusHata TS Rookie Topic Starter

    Well, I just received a different popup... Was on my screen when I woke up this morning, heh..

    Malicious code found in file C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\B111.EXE
    Infection: Trojan-Downloader.Win32.VB.afa
    Action: The File was deleted.


    From the looks of it.. sounds like the problem was fixed but... you never know with these sneaky viruses!

    -VH.
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's weird, it's ok that the virus was cleaned, but where the hell are they getting in?

    I'm wondering if you've got a rootkit infection.

    Go HERE and follow the instructions.

    Please let me know the results.

    Regards Howard :)

    This thread is for the use of VirusHata only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  18. VirusHata

    VirusHata TS Rookie Topic Starter

    Ok...

    Here we go... well, it's apparent that the virus (Trojan) isn't really fixed because when I awoke again this morning... the same popup was present:

    Malicious code found in file C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\B111.EXE
    Infection: Trojan-Downloader.Win32.VB.afa
    Action: The File was deleted.


    But here are the two logs...


    P.S. The sysclean program found an error as well... in case you wanted to see it as well... I've included it.

    Thanks again,

    -VH.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Just as I feared, you have a rootkit infection.

    There is some software that claims to be able to get rid of rootkits. It's called Unhackme. I can't comment on its effectiveness as I've never had a rootkit.

    If you decide to try the above software, please let me know the outcome.

    The only other way I know of getting rid of a rootkit infection is to back up your important data and reformat and reinstall from scratch.

    Regards Howard :(

    This thread is for the use of VirusHata only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  20. VirusHata

    VirusHata TS Rookie Topic Starter

    Heh, according to Unhackme... I don't have a Rootkit Trojan...

    Thanks for everything!

    -VH.
     