Isnotify... is killing my computer.


VirusHata
Hello,

Let me start off by saying that I "HATE" viruses... but anyway... The virus isnotify, along with an assortment of other "is*" files, has infected my computer (all present in the .../Windows/System32 folder) and I doubt they plan on leaving by means of Ad-Aware/F-Secure/Ewido...

I've downloaded HijackThis and also four Tools already:

1. Smitfraud
2. Virtumundo
3. VundoFix
4. Look2Me

Looking forward to a "prompt" reply, heh.

Thanks in advance,

-VirusHater

P.S. That caution symbol (picture) pops up in my toolbar every so often as well... apparently another thing from this virus...
 
Hello and welcome to Techspot.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments in this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of VirusHata only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Thanks for the prompt reply!!

I've been steadily working on all the steps above... funny thing is... I reached the step JUST before having to turn off system restore and found out that I can no longer connect to the internet using that computer... I wonder, is that a "side-effect" of rebooting the computer after scanning with Look2Me-Defender??? Because right after the reboo.... oh wait! Is it because I'm in safe mode?? Heh.. Well, just posting a reply to inform you I'm hard at work! Will have these reports attached a.s.a.p. Thanks again,

-VirusHata
 
Being in safe mode would indeed stop you from accessing the net lol.

The instructions I have given you should help you to get rid of that nasty isnotify.

I look forward to seeing your fresh logs.

Regards Howard :)
 
Logs and whatnot

Ok, finally!

After falling asleep twice and countless virus scans... I have those logs!
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there):

weatherbug
viewpoint
viewpoint manager
emma

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for (if there):

ViewMgr.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {07B2A214-93E1-8F41-7EFB-06ABEE598E5D} - C:\WINDOWS\system32\oybhlxk.dll

O2 - BHO: (no name) - {61672AFC-155B-4946-9C7F-E6CEDFAD6963} - C:\WINDOWS\system32\sstqo.dll (file missing)

O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\asyvyxix.dll (file missing)

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)

O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [zzreszd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zzreszd.dll,mfyjone

O4 - Startup: emma.lnk = C:\Program Files\emma\runEMMA.bat

O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://my.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there):

C:\Program Files\emma
C:\Program Files\Viewpoint
C:\Program Files\Common Files\Real\WeatherBug


Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished entering the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\system32\oybhlxk.dll
C:\WINDOWS\system32\zzreszd.dll,mfyjone

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

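The fix list above is a hand triage of an HJT log. As an added example (not code from the thread, from HijackThis or from Killbox), the Python below parses those same entries and sorts them into orphans (the "(file missing)" and "(no file)" lines, where only the registry entry is left to remove), suspicious loaders, and entries to confirm by hand; the verdict rules and the abbreviated Winlogon Notify allow-list are this example's own assumptions. It also derives the delete-on-reboot targets, and for the rundll32 entry that is only C:\WINDOWS\system32\zzreszd.dll: rundll32 takes "dll,export", so the ",mfyjone" after the comma is the export it is asked to call, not part of a file path, and a file-deletion tool given the whole string will not find such a file.

```python
"""Triage a HijackThis (HJT) log the way the fix list above was built.

Added example for this thread; not code from HijackThis, Killbox or the
poster. The sample lines are the entries Howard listed; the verdict rules
are heuristics written for this example, not HJT's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HJT entries from the post above, as one log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {07B2A214-93E1-8F41-7EFB-06ABEE598E5D} - C:\WINDOWS\system32\oybhlxk.dll
O2 - BHO: (no name) - {61672AFC-155B-4946-9C7F-E6CEDFAD6963} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [zzreszd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zzreszd.dll,mfyjone
O4 - Startup: emma.lnk = C:\Program Files\emma\runEMMA.bat
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
"""

# Winlogon Notify packages that ship with Windows XP (assumption: an
# abbreviated allow-list; extend it for the build you are looking at).
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
# rundll32 takes "<dll>,<export>": only the part before the comma is a path.
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<dll>[^,]+?\.dll),(?P<export>\S+)", re.I)
SYSTEM32_RE = re.compile(r"\\system32\\", re.I)


@dataclass
class Finding:
    section: str            # HJT prefix, e.g. "O2"
    verdict: str            # "orphan", "suspicious", "review" or "ok"
    reason: str
    target: Optional[str]   # file to delete, when one can be derived
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT line; None for lines that are not HJT entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # Registered object whose file is already gone: only the key is left.
    if "(file missing)" in body or "(no file)" in body:
        return Finding(sec, "orphan", "entry points at a file that no longer exists", None, line)

    # Run key launching a system32 DLL through rundll32 by export name.
    r = RUNDLL32_RE.search(body)
    if r and SYSTEM32_RE.search(r.group("dll")):
        return Finding(sec, "suspicious",
                       f"rundll32 loads {r.group('dll')} via export {r.group('export')!r}",
                       r.group("dll"), line)

    # Nameless BHO or toolbar DLL dropped straight into system32.
    if sec in ("O2", "O3") and "(no name)" in body and SYSTEM32_RE.search(body):
        return Finding(sec, "suspicious", "unnamed BHO/toolbar DLL in system32",
                       body.rsplit(" - ", 1)[-1].strip(), line)

    # Winlogon Notify packages run inside winlogon.exe at every logon.
    if sec == "O20":
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        if name in KNOWN_WINLOGON_NOTIFY:
            return Finding(sec, "ok", "known Windows Winlogon Notify package", None, line)
        return Finding(sec, "suspicious", f"Winlogon Notify package {name!r} is not a known one", None, line)

    if sec == "O16":
        return Finding(sec, "review", "ActiveX control installed from " + body.rsplit(" - ", 1)[-1], None, line)

    return Finding(sec, "review", "autostart or IE setting to confirm by hand", None, line)


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def killbox_targets(findings: List[Finding]) -> List[str]:
    """Paths for a delete-on-reboot tool; an export name is never part of one."""
    return [f.target for f in findings if f.verdict == "suspicious" and f.target]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<5}{f.verdict:<11}{f.reason}")
    print("delete on reboot:", killbox_targets(triage(SAMPLE_LOG)))
```

Run against the sample it reports four orphans, two delete-on-reboot targets (oybhlxk.dll and zzreszd.dll), and leaves the ViewMgr, emma, R0 and O16 lines for a human to confirm, which matches what HJT's "fix checked" plus Killbox are asked to do above.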
 
Your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Hmm, another problem... was wondering if you could assist me with this...

Occasionally, after so many minutes of being idle... my anti-virus client (F-Secure) finds a Trojan on my computer... "Downloader_TrojanWin32" or something similar... When I try to Delete/Disinfect the Trojan... F-Secure is unable to. I just viewed my Task Manager (Ctrl + Alt + Delete) and saw this process:

B111.exe

which stayed for about 10 or so seconds before it disappeared (without me having to end the process)... I googled the .exe file and saw that it was a piece of my lil' Trojan problem...

Anyway, I'm trying to scan my computer with Ad-Aware SE, hoping that will get rid of my problem.

Well, look forward to hearing back,

-VirusHata.
 
Use Killbox to try and delete the B111.exe file.

You will need to find out its full file path.

Post a fresh HJT log.

Regards Howard :)

 
Ok...

Thanks for the, again, prompt reply...

I tried to use KillBox to delete it... but...

When I tried Standard File Kill:

"This file does not seem to exist."

When I tried Delete on Reboot:

"PendingFileRenameOperations Registry Data has been Removed by External Process!"

HJT log included...
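Killbox's "Delete File on Reboot" and the error quoted above both come down to one registry value. As an added example (not Killbox's code and not from the thread), the Python below queues a deletion the same way, through MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, then reads PendingFileRenameOperations back to confirm the request is still there; if it is not, something on the machine cleared the value before the reboot, which is the condition the Killbox message reports. The registry read goes through RegGetValueW and a hand-written REG_MULTI_SZ decoder rather than winreg, because winreg.QueryValueEx stops at the first empty string in a REG_MULTI_SZ and this value uses an empty string to mean "delete". The constants and helper names are this example's own; the two Windows-only functions need an elevated prompt.

```python
"""Delete-on-reboot as Killbox does it, plus the check that it stayed queued.

Added example for this thread, not code from Killbox or the poster.
MoveFileExW(MOVEFILE_DELAY_UNTIL_REBOOT) records the request in the
REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; Session Manager
acts on the list early in the next boot, before the file can be locked.
"""
import sys
from typing import List, Optional, Tuple

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
RRF_RT_REG_MULTI_SZ = 0x20
ERROR_FILE_NOT_FOUND = 2
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"    # paths are stored in NT object-manager form


def parse_multi_sz(raw: bytes) -> List[str]:
    """Split raw REG_MULTI_SZ bytes (UTF-16LE, each string NUL-terminated,
    one extra NUL at the end) without dropping empty strings."""
    s = raw.decode("utf-16-le")
    if s.endswith("\0"):
        s = s[:-1]                # list terminator
    if s in ("", "\0"):
        return []
    parts = s.split("\0")
    if s.endswith("\0"):
        parts.pop()               # the last string's own terminator
    return parts


def encode_multi_sz(parts: List[str]) -> bytes:
    return ("".join(p + "\0" for p in parts) + "\0").encode("utf-16-le")


def encode_operations(ops: List[Tuple[str, Optional[str]]]) -> List[str]:
    """(source, destination) pairs; destination None queues a delete."""
    parts: List[str] = []
    for src, dst in ops:
        parts.append(NT_PREFIX + src)
        parts.append("" if dst is None else NT_PREFIX + dst)
    return parts


def _win32_path(p: str) -> str:
    p = p[1:] if p.startswith("!") else p    # '!' marks replace-existing
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def decode_operations(parts: List[str]) -> List[Tuple[str, Optional[str]]]:
    if len(parts) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    return [(_win32_path(src), None if dst == "" else _win32_path(dst))
            for src, dst in zip(parts[0::2], parts[1::2])]


def pending_deletions(parts: List[str]) -> List[str]:
    return [src for src, dst in decode_operations(parts) if dst is None]


def is_delete_queued(path: str, parts: List[str]) -> bool:
    """True while the request is still in the value; Killbox's
    'Registry Data has been Removed by External Process!' is this failing."""
    return path.casefold() in (p.casefold() for p in pending_deletions(parts))


def queue_delete_on_reboot(path: str) -> None:   # Windows only, elevated
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def read_pending() -> List[str]:                  # Windows only
    import ctypes
    import winreg
    from ctypes import wintypes
    adv = ctypes.WinDLL("advapi32")
    adv.RegGetValueW.argtypes = (wintypes.HKEY, wintypes.LPCWSTR, wintypes.LPCWSTR,
                                 wintypes.DWORD, wintypes.LPDWORD, ctypes.c_void_p,
                                 wintypes.LPDWORD)
    adv.RegGetValueW.restype = wintypes.LONG
    hklm = wintypes.HKEY(winreg.HKEY_LOCAL_MACHINE)
    size = wintypes.DWORD(0)
    rc = adv.RegGetValueW(hklm, SESSION_MANAGER_KEY, VALUE_NAME,
                          RRF_RT_REG_MULTI_SZ, None, None, ctypes.byref(size))
    if rc == ERROR_FILE_NOT_FOUND:
        return []
    if rc:
        raise ctypes.WinError(rc)
    buf = ctypes.create_string_buffer(size.value)
    rc = adv.RegGetValueW(hklm, SESSION_MANAGER_KEY, VALUE_NAME,
                          RRF_RT_REG_MULTI_SZ, None, buf, ctypes.byref(size))
    if rc:
        raise ctypes.WinError(rc)
    return parse_multi_sz(buf.raw[:size.value])


if __name__ == "__main__":
    if sys.platform != "win32" or len(sys.argv) != 2:
        sys.exit("usage (Windows, elevated prompt): python pending_delete.py <full path>")
    target = sys.argv[1]
    queue_delete_on_reboot(target)
    if is_delete_queued(target, read_pending()):
        print("queued; reboot to complete the delete")
    else:
        print("request vanished before reboot: something is clearing the value")
```

Re-checking the value after a minute or two, and again just before rebooting, is the useful part: a file that "does not seem to exist" at queue time but reappears in %TEMP% later, combined with the queued request disappearing, points at a process that is both redropping the file and policing the registry, which is why the next reply asks about a rootkit.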
 
Your HJT log is clean.

Can you give me the filepath to the file your antivirus programme finds?

Regards Howard :)

 
Well, I did a complete scan... and it found nothing...
I guess, if I ever receive that popup alert again... I'll copy the filepath and post it...


Thanks again.
 
Well, I just received a different popup... Was on my screen when I woke up this morning, heh..

Malicious code found in file C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\B111.EXE
Infection: Trojan-Downloader.Win32.VB.afa
Action: The File was deleted.


From the looks of it.. sounds like the problem was fixed but... you never know with these sneaky viruses!

-VH.
 
That's weird. It's OK that the virus was cleaned, but where the hell are they getting in?

I'm wondering if you've got a rootkit infection.

Go HERE and follow the instructions.

Please let me know the results.

Regards Howard :)

 
Ok...

Here we go... well, it's apparent that the virus (Trojan) isn't really fixed because when I awoke again this morning... the same popup was present:

Malicious code found in file C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\B111.EXE
Infection: Trojan-Downloader.Win32.VB.afa
Action: The File was deleted.


But here are the two logs...


P.S. The sysclean program found an error as well... in case you wanted to see it as well... I've included it.

Thanks again,

-VH.
 
Just as I feared, you have a rootkit infection.

There is some software that claims to be able to get rid of rootkits. It's called Unhackme. I can't comment on its effectiveness, as I've never had a rootkit.

If you decide to try the above software, please let me know the outcome.

The only other way I know of getting rid of a rootkit infection is to back up your important data and reformat and reinstall from scratch.

Regards Howard :(

 