Virus problem.

Status
Not open for further replies.

docter

ismon and ishost.exe from Trojan

Hello,

I think I have a similar problem. I have a Trojan Zlob virus that keeps infecting more and more files. Spyware Blaster has stopped the pop ups but my Virus protection keeps adding files to the quarantine. I followed the procedure in Tool1 from the post, but figured I should find out if this is the right thing to do before proceeding. The following files are infected:
DWH58FC.TMP
DWHCB14.TMP
apqbeb.tmp
APQF7C.tmp
apq1a1.tmp
ismon.exe
ishost.exe
h91746.exe
win5D9.tmp
win317.tmp

Any advice would be greatly appreciated.

Doctor
 
Hello and welcome to Techspot.

I have moved your post to its own thread, in order to save any confusion.

Go HERE and follow all the instructions exactly.

Post a fresh HJT log as a .txt attachment into this thread, only after doing the above.

Regards Howard :wave: :wave:

Edit: I've just noticed you have another thread running for this problem. I have deleted that thread and you should continue to post in this thread until your problem is solved. I looked at your HJT log and you need to follow the instructions in the above link.
 
Howard,

I followed the posts. I did not find anything on the HJT log name on the list for removal. Also, my virus infected files were in quarantine during all the cleans/scans. Would that prevent them from being cleaned?

Thanks,
Andrew
 
Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run a full system scan with your antivirus programme and delete whatever it finds, including anything in quarantine.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

MyWaySA

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

arpa.exe
OOL32~1.EXE
31fa4a5b.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://account.netzero.net/s/landing?group=quick-start&cf=qs

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)

O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Andy\MYDOCU~1\MCROSO~1\arpa.exe" -vt ndrv

O4 - HKCU\..\Run: [Lgxdkaz] C:\PROGRA~1\YMBOLS~1\OOL32~1.EXE

O4 - HKCU\..\Run: [31fa4a5b.exe] C:\Documents and Settings\Andy\Local Settings\Application Data\31fa4a5b.exe

O20 - AppInit_DLLs:

O20 - Winlogon Notify: winwly32 - C:\WINDOWS\SYSTEM32\winwly32.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Documents and Settings\Andy\Local Settings\Application Data\31fa4a5b.exe
C:\PROGRA~1\YMBOLS~1\OOL32~1.EXE
C:\DOCUME~1\Andy\MYDOCU~1\MCROSO~1\arpa.exe
C:\Program Files\MyWaySA

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winwly32.dll

Once your system has rebooted, turn system restore back on and post a fresh HJT log.

Let us know how your system is running.

Regards Howard :)

This thread is for the use of docter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
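An added check, not part of Howard's instructions and not HijackThis or TechSpot code: the PowerShell script below walks the same registry locations that the R1, R3, O2, O3, O4 and O20 lines above come from (the Run keys, URLSearchHooks, Browser Helper Objects, IE toolbars, Winlogon Notify packages, AppInit_DLLs and the proxy setting) and flags any entry whose target file no longer exists, which is the same signal HJT prints as "(file missing)" or "(no file)". It is read-only and deletes nothing. The function names are my own; it assumes a 32-bit Windows view (on 64-bit Windows it reads only the native hive, not Wow6432Node).

```powershell
# Added example: read-only audit of the autostart / hook locations behind the
# HijackThis R1, R3, O2, O3, O4 and O20 lines. Nothing here deletes anything.
# Function names are my own, not HijackThis or TechSpot code.

function Resolve-CommandPath {
    # Extract the executable path from a Run-key command such as
    #   "C:\DOCUME~1\Andy\MYDOCU~1\MCROSO~1\arpa.exe" -vt ndrv
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|cpl|scr|bat|cmd))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $c.Split(' ')[0]
}

function New-EntryReport {
    # One row per entry; Status mirrors HJT's "(file missing)" / "(no file)".
    param([string]$Kind, [string]$Name, [string]$Command)
    $path = Resolve-CommandPath $Command
    $status = if (-not $path) { 'NO FILE' }
              elseif (Test-Path -LiteralPath $path) { 'present' }
              else { 'FILE MISSING' }
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Path = $path; Status = $status }
}

function Get-ClsidServer {
    # BHOs, toolbars and URLSearchHooks are registered by CLSID; the DLL is the
    # default value of CLSID\{...}\InprocServer32.
    param([string]$Clsid)
    $p = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($p) { return [string]$p.'(default)' }
    return $null
}

function Get-ValueNames {
    # Value names under a key, minus the PS* metadata properties PowerShell adds.
    param([string]$Key)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

function Get-AutostartReport {
    # O4: Run keys in both hives
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($v in Get-ValueNames "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run") {
            New-EntryReport -Kind "O4 $hive\..\Run" -Name $v.Name -Command ([string]$v.Value)
        }
    }
    # R3: URLSearchHooks (value names are CLSIDs)
    foreach ($v in Get-ValueNames 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks') {
        New-EntryReport -Kind 'R3 URLSearchHook' -Name $v.Name -Command (Get-ClsidServer $v.Name)
    }
    # O2: Browser Helper Objects (subkeys are CLSIDs)
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' -ErrorAction SilentlyContinue |
        ForEach-Object { New-EntryReport -Kind 'O2 BHO' -Name $_.PSChildName -Command (Get-ClsidServer $_.PSChildName) }
    # O3: IE toolbars (value names are CLSIDs)
    foreach ($v in Get-ValueNames 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar') {
        if ($v.Name -like '{*}') { New-EntryReport -Kind 'O3 Toolbar' -Name $v.Name -Command (Get-ClsidServer $v.Name) }
    }
    # O20: Winlogon Notify packages (DLLName is usually a bare name found in System32)
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        New-EntryReport -Kind 'O20 Winlogon Notify' -Name $_.PSChildName -Command $dll
    }
    # O20: AppInit_DLLs (space- or comma-separated list; empty is the normal state)
    $appinit = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ($appinit -split '[ ,]' | Where-Object { $_ })) {
        New-EntryReport -Kind 'O20 AppInit_DLLs' -Name 'AppInit_DLLs' -Command $dll
    }
}

# R1: a ProxyServer of ":0" or an unexpected host is worth a look on its own
$proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue).ProxyServer
"R1 ProxyServer = '$proxy'"

Get-AutostartReport | Sort-Object Status, Kind | Format-Table -AutoSize Kind, Name, Status, Path
```

Running it before and after a clean-up gives a quick diff of what persistence is still registered. A "FILE MISSING" row is not harmless on its own: the loader entry is still there and the file will be recreated if the dropper is still running, which is why the thread ends processes before fixing the entries.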
 
Howard,

I did as you instructed. When I ran anti-virus, it did not find anything, but when I ran Spy Sweeper after restarting, it found a Trojan Virus winlogon hook which I deleted. Also, when I ran HJT to clean the files you specified, I got an error #5 Invalid procedure call or argument. mod Backup-makeBackup (sItem=020 AppInit_dlls) and when I ran killbox and typed in the file location it said it could not find the file. This could be my fault though, because before running Killbox, I emptied the recycle bin. Sorry I'm new to this kind of thing. I truly do appreciate all your help, hopefully I can convince my super cheap boss to make a donation. Any suggestions?

Thanks,
Andrew
 
I'd like you to run these three tools. Follow the instructions for using each tool carefully.

Tool1. Tool2. Tool3.

Post a fresh HJT log, only after doing the above.

There's no need for a donation as we're a commercial site paid for by advertising. Thanks for the offer anyway.

Regards Howard :)
 
Howard,

Just to make sure. Everything has gone crazy all over again. The viruses and popups are back. Should I start over and do the previous things again and then run those tools with the internet disabled?

Thanks,
Andy
 
I want you to run Killbox again, this should get rid of this file.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winwly32.dll

Once your system has rebooted, please post a fresh HJT log.

Regards Howard :)
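An added note, not part of Howard's reply and not Pocket Killbox's code: the "delete file on reboot" option works by asking Windows to remove the file during the next boot, and Windows records such requests in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The PowerShell below (my own code) lists what is queued so the path can be confirmed before rebooting, and a second function shows how such a deletion is queued using the documented MoveFileEx API with MOVEFILE_DELAY_UNTIL_REBOOT (0x4). The function names are assumptions of mine; the second function needs an elevated PowerShell.

```powershell
# Added example (my own code, not Pocket Killbox's): inspect, and optionally
# queue, "delete on reboot" requests. Windows stores them as (source, target)
# pairs in a REG_MULTI_SZ; an empty target means "delete", a leading "!" on
# the target means "replace the existing file".

function Get-PendingFileOperations {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    $rows = @()
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''          # strip the \??\ NT prefix
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        $dst = $dst -replace '^!?\\\?\?\\', ''
        $rows += [pscustomobject]@{
            Source = $src
            Action = if ($dst) { "move to $dst" } else { 'delete on reboot' }
        }
    }
    return $rows
}

function Request-DeleteOnReboot {
    # Same mechanism Killbox's option relies on: MoveFileEx with
    # MOVEFILE_DELAY_UNTIL_REBOOT (0x4) and no destination. Needs an elevated
    # PowerShell; the file stays in place until the next boot.
    param([Parameter(Mandatory)][string]$Path)
    if (-not ('Win32.Kernel32Move' -as [type])) {
        $sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
        Add-Type -MemberDefinition $sig -Name 'Kernel32Move' -Namespace 'Win32' | Out-Null
    }
    $full = [IO.Path]::GetFullPath($Path)
    if (-not [Win32.Kernel32Move]::MoveFileEx($full, $null, 4)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for $full (Win32 error $err)"
    }
    "Queued for deletion at next reboot: $full"
}

# Usage: list what is queued (run this after using Killbox, before rebooting)
Get-PendingFileOperations | Format-Table -AutoSize
# Usage (elevated): Request-DeleteOnReboot 'C:\WINDOWS\SYSTEM32\winwly32.dll'
```

If the file does not appear in the list, the deletion was never queued (for example because the path was mistyped), and rebooting will not remove it. Because Winlogon loads Notify DLLs at logon, an in-use DLL such as the one above normally cannot be deleted directly, which is why the reboot-time method is the one that works.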
 
OK. It would not allow me to do a standard file kill, but I believe it worked with the "delete on reboot".

thanks,
Andrew
 
It did say in the instructions I gave you to use the delete file on reboot option. Anyway, it's gone now.

Follow these instructions exactly.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

ipwins
ToolBar888

Close Control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ipwins.exe
arpa.exe
e?plorer.exe (the question mark in this file name is a random letter or number). Do not end the process for explorer.exe, or this will crash your system.

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)

O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll

O4 - HKLM\..\Run: [IpWins] "C:\Program Files\ipwins\ipwins.exe"

O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Andy\MYDOCU~1\MCROSO~1\arpa.exe" -vt yazr

O4 - HKCU\..\Run: [Xopb] C:\WINDOWS\SYSTEM32\??sembly\e?plorer.exe

O20 - AppInit_DLLs:

O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\SYSTEM32\??sembly\e?plorer.exe The question marks can be any random letter or number.
C:\DOCUME~1\Andy\MYDOCU~1\MCROSO~1\arpa.exe
C:\Program Files\ipwins
C:\Program Files\ToolBar888

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of docter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Well done. Your HJT log is now clean.

If you have any further virus/spyware problems, please post them in this thread.

Regards Howard :)

This thread is for the use of docter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard,

Thank you so much for your help, however, it appears that I still have much spyware and a trojan virus unless the anti-virus and spyware tools that haven't been working before start working. Do you think I should reformat?

Andrew
 
Reformatting would certainly clean your system from any nasties. Though I can't see any in your last HJT log.

If that's what you want to do then that's fine by me.

Regards Howard :)
 
I have a theory that SPY SWEEPER was causing my problems to continue. I had a 14 day trial edition that started automatically on startup. When I turned it off, pop ups poured in. Also, it was always the first program to find the Trojan Virus. When I uninstalled it and restarted, it was still running in my processes at 14MB and would not allow me to end it. Now that I've gotten rid of it, things seem fine. Please spread the gospel. SPY SWEEPER IS BAD
 
Spysweeper is normally thought of as being a very reputable piece of software.

However, it's possible the programme may have been corrupt or it's been giving you false positives. Did you download it from the official webroot site?

http://www.webroot.com/consumer/products/spysweeper/

I've never heard of any problems with Spysweeper, but I guess there's always a first time lol.

Regards Howard :)
 
docter, may I suggest you d/l SpyBot S&D (Search & Destroy) v1.4, which can be downloaded at http://www.safer-networking.org/en/index.html
This app specializes in going after malware of just about every type.
As you install this, you'll want to click the green arrow after each of the steps are completed. Let me know if you've decided to install it, and I'll give you instructions on *tweaking* it for maximum effect... Good Luck :). ~Shadowhawk
 
SS&D is undoubtedly a very good application. However, like all other antivirus/antispyware apps, it has its limitations. In docter's case one of the infections he had was a variant of the Smitfraud infection. As far as I'm aware, SS&D won't do anything against this particular variant of Smitfraud.

I am very interested to hear what you have to say about tweaking SS&D for maximum effect.

If you would be so kind as to provide details, it would be appreciated.

Regards Howard :)
 