TechSpot

Virus problem.

By docter
Jul 27, 2006
  1. ismon and ishost.exe from Trojan

    Hello,

I think I have a similar problem. I have a Trojan Zlob virus that keeps infecting more and more files. Spyware Blaster has stopped the pop ups but my Virus protection keeps adding files to the quarantine. I followed the procedure in Tool1 from the post, but figured I should find out if this is the right thing to do before proceeding. The following files are infected:
    DWH58FC.TMP
    DWHCB14.TMP
    apqbeb.tmp
    APQF7C.tmp
    apq1a1.tmp
    ismon.exe
    ishost.exe
    h91746.exe
    win5D9.tmp
    win317.tmp

    Any advice would be greatly appreciated.

    Doctor
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

I have moved your post to its own thread, in order to save any confusion.

    Go HERE and follow all the instructions exactly.

    Post a fresh HJT log as a .txt attachment into this thread, only after doing the above.

    Regards Howard :wave: :wave:

Edit: I've just noticed you have another thread running for this problem. I have deleted that thread and you should continue to post in this thread until your problem is solved. I looked at your HJT log and you need to follow the instructions in the above link.
     
  3. docter

    docter TS Rookie Topic Starter

    Howard,

I followed the posts. I did not find anything on the HJT log name on the list for removal. Also, my virus infected files were in quarantine during all the cleans/scans. Would that prevent them from being cleaned?

    Thanks,
    Andrew
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Run a full system scan with your antivirus programme and delete whatever it finds, including anything in quarantine.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    MyWaySA

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

    arpa.exe
    OOL32~1.EXE
    31fa4a5b.exe

    Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://account.netzero.net/s/landing?group=quick-start&cf=qs

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

    O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)

    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)

    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Andy\MYDOCU~1\MCROSO~1\arpa.exe" -vt ndrv

    O4 - HKCU\..\Run: [Lgxdkaz] C:\PROGRA~1\YMBOLS~1\OOL32~1.EXE

    O4 - HKCU\..\Run: [31fa4a5b.exe] C:\Documents and Settings\Andy\Local Settings\Application Data\31fa4a5b.exe

    O20 - AppInit_DLLs:

    O20 - Winlogon Notify: winwly32 - C:\WINDOWS\SYSTEM32\winwly32.dll

    Click on the fix checked button.

    Close HJT.

Locate and delete the following bold files and/or directories (if there).

    C:\Documents and Settings\Andy\Local Settings\Application Data\31fa4a5b.exe
    C:\PROGRA~1\YMBOLS~1\OOL32~1.EXE
    C:\DOCUME~1\Andy\MYDOCU~1\MCROSO~1\arpa.exe
    C:\Program Files\MyWaySA

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winwly32.dll

    Once your system has rebooted, turn system restore back on and post a fresh HJT log.

    Let us know how your system is running.

    Regards Howard :)

This thread is for the use of docter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. docter

    docter TS Rookie Topic Starter

    Howard,

I did as you instructed. When I ran anti-virus, it did not find anything, but when I ran Spy Sweeper after restarting, it found a Trojan Virus winlogon hook which I deleted. Also, when I ran HJT to clean the files you specified, I got an error #5 Invalid procedure call or argument. mod Backup-makeBackup (sItem=020 AppInit_dlls) and when I ran killbox and typed in the file location it said it could not find the file. This could be my fault though, because before running Killbox, I emptied the recycle bin. Sorry, I'm new to this kind of thing. I truly do appreciate all your help; hopefully I can convince my super cheap boss to make a donation. Any suggestions?

    Thanks,
    Andrew
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

I'd like you to run these three tools. Follow the instructions for using each tool carefully.

    Tool1. Tool2. Tool3.

    Post a fresh HJT log, only after doing the above.

There's no need for a donation as we're a commercial site paid for by advertising. Thanks for the offer anyway.

    Regards Howard :)
     
  7. docter

    docter TS Rookie Topic Starter

    howard,

Just to make sure: everything has gone crazy all over again. The viruses and popups are back. Should I start over and do the previous things again and then run those tools with the internet disabled?

    thanks,
    andy
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No. Just run those tools as instructed, then post a fresh HJT log.

    Regards Howard :)
     
  9. docter

    docter TS Rookie Topic Starter

    ok. here she is.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I want you to run Killbox again, this should get rid of this file.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winwly32.dll

    Once your system has rebooted, please post a fresh HJT log.

    Regards Howard :)
     
  11. docter

    docter TS Rookie Topic Starter

OK. It would not allow me to do a standard file kill, but I believe it worked with the "delete on reboot".

    thanks,
    andrew
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

It did say in the instructions I gave you to use the delete file on reboot option. Anyway, it's gone now.

    Follow these instructions exactly.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    ipwins
    ToolBar888

    Close Control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

    ipwins.exe
    arpa.exe
e?plorer.exe (the question mark in this file is a random letter or number). Do not end the process for explorer.exe or this will crash your system.

    Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

    O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)

    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll

    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)

    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll

    O4 - HKLM\..\Run: [IpWins] "C:\Program Files\ipwins\ipwins.exe"

    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Andy\MYDOCU~1\MCROSO~1\arpa.exe" -vt yazr

    O4 - HKCU\..\Run: [Xopb] C:\WINDOWS\SYSTEM32\??sembly\e?plorer.exe

    O20 - AppInit_DLLs:

    O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\SYSTEM32\??sembly\e?plorer.exe The question marks can be any random letter or number.
    C:\DOCUME~1\Andy\MYDOCU~1\MCROSO~1\arpa.exe
    C:\Program Files\ipwins
    C:\Program Files\ToolBar888

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.

    Regards Howard :)

This thread is for the use of docter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
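The two clean-up posts above (posts 4 and 12) ask the reader to pick specific R1/R3/O2/O3/O4/O20 lines out of a HijackThis log by eye. The following is an added example, not code from TechSpot, HijackThis or anyone in this thread: a small Python triage pass over HJT-style lines that encodes three of the signals Howard is applying by hand: entries whose target file is gone ("(no file)" / "(file missing)"), autostarts launched from a user profile directory (the `DOCUME~1\...\arpa.exe` pattern), and path components that imitate a Windows name with one character changed (`??sembly\e?plorer.exe`, where the forum uses `?` for a random character). The log lines are a constructed sample modelled on the ones quoted in the thread, plus one benign control entry (ctfmon.exe); the verdict names and the `KNOWN_NAMES` / `USER_WRITABLE` lists are this example's own choices.

```python
"""Triage of HijackThis-style log lines (added example; not an HJT or TechSpot tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the HJT lines quoted in this thread, plus one
# benign control line (ctfmon.exe) so the triage has something to leave alone.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\\Program Files\\MyWaySA\\SrchAsDe\\1.bin\\deSrcAs.dll
O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\\progra~1\\mcafee.com\\vso\\mcvsshl.dll (file missing)
O4 - HKCU\\..\\Run: [Sen] "C:\\DOCUME~1\\Andy\\MYDOCU~1\\MCROSO~1\\arpa.exe" -vt yazr
O4 - HKCU\\..\\Run: [Xopb] C:\\WINDOWS\\SYSTEM32\\??sembly\\e?plorer.exe
O4 - HKLM\\..\\Run: [IpWins] "C:\\Program Files\\ipwins\\ipwins.exe"
O4 - HKLM\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winwly32 - C:\\WINDOWS\\SYSTEM32\\winwly32.dll
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First Windows path in the line, up to its executable/DLL/TMP extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|tmp)\b", re.IGNORECASE)

# Names the malware in this thread imitated (e?plorer.exe, ??sembly); example's own list.
KNOWN_NAMES = ("explorer.exe", "assembly", "system32", "svchost.exe", "winlogon.exe")
# Profile/temp locations: legitimate autostarts rarely launch from here (example's own list).
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\local settings\\",
                 "\\application data\\", "\\my documents\\", "\\mydocu~1\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    verdict: str   # "orphan", "suspicious", "review", "ok", "unflagged"
    reason: str
    line: str


def looks_like(name: str, known: str) -> bool:
    """True if `name` is `known` with at most one character changed.
    A '?' (the forum's notation for a random character) matches anything."""
    name, known = name.lower(), known.lower()
    if name == known or len(name) != len(known):
        return False
    mismatches = sum(1 for a, b in zip(name, known) if a != b and a != "?")
    return mismatches <= 1


def lookalike_components(path: str) -> List[str]:
    """Path components that imitate one of KNOWN_NAMES."""
    return [part for part in path.split("\\")
            for known in KNOWN_NAMES if looks_like(part, known)]


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()

    if "(no file)" in low or "(file missing)" in low:
        return Finding(section, "orphan", "entry points at a file that no longer exists", line)
    if section == "R1" and "proxyserver" in low:
        return Finding(section, "review", "proxy server setting was changed; confirm it is intended", line)
    if section == "O20" and low.strip() == "appinit_dlls:":
        return Finding(section, "ok", "AppInit_DLLs is empty: nothing is loaded from it", line)

    path_m = PATH_RE.search(body)
    path = path_m.group(0) if path_m else ""
    fakes = lookalike_components(path)
    if fakes:
        return Finding(section, "suspicious", f"path component(s) {fakes} imitate a Windows name", line)
    if any(marker in path.lower() for marker in USER_WRITABLE):
        return Finding(section, "suspicious", "autostart runs a binary from a user profile directory", line)
    if section == "O20":
        return Finding(section, "review", "Winlogon Notify DLL loads at logon; verify publisher and hash", line)
    return Finding(section, "unflagged", "no heuristic matched", line)


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summary(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.verdict:<11} {f.reason}")
```

Run against the sample, the pass marks the two dead entries as orphans, the `DOCUME~1` autostart and the `??sembly\e?plorer.exe` entry as suspicious, and puts the proxy change and the Winlogon Notify DLL up for review. It leaves the MyWaySA search hook and the ipwins autostart unflagged: those were identified in the thread by recognising the product names, which a heuristic pass cannot do without a reputation list, so the example is a first filter to shorten the log, not a replacement for the reading Howard does.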
     
  13. docter

    docter TS Rookie Topic Starter

OK. None of the files I was to delete were found.

    andrew
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well done. Your HJT log is now clean.

    If you have any further virus/spyware problems, please post them in this thread.

    Regards Howard :)

This thread is for the use of docter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. docter

    docter TS Rookie Topic Starter

    Howard,

    Thank you so much for your help, however, it appears that I still have much spyware and a trojan virus unless the anti-virus and spyware tools that haven't been working before start working. Do you think I should reformat?

    Andrew
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

Reformatting would certainly clean your system from any nasties, though I can't see any in your last HJT log.

If that's what you want to do then that's fine by me.

    Regards Howard :)
     
  17. docter

    docter TS Rookie Topic Starter

    I have a theory that SPY SWEEPER was causing my problems to continue. I had a 14 day trial edition that started automatically on startup. When I turned it off, pop ups poured in. Also, it was always the first program to find the Trojan Virus. When I uninstalled it and restarted, it was still running in my processes at 14MB and would not allow me to end it. Now that I've gotten rid of it, things seem fine. Please spread the gospel. SPY SWEEPER IS BAD
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Spysweeper is normally thought of as being a very reputable piece of software.

However, it's possible the programme may have been corrupt or it's been giving you false positives. Did you download it from the official Webroot site?

    http://www.webroot.com/consumer/products/spysweeper/

I've never heard of any problems with Spysweeper, but I guess there's always a first time lol.

    Regards Howard :)
     
  19. Shadowhawk

    Shadowhawk TS Rookie

    docter, may I suggest you d/l SpyBot S&D (Search & Destroy) v1.4, which can be downloaded at http://www.safer-networking.org/en/index.html
    This app specializes in going after malware of just about every type.
    As you install this, you'll want to click the green arrow after each of the steps are completed. Let me know if you've decided to install it, and I'll give you instructions on *tweaking* it for maximum effect... Good Luck :). ~Shadowhawk
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

SS&D is undoubtedly a very good application. However, like all other antivirus/antispyware apps, it has its limitations. In docter's case one of the infections he had was a variant of the Smitfraud infection. As far as I'm aware, SS&D won't do anything against this particular variant of Smitfraud.

    I am very interested to hear what you have to say about tweaking SS&D for maximum effect.

If you would be so kind as to provide details, it would be appreciated.

    Regards Howard :)
     
Topic Status:
Not open for further replies.
