ishost.exe & isnotify.exe - HJT log included

Status
Not open for further replies.
Hi

I've had problems with ishost.exe, isnotify.exe and ismon.exe.

I have looked at some of the threads on this site and have run the following programs:

smitfraud fix
virtumundobegone
look2me destroyer
cwshredder
adaware
spybot search & destroy

I managed to get rid of everything on Thursday, but then all the spyware and adware came back again on Friday, so I think there is something that I am missing but I am not sure what. Can you help please?

I have run HJT and attached the log file that has been created.
 
Hello and welcome to Techspot.

Please install a firewall. The free Zonealarm or the free Kerio firewalls are both very good. You can get them HERE and HERE.

Then, go HERE and follow the instructions exactly.

Post a fresh HJT log into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of zicon only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks i have carried out the instructions in the threads you specified.

I have attached my latest HJT log file.

The problem I notice that is still there is that there is still a process running called update.exe.

Also, Kerio firewall comes up with an intrusion attempt from winlogon.exe every now and then. I removed the values for winlogon using HJT (all the ones starting with O20) in safe mode, but when I restarted they had re-appeared.
 
Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

Download and run this tool HERE. This is not the same Vundo removal tool that you`ve already used.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

msdtc.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {3E292959-61A7-430D-B89C-3CC8E7099917} - (no file)

O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - (no file)

O2 - BHO: (no name) - {F4FC7C4E-B391-4801-9208-0B2E08CE5D7A} - (no file)

O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\WNSXS~1\msdtc.exe" -vt yazr

O17 - HKLM\System\CCS\Services\Tcpip\..\{8B2A4C3D-95C1-43B6-87A6-D3788A4843FC}: NameServer = 194.168.4.100,194.168.8.100 (Only fix this if it doesn't belong to your ISP.)

O20 - Winlogon Notify: awvtq - C:\WINDOWS\

O20 - Winlogon Notify: jkkjg - C:\WINDOWS\

O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\WINDOWS\system32\WNSXS~1

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\SYSTEM32\winwea32.dll

Once your system has rebooted, turn system restore back on.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of zicon only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
The Vundo removal tool didn't find any files.

msdtc.exe was not running as a process.

I ran HJT as you stated:

* I left O17 as the IP addresses are for my ISP
* I ticked all the others for removal

The directory C:\WINDOWS\system32\WNSXS~1 does not exist. However, there is a directory c:\windows\system32\WinSxS. Shall I delete this, or is this a legitimate directory?

I then deleted the winwea32.dll file, rebooted and enabled system restore again. Some files keep re-appearing in windows\temp, and some of the entries I removed using HJT have re-appeared too. I have attached the new log file :)
 
If this looks like a repeat of my above instructions, it is, only with a few changes.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

msdtc.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll

O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\WNSXS~1\msdtc.exe" -vt yazr

O20 - Winlogon Notify: awvtq - C:\WINDOWS\

O20 - Winlogon Notify: jkkjg - C:\WINDOWS\

O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

c:\windows\system32\WinSxS

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\SYSTEM32\awvtq.dll
C:\WINDOWS\SYSTEM32\jkkjg.dll

Once your system has rebooted, turn system restore back on and post a fresh HJT log.

Regards Howard :)
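The two sets of HJT entries above (the O2 BHOs with "(no file)", the O4 Run entry in the WNSXS~1 folder, the O17 NameServer line, and the O20 Winlogon Notify packages pointing at a bare C:\WINDOWS\ or a missing DLL) follow a regular line format, so the triage Howard does by eye can be written down as rules. The following is an added example, not code from the thread or from HijackThis; the sample log is constructed from the lines quoted in this thread, and the rule for O4 (flagging an 8.3 short-name folder such as WNSXS~1 as a lookalike) is a heuristic assumed here, not something HJT itself reports.

```python
import re
from dataclasses import dataclass

# Constructed sample: HJT log lines as quoted in this thread, not a real log file.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3E292959-61A7-430D-B89C-3CC8E7099917} - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\WNSXS~1\msdtc.exe" -vt yazr
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B2A4C3D-95C1-43B6-87A6-D3788A4843FC}: NameServer = 194.168.4.100,194.168.8.100
O20 - Winlogon Notify: awvtq - C:\WINDOWS\
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)
"""


@dataclass
class Finding:
    line: str     # the original HJT line
    reason: str   # why the rule fired
    action: str   # "fix" (tick it in HJT) or "verify" (needs a human decision)


# Every HJT entry starts with a section code (R3, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def parse_entries(log_text):
    """Return (section, body, raw_line) for every parseable HJT line; blanks are skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("type"), m.group("body"), raw))
    return entries


def triage_line(section, body, raw):
    """Apply the thread's rules of thumb to one entry."""
    if section == "R3" and "is missing" in body:
        return Finding(raw, "default URLSearchHook missing; HJT can restore it", "fix")
    if section == "O2":
        if body.endswith("(no file)"):
            return Finding(raw, "BHO CLSID still registered but its DLL is gone (orphan)", "fix")
        return Finding(raw, "BHO resolves to a DLL on disk; check the vendor before removing", "verify")
    if section == "O4":
        m = re.search(r'"([^"]+)"', body)
        exe = m.group(1) if m else ""
        folders = exe.split("\\")[:-1]
        # Heuristic (assumed here): a Run target in an 8.3 short-name folder such as WNSXS~1
        # is hiding a long folder name chosen to look like a real system directory.
        if any("~" in part for part in folders):
            return Finding(raw, "Run entry launches from an 8.3 short-name folder (lookalike directory)", "fix")
        return Finding(raw, "Run entry; confirm the program is wanted", "verify")
    if section == "O17":
        m = re.search(r"NameServer = (.+)$", body)
        servers = m.group(1) if m else "?"
        return Finding(raw, f"DNS servers {servers}; fix only if they are not your ISP's", "verify")
    if section == "O20":
        m = NOTIFY_RE.match(body)
        if m:
            path = m.group("path")
            if "(file missing)" in path:
                return Finding(raw, "Winlogon Notify package whose DLL no longer exists", "fix")
            if path.endswith("\\") or not path.lower().endswith(".dll"):
                return Finding(raw, "Winlogon Notify package with no DLL filename in its path", "fix")
            return Finding(raw, "Winlogon Notify package with a DLL on disk; verify it is known-good", "verify")
    return Finding(raw, "no rule for this section", "verify")


def triage(log_text):
    """Run every entry in an HJT log through triage_line."""
    return [triage_line(s, b, r) for s, b, r in parse_entries(log_text)]


def summarize(findings):
    """Count findings per action so the fix list and the verify list can be reported separately."""
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.line}\n         {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed sample this marks five entries "fix" (the R3 line, the orphan O2, the WNSXS~1 O4, and both O20 lines) and two "verify" (the SnagIt BHO and the O17 DNS servers), which matches the manual decisions in the thread: the poster kept O17 because the addresses belonged to their ISP, and the SnagIt BHO is a vendor DLL that exists on disk rather than an orphan.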
 