
I've been badly trojanned: ishost, winfix etc.

By ZetaPoint · 5 replies
Sep 10, 2006
  1. Note: Just in case my HJT log isn't enough to diagnose the problems, I have included more information regarding the problems I have been having below. Don't be intimidated by this and feel free to just check out the log and skip this text wall.

    Since some time last night I have been getting some quite bad problems with what seems to be some kind of a trojan that my Norton hasn't been able to pick up. It seems to keep downloading other malware/spyware which Norton has caught, but I seem to have a bigger underlying cause considering the multitude of problems I keep getting.

    The problems that I tend to get are:

    When booting up my account I get an error saying there was a problem with winlogon.exe and asking if I would like to send an error report. If I later run an Ad-Aware scan after this error, I get a system reference memory error to do with winlogon and then get a fatal system error resulting in a blue screen similar to a blue screen of death.

    Often when opening IE or anything using normal Explorer (My Computer or any other system file browsing, but not the desktop) the process, iexplore.exe or explorer.exe, will close itself and in the case of Explorer will automatically restart itself on the desktop. Firefox however continues to work correctly. Sometimes after a restart this won't happen but other times even just after a fresh boot this will happen.

    When IE does manage to open, whatever I have set as the homepage, Google for instance, will always redirect me to http//:www.uptodateportection.com. While all other sites continue to work, whatever the homepage is will redirect there. This includes if I set it to a blank page.

    Out of the things that Norton did pick up and presumably delete was some spyware called Winfix which I believe might not have been completely gone due to the IE problems. I have checked the registry for signs of it according to the manual removal instructions that Symantec had on their site, but I couldn't find any of its values or keys in the registry editor.

    I also had the series of processes ishost, ismini, issearch, and isnotify which I managed to track down to .exe files in my system32 and which I deleted. I believe that Ad-Aware picked up the other files related to those as well.

    Any help would be greatly appreciated.
  2. Samstoned

    Samstoned TechSpot Paladin Posts: 1,018

    I had a heck of a time with issearch, ismini and the likes.
    If your system is compromised, best do a reinstall; save the time and headache.
    Gather your files on the main system that you really need, run them through the virus checker and save.
    I don't keep much on my main for this reason.
    Does not happen to me much.
    The above I did on purpose to try and remove this trojan.
    All fixes on the net did not work. I did get it stable for a while, then went to Trend Micro and fireworks started; Ewido just crashed, Spybot S&D kept deleting the same files over and over again.
    Good luck.
    PS I don't use AV on my other machines, no virus or trojans for over a year now.
    Keep safe
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions exactly.

    Post fresh HJT and Ewido logs into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of ZetaPoint only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. ZetaPoint

    ZetaPoint TS Rookie Topic Starter

    I just spent the better part of my day working through all those tools/full system scans. From what I've seen all of the noticeable problems were solved, but I'd still like to be sure that I don't have anything unnoticed compromising my system security.

    Here's the log files.

    As the Ewido file was quite massive (436 quarantined files I believe) I split it into 2 files to fit the 100kb file upload limit.
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    PowerReg Scheduler V3.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

    O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)

    O2 - BHO: CPub Object - {CA70AF0D-0D07-4b80-9ECE-B0F1BEFC5822} - C:\Program Files\Byteswarm\DLInterceptor.dll (file missing)

    O4 - Startup: PowerReg Scheduler V3.exe

    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab

    O16 - DPF: {FDF6378C-7B5D-4ABF-BA1F-92748305FFAC} (DownloadManagerInstall Control) - http://beta.byteswarm.com/agent/

    O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    PowerReg Scheduler V3.exe: Search your system for this file and delete all instances of it.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Other than the above, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of ZetaPoint only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
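Howard's fix list above is the result of reading a HijackThis log line by line and deciding which O2/O4/O16/O20 entries are dead pointers, hidden components or autostarts worth removing. The following script is an added example of that reading done in code; it is not part of this thread and not a HijackThis or TechSpot tool. It parses HJT-style lines into their section code, kind and detail, then applies three "fix" heuristics (an entry marked "(file missing)", a Winlogon Notify DLL, and a BHO with no name) and two "review" heuristics (any O4 autostart, and any O16 ActiveX download with its source host extracted). The sample log is the set of lines Howard asked to be fixed, plus one constructed O4 Run entry for ctfmon.exe so there is something ordinary to compare against. Note that the heuristics leave the MSN "ST" BHO alone even though Howard ticked it, which is the point: they narrow the list, they do not replace the judgment of whoever reads the log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: the entries Howard lists for removal above, plus one
# ordinary O4 Run entry (ctfmon.exe) added here so the triage has something it
# should leave alone. Raw string, so the Windows backslashes are literal.
SAMPLE_LOG = r"""
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: CPub Object - {CA70AF0D-0D07-4b80-9ECE-B0F1BEFC5822} - C:\Program Files\Byteswarm\DLInterceptor.dll (file missing)
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {FDF6378C-7B5D-4ABF-BA1F-92748305FFAC} (DownloadManagerInstall Control) - http://beta.byteswarm.com/agent/
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O<n> - <kind>: <detail>" is the shape every entry above shares.
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

# Flags that mean "tick it and press Fix checked"; any other flag means "review".
FIX_FLAGS = {"orphaned", "winlogon-notify", "unnamed-bho"}


@dataclass
class Finding:
    code: str      # HJT section, e.g. "O20"
    kind: str      # e.g. "Winlogon Notify"
    detail: str    # the rest of the line
    flags: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        if FIX_FLAGS & set(self.flags):
            return "fix"
        return "review" if self.flags else "ok"


def parse_entry(line: str) -> Optional[Finding]:
    """Split one HJT line into code/kind/detail; None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return Finding(m.group(1), m.group(2), m.group(3)) if m else None


def triage_entry(f: Finding) -> Finding:
    d = f.detail
    # The registry still points at a file the AV already deleted: a dead
    # pointer that is safe to remove and that HJT marks explicitly.
    if "(file missing)" in d:
        f.flags.append("orphaned")
    # O20 DLLs are loaded by winlogon.exe at logon, so a bad or missing one
    # lines up with the winlogon.exe errors ZetaPoint describes. Third-party
    # entries here are rare enough to always deserve attention.
    if f.code == "O20" and f.kind == "Winlogon Notify":
        f.flags.append("winlogon-notify")
    # A BHO that registered no name is hiding rather than identifying itself.
    if f.code == "O2" and d.startswith("(no name)"):
        f.flags.append("unnamed-bho")
    # O16: ActiveX controls the browser downloaded. Record the source host so
    # a human can judge whether it belongs there.
    if f.code == "O16":
        m = re.search(r"https?://([^/\s]+)", d)
        f.flags.append("activex-from:" + (m.group(1) if m else "unknown"))
    # O4: anything that autostarts gets a look, even though most are benign.
    if f.code == "O4":
        f.flags.append("autostart")
    return f


def triage(log_text: str) -> List[Finding]:
    out = []
    for line in log_text.splitlines():
        f = parse_entry(line)
        if f:
            out.append(triage_entry(f))
    return out


def fix_list(log_text: str) -> List[str]:
    """Lines the heuristics would tick for 'Fix checked' in HJT."""
    return [f"{f.code} - {f.kind}: {f.detail}"
            for f in triage(log_text) if f.severity == "fix"]


def activex_hosts(log_text: str) -> List[str]:
    """Hosts that O16 entries pulled ActiveX controls from, in log order."""
    return [fl.split(":", 1)[1]
            for f in triage(log_text) for fl in f.flags
            if fl.startswith("activex-from:")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.code:4} {f.kind}: {f.detail[:60]}  {f.flags}")
```

Run it on a real log by reading the file into `triage()` instead of `SAMPLE_LOG`; the "fix" rows are the dead pointers and logon-time DLLs, the "review" rows are the autostarts and ActiveX sources that still need a pair of eyes.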
  6. ZetaPoint

    ZetaPoint TS Rookie Topic Starter

    Thanks for the help, I'll get on that first thing tomorrow.