Abs.Net web Page

Share Your Knowledge, Build your Network..

isi32.exe removal, in case it does not show up in your Task Manager

Posted by Hari Saryono on 11 February 2009


Well, this is the second part of my first isi32.exe removal post. Unluckily, at the time of my first post, isi32.exe wasn't running in memory on my machine yet, so I thought it was a false alarm. I only knew for sure that this is a virus when I looked at my friend's computer and found isi32.exe there. Trying to delete it directly in Total Commander failed, because the virus was still running. After trying for a while, I found a way to remove this threat.

To cut my explanation short, you can't use Task Manager, Extended Task Manager or similar task manager programs to see this virus. Instead, use the program I show you. But remember, USE THIS PROGRAM WITH DEEP CAUTION, because you will only RUIN your WINDOWS if you DO it wrong.

a. Deleting Hidden Registry Start-up

  1. Make sure your computer is infected by searching for isi32.exe on your HARD DRIVE and USB DRIVE. It is better to use Total Commander.
  2. Unplug your USB drive.
  3. Download the program here
  4. EXPLORE the zip file and double-click AUTORUNS.exe
  5. Click the EVERYTHING tab, and press CTRL + F to find a file
  6. Type isi32.exe in the search box. You'll find a registry entry in recycler bla bla bla pointing to this file.
  7. Press DELETE and confirm
  8. (I don't know whether this virus triggers wscript.exe or not, but this step is just to make sure.) Repeat step 6, but search for wscript.exe. Do step 7.
  9. CLOSE autoruns.exe

b. Searching Registry Trigger

  1. Open the registry editor by typing regedit in Start/Run
    • If a message box informs you that registry editing is disabled, enable it with the script here
  2. Search for every occurrence of isi32.exe (there were more than 5 on my computer) by pressing CTRL+F and typing isi32.exe.
  3. Delete every occurrence of isi32.exe
  4. Repeat this step using the F3 key

c. Killing autorun function

It's important to disable the autorun function on your computer, because many viruses use this function to spread. The only drawback is that when you insert a USB drive or CD-ROM, it won't play automatically. I suggest using Total Commander the first time you open a drive, to spot hidden files. Follow these steps to turn off this function:

  • a. In Start/Run, type “gpedit.msc”. If you use Windows XP Home, gpedit isn't available; please download here. I found that with every tool I know for Windows Home edition, it does not succeed! Any ideas? (edited: March 19, 2009)
  • b. In gpedit, choose “Computer Configuration/Administrative Templates/System”
  • c. Click “Turn off Autoplay” and choose “Enabled”
  • d. Choose “All drives” in the drop-down menu
  • e. Click “Apply” and “OK”

When you have finished the steps above, please restart your computer. After the restart, do these steps:

  1. Plug in your USB drive
  2. Open Total Commander
  3. Search for isi32.exe in Total Commander on your C: and USB drives
  4. Delete that file

If you still can’t use Total Commander, please see this overview.

Congratz, your computer is free from that virus. If you're not sure, check again using autoruns.exe.
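
A read-only way to re-check the three areas from sections a to c, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later, looks only at the Run and RunOnce keys (a small subset of what Autoruns shows), and reads the NoDriveTypeAutoRun policy value, where 0xFF corresponds to "All drives"; the function names are illustrative.

```powershell
# Added example: read-only checks; nothing is deleted or modified.
$Needle = 'isi32.exe'   # file name from the post

# Assumption: only the classic Run/RunOnce keys; Autoruns covers many more locations.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-StartupReference {
    param([string[]]$Keys, [string]$Pattern)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -like "*$Pattern*") {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Get-AutoRunPolicy {
    # Value written by the "Turn off Autoplay" policy; 0xFF means all drive types.
    $path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $prop = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'not set' }
    $v = $prop.NoDriveTypeAutoRun
    if ($v -is [byte[]]) { $v = $v[0] }   # some systems store it as REG_BINARY
    '0x{0:X2}' -f [int]$v
}

function Find-AutorunInf {
    # autorun.inf is usually hidden, so -Force is needed to retrieve it.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path -Path $drive.Root -ChildPath 'autorun.inf'
        if (Test-Path -LiteralPath $inf) { Get-Item -LiteralPath $inf -Force }
    }
}

$hits = @(Find-StartupReference -Keys $RunKeys -Pattern $Needle)
"Startup values referencing ${Needle}: $($hits.Count)"
$hits | ForEach-Object { "  $($_.Key) -> $($_.Name) = $($_.Data)" }
"NoDriveTypeAutoRun: $(Get-AutoRunPolicy)"
Find-AutorunInf | ForEach-Object { "autorun.inf present: $($_.FullName)" }
```

A clean result is zero startup values, `0xFF` for the policy, and no unexpected autorun.inf in a drive root; it does not replace the full registry search in section b.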

3 Responses to “isi32.exe removal, in case it does not show up in your Task Manager”

  1. kevin said

    Still the same… I don't understand your last step about “Total Commander”. I did all the steps; after restart, the recycler and isi32.exe are still running.

  2. webmaster said

    OK Kevin, have you killed your autorun function in step c? I suspect that your USB is still attached, so the autorun.inf will trigger the virus again. Alternatively, please send me the isi32.exe you have in a zipped file; zip it again and give it a password, then upload to
    http://filefront.com
    username : theviruskiller
    password : vkiller
    upload there, and give me the password you've set on this file. I'll infect my computer with yours and tell you the steps to clean it.

    regards,
    Harry

  3. […] } Do you have dir32.exe in your recycler?. If so, please reference to isi32.exe removal, this virus only it’s […]
