My HJT log

Posted by: macdude425

Lately, I've been having lots of problems with a Dell my mom owns. So, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:21:08 AM, on 4/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\PSSVC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\3COM_DMI\3CDMINIC.EXE
C:\DMI\BIN\WIN32SL.EXE
C:\NOVELL\CLIENT32\WM95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\DMI\BIN\DELLDMI.EXE
C:\DMI\BIN\MONITOR.EXE
C:\DMI\BIN\NIC.EXE
C:\DMI\BIN\COO.EXE
C:\DMI\BIN\DNAR.EXE
C:\DMI\BIN\NODEMNGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\NWLXKX.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\SNUYS.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.20.0.08:3128
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EspIEObj Class - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\ESAFE\PROTECT\espie.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [NDPS] c:\windows\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [vptray] c:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\FTMRLK.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\NWLXKX.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [7DPmddt] C:\SNUYS.EXE
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\pxckdla.exe
O4 - HKLM\..\RunServices: [AutoShutdown] C:\WINDOWS\pssvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [3Com DMI Agent] C:\WINDOWS\SYSTEM\3com_dmi\3CDMINIC.EXE
O4 - HKLM\..\RunServices: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i -p -r
O4 - HKLM\..\RunServices: [Workstation Scheduler] C:\novell\client32\wm95.exe
O4 - HKLM\..\RunServices: [rtvscn95] c:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O14 - IERESET.INF: START_PAGE_URL=http://education.dellnet.com/
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1001326.cab

Posted by: macdude425

BUMP

Posted by: Lobos

Hello macdude425

1) Click "Start | Search", then search for each of these programs' base names, in all files and folders:
WEBREBATES1.EXE*
ISTSVC.EXE*
2) Then, if any are found in the 'prefetch' folder, delete them. Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Go to Add/Remove Programs and remove (uninstall) the following, if present:
Web Rebates
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Download the Adware.Istbar removal utility from Symantec (http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html) and follow the instructions on the same page.

===============

Run HiJackThis, then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
- Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
Now double-check and make sure that only those items above are highlighted, then click "Kill process". Now click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the DLLs we're going to remove, by entering the following:
regsvr32 /u SYSTB.DLL
regsvr32 /u YSB.DLL
It's ok if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EspIEObj Class - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\ESAFE\PROTECT\espie.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_1001326.cab
Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following items, if present. Make sure you're able to view system and hidden files/folders:
folders...
C:\PROGRAM FILES\WEB_REBATES
C:\PROGRAM FILES\ISTSVC
C:\PROGRA~1\YOURSI~1
files...
C:\WINDOWS\SYSTB.DLL
Search for...
\ISTsvc\istsvc.exe
...using "Start | Search...".
- Note that some of these files may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam).

===============

Post back a new log, and let me know how everything goes.
- Lobos.

Posted by: Warez Monster

Remove entries at your own risk.

C:\DMI\BIN\DNAR.EXE running process. (DNAR.EXE) Unknown, except that it is not necessary. Tends to phone home a lot. DMI related - see here. This is a nasty process! You should fix it and try to delete it manually!
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE running process. (WEBREBATES0.EXE) TrojanDownloader.Win32.Agent.y
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE running process. (WEBREBATES1.EXE) TrojanDownloader.Win32.Agent.y
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE running process. (ISTSVC.EXE) ISTBar foistware
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) Should be fixed.
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL Must be fixed!
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL Must be fixed!
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe" TrojanDownloader.Win32.Agent.y
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe ISTBar foistware
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm The entry Web Rebates has been identified as nasty.
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe Nasty. This entry is possibly nasty. Should be fixed.
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_1001326.cab Should be fixed.
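The two helpers above triage the log by hand: they flag registered components whose file no longer exists ("(no file)", "(file missing)"), anything living under the Web Rebates, ISTSVC and YourSiteBar paths, the ActiveX download objects (O16), and in passing a proxy setting that redirects all of IE's traffic. The script below is an added example, not code from the thread or from HijackThis, that applies those same heuristics mechanically to a subset of the log posted above (forum markup stripped, the O4 section shortened to three representative entries). The indicator list `THREAD_INDICATORS` is an assumption taken from the component names the helpers called out; it is not a general malware signature set.

```python
"""Triage a HijackThis (HJT) log with the heuristics used in the thread above."""
import re
from dataclasses import dataclass

# Entries copied from the log posted above ([url] tags removed); the O4
# section is shortened to three representative lines to keep the sample short.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.20.0.08:3128
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EspIEObj Class - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\ESAFE\PROTECT\espie.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptray] c:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1001326.cab
"""

# Assumption: path fragments of the components the helpers in the thread named
# (Web Rebates, ISTBar/ISTSVC, YourSiteBar). Compared case-insensitively.
THREAD_INDICATORS = ("WEB_REBATES", "ISTSVC", "YSB.DLL", "SYSTB.DLL", "YOURSI~1")

# Every HJT entry starts with a section code (R0..R3, O1..O2x) and " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")


@dataclass
class Entry:
    section: str  # e.g. "R1", "O2", "O4", "O16"
    body: str     # everything after the section code


def parse_hjt(text: str) -> list[Entry]:
    """Return the section entries of an HJT log, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Attach a list of reasons to every entry the thread's heuristics would flag."""
    findings = []
    for e in entries:
        reasons = []
        upper = e.body.upper()
        if "(NO FILE)" in upper or "(FILE MISSING)" in upper:
            reasons.append("registered component whose file is absent (orphaned entry)")
        if any(ind in upper for ind in THREAD_INDICATORS):
            reasons.append("path matches a Web Rebates / ISTBar / YourSiteBar component named in the thread")
        if e.section == "O16":
            reasons.append("ActiveX download object: confirm the publisher is one you want")
        if e.section == "R1" and "PROXYSERVER" in upper:
            reasons.append("IE proxy is set: confirm it is intentional, since it redirects all browser traffic")
        if reasons:
            findings.append((e, reasons))
    return findings


def summarize(text: str) -> dict:
    """Count parsed entries and how many the heuristics flag."""
    entries = parse_hjt(text)
    return {"entries": len(entries), "flagged": len(triage(entries))}


if __name__ == "__main__":
    for entry, reasons in triage(parse_hjt(HJT_LOG)):
        print(f"{entry.section} - {entry.body}")
        for r in reasons:
            print(f"    -> {r}")
    print(summarize(HJT_LOG))
```

On the sample above the heuristics flag 11 of the 15 entries and leave the Yahoo start page, the Dell default page, the Microsoft &Radio toolbar and the Norton tray entry alone, which matches the lines the helpers told the poster to fix. The reasons are reported rather than acted on, because, as the thread itself shows, the decision to remove an entry needs a human who knows what software the machine is supposed to have.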