My HJT log

Status
Not open for further replies.
macdude425

macdude425

Member (again)
Messages
4,202
Location
Raul's Wild Kingdom...How 'bout that, huh?
Lately, I've been having lots of problems with a Dell my mom owns. So, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:21:08 AM, on 4/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\PSSVC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\3COM_DMI\3CDMINIC.EXE
C:\DMI\BIN\WIN32SL.EXE
C:\NOVELL\CLIENT32\WM95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\DMI\BIN\DELLDMI.EXE
C:\DMI\BIN\MONITOR.EXE
C:\DMI\BIN\NIC.EXE
C:\DMI\BIN\COO.EXE
C:\DMI\BIN\DNAR.EXE
C:\DMI\BIN\NODEMNGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\NWLXKX.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\SNUYS.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.20.0.08:3128
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EspIEObj Class - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\ESAFE\PROTECT\espie.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [NDPS] c:\windows\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [vptray] c:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\FTMRLK.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\NWLXKX.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [7DPmddt] C:\SNUYS.EXE
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\pxckdla.exe
O4 - HKLM\..\RunServices: [AutoShutdown] C:\WINDOWS\pssvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [3Com DMI Agent] C:\WINDOWS\SYSTEM\3com_dmi\3CDMINIC.EXE
O4 - HKLM\..\RunServices: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i -p -r
O4 - HKLM\..\RunServices: [Workstation Scheduler] C:\novell\client32\wm95.exe
O4 - HKLM\..\RunServices: [rtvscn95] c:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O14 - IERESET.INF: START_PAGE_URL=http://education.dellnet.com/
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1001326.cab
 
Hello macdude425




1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

WEBREBATES1.EXE*
ISTSVC.EXE*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

Web Rebates

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Download the Adware.Istbar removal utility from Symantec and following the instructions on the same page.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u SYSTB.DLL
regsvr32 /u YSB.DLL

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: EspIEObj Class - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\ESAFE\PROTECT\espie.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL

O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_1001326.cab


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...

C:\PROGRAM FILES\WEB_REBATES
C:\PROGRAM FILES\ISTSVC
C:\PROGRA~1\YOURSI~1

files...

C:\WINDOWS\SYSTB.DLL

Search for...

\ISTsvc\istsvc.exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Post back a new log, and let me know how everything goes.

-

Lobos.
 
Remove entries at your own risk

C:\DMI\BIN\DNAR.EXE running process. (DNAR.EXE)
Unknown, except that it is not necessary. Tends to phone home a lot. DMI related - see here This is a nasty process! You should fix it and try to delete it manually!

C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE running process. (WEBREBATES0.EXE)
TrojanDownloader.Win32. Agent.y

C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE running process. (WEBREBATES1.EXE)
TrojanDownloader.Win32. Agent.y

C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE running process. (ISTSVC.EXE)
ISTBar foistware

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) Should be fixed.

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL Must be fixed!

O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL Must be fixed!

O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe" TrojanDownloader.Win32. Agent.y

O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe ISTBar foistware

O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm The entry Web Rebates has been identified as nasty.

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
Nasty This entry is possibly nasty. Should be fixed.

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_1001326.cab Should be fixed.
 
Status
Not open for further replies.

Similar threads

XWrench3
hijack this scan
Replies
6
Views
2K
XWrench3
XWrench3
N
Laptop slowing down in function (internet and general apps)
Replies
1
Views
3K
Trotter
Trotter
G
Computer slow and work in background
Replies
0
Views
2K
grecycle99
G
N
Your computer appears to be correctly configured, but the device or resource (DNS server) is not responding"
Replies
0
Views
4K
nev
N
M
computer suddenly slowed down.
Replies
0
Views
3K
mike3dp
M
Back
Top Bottom