does anyone know what these files do?

Guest

I've just installed ZoneAlarm onto my system and it keeps telling me that the
following files are trying to gain access to the internet from my computer
and do I wish to allow or deny them:

C:\WINDOWS\System32\dpsnfo.exe
C:\WINDOWS\System32\drmhz.exe

Does anyone know what they are? The reason I'm asking is I got infected by
that IST toolbar scumbag and it installed loads of spyware onto my system.
I've spent the last 2 days trying to disinfect my computer and (touch wood)
I've succeeded but I just want to make sure these files aren't connected to
the spyware and if they aren't is it safe to allow them access.

Cheers
 
David H. Lipman

From: "gort" <[email protected]>

| I've just installed ZoneAlarm onto my system and it keeps telling me that the
| following files are trying to gain access to the internet from my computer
| and do I wish to allow or deny them:
|
| C:\WINDOWS\System32\dpsnfo.exe
| C:\WINDOWS\System32\drmhz.exe
|
| Does anyone know what they are? The reason I'm asking is I got infected by
| that IST toolbar scumbag and it installed loads of spyware onto my system.
| I've spent the last 2 days trying to disinfect my computer and (touch wood)
| I've succeeded but I just want to make sure these files aren't connected to
| the spyware and if they aren't is it safe to allow them access.
|
| Cheers

Looks like you still are infected with malware!

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache
Tools --> Options --> Privacy --> Cache --> Clear

1) Download TrendMicro Sysclean by one of the following 2 methods

Trend Sysclean Method 1
---------------------------------------
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt584.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

Trend Sysclean Method 2
---------------------------------------
Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe

2) Download Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions.

3) Reboot your PC into Safe Mode and shutdown as many applications as possible.

4) Using both the Trend Sysclean utility and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)

5) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Ad-aware

* * * Please report back your results * * *
 
Guest

Kelly said:
Run this combo:

Run Ad-Aware SE, Spybot, CWShredder and HijackThis:
http://www.majorgeeks.com/downloads31.html

Note: Update the first two programs, once installed, before running.

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

Good luck and keep us posted!


Well it's been a long and very boring day. Here's what I've done so far:

I'd already installed AD-Aware SE a couple of days ago as well as
Microsoft's own beta Antispyware programme and run several full scans and
they found a number of nasties but it was pretty clear they hadn't got rid of
everything. I then took some advice found elsewhere on this forum and deleted
everything in the Windows Prefetch folder which was something new to me cos I
ain't no technomeister when it comes to computers. Today I installed CW
Shredder which found nothing and then installed Spybot - I did have Spybot on
my system until a couple of weeks ago but deleted it cos it was an old
version that for some reason wouldn't let me update from the web. I
downloaded the latest version and updates and did a full scan. That
discovered 10 new nasties - all from that flamin' ist_toolbar. I then did a
full online Trend Micro scan (which I've used before - cracking tool) and it
finally discovered the 3 files which I presume have been the source of all my
woes:

ysbactivex.dll - which the scan said was the source ist_toolbar file and was
in my Downloaded Program Files folder and the 2 files I mentioned in my
original posting - dpsnfo.exe & drmhz.exe, which were in my System32 folder
and appear to be the ist_toolbar uploader files. Trend asked me if I wanted
to delete these files - I said yes but it could only delete the
ysbactivex.dll file as the other 2 were in use. I presume this was because I
was on-line. I just need to check if it's now safe to delete these 2
remaining files manually as they're still on my system. ZoneAlarm's denying
them access to the net but I REALLY would rather they weren't there at all.
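The poster's situation above, unknown executables in System32 that a firewall keeps flagging and that cannot be deleted because they are "in use", is the kind of thing a defender triages before deciding what to trust. The following PowerShell script is an added example, not code from anyone in this thread; it assumes a modern Windows PowerShell (4 or later, for Get-FileHash and Get-AuthenticodeSignature), so it would not run on the XP system discussed here, and it uses the two file paths from the original post purely as the sample input.

```powershell
# Added example: triage executables flagged by a personal firewall.
# For each file: is it signed and by whom, what is its hash (for lookup on
# a reputation service), which running process holds it open (the reason
# deletion failed in the thread), and does an autostart Run key reference it.
$suspects = @(
    'C:\WINDOWS\System32\dpsnfo.exe',   # paths taken from the original post
    'C:\WINDOWS\System32\drmhz.exe'
)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($path in $suspects) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : not present"
        continue
    }
    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path   # Valid / NotSigned / ...
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    # Processes whose main image is this file: these keep it "in use".
    $procs = Get-Process | Where-Object { $_.Path -eq $path }

    # Autostart entries that mention the file name (persistence check).
    $name = [System.IO.Path]::GetFileName($path)
    $autoruns = foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -like "*$name*" } |
                ForEach-Object { "$key\$($_.Name)" }
        }
    }

    [pscustomobject]@{
        Path      = $path
        SizeBytes = $item.Length
        Created   = $item.CreationTime
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject   # $null when unsigned
        SHA256    = $hash
        HeldBy    = ($procs | ForEach-Object { "$($_.ProcessName) (PID $($_.Id))" }) -join ', '
        Autoruns  = ($autoruns -join ', ')
    }
}
```

An unsigned binary in System32 that a process holds open and that a Run key launches at logon is exactly the profile to remove from Safe Mode, as the later replies advise; a validly signed Microsoft binary with no autorun entry is a sign the firewall prompt is benign.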
 
Malke

gort said:
Well it's been a long and very boring day. Here's what I've done so
far:

I'd already installed AD-Aware SE a couple of days ago as well as
Microsoft's own beta Antispyware programme and run several full scans
and they found a number of nasties but it was pretty clear they hadn't
got rid of everything. I then took some advice found elsewhere on this
forum and deleted everything in the Windows Prefetch folder which was
something new to me cos I ain't no technomeister when it comes to
computers. Today I installed CW Shredder which found nothing and then
installed Spybot - I did have Spybot on my system until a couple of
weeks ago but deleted it cos it was an old version that for some
reason wouldn't let me update from the web. I downloaded the latest
version and updates and did a full scan. That discovered 10 new
nasties - all from that flamin' ist_toolbar. I then did a full online
Trend Micro scan (which I've used before - cracking tool) and it
finally discovered the 3 files which I presume have been the source of
all my woes:

ysbactivex.dll - which the scan said was the source ist_toolbar file
and was in my Downloaded Program Files folder and the 2 files I
mentioned in my original posting - dpsnfo.exe & drmhz.exe, which were
in my System32 folder and appear to be the ist_toolbar uploader files.
Trend asked me if I wanted to delete these files - I said yes but it
could only delete the ysbactivex.dll file as the other 2 were in use.
I presume this was because I was on-line. I just need to check if it's
now safe to delete these 2 remaining files manually as they're still
on my system. ZoneAlarm's denying them access to the net but I REALLY
would rather they weren't there at all.

You need to do all scanning and malware removal work in Safe Mode. Then
you will be able to delete the malware files.

Malke
 
Guest

Malke said:
You need to do all scanning and malware removal work in Safe Mode. Then
you will be able to delete the malware files.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.

Cheers for letting me know Malke. I've never gone into Safe Mode before.
'Scuse ignorance but how exactly do I do that from when I boot-up? I checked
on-line help for info and it says the following:

"In the Shut Down Windows dialog box, click Restart, and then click OK.
When you see the message Please select the operating system to start, press
F8."

The problem is when I click Restart it just goes straight into Windows and I
don't get the above-mentioned opportunity to select the operating system.
 
Malke

gort said:
Cheers for letting me know Malke. I've never gone into Safe Mode
before. 'Scuse ignorance but how exactly do I do that from when I
boot-up? I checked on-line help for info and it says the following:

"In the Shut Down Windows dialog box, click Restart, and then click
OK. When you see the message Please select the operating system to
start, press F8."

The problem is when I click Restart it just goes straight into Windows
and I don't get the above-mentioned opportunity to select the
operating system.

No problem - always better to ask; that's what we're here for. As the
computer is restarting, repeatedly tap the F8 key and this will get you
to the proper menu to choose Safe Mode (not Safe Mode With Networking).
After you've done your work in Safe Mode, simply reboot the computer as
usual to get back into Regular Mode.

Malke
 
Guest

Malke said:
No problem - always better to ask; that's what we're here for. As the
computer is restarting, repeatedly tap the F8 key and this will get you
to the proper menu to choose Safe Mode (not Safe Mode With Networking).
After you've done your work in Safe Mode, simply reboot the computer as
usual to get back into Regular Mode.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.

Thanks for replying Malke. I managed to delete the 2 offending files and
hopefully that's the problem finally solved and I'm at last spyware free.
That IST toolbar really is an insidious little piece of work. If it was from
a hacker it would be bad enough but it originates from what would appear to
be a legitimate company - Integrated Search Technologies. If that's the case
can't this company be prosecuted for what they're doing? Scumbags.
 