Tech Support Forum - View Single Post

bry623 · 05-23-2005, 02:17 PM

Hello and Welcome to TSF!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WareOut

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - {761C0DDE-94A4-65C7-20A0-50FA40E61730} - sysconf16.dll (file missing)
O2 - BHO: Name - {5161DDA0-7CEA-11D9-9548-A0B659C1414A} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O2 - BHO: (no name) - {7EE26CE1-7CEA-11D9-9548-A0B61C55FFBD} - C:\WINDOWS\SYSTEM\QWSXP.DLL (file missing)
O2 - BHO: Name - {8F5EA544-BD9D-11D9-9549-A0D259C1F7FF} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O2 - BHO: Name - {C7C66083-C79D-11D9-9549-50F459C10300} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O2 - BHO: Name - {70D2FAE4-C7C5-11D9-9549-70D559C17BFE} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O4 - HKLM\..\Run: [pizda] DTOURS.exe
O4 - HKLM\..\Run: [driver32] stuffmon.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [ftbar] zantu.exe
O4 - HKCU\..\Run: [WinInitDll] ***CTF.exe
O4 - HKCU\..\Run: [new32] sysconf16.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 69.50.161.82 Unless You know what it is
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - <http://deposito.hostance.net/dialer/605687.exe>
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31 Unless You know what it is
O18 - Filter: tœ†5òÏTÆR - {7EE26CE0-7CEA-11D9-9548-A0B673195A26} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O18 - Filter: tœ†5òRDÆR - {4F36D268-81EF-11D9-9548-10BEBDDD8B85} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O18 - Filter: tœ†5ò¯EÆR - {228901A2-81DD-11D9-9548-B0E02B41489E} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O18 - Filter: tœ†5ò^DÆR - {228901D2-81DD-11D9-9548-B0E0DFC002BA} - C:\WINDOWS\SYSTEM\QWSXP.DLL

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\WareOut
C:\WINDOWS\SYSTEM\MSDXI.DLL
C:\WINDOWS\SYSTEM\QWSXP.DLL
C:\WINDOWS\system32\wuclient.exe
DTOURS.exe <<<<<<<Do a search for and delete
stuffmon.exe <<<<<<<Do a search for and delete
zantu.exe <<<<<<<Do a search for and delete
***CTF.exe <<<<<<<Do a search for and delete
sysconf16.exe <<<<<<<Do a search for and delete
sysconf16.dll <<<<<<<Do a search for and delete

Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

05-23-2005, 02:17 PM	#2 (permalink)
bry623 Manager, The Conversation Pit/Analyst, Security Team Join Date: Apr 2002 Location: NW Territory circa 1787 Posts: 11,587 OS: winxp pro sp2	Hello and Welcome to TSF! Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: WareOut Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank R3 - URLSearchHook: (no name) - {761C0DDE-94A4-65C7-20A0-50FA40E61730} - sysconf16.dll (file missing) O2 - BHO: Name - {5161DDA0-7CEA-11D9-9548-A0B659C1414A} - C:\WINDOWS\SYSTEM\MSDXI.DLL O2 - BHO: (no name) - {7EE26CE1-7CEA-11D9-9548-A0B61C55FFBD} - C:\WINDOWS\SYSTEM\QWSXP.DLL (file missing) O2 - BHO: Name - {8F5EA544-BD9D-11D9-9549-A0D259C1F7FF} - C:\WINDOWS\SYSTEM\MSDXI.DLL O2 - BHO: Name - {C7C66083-C79D-11D9-9549-50F459C10300} - C:\WINDOWS\SYSTEM\MSDXI.DLL O2 - BHO: Name - {70D2FAE4-C7C5-11D9-9549-70D559C17BFE} - C:\WINDOWS\SYSTEM\MSDXI.DLL O4 - HKLM\..\Run: [pizda] DTOURS.exe O4 - HKLM\..\Run: [driver32] stuffmon.exe O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe" O4 - HKCU\..\Run: [ftbar] zantu.exe O4 - HKCU\..\Run: [WinInitDll] **CTF.exe O4 - HKCU\..\Run: [new32] sysconf16.exe O15 - Trusted Zone: .windupdates.com O15 - Trusted Zone: .crazywinnings.com O15 - Trusted Zone: .windupdates.com (HKLM) O15 - Trusted Zone: .skoobidoo.com (HKLM) O15 - Trusted Zone: .crazywinnings.com (HKLM) O15 - Trusted Zone: .iframedollars.biz (HKLM) O15 - Trusted IP range: 69.50.161.82 Unless You know what it is O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM) O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - <http://deposito.hostance.net/dialer/605687.exe> O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31 Unless You know what it is* O18 - Filter: tœ†5òÏTÆR - {7EE26CE0-7CEA-11D9-9548-A0B673195A26} - C:\WINDOWS\SYSTEM\QWSXP.DLL O18 - Filter: tœ†5òRDÆR - {4F36D268-81EF-11D9-9548-10BEBDDD8B85} - C:\WINDOWS\SYSTEM\QWSXP.DLL O18 - Filter: tœ†5ò¯EÆR - {228901A2-81DD-11D9-9548-B0E02B41489E} - C:\WINDOWS\SYSTEM\QWSXP.DLL O18 - Filter: tœ†5ò^DÆR - {228901D2-81DD-11D9-9548-B0E0DFC002BA} - C:\WINDOWS\SYSTEM\QWSXP.DLL Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\WareOut C:\WINDOWS\SYSTEM\MSDXI.DLL C:\WINDOWS\SYSTEM\QWSXP.DLL C:\WINDOWS\system32\wuclient.exe DTOURS.exe <<<<<<<Do a search for and delete stuffmon.exe <<<<<<<Do a search for and delete zantu.exe <<<<<<<Do a search for and delete *CTF.exe <<<<<<<Do a search for and delete sysconf16.exe <<<<<<<Do a search for and delete sysconf16.dll <<<<<<<Do a search for and delete** Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply. __________________ I won a nobel prize too!!