Help with HJT log Please

[tigsboy]

Hi all,
I have performed all the standard tasks before posting this, CWShreddar, Adaware, Spybot, SpywareBlaster, SWG and Virus Scan. I can see some suspect entries and would like to clean up completely and then see if there are any other problems. Any help would be much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 8:34:51 AM, on 20/05/05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SNMP.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\OPTIONS\CABS\CDOCK.EXE
C:\PROGRAM FILES\COMPAQ\EASYACCESSBUTTONS\CPQEK.EXE
C:\PROGRAM FILES\COMPAQ\POWERCON ENHANCEMENTS\CPQACDC.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\WINDOWS\SYSTEM\WPSPSW.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\COMPAQ\SECURITY\SECURE32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM32\XPSP2FW.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my-link.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - {761C0DDE-94A4-65C7-20A0-50FA40E61730} - sysconf16.dll (file missing)
F1 - win.ini: load=WPSHRC.EXE
O2 - BHO: Name - {5161DDA0-7CEA-11D9-9548-A0B659C1414A} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O2 - BHO: (no name) - {7EE26CE1-7CEA-11D9-9548-A0B61C55FFBD} - C:\WINDOWS\SYSTEM\QWSXP.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Name - {8F5EA544-BD9D-11D9-9549-A0D259C1F7FF} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: Name - {C7C66083-C79D-11D9-9549-50F459C10300} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O2 - BHO: Name - {70D2FAE4-C7C5-11D9-9549-70D559C17BFE} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Check Dock] c:\Windows\Options\Cabs\cdock.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\EasyAccessButtons\cpqek.exe
O4 - HKLM\..\Run: [Hibernation] C:\Program Files\COMPAQ\PWRCON\HIB32.EXE
O4 - HKLM\..\Run: [CPQCalib] C:\Program Files\COMPAQ\PWRCON\CPQCALIB.EXE
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Compaq Computer Security] C:\PROGRA~1\COMPAQ\SECURITY\Secure32.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [pizda] DTOURS.exe
O4 - HKLM\..\Run: [driver32] stuffmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SNMP agent] SNMP.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [ftbar] zantu.exe
O4 - HKCU\..\Run: [WinInitDll] ***CTF.exe
O4 - HKCU\..\Run: [new32] sysconf16.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 69.50.161.82
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605687.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: tœ†5�òÏTÆR - {7EE26CE0-7CEA-11D9-9548-A0B673195A26} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O18 - Filter: tœ†5�òRDÆR - {4F36D268-81EF-11D9-9548-10BEBDDD8B85} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O18 - Filter: tœ†5�ò¯EÆR - {228901A2-81DD-11D9-9548-B0E02B41489E} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O18 - Filter: tœ†5�ò^DÆR - {228901D2-81DD-11D9-9548-B0E0DFC002BA} - C:\WINDOWS\SYSTEM\QWSXP.DLL

[bry623]

Hello and Welcome to TSF!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WareOut

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - {761C0DDE-94A4-65C7-20A0-50FA40E61730} - sysconf16.dll (file missing)
O2 - BHO: Name - {5161DDA0-7CEA-11D9-9548-A0B659C1414A} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O2 - BHO: (no name) - {7EE26CE1-7CEA-11D9-9548-A0B61C55FFBD} - C:\WINDOWS\SYSTEM\QWSXP.DLL (file missing)
O2 - BHO: Name - {8F5EA544-BD9D-11D9-9549-A0D259C1F7FF} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O2 - BHO: Name - {C7C66083-C79D-11D9-9549-50F459C10300} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O2 - BHO: Name - {70D2FAE4-C7C5-11D9-9549-70D559C17BFE} - C:\WINDOWS\SYSTEM\MSDXI.DLL
O4 - HKLM\..\Run: [pizda] DTOURS.exe
O4 - HKLM\..\Run: [driver32] stuffmon.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [ftbar] zantu.exe
O4 - HKCU\..\Run: [WinInitDll] ***CTF.exe
O4 - HKCU\..\Run: [new32] sysconf16.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 69.50.161.82 Unless You know what it is
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - <http://deposito.hostance.net/dialer/605687.exe>
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31 Unless You know what it is
O18 - Filter: tœ†5�òÏTÆR - {7EE26CE0-7CEA-11D9-9548-A0B673195A26} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O18 - Filter: tœ†5�òRDÆR - {4F36D268-81EF-11D9-9548-10BEBDDD8B85} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O18 - Filter: tœ†5�ò¯EÆR - {228901A2-81DD-11D9-9548-B0E02B41489E} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O18 - Filter: tœ†5�ò^DÆR - {228901D2-81DD-11D9-9548-B0E0DFC002BA} - C:\WINDOWS\SYSTEM\QWSXP.DLL



Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\WareOut
C:\WINDOWS\SYSTEM\MSDXI.DLL
C:\WINDOWS\SYSTEM\QWSXP.DLL
C:\WINDOWS\system32\wuclient.exe
DTOURS.exe <<<<<<<Do a search for and delete
stuffmon.exe <<<<<<<Do a search for and delete
zantu.exe <<<<<<<Do a search for and delete
***CTF.exe <<<<<<<Do a search for and delete
sysconf16.exe <<<<<<<Do a search for and delete
sysconf16.dll <<<<<<<Do a search for and delete

Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

[tigsboy]

Here is the updated log that has been analyzed.

Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:21:05 PM, on 25/05/05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SNMP.EXE
C:\WINDOWS\OPTIONS\CABS\CDOCK.EXE
C:\PROGRAM FILES\COMPAQ\EASYACCESSBUTTONS\CPQEK.EXE
C:\PROGRAM FILES\COMPAQ\POWERCON ENHANCEMENTS\CPQACDC.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\PROGRAM FILES\COMPAQ\SECURITY\SECURE32.EXE
C:\WINDOWS\SYSTEM32\XPSP2FW.EXE
C:\WINDOWS\SYSTEM\WPSPSW.EXE
C:\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my-link.ws/
F1 - win.ini: load=WPSHRC.EXE
O4 - HKLM\..\Run: [Check Dock] c:\Windows\Options\Cabs\cdock.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\EasyAccessButtons\cpqek.exe
O4 - HKLM\..\Run: [Hibernation] C:\Program Files\COMPAQ\PWRCON\HIB32.EXE
O4 - HKLM\..\Run: [CPQCalib] C:\Program Files\COMPAQ\PWRCON\CPQCALIB.EXE
O4 - HKLM\..\Run: [CPQAcDc] C:\Program Files\Compaq\PowerCon Enhancements\CPQAcDc.Exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [Compaq Computer Security] C:\PROGRA~1\COMPAQ\SECURITY\Secure32.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\RunServices: [SNMP agent] SNMP.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe


End of KRC HijackThis Analyzer Log.
===================================================================

[bry623]

Your log is clean

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools/programs provided.

[tigsboy]

Thanks for the help again everyone!!