Help my HTPC has been hijacked(RESOLVED)
-
I downloaded ewido and ran it in safe mode. It cleaned a bunch of items, but after rebooting I still get random popups. Here is my log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 9:05:11 PM, on 5/21/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\System32\RACLE~1\mshta.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HTPC User\Desktop\hijackthis\HijackThis.exe
R3 - URLSearchHook: (no name) - _{056C3B8D-8941-A1E5-46D2-F5CAEE27B2CA} - (no file)
R3 - URLSearchHook: (no name) - {91536B92-8151-AFA9-5473-FA3A815125C3} - C:\WINDOWS\System32\gpskztup.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\jtujv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tpcngoe.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [w0041190.dll] RUNDLL32.EXE w0041190.dll,I2 000fb9c700041190
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ir41_qc] C:\WINDOWS\system32\ir41_qc.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
O4 - HKCU\..\Run: [Uka] C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
O4 - HKCU\..\Run: [Qcuz] C:\Documents and Settings\HTPC User\My Documents\?ppPatch\t?skmgr.exe
O4 - HKCU\..\Run: [West] "C:\WINDOWS\System32\RACLE~1\mshta.exe" -vt ndrv
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133585855702
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D04507-7562-4B23-82B7-500CC38EC535}: NameServer = 192.168.1.1
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\p84u0ih9e84.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SFRQQw\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dbyfbsl.exe (file missing)
Please help, this is on my HTPC and it sucks trying to watch TV with popups. Any ideas for the future to prevent this?
TIA
-
Welcome to DAL,
This should get rid of the popups:
Go to Start > Run and type in Services.msc then click OK
Click the Extended tab.
Scroll down until you find Command Service.
Click once on the service to highlight it.
Click Stop
Right-Click on the service.
Click on 'Properties'
Select the 'General' tab
Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
From the drop-down menu, click on 'Disabled'
Click the 'Apply' tab, then click 'OK'
Next:
Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Command Service and press OK. OK any prompts, close HijackThis, and restart your computer.
Then:
Please download Look2Me-Remover.exe by Atribune to your desktop.
- Close all windows before continuing.
- Double-click Look2Me-Remover.exe to run it.
- Put a check next to Run this program as a task.
- You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
- When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
- Once it's done scanning, click the Remove L2M button.
- You will receive a Done Scanning message, click OK.
- When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
- Your computer will then shutdown.
- Turn your computer back on.
- Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new...b/MSWINSCK.OCX
Last edited by Neal; 23-05-2006 at 02:23 AM.
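The triage the helper is doing by eye on the log above, plus the stop, disable and delete sequence for the service, written out as an added example. This is not code from the thread or from HijackThis; it assumes the HijackThis v1.99.1 line format shown in the log and runs over a constructed excerpt of that log. The heuristics (orphaned targets, '?' look-alike names, chained Shell/UserInit values, unknown-owner services, 8.3 short names under System32, rundll32 loading a bare DLL name, digit-heavy file names) are the example author's assumptions, not rules stated in the thread; the `reg` and `sc` commands it emits are the built-in Windows tools and are printed for review, not executed.

```python
"""Triage heuristics for a HijackThis-style autostart log, plus the commands that do
what the helper's click-through steps do (stop/disable/delete a service, remove a Run value)."""
import re

# Constructed excerpt of the log posted above (a handful of lines, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [w0041190.dll] RUNDLL32.EXE w0041190.dll,I2 000fb9c700041190
O4 - HKCU\..\Run: [Uka] C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
O4 - HKCU\..\Run: [West] "C:\WINDOWS\System32\RACLE~1\mshta.exe" -vt ndrv
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\jtujv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tpcngoe.exe
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\p84u0ih9e84.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SFRQQw\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
FILE_NAME = re.compile(r'([^\\\s",\[\]]+)\.(?:exe|dll|ocx)\b', re.IGNORECASE)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _rundll32_bare_dll(body):
    """True when rundll32 loads its DLL by bare name, i.e. through the DLL search path."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^\s,"]+)', body, re.IGNORECASE)
    return bool(m) and "\\" not in m.group(1) and ":" not in m.group(1)


def triage_line(line):
    """Reasons one log line looks suspicious; an empty list means nothing was flagged."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    reasons = []
    # Autostart whose target is gone: leftover of a half-removed infection, still worth deleting.
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned autostart")
    # HijackThis prints '?' for characters it cannot render; ?ssembly\n?tepad.exe is a
    # look-alike of Assembly\notepad.exe, chosen to survive a casual glance (assumption).
    if re.search(r"\?[A-Za-z]", body):
        reasons.append("non-ASCII look-alike in path")
    # Shell= and UserInit= should each name exactly one executable.
    if section == "F2":
        kv = re.search(r"(\w+)=(.*)$", body)
        if kv and len([p for p in kv.group(2).split(",") if p.strip()]) > 1:
            reasons.append("extra %s executable" % kv.group(1).lower())
    if section == "O23" and "unknown owner" in low:
        reasons.append("service with unknown owner")
    # An 8.3 short name directly under System32 (RACLE~1) hides a long, odd directory name.
    if re.search(r"system32\\[^\\\s]*~\d", low):
        reasons.append("8.3 short-name directory under System32")
    if _rundll32_bare_dll(body):
        reasons.append("rundll32 with unqualified DLL")
    # Generated names such as w0041190.dll or p84u0ih9e84.dll carry three or more digits.
    if any(sum(c.isdigit() for c in name) >= 3 for name in FILE_NAME.findall(body)):
        reasons.append("random-looking file name")
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons; benign lines are left out."""
    found = {}
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            found[raw.strip()] = reasons
    return found


def fix_commands(line):
    """Commands equivalent to the helper's Services.msc / HijackThis steps for O4 and O23 entries."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        r = re.match(r"(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]", body)
        if r:
            return ['reg delete "%s\\%s" /v "%s" /f' % (r.group(1), RUN_KEY, r.group(2))]
    if section == "O23":
        s = re.match(r"Service: (.+?) \((\w+)\) - ", body)
        if s:  # key name known: stop, disable, then delete, the same order as the thread
            key = s.group(2)
            return ["sc stop " + key, "sc config " + key + " start= disabled", "sc delete " + key]
        s = re.match(r"Service: (.+?) - ", body)
        if s:  # only the display name is shown; resolve the key name before touching it
            return ['sc getkeyname "%s"' % s.group(1)]
    return []


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "->", ", ".join(why))
        for cmd in fix_commands(entry):
            print("    ", cmd)
```

Run it as-is and it prints the seven flagged lines from the excerpt and the commands for each, while the NVIDIA, WgaLogon and other vendor entries stay quiet. The digit-count rule is deliberately loose: it catches the generated DLL names in this log but would miss names like jtujv.exe or dbyfbsl.exe, which only the "file missing" and unknown-owner checks pick up, so treat the output as a worklist to review, not a verdict.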
-
Hi, thanks a lot. I think the popups have stopped, but the computer is still slow booting up at the login screen. I then get an "error loading w0041190.dll: specified module could not be found" after I log in. I press OK and continue logging in.
Here is the Look2Me text file:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 5/23/2006 7:29:06 PM
Infected! C:\WINDOWS\system32\g2jo0c13ef.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000023.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000027.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000050.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000054.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000074.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000087.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000090.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000123.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000127.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000133.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000137.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000139.dll
Infected! C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000143.dll
Infected! C:\WINDOWS\system32\fp8403lqe.dll
Infected! C:\WINDOWS\system32\g2jo0c13ef.dll
Infected! C:\WINDOWS\system32\mzhtmled.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\g2jo0c13ef.dll
C:\WINDOWS\system32\g2jo0c13ef.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000023.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000023.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000027.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000027.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000050.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000050.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000054.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000054.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000074.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000074.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000087.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000087.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000090.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000090.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000123.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000123.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000127.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000127.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000133.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000133.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000137.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000137.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000139.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000139.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000143.dll
C:\System Volume Information\_restore{99AE2350-C63B-48CE-B4F1-4364A54AD487}\RP1\A0000143.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\fp8403lqe.dll
C:\WINDOWS\system32\fp8403lqe.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\g2jo0c13ef.dll
C:\WINDOWS\system32\g2jo0c13ef.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mzhtmled.dll
C:\WINDOWS\system32\mzhtmled.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{32714800-2E5F-11d0-8B85-00AA0044F941}"
HKCR\Clsid\{32714800-2E5F-11d0-8B85-00AA0044F941}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{47D06903-A8A2-4D04-8D60-799939C6E0CC}"
HKCR\Clsid\{47D06903-A8A2-4D04-8D60-799939C6E0CC}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Here is the hijackthis log file:
Logfile of HijackThis v1.99.1
Scan saved at 8:08:00 PM, on 5/23/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HTPC User\Desktop\hijackthis\HijackThis.exe
R3 - URLSearchHook: (no name) - _{056C3B8D-8941-A1E5-46D2-F5CAEE27B2CA} - (no file)
R3 - URLSearchHook: (no name) - {91536B92-8151-AFA9-5473-FA3A815125C3} - C:\WINDOWS\System32\gpskztup.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\jtujv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tpcngoe.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [w0041190.dll] RUNDLL32.EXE w0041190.dll,I2 000fb9c700041190
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ir41_qc] C:\WINDOWS\system32\ir41_qc.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
O4 - HKCU\..\Run: [Uka] C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
O4 - HKCU\..\Run: [Qcuz] C:\Documents and Settings\HTPC User\My Documents\?ppPatch\t?skmgr.exe
O4 - HKCU\..\Run: [West] "C:\WINDOWS\System32\RACLE~1\mshta.exe" -vt ndrv
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133585855702
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D04507-7562-4B23-82B7-500CC38EC535}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dbyfbsl.exe (file missing)
-
OK,
Now, you do not have any Microsoft updates. Go get Service Pack 1 only; do not install Service Pack 2 on an infected computer.
Also go to the link below and get an anti-virus program, AVG or Avast, and also get Spybot and Ad-Aware.
http://www.d-a-l.com/help/showthread.php?t=32403
Come back with Service Pack 1 and the above programs installed and post a new HijackThis log.
Thanks.
You are highly infected, and going any further without the above programs and Service Pack 1 will not work, as you will continually get infected all the time.
-
Great, highly infected.
I still get the .dll error, and ewido asks me to clean a file at every boot.
HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 7:03:08 PM, on 5/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
C:\Program Files\WinTV\Ir.exe
C:\Documents and Settings\HTPC User\Desktop\hijackthis\HijackThis.exe
R3 - URLSearchHook: (no name) - _{056C3B8D-8941-A1E5-46D2-F5CAEE27B2CA} - (no file)
R3 - URLSearchHook: (no name) - {91536B92-8151-AFA9-5473-FA3A815125C3} - C:\WINDOWS\System32\gpskztup.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tpcngoe.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [w0041190.dll] RUNDLL32.EXE w0041190.dll,I2 000fb9c700041190
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ir41_qc] C:\WINDOWS\system32\ir41_qc.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
O4 - HKCU\..\Run: [Uka] C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
O4 - HKCU\..\Run: [Qcuz] C:\Documents and Settings\HTPC User\My Documents\?ppPatch\t?skmgr.exe
O4 - HKCU\..\Run: [West] "C:\WINDOWS\System32\RACLE~1\mshta.exe" -vt ndrv
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133585855702
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D04507-7562-4B23-82B7-500CC38EC535}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-
Excellent on getting those programs; I hope you ran scans with each one, very important.
Next Step:
Please download Brute Force Uninstaller to your desktop. (Right-click on this link and choose "Save as"; if using IE, "Save target as".)
- Right-click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to, click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:)" or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
- Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
- Place qoofix.bat in your C:\BFU - folder. (Important!)
- Double-click qooFix.bat, then close all browsers and Explorer folders.
- Choose option 1 (Qoolfix autofix) and follow the prompts.
- Please be patient, it will take about five minutes.
- After the PC has restarted please post another hijackthis log.
-
hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:48:29 PM, on 5/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HTPC User\Desktop\hijackthis\HijackThis.exe
R3 - URLSearchHook: (no name) - _{056C3B8D-8941-A1E5-46D2-F5CAEE27B2CA} - (no file)
R3 - URLSearchHook: (no name) - {91536B92-8151-AFA9-5473-FA3A815125C3} - C:\WINDOWS\System32\gpskztup.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [w0041190.dll] RUNDLL32.EXE w0041190.dll,I2 000fb9c700041190
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ir41_qc] C:\WINDOWS\system32\ir41_qc.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
O4 - HKCU\..\Run: [Uka] C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
O4 - HKCU\..\Run: [Qcuz] C:\Documents and Settings\HTPC User\My Documents\?ppPatch\t?skmgr.exe
O4 - HKCU\..\Run: [West] "C:\WINDOWS\System32\RACLE~1\mshta.exe" -vt ndrv
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133585855702
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D04507-7562-4B23-82B7-500CC38EC535}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-
Sweet, good job. The Qoologic trojan is now gone.
Next step:
Go to Start > Control Panel > Add/Remove Programs and look for PuritySCAN By OIN, OIN or Clickspring; click on it and click Remove.
If not listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
Tutorial for the uninstaller if needed
Reboot when done and delete this folder if found:
C:\Program Files\PurityScan
To clean your temp folder, recycle bin, etc..please download this free tool:
CCleaner
Don't install any toolbars or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.
Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.
Then Reboot (Exit)
Run hijackthis and click on scan button and put checks next to these:
R3 - URLSearchHook: (no name) - _{056C3B8D-8941-A1E5-46D2-F5CAEE27B2CA} - (no file)
R3 - URLSearchHook: (no name) - {91536B92-8151-AFA9-5473-FA3A815125C3} - C:\WINDOWS\System32\gpskztup.dll (file missing)
O4 - HKLM\..\Run: [w0041190.dll] RUNDLL32.EXE w0041190.dll,I2 000fb9c700041190
O4 - HKCU\..\Run: [ir41_qc] C:\WINDOWS\system32\ir41_qc.exe
O4 - HKCU\..\Run: [Uka] C:\Documents and Settings\HTPC User\My Documents\?ssembly\n?tepad.exe
O4 - HKCU\..\Run: [Qcuz] C:\Documents and Settings\HTPC User\My Documents\?ppPatch\t?skmgr.exe
O4 - HKCU\..\Run: [West] "C:\WINDOWS\System32\RACLE~1\mshta.exe" -vt ndrv
Make sure nothing is open but hijackthis and click on " fix checked"
Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
DELETE FILES:
w0041190.dll
C:\WINDOWS\system32\ir41_qc.exe
DELETE FOLDERS
C:\Documents and Settings\HTPC User\My Documents\?ssembly---something in front of ssembly
C:\Documents and Settings\HTPC User\My Documents\?ppPatch---something in front of ppPatch
Reboot normal mode and tell me how your computer is running now and a new hijackthis log please. Thanks.
-
The .dll error is gone now and things look better. It's still slow on starting up, which may be all the adware scanners I have now and ewido?
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:24:16 PM, on 5/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinTV\Ir.exe
C:\Documents and Settings\HTPC User\Desktop\hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133585855702
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D04507-7562-4B23-82B7-500CC38EC535}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-

Hi,
Your log is clean.
You can uninstall ewido if you want; it might make a difference. I would keep Ad-Aware SE for sure, and Spybot is valuable.
Let's do an online scan at kaspersky just in case something else is hiding in the bushes:
http://www.kaspersky.com/virusscanner
Please do an online scan with Kaspersky WebScanner:
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded, click on NEXT.
- Now click on Scan Settings.
- In the scan settings make sure that the following are selected:
  - Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
  - Scan Options: Scan Archives, Scan Mail Bases
- Click OK.
- Now under "Select a target to scan", select My Computer.
- This program will start and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button and save the file to your desktop.
- Copy and paste that information in your next post.