Completed 8 Steps

Status
Not open for further replies.

kuraudo

My Google searches seem to be redirecting me to other search engines. Any assistance is appreciated. Thanks.
 

Attachments

  • hijackthis.log (9.9 KB)
  • mbam-log-2009-07-13 (17-32-07).txt (842 bytes)
  • SUPERAntiSpyware Scan Log - 07-13-2009 - 18-29-34.log (465 bytes)
Hi,

Optimization
Many of the following lines I propose to fix are there to improve the performance of your PC.
The O4 lines are processes that start automatically when the PC starts.
Some of these processes don't need to start that way.
Others can be given a shortcut on the desktop, to be launched by double-click when the user needs them.

Open HijackThis
• Select [Do a system scan only],
• Close Internet Explorer and all other apps,
• Put a check mark in front of each of the following lines (those marked [infection] are infections),
• And press [Fix Checked].

[infection]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Keep it if you overclock your card in the BIOS; otherwise fix it.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

Fix it.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

As you want - you can create a shortcut on your desktop instead.
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

As you want - related to the SiS power scheme; responsible for power management.
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent

Fix it.
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[infection]
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk121DHCA
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

  • Restart the computer.
_______________________________________________________________________________________

Also for optimization
• Open Command Prompt (Start Menu --> All Programs --> Accessories)
• Copy/paste each of the following lines into the Command Prompt and press <Enter> after each one:
sc config "FLEXnet Licensing Service" start= demand
sc config JavaQuickStarterService start= demand
sc config NVSvc start= demand
sc config WMPNetworkSvc start= demand
_______________________________________________________________________________________
Ad-Remover: download (by C_XX)

Deactivate your antivirus.
• Install Ad-Remover; a shortcut will be created on your desktop.

• Run Ad-Remover --> select E. English,
• Disconnect from the Internet and quit all open apps,
• Select [S – Scanner] and press <Enter>,
>> Wait...,
Post the report (C:\Ad-Report-SCAN.log)

Reactivate your antivirus.
_______________________________________________________________________________________

Update Adobe Acrobat
• Use Update Checker to check regularly for that kind of update.


  • Post another HijackThis report.
 
I suggest you hold off on the Ad-Remover. Do not deactivate the AV (until you read the directions in Combofix).

Instead, please run a full system scan, save the log and attach it to next reply. I am not sure the program is fully functional as there are some of the usually seen entries missing.

And a note about the Services> the O23 entries. You can have HijackThis stop them now, but if they are set to Automatic Startup type, they will start as soon as you reboot. It is better to reset the Services to Manual.

I don't see anything in the current logs to account for the redirect, so I'd like you to run Combofix:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please attach the Combofix report to next reply.

Summary:
Avira: Run, save scan and attach log
Combofix: Run, attach log
HijackThis: rescan and attach new log.
 
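Editor's added example (not from any post in this thread), tying the `sc config` lines in the first reply to the point made above about O23 entries: fixing them in HijackThis only stops the service, and an AUTO_START service comes back at reboot, so the startup type itself has to change. The batch script below stops the four services from that list, sets them to Manual, and reads the START_TYPE back with `sc qc` before and after. It assumes Windows XP and an administrator account; the service names are the ones shown in parentheses in the O23 lines of the posted log.

```batch
@echo off
rem Added example, editor's own, not from the thread: stop the four O23
rem services from the first reply, set them to Manual, and verify the
rem start type with "sc qc". Assumes Windows XP and an administrator account.
rem Service names are the ones in parentheses in the posted O23 lines.
setlocal

for %%S in ("FLEXnet Licensing Service" JavaQuickStarterService NVSvc WMPNetworkSvc) do (
    echo === %%~S ===
    rem Before: START_TYPE 2 = AUTO_START, i.e. it returns at the next boot
    sc qc %%S | findstr /C:"START_TYPE"
    rem Stopping alone is what a HijackThis O23 fix does; not enough by itself
    sc stop %%S >nul 2>&1
    rem The space after "start=" is required by sc's argument parser
    sc config %%S start= demand >nul
    rem After: expect START_TYPE 3 = DEMAND_START, which services.msc shows as Manual
    sc qc %%S | findstr /C:"START_TYPE"
)
endlocal
```

Run it from an administrator Command Prompt or save it as a .cmd file. Written as `start=demand` without the space, `sc config` prints its usage text and changes nothing, which is the usual reason this step silently fails. START_TYPE 2 is AUTO_START, 3 is DEMAND_START (Manual) and 4 is DISABLED.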
Thanks for your replies. Fixed only the infected files with HijackThis, and didn't use Ad-Remover as suggested. Logs attached, and MBAM is updated.
 
Please disable and stop these Services:
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - Unknown owner - C:\Program Files\Mabinogi\npkcmsvc.exe (file missing)

(Command: GameMon.des
Description: Added by the Trojan.Downexec.C Trojan. Trojan.Downexec.C is a Trojan horse that may download files and steal information from the compromised computer.)

To do that: Start> Run> type in services.msc> double click on each service> change the Startup type for each to Disabled> Stop the Service> Close:
npkcmsvc
GameMon.des
nProtect GameGuard Service (npggsvc)


If you get an error message doing this in Normal Mode, boot into Safe Mode to do it.

I recommend that you change all of your passwords and monitor any online financial transactions.

P2P Warning.

I notice that you are using P2P (file sharing) programs:

uTorrent
BitComet
Pando.

The use of these programs will add to the malware and I encourage you to uninstall them. If you choose not to, please do not use them while cleaning.

You have globally open ports for these - that's like leaving your front door open for all the passers-by. I strongly suggest that you close these ports:
"14251:TCP"= 14251:TCP:BitComet 14251 TCP
"14251:UDP"= 14251:UDP:BitComet 14251 UDP
"58136:TCP"= 58136:TCP:pando Media Booster
"58136:UDP"= 58136:UDP:pando Media Booster


Question: are you aware of these Services? Did you install the software they represent?
O23 - Service: wampapache - Apache Software Foundation - C:\Program Files\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)


The last Service is more file sharing. I suggest you Disable and Stop this Service also.

Although there is much to deal with, so far I have not seen the entries that usually go with redirects.

Please do this online scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Can you describe more clearly what the problem is with the system? Are you being redirected to specific sites? Are you getting ads or pop-ups of a specific nature?
 
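Editor's added example (not from any post in this thread) for the two things asked for above: disabling and stopping the orphaned "(file missing)" services, and closing the four port openings. It assumes Windows XP SP2/SP3, an administrator account, and that the quoted `"port:proto"=` lines are Windows Firewall standard-profile GloballyOpenPorts values, which is the format ComboFix reports them in; the registry path used below is that key and is an assumption about where the lines came from. The service names come from the O23 lines (npggsvc and npkcmsvc); GameMon.des.exe is the missing binary of npggsvc rather than a service of its own, which is why services.msc shows no entry by that name.

```batch
@echo off
rem Added example, editor's own, not from the thread: disable and stop the two
rem "file missing" O23 services and remove the four firewall port openings
rem quoted in the post, then verify. Assumes Windows XP SP2/SP3, an
rem administrator account, and that the quoted "port:proto"= lines are the
rem standard-profile GloballyOpenPorts values as ComboFix reports them.
setlocal

rem --- 1. Orphaned services, by the service names in the O23 lines.
rem GameMon.des.exe is the missing binary of npggsvc, not a service itself.
for %%S in (npggsvc npkcmsvc) do (
    echo === %%S ===
    sc config %%S start= disabled >nul
    sc stop %%S >nul 2>&1
    rem Expect START_TYPE 4 = DISABLED and STATE STOPPED, or error 1060 if already gone
    sc qc %%S | findstr /C:"START_TYPE"
    sc query %%S | findstr /C:"STATE"
)
rem Optional and beyond what the thread asks: once the binary is confirmed
rem gone, "sc delete npggsvc" removes the stale registry entry altogether.

rem --- 2. Firewall port openings from the quoted list: 14251 and 58136, TCP and UDP.
for %%P in (14251 58136) do (
    for %%T in (TCP UDP) do (
        rem Removes the opening from the built-in Windows Firewall, if it is active
        netsh firewall delete portopening protocol=%%T port=%%P >nul
        rem Fallback: delete the raw registry value ComboFix listed
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List" /v "%%P:%%T" /f >nul 2>&1
    )
)
rem Verify: neither port should appear any more
netsh firewall show portopening
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"
endlocal
```

`netsh firewall` only manages the built-in Windows Firewall; when a third-party firewall such as ZoneAlarm is the active one, the `reg delete` line still clears the stale GloballyOpenPorts values, but any matching rule in the third-party program has to be removed in its own interface. Uninstalling BitComet and Pando does not remove these entries, which is consistent with them still being present after the uninstall.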
Hi, Bobbye.

I looked in services.msc and couldn't find GameMon.des. I stopped + disabled the other two, though.

Hmm, I had uninstalled BitComet quite a long time ago, I'm not too sure why it's still there. Pando is uninstalled and so is uTorrent.

"14251:TCP"= 14251:TCP:BitComet 14251 TCP
"14251:UDP"= 14251:UDP:BitComet 14251 UDP
"58136:TCP"= 58136:TCP:pando Media Booster
"58136:UDP"= 58136:UDP:pando Media Booster

I don't know how to close these ports, could you tell me? Thanks.

I did in fact install both wampapache and wampmysqld, but I just uninstalled them since I don't use them anymore. I don't know about Windows Media Player Network Sharing Service, I mean I do have Windows Media Player. Disabled this service as you suggested.

Actually, after ComboFix, I haven't noticed any Google redirects.

I'll get back to you with the scan tomorrow.

I am very grateful for the help you are giving me. Thanks so much.

Edit: Today, I'm noticing that I'm being asked to download this screensaver or something, while I'm online. This is the only problem so far. I'm not sure if it's an ad or anything, though.
 
Today, I'm noticing that I'm being asked to download this screensaver or something, while I'm online. This is the only problem so far. I'm not sure if it's an ad or anything, though.

Don't!

Reopen or rescan with the Eset online scanner. Check to remove what it finds> the MyWebSearch Toolbar.
 
Hi.

Well, I couldn't get past step 3 because ZoneAlarm Free doesn't have an expert tab in the firewall category. Although I did block them in the program controls category. Help?

Many thanks. =)
 
Great! Are there any other problems or are we done? Again, thanks so much for all the help you've given me.
 
Follow my Post #24 here: https://www.techspot.com/vb/topic125501-2.html
beginning with the words "However I would suggest............" and follow with "Clean the..."

Those should finish you up.

Ignore the rest of the posts and the thread content. Sorry, don't mean to sound mysterious, but some training I'm taking now does not permit me to do any malware cleaning anywhere, until I'm through.
 