Completed 8 Steps

By kuraudo · 14 replies
Jul 13, 2009
  1. My google searches seem to be redirecting me to other search engines. Any assistance is appreciated. Thanks.


  2. cosmido

    cosmido TS Rookie Posts: 20


    Many of the following lines proposed for fixing are there to improve the performance of your PC.
    The O4 lines are processes that start automatically when the PC starts.
    Some of these processes don't need to start that way.
    Others can have a shortcut on the desktop, to be run by double-clicking when the user needs them.

    Open HijackThis
    • Select [Do a system scan only],
    • Close Internet Explorer and all other apps,
    • Put a check mark in front of each of the following lines (lines marked [infection] are infections),
    • And press [Fix Checked].

    [infection] R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    Enable if you overclock your card in the BIOS. Otherwise fix it.
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    Fix it.
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

    As you want - you can create a shortcut on your desktop.
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

    As you want - Related to Power Scheme from SIS Corporation. Responsible for power management
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent

    Fix it.
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    [infection] O8 - Extra context menu item: &Search -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) -
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

    • Restart the computer.

    Optimization too
    • Open Command Prompt (Start Menu --> All Programs --> Accessories..)
    • Copy/paste the following lines into "Command Prompt" and press <Enter> (for each line):
    Ad-Remover: Download (by C_XX)

    Deactivate your antivirus.
    • Install Ad-Remover; a shortcut will be created on your desktop.
    • Run Ad-Remover --> select E. English,
    • Disconnect Internet and quit all open apps,
    • Select [S – Scanner] press <Enter>,
    >> Wait..,
    Post the report (C:\Ad-Report-SCAN.log)

    Reactivate your antivirus.

    Update Adobe Acrobat
    • Use Update Checker to check regularly for that kind of update.

    • Post another hijackthis report.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I suggest you hold off on the Ad-Remover. Do not deactivate the AV (until you read the directions in Combofix).

    Instead, please run a full system scan, save the log and attach it to next reply. I am not sure the program is fully functional as there are some of the usually seen entries missing.

    And a note about the Services, the O23 entries. You can have HijackThis stop them now, but if they are set to Automatic Startup type, they will start as soon as you reboot. It is better to reset the Services to Manual.

    I don't see anything in the current logs to account for the redirect, so I'd like you to run Combofix:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please attach the Combofix report to next reply.

    Avira: Run, save scan and attach log
    Combofix: Run, attach log
    HijackThis: rescan and attach new log.
  4. cosmido

    cosmido TS Rookie Posts: 20

    Malwarebytes was not updated: 1.36, should be at 1.39

    Continue with Bobbye..
  5. kuraudo

    kuraudo TS Rookie Topic Starter

    Thanks for your replies. Fixed only infected files with HijackThis, and didn't use Ad-Remover as suggested. Logs attached, and MBAM is updated.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Please disable and stop these Services:
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: npkcmsvc - Unknown owner - C:\Program Files\Mabinogi\npkcmsvc.exe (file missing)

    (Command: GameMon.des
    Description: Added by the Trojan.Downexec.C Trojan. Trojan.Downexec.C is a Trojan horse that may download files and steal information from the compromised computer.)

    To do that: Start> Run> type in services.msc> double click on each service> change the Startup type for each to Disabled> Stop the Service> Close:
    nProtect GameGuard Service (npggsvc)

    If you get an error message doing this in Normal Mode, boot into Safe Mode to do it.

    I recommend that you change all of your passwords and monitor any online financial transactions.

    P2P Warning.

    I notice that you are using P2P (file sharing) programs:


    The use of these programs will add to the malware and I encourage you to uninstall them. If you choose not to, please do not use them while cleaning.

    You have globally open ports for these - that's like leaving your front door open for all the passers-by. I strongly suggest that you close these ports:
    "14251:TCP"= 14251:TCP:BitComet 14251 TCP
    "14251:UDP"= 14251:UDP:BitComet 14251 UDP
    "58136:TCP"= 58136:TCP:pando Media Booster
    "58136:UDP"= 58136:UDP:pando Media Booster

    Question: are you aware of these Services? Did you install the software they represent?
    O23 - Service: wampapache - Apache Software Foundation - C:\Program Files\wamp\bin\apache\apache2.2.8\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe
    O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

    On the last Service, more file sharing. Suggest you Disable and Stop this Service also.

    Although there is much to deal with, so far I have not seen the entries that usually go with redirects.

    Please do this online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Can you describe more clearly what the problem is with the system? Are you being redirected to specific sites? Are you getting ads or pop-ups of a specific nature?
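The checks Bobbye applies by eye above (O23 services with an "Unknown owner" or a "(file missing)" binary, and firewall GloballyOpenPorts entries left behind by uninstalled P2P software) can be automated over a saved HijackThis/ComboFix log. The script below is an added example, not code from this thread or from HijackThis; the sample log is constructed from lines quoted in the thread and the regexes assume the standard HijackThis O23 layout "name - owner - path".

```python
import re

# Constructed sample: a few HijackThis O23 lines and ComboFix firewall entries quoted in this thread
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - Unknown owner - C:\Program Files\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: wampapache - Apache Software Foundation - C:\Program Files\wamp\bin\apache\apache2.2.8\bin\httpd.exe
"14251:TCP"= 14251:TCP:BitComet 14251 TCP
"58136:UDP"= 58136:UDP:pando Media Booster
"""

# HijackThis O23 line: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Windows Firewall GloballyOpenPorts\List value as ComboFix prints it: "<port>:<proto>"= <port>:<proto>:<desc>
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.+)$')


def review_services(log):
    """Return (name, path, reasons) for O23 services a reviewer would look at first."""
    findings = []
    for line in log.splitlines():
        m = O23_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["owner"] == "Unknown owner":
            reasons.append("no vendor recorded for the service binary")
        if m["missing"]:
            reasons.append("binary missing: orphaned service, disable and stop it")
        if reasons:
            findings.append((m["name"], m["path"], reasons))
    return findings


def open_ports(log):
    """Return (port, proto, description) for every globally open firewall port in the log."""
    return [
        (int(m["port"]), m["proto"], m["desc"].strip())
        for m in map(PORT_RE.match, log.splitlines()) if m
    ]


if __name__ == "__main__":
    for name, path, reasons in review_services(SAMPLE_LOG):
        print(f"{name}: {path} -> {'; '.join(reasons)}")
    for port, proto, desc in open_ports(SAMPLE_LOG):
        print(f"open port {port}/{proto} for {desc}")
```

Services flagged here are the ones to set to Disabled in services.msc as described in the post; open ports for software that is no longer installed can be removed from the firewall exception list.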
  7. kuraudo

    kuraudo TS Rookie Topic Starter

    Hi, Bobbye.

    I looked in services.msc and couldn't find GameMon.des. I stopped + disabled the other two, though.

    Hmm, I had uninstalled BitComet quite a long time ago, I'm not too sure why it's still there. Pando is uninstalled and so is uTorrent.

    I don't know how to close these ports, could you tell me? Thanks.

    I did in fact install both wampapache and wampmysqld, but I just uninstalled them since I don't use them anymore. I don't know about Windows Media Player Network Sharing Service, I mean I do have Windows Media Player. Disabled this service as you suggested.

    Actually, after ComboFix, I haven't noticed any Google redirects.

    I'll get back to you with the scan tomorrow.

    I am very grateful for the help you are giving me. Thanks so much.

    Edit: Today, I'm noticing that I'm being asked to download this screensaver or something, while I'm online. This is the only problem so far. I'm not sure if it's an ad or anything, though.
  8. kuraudo

    kuraudo TS Rookie Topic Starter

    Okay, here are the scan results. Thanks.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36


    Reopen or rescan with the Eset online scanner. Check to remove what it finds> the MyWebSearch Toolbar.
  10. kuraudo

    kuraudo TS Rookie Topic Starter

    Alright, removed the toolbar.

    Oh and uhh,
    Thanks for your help.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

  12. kuraudo

    kuraudo TS Rookie Topic Starter


    Well, I couldn't get past step 3 'cause ZoneAlarm Free doesn't have an expert tab in the firewall category. Although I did block them in the program controls category. Help?

    Many thanks. =)
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    That should do it!
  14. kuraudo

    kuraudo TS Rookie Topic Starter

    Great! Are there any other problems or are we done? Again, thanks so much for all the help you've given me.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Follow my Post #24 here:
    beginning with the words "However I would suggest............" and follow with "Clean the..."

    Those should finish you up..

    Ignore the rest of the posts and the thread content. Sorry, don't mean to sound mysterious, but some training I'm taking now does not permit me to do any malware cleaning anywhere, until I'm through.