Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions


MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.


Unread postby Vanella » October 7th, 2010, 2:52 am

Hello, recently I discovered my google search results leading from wherever I wanted to go to igoogle. I noticed the address right before it hit igoogle, it said ohtgnoenriga in it. All search results suggest STOPzilla and Malwarebytes but neither of those work. Well firstly the scan from STOPzilla didn't have anything related to ohtgnoenriga in it and I'm not going to buy a program that could fake suspicious entries just so you buy their stupid product.

Anyway, this has to be the most difficult thing to get rid of I've ever encountered and I've spent days cleaning out my parents computer.

Someone please help, the usual symptoms, google search, click a link, the link redirects to igoogle.

This is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:52 AM, on 10/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\vanella\Local Settings\Application Data\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\vanella\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\winamp\winamp.exe
C:\Documents and Settings\vanella\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\vanella\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: patch.gameguard.gpotato.eu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\vanella\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshoo ... aptest.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8282999484
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MS Netns(NET System Application) (MS Netns) - Unknown owner - C:\WINDOWS\system32\netns.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

End of file - 7205 bytes

Any help would be more then appreciated, thanks for reading
Active Member
Posts: 3
Joined: October 7th, 2010, 2:40 am
Register to Remove

Re: ohtgnoenriga

Unread postby deltalima » October 8th, 2010, 6:00 am

Checking your log - back soon.
User avatar
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ohtgnoenriga

Unread postby deltalima » October 8th, 2010, 6:18 am

Hi Vanella,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Please note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    BitTorrent DNA

  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Uninstall List
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.

Security Check
Please download Security Check ... by screen317. Save it to your desktop.
Alternate download site: Link 2
  1. Double click the SecurityCheck.exe icon to begin.
  2. Press the Space Bar when you see the "press any key to continue..." message.
    A Notepad results file will open automatically called checkup.txt
  3. Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
  4. Please copy/paste the entire contents of the checkup.txt file into your next reply.
User avatar
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ohtgnoenriga

Unread postby Vanella » October 8th, 2010, 8:14 pm

Thank you for the reply and your time, deltalima, I really appreciate it!
The P2P program I use only to legitimately download MMO clients from their official sites ><

Also for HijackThis, here is the log:
(There are tons of things I noticed here that I don't use anymore or are doubles..>_<)

7-Zip 4.42
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 2.0
Adobe Illustrator CS
Adobe Photoshop CS2
Adobe Photoshop Elements 4.0
Adobe Reader 7.0
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Akamai NetSession Interface
Andrea VoiceCenter
ArcSoft Panorama Maker 4
AstroPop Deluxe 1.1
Bejeweled 2 Deluxe 1.1
Bejeweled Twist 1.0.3
Chuzzle Deluxe 1.01
ClassicPro© v1.12
Color Schemer Studio
Conexant D850 56K V.9x DFVc Modem
Corel Painter Essentials 3
Corel Painter IX
Corel Photo Album 6
DDS Thumbnail Viewer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Photo AIO Printer 924
Digital Line Detect
Diskeeper Professional Edition
DivX Content Uploader
DivX Web Player
Documentation & Support Launcher
Download Accelerator Plus (DAP)
FairUse Wizard 2
File Uploader
Google Talk Plugin
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Intel Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™
J2SE Runtime Environment 5.0 Update 6
Jasc Animation Shop 3
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_18
Java(TM) 6 Update 21
Java(TM) 6 Update 7
K-Lite Mega Codec Pack 1.59
Macromedia Flash 8
Macromedia FreeHand MXa
Magic ISO Maker v5.3 (build 0221)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft LifeCam
Microsoft Office Small Business Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.0.19)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero Lite
nik Color Efex Pro 2.0 IE
Nikon Message Center
Nikon Transfer
NVIDIA Drivers
NVIDIA Photoshop Plug-ins
openCanvas4.06E Plus
PodUtil 3.0.3 iPod Distribution
PremiumSoft Navicat MySQL 7.2
RAD Video Tools
RealPlayer Basic
River Past Video Cleaner Pro
Segoe UI
Sonic Activation Module
Sonic Advanced Decoder
Sonic Encoders
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Demo
Sound Blaster Audigy ADVANCED MB Product Registration
Spybot - Search & Destroy
Tamagotchi 1.0
ThumbsPlus version 7.0
TitansLUNA 3.0
Update Manager
Update Rollup 2 for Windows XP Media Center Edition 2005
USB Network Driver
Ventrilo Client
Viewpoint Media Player
VLC media player 1.1.4
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB908246

SecurityCheck log:

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 6 Out of date!
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
HijackThis 2.0.2
River Past Video Cleaner Pro
Java(TM) 6 Update 21
Java(TM) 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_18
Out of date Java installed!
Adobe Flash Player
Adobe Reader 7.0
Out of date Adobe Reader installed!
Process Check:
objlist.exe by Laurent

HiJackThis Trend Micro HiJackThis HiJackThis.exe
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Thank you again!
Last edited by Vanella on October 9th, 2010, 4:52 pm, edited 1 time in total.
Active Member
Posts: 3
Joined: October 7th, 2010, 2:40 am

Re: ohtgnoenriga

Unread postby deltalima » October 9th, 2010, 9:33 am

Hi Vanella,

Please do not include a quote of the full post in future replies as it makes the posts longer than necessary.

You are using P2P with unsupported versions of Internet Explorer and Windows XP and No Antivirus program.

It is vital that you install antivirus software immediately, Internet Explorer and Windows will be updated once the infections have been removed.

No anti-virus

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors.

Note: You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Please run a full scan and post the log in your next reply.

The P2P program I use only to legitimately download MMO clients

It is a condition of receiving help on this forum that all P2P programs are removed, if you do not wish to continue please let me know and this thread will be closed.


  • Please download CKScanner from here to your Desktop.
  • Make sure that CKScanner.exe is on the your Desktop before running the application!
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved
  • Double-click on the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.


  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.
User avatar
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ohtgnoenriga

Unread postby Vanella » October 10th, 2010, 6:39 pm

Hello! I downloaded the Avast! Anti-virus program, ran it and it found 1 single highly dangerous .dll file. I don't remember the name to be exact but I deleted it, restarted and my redirecting issue seems to be gone. I have the FireFox add-on that lets you preview websites before you click them (A little preview image) and when I had ohtgnoenriga my google search image results were all distorted but now they are clear as well as no more redirecting. I think Avast fixed everything. I suppose you can close this now! Hopefully it doesn't come back, but if it does and you don't mind I'll make a new post and have all the further information ready you previously requested.

Just to let anyone know who has this same virus, try Avast!, it may be the answer. STOPzilla, Malwarebytes and those other suggested programs won't find it. Just thought I'd mention that since I found this forum when looking for a solution to this and hope it may help someone who stumbles onto this topic.

Also a very big thank you to you deltalima for taking the time to help me with this issue, without you I might of ended up reformatting (which my computer could probably use anyway). I really appreciate your help. This is a really great place with nice people!

Thank you again ^^
Active Member
Posts: 3
Joined: October 7th, 2010, 2:40 am

Re: ohtgnoenriga

Unread postby deltalima » October 11th, 2010, 3:25 am

Hi Vanella,

my redirecting issue seems to be gone

Good to hear that the issue seems to be fixed!

Although the initial symptoms may have gone it is likely that there are more infections hiding that need to be found and cleaned. Also the computer is in desperate need of updating various vulnerable programs.

Please confirm that the P2P application has been removed and continue with the scans requested in my previous post and post the logs in your next reply.
User avatar
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ohtgnoenriga

Unread postby Gary R » October 14th, 2010, 9:01 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Gary R
Posts: 21810
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Register to Remove

Return to Infected? Virus, malware, adware, ransomware, oh my!

Who is online

Users browsing this forum: No registered users and 42 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware