TechSpot

help check my hjt log?

By momok
Mar 4, 2007
  1. Recently some weird problem appeared on my comp..

    When I'm Googling around and click on the sites, I get redirected to some other sites like casinoceaser.com, sestat.com, rpicamps.com, aicse.com, etc., amongst others.

    I have got SDD and Adaware SE installed and ran checks. They turned up nothing. So I followed the steps in the forum for removing malware and ran the checks again. This time AVG Anti-Spyware revealed 2 threats, which I cleaned up and quarantined, after which I rebooted.

    I was happy and thought the problem was gone. Then it appeared again..
    I've attached my HJT log, please do take a look! Thank you very much!

    <edit> Sorry, I didn't realise that I had not attached the AVG Anti-Spyware log too. Here it is.

    Would somebody please help me.. I've scanned and rescanned and quarantined a few times. But the damned bug is back.. :(
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system has been hijacked.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Download and run the Blacklight programme. Follow all the instructions carefully. Then, follow the instructions below.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

    PartyGaming.Net
    PartyPokerNet

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    MemMon.exe
    RunPF.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [MemMon] C:\Documents and Settings\All Users\Application Data\TREK\MemMon.exe

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\zhiwei.low.2005\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe

    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D7A6DEF-61D0-42DF-96E1-6FD8E2FD7BBF}: NameServer = 85.255.116.167,85.255.112.168

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4DCB9B2B-4529-4497-81C8-43A8F3E8A616}: NameServer = 85.255.116.167,85.255.112.168

    O17 - HKLM\System\CCS\Services\Tcpip\..\{507D2D25-13D1-4525-8A57-60B6432AABFC}: NameServer = 85.255.116.167,85.255.112.168

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E8FD0166-80E6-4847-9765-77BF8F5412D0}: NameServer = 85.255.116.167,85.255.112.168

    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED12C29A-6384-4510-B3C5-86473047F876}: NameServer = 85.255.116.167,85.255.112.168

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.167 85.255.112.168

    O17 - HKLM\System\CS1\Services\Tcpip\..\{3D7A6DEF-61D0-42DF-96E1-6FD8E2FD7BBF}: NameServer = 85.255.116.167,85.255.112.168

    O17 - HKLM\System\CS2\Services\Tcpip\..\{3D7A6DEF-61D0-42DF-96E1-6FD8E2FD7BBF}: NameServer = 85.255.116.167,85.255.112.168

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.167 85.255.112.168

    The above O17 entries are the hijacker.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there):

    C:\Program Files\PartyGaming.Net (delete the entire folder)
    C:\Documents and Settings\All Users\Application Data\TREK (delete the entire folder)

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know the results of the Blacklight scan.

    Regards Howard :wave: :wave:

    This thread is for the use of momok only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
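    The O17 lines Howard lists are the Windows TCP/IP NameServer registry values, set per control set (CCS, CS1, CS2) and either per network interface (the GUID keys) or globally (Tcpip\Parameters). When a hijacker rewrites them to resolvers it controls, every DNS lookup the machine makes goes through the attacker, which is why clicking a Google result lands on an unrelated casino site. The script below is an added example, not part of Howard's post or of HijackThis itself: it parses O17 entries out of HJT log text and flags any resolver that is not on an allowlist you supply. The sample lines are copied from the log quoted in this thread; the trusted resolver 192.168.1.1 is a constructed placeholder for whatever your router or ISP actually hands out.

```python
import re
from ipaddress import ip_address

# HijackThis lines copied from the log quoted in this thread; the first line is
# an O4 entry that the O17 parser must ignore.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [MemMon] C:\Documents and Settings\All Users\Application Data\TREK\MemMon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D7A6DEF-61D0-42DF-96E1-6FD8E2FD7BBF}: NameServer = 85.255.116.167,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.167 85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.167 85.255.112.168
"""

# Constructed allowlist: the resolvers this machine is expected to use
# (a placeholder home-router address; replace with your ISP's or your own).
TRUSTED_NAMESERVERS = {"192.168.1.1"}

# An O17 line names a control set (CCS, CS1, CS2 ...) and either a per-interface
# GUID key or the global Tcpip\Parameters key, followed by the NameServer value.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}|Parameters): "
    r"NameServer = (?P<servers>.+?)\s*$"
)


def parse_o17(log_text):
    """Return one dict per O17 entry: control set, interface GUID (None for the
    global Parameters key), valid server IPs, and any malformed tokens."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers, malformed = [], []
        # HJT prints the registry value verbatim; the string may separate
        # servers with commas or with spaces (both appear above), so accept both.
        for token in re.split(r"[,\s]+", m.group("servers").strip()):
            if not token:
                continue
            try:
                servers.append(str(ip_address(token)))
            except ValueError:
                malformed.append(token)
        entries.append({
            "control_set": m.group("cset"),
            "interface": m.group("guid"),   # None => Tcpip\Parameters (all interfaces)
            "servers": servers,
            "malformed": malformed,
        })
    return entries


def find_rogue_nameservers(entries, trusted=TRUSTED_NAMESERVERS):
    """Flag every O17 entry pointing at a resolver outside the allowlist.
    A NameServer override you did not configure yourself is the hijack."""
    findings = []
    for e in entries:
        rogue = sorted(set(e["servers"]) - set(trusted))
        if rogue or e["malformed"]:
            findings.append({**e, "rogue": rogue})
    return findings


def summarize(findings):
    """One human-readable line per flagged entry, suitable for pasting in a reply."""
    out = []
    for f in findings:
        where = f["interface"] or "Tcpip\\Parameters (all interfaces)"
        out.append(f"[{f['control_set']}] {where}: unexpected DNS {', '.join(f['rogue'])}")
    return out


if __name__ == "__main__":
    for line in summarize(find_rogue_nameservers(parse_o17(SAMPLE_HJT_LINES))):
        print(line)
```

    Because the hijacker writes the same value into every control set and every interface key, a single entry left unfixed is enough for the redirects to come back after a reboot; running the check over a fresh log after HJT has fixed the entries is the quickest way to confirm nothing was missed.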
     
  3. momok

    momok TS Rookie Topic Starter Posts: 2,265

    Re:

    Hi Howard.

    Thank you for your help. I've done as you told me, and here's a fresh log from HijackThis and Blacklight.

    PS: I tried adding those IP entries into my hosts file. I'm not sure if it worked, but so far the problem (redirected from Google site) has not appeared again.

    Thanks again! =)

    (edit) By the way, the PartyPoker application is a program I use to play poker online. I'm not sure if there was a fraud folder or some other rogue program masquerading as it, but would you discourage me from installing the app anew from the main site?
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    However, I'm concerned about the entry Blacklight found: c:\WINDOWS\SYSTEM32\KDNSB.EXE

    Run Blacklight again and when it gives you the option to rename the file, do so.

    Let me know the results please.

    Regards Howard :)

    This thread is for the use of momok only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  5. momok

    momok TS Rookie Topic Starter Posts: 2,265

    Re:

    Hi..

    I've renamed that file as you suggested. I think the log is clean. Here it is..
    Thanks.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That looks ok.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of momok only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
Topic Status:
Not open for further replies.
