TechSpot

Need help with HJT

By toptop24
Mar 14, 2006
  1. Hi all,

    I have posted in the Windows OS forum my BSOD problems and they said to post my HJT txt files here. I hope I didn't "fix" something I shouldn't have or vice versa. Any help is appreciated. Please let me know if I need to post more info.

    My System is:
    Dell Dimension 2400
    Pentium 4 2.2 GHz
    256 MB RAM

    Thanks.
     
  2. toptop24

    toptop24 TS Rookie Topic Starter

    Hi all once again,

    I previously ran HJT before the text file used above and forgot to save the log. In that scan I did some "fixing". But in the second one, the one attached above, I didn't do any "fixing". Just an FYI and hopefully I didn't do anything wrong. I am a newb to these things.

    Thanks again,
    toptop24
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go HERE and follow the instructions.

    Then post a fresh HJT log.

    Regards Howard :)
     
  4. toptop24

    toptop24 TS Rookie Topic Starter

    Fresh HJT txt file

    Here's a fresh HJT file. I was wondering if I should restore my backup since I wasn't 100% sure of what I was doing when I "fixed" stuff for the first time. Windows for the time being seems to be running fine as I hope I removed the virus.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type regsvr32 /u C:\WINDOWS\System32\nsj85.dll into the run box and press the enter key. Do this for the following entry as well.

    C:\WINDOWS\System32\irsmenzy.dll

    Run HJT with no other programmes open. Have HJT fix the following by placing a tick in the little box next to each entry (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cwshredder.net/cwshredder/cwschronicles.html#smartsearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

    O2 - BHO: Katze - {2A611133-1C57-4DFB-A05C-07EE3BFE6D34} - C:\WINDOWS\System32\nsj85.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmenzy.dll (file missing)

    O4 - HKLM\..\Run: [inst_] C:\WINDOWS\System32\inst_
    O4 - HKLM\..\Run: [loader.exeSetup.exeR] C:\WINDOWS\System32\loader.exeSetup.exeR
    O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
    O4 - HKLM\..\Run: [mcspy.exeion.exeg] C:\WINDOWS\System32\mcspy.exeion.exeg
    O4 - HKLM\..\Run: [win.exeouter.exeg] C:\WINDOWS\System32\win.exeouter.exeg
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A40AB765-2B6B-4979-B306-AEAA9B4B5E1D}: NameServer = 151.164.1.8,206.13.28.12
    Only fix this entry if it doesn't belong to your ISP.

    O20 - AppInit_DLLs: repairs302972988.dll

    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\WINDOWS\System32\nsj85.dll
    C:\WINDOWS\System32\irsmenzy.dll
    C:\WINDOWS\System32\inst_
    C:\WINDOWS\System32\loader.exeSetup.exeR
    C:\WINDOWS\System32\loadadv64
    C:\WINDOWS\System32\mcspy.exeion.exeg
    C:\WINDOWS\System32\win.exeouter.exeg

    Reboot into normal mode and turn system restore back on.

    Please post a fresh HJT log.

    Regards Howard :)
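
An added example, not part of howard_hopkinso's post and not HijackThis code: a small Python parser for log lines of the kind listed above, so that "(file missing)" leftovers and O17 NameServer values can be reviewed against a list you trust. The function names and the `known` resolver set are assumptions made for the illustration.

```python
import re

# Lines copied from the fix list in the post above (a subset).
SAMPLE_LOG = r"""
O2 - BHO: Katze - {2A611133-1C57-4DFB-A05C-07EE3BFE6D34} - C:\WINDOWS\System32\nsj85.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmenzy.dll (file missing)
O4 - HKLM\..\Run: [inst_] C:\WINDOWS\System32\inst_
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{A40AB765-2B6B-4979-B306-AEAA9B4B5E1D}: NameServer = 151.164.1.8,206.13.28.12
O20 - AppInit_DLLs: repairs302972988.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O17 - <body>"
MISSING = " (file missing)"                             # suffix HJT appends
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
DNS = re.compile(r"NameServer = (.+)$")

def parse_hjt(log):
    """Split each 'CODE - body' line into a dict with the fields a reviewer needs."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header text, process list, blank lines
        code, body = m.groups()
        e = {"code": code, "missing": body.endswith(MISSING)}
        if e["missing"]:
            body = body[: -len(MISSING)]
        if code in ("O2", "O23"):
            e["path"] = body.rsplit(" - ", 1)[-1]  # last field is the file path
        elif code == "O4" and (r := RUN.match(body)):
            e["hive"], e["key"], e["name"], e["command"] = r.groups()
        elif code == "O17" and (d := DNS.search(body)):
            e["nameservers"] = [ip.strip() for ip in d.group(1).split(",")]
        elif code == "O20":
            e["dlls"] = body.partition(":")[2].split()
        entries.append(e)
    return entries

def unlisted_nameservers(entries, known):
    """O17 resolvers absent from `known` (addresses your ISP or admin gave you)."""
    return [ip for e in entries for ip in e.get("nameservers", []) if ip not in known]

def orphaned(entries):
    """Paths of entries HijackThis marked '(file missing)': registry leftovers."""
    return [e["path"] for e in entries if e["missing"] and "path" in e]
```

Pass `unlisted_nameservers` the resolver addresses from your ISP's own documentation; any address it returns is one to look up before deciding whether to fix the O17 entry.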
     
  6. toptop24

    toptop24 TS Rookie Topic Starter

    How do I know if it doesn't belong to my ISP? Is there a way to locate it?

    -toptop24
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    If you're not sure about the O17 entry, fix it.

    If you then have problems with your internet, you will need to restore that entry.

    To restore an entry with HJT, do the following.

    Open HJT and click on the config button, then on the backup button. Place a tick in the little box next to the entry you wish to restore and click the restore button, followed by ok.

    Click the back button and click the scan button. You should now see the O17 entry you just restored back in the scan results.

    Regards Howard :)
     
  8. toptop24

    toptop24 TS Rookie Topic Starter

    When I did this I got the following message: DllUnregisterServer in C:\WINDOWS\System32\nsj85.dll failed. Return code was: 0x80070005

    When I did this I got this message:
    LoadLibrary("C:\WINDOWS\System32\irsmenzy.dll")failed - The specified module could not be found.

    When I ran HJT, this is the message I got:
    An unexpected error has occurred at Procedure:modBackup.MakeBackup(sItem=O20-AppInit_DLLs:repairs302972988.dll)
    Error #5 - Invalid procedure call or argument

    I then clicked OK to continue the rest of the scan.

    I was able to delete all the files except nsj85.dll and irsmenzy.dll because they weren't there.

    I rebooted and the free Antivirus Program: AVG Free Edition detected a virus in C:\DOCUME~1\SINAJO~1\LOCALS~1\Temp

    The file was: !update.exe and AVG Free detected the trojan horse: Downloader.Generic.TUC and I moved it into the Virus Vault but it couldn't be healed.

    I then tried to delete everything that was in that temp folder, but 6 files couldn't be deleted. Here they are:
    IadHide5.dll
    me_BmlIfzVbGyvWm9b
    me_JFQsKVoUxIuFMMe
    me_Jp2wBbLnhnBY9CB
    me_KVIqcDe8T39u45r
    me_RkImqwUoKw5pgKO

    I have yet to turn system restore back on. Are there any other Antivirus programs you recommend? I will post my HJT txt file.

    Thanks for all your help howard! I totally appreciate it.

    -toptop24
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your new HJT log is clean.

    It's ok that you couldn't find some of the files I asked you to delete. That's why I said (if there).

    Is your pc now running better?

    Regards Howard :)
     
  10. toptop24

    toptop24 TS Rookie Topic Starter

    Hi Howard,

    I just cleaned it within the past hour or so. For the time being it seems to be working fine, but that's what I thought previously. I'll keep you posted and thanks again.

    -toptop24
     
  11. toptop24

    toptop24 TS Rookie Topic Starter

    Should I put System Restore back on or should I wait a little bit?
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes. Turn system restore back on.

    Regards Howard :)
     
Topic Status:
Not open for further replies.
