Need help with HJT

[toptop24]

Hi all,

I have posted in the Windows OS forum my BSOD problems and they said to post my HJT txt files here. I hope I didn't "fix" something I shouldn't have or vice versa. Any help is appreciated. Please let me know if I need to post more info.

My System is:
Dell Dimension 2400
Pentium 4 2.2 Ghz
256 MB Ram

Thanks.

 

[toptop24]

Hi all once again,

I previously ran HJT before the text file used above and forgot to save the log. In that scan I did some "fixing". But in the second one, the one attached above, I didn't do any "fixing". Just an FYI and hopefully I didn't do anything wrong. I am a newb to these things.

Thanks again,
toptop24

 

[howard_hopkinso]

Go HERE and follow the instructions.

Then post a fresh HJT log.

Regards Howard

 

[toptop24]

Fresh HJT txt file

Here's a fresh HJT file. I was wondering if I should restore my backup since I wasn't 100% sure of what I was doing when I "fixed" stuff for the first time. Windows for the time being seems to be running fine as I hope I removed the virus.

 

[howard_hopkinso]

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type regsvr32 /u C:\WINDOWS\System32\nsj85.dll into the run box and press the enter key. Do this for the following entry as well.

C:\WINDOWS\System32\irsmenzy.dll

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cwshredder.net/cwshredder/cwschronicles.html#smartsearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

O2 - BHO: Katze - {2A611133-1C57-4DFB-A05C-07EE3BFE6D34} - C:\WINDOWS\System32\nsj85.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmenzy.dll (file missing)

O4 - HKLM\..\Run: [inst_] C:\WINDOWS\System32\inst_
O4 - HKLM\..\Run: [loader.exeSetup.exeR] C:\WINDOWS\System32\loader.exeSetup.exeR
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O4 - HKLM\..\Run: [mcspy.exeion.exeg] C:\WINDOWS\System32\mcspy.exeion.exeg
O4 - HKLM\..\Run: [win.exeouter.exeg] C:\WINDOWS\System32\win.exeouter.exeg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O17 - HKLM\System\CCS\Services\Tcpip\..\{A40AB765-2B6B-4979-B306-AEAA9B4B5E1D}: NameServer = 151.164.1.8,206.13.28.12 Only fix this entry, if it doesn`t belong to your ISP.

O20 - AppInit_DLLs: repairs302972988.dll

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files(if there).

C:\WINDOWS\System32\nsj85.dll
C:\WINDOWS\System32\irsmenzy.dll
C:\WINDOWS\System32\inst_
C:\WINDOWS\System32\loader.exeSetup.exeR
C:\WINDOWS\System32\loadadv64
C:\WINDOWS\System32\mcspy.exeion.exeg
C:\WINDOWS\System32\win.exeouter.exeg

Reboot into normal mode and turn system restore back on.

Please post a fresh HJT log.

Regards Howard

 

[toptop24]

O17 - HKLM\System\CCS\Services\Tcpip\..\{A40AB765-2B6B-4979-B306-AEAA9B4B5E1D}: NameServer = 151.164.1.8,206.13.28.12 Only fix this entry, if it doesn`t belong to your ISP.

How do I know if doesn't belong to my ISP? Is there a way to locate it?

-toptop24

 

[howard_hopkinso]

If you`re not sure about the 017 entry, fix it.

If you then have problems with your internet, you will need to restore that entry.

To restore an entry with HJT, do the following.

Open HJT and click on the config button, then on the backup button. Place a tick in the litle box next to the entry you wish to restore and click the restore button, followed by ok.

Click the back button and click the scan button. You should now see the 017 entry you just restored back in the scan results.

Regards Howard

 

[toptop24]

Click start/run and type regsvr32 /u C:\WINDOWS\System32\nsj85.dll into the run box and press the enter key.

When I did this I got the following message: DllUnregisterServer in C:\WINDOWS\System32\nsj85.dll failed. Return code was: 0x80070005

Do this for the following entry as well.

C:\WINDOWS\System32\irsmenzy.dll

When I did this I got this message:
LoadLibrary("C:\WINDOWS\System32\irsmenzy.dll")failed - The specified module could not be found.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

When I ran HJT, this is the message I got:
An unexpected error has occurred at Procedure:modBackup.MakeBackup(sItem=O20-AppInit_DLLs:repairs302972988.dll)
Error #5 - Invalid procedure call or argument

I then clicked OK to continue the rest of the scan.

Locate and delete the following bold files(if there).

C:\WINDOWS\System32\nsj85.dll
C:\WINDOWS\System32\irsmenzy.dll
C:\WINDOWS\System32\inst_
C:\WINDOWS\System32\loader.exeSetup.exeR
C:\WINDOWS\System32\loadadv64
C:\WINDOWS\System32\mcspy.exeion.exeg
C:\WINDOWS\System32\win.exeouter.exeg

I was able to delete all the files except nsj85.dll and irsmenzy.dll because they weren't there.

Reboot into normal mode and turn system restore back on.

I rebooted and the free Antivirus Program: AVG Free Edition detected a virus in C:\DOCUME~1\SINAJO~1\LOCALS~1\Temp

The file was: !update.exe and AVG Free detected the trojan horse: Downloader.Generic.TUC and I moved it into the Virus Vault but it couldn't be healed.

I then tried to delete everything that was in that temp folder, but 6 files couldn't be deleted. Here they are:
IadHide5.dll
me_BmlIfzVbGyvWm9b
me_JFQsKVoUxIuFMMe
me_Jp2wBbLnhnBY9CB
me_KVIqcDe8T39u45r
me_RkImqwUoKw5pgKO

I have yet to turn system restore back on. Is there any other Antivirus programs you recommend? I will post my HJT txt file.

Thanks for all your help howard! I totally appreciate it.

-toptop24

 

[howard_hopkinso]

Your new HJT log is clean.

It`s ok that you couldn`t find some of the files I asked you to delete. that`s why I said(if there).

Is your pc now running better?

Regards Howard

 

[toptop24]

Hi Howard,

I just cleaned it within the past hour or so. For the time being it seems to be working fine, but that's what I thought previously. I'll keep you posted and thanks again.

-toptop24

 

[toptop24]

Should I put System Restore back on or should I wait a little bit?

 

[howard_hopkinso]

Yes. Turn system restore back on.

Regards Howard