Old 01-22-2006   #1
PCHF $ Donor
 
Join Date: Jan 2006
Posts: 12
Default [Fixed] hijackthis logs please help me

Hi everyone, I'm having problems getting rid of these viruses, can anyone help me? Let me just say that this site is awesome and you guys are so helpful.
Attached Files
File Type: txt Scan report_20060122.txt.txt (26.6 KB, 3 views)
File Type: log hijackthis.log (11.0 KB, 3 views)
severum is offline   Reply With Quote
Old 01-22-2006   #2
PCHF Founder & Owner
 
 
Join Date: Jan 2004
Location: The PCHF Bunker
Posts: 15,665
PC Experience: Microsoft Certified Professional
Default

Hi, welcome to the forum and thanks for the compliment.

Can you work thru the [Pre-Work] link in my signature as it may help to reduce the infections before you post your new logs back here for inspection.
Hengis is offline   Reply With Quote
Old 01-22-2006   #3
Elite Member
 
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,021
Default

Hya Severum, let's see if we can fix that for you. :smiley:




Make sure you still have hidden files set to show, sysrestore disabled and that you still have ccleaner and ewido.


Then disable the Windows Messenger service:

Please download Shoot The Messenger

Download and run the small (22 kbyte) "ShootTheMessenger.exe" utility. It will display the current status of your system's Messenger Service. The button near the bottom of its window will allow you to set the service to whichever state, running or disabled, that you desire.

If, for any reason, you should ever choose to re-enable the Windows Messenger Service, simply re-run ShootTheMessenger to do so.
Then uninstall UnSpyPC in add/remove programs. (not a legit anti spyware app)

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.p...50515010747824
Unzip it to the desktop but please do NOT run it yet.



Boot in Safe Mode (hit F8 when booting up), and run the Nailfix by double-clicking on nailfix.cmd.

Then fix these with hjt:
(if still present)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=131164
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{39AE156A-8D6E-40EC-9B0F-F969F047DFF2}: NameServer = 85.255.115.154,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{6051DA72-9B1D-489A-9F60-C792F531AEA1}: NameServer = 85.255.115.154,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{61829C50-5B0F-4740-BDEE-0CC381E7D6B7}: NameServer = 85.255.115.154,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{82438DE3-6C27-4328-B75B-BC04A157C6AB}: NameServer = 85.255.115.154,85.255.112.234
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Then delete the files in bold, and run ccleaner.


After that run a new ewido scan and save the log from it.

Boot to normal mode and post the ewido log and a new hjt log please.
__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

joe5 is offline   Reply With Quote
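
The fix list in the post above can be triaged mechanically. This is an added example, not part of joe5's post and not HijackThis's own code: it parses the entries and reports the per-interface DNS override (O17), the extra program appended to the shell (F2), and entries whose target file is already absent. The function name `triage` and the `trusted_dns` parameter are assumptions; pass your own known-good resolvers.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O17 - HKLM\System\CCS\Services\Tcpip\..\{39AE156A-8D6E-40EC-9B0F-F969F047DFF2}: NameServer = 85.255.115.154,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{6051DA72-9B1D-489A-9F60-C792F531AEA1}: NameServer = 85.255.115.154,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{61829C50-5B0F-4740-BDEE-0CC381E7D6B7}: NameServer = 85.255.115.154,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{82438DE3-6C27-4328-B75B-BC04A157C6AB}: NameServer = 85.255.115.154,85.255.112.234
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def triage(log, trusted_dns=()):
    """Return (findings, dns). findings: list of (section, reason);
    dns: untrusted resolver IP -> set of interface GUIDs pointing at it."""
    trusted = {ipaddress.ip_address(a) for a in trusted_dns}
    findings, dns = [], defaultdict(set)
    for m in filter(None, (ENTRY.match(l.strip()) for l in log.splitlines())):
        code, body = m.groups()
        if code == "O17" and "NameServer" in body:
            iface = GUID.search(body)
            for ip in re.split(r"[,\s]+", body.partition("=")[2].strip()):
                try:
                    if ipaddress.ip_address(ip) not in trusted:
                        dns[ip].add(iface.group(0) if iface else "?")
                except ValueError:
                    findings.append((code, f"unparseable NameServer value {ip!r}"))
        elif code == "F2" and "Shell=" in body:
            extra = body.split("Shell=", 1)[1].split()[1:]
            if extra:  # anything after Explorer.exe is started with the shell
                findings.append((code, "shell also starts " + " ".join(extra)))
        elif body.endswith(("(no file)", "(file missing)")):
            findings.append((code, "orphaned entry: target file is absent"))
        elif code == "O4" and "rundll32" in body.lower():
            findings.append((code, "Run key loads a DLL through rundll32"))
    for ip in sorted(dns):
        findings.append(("O17", f"resolver {ip} set on {len(dns[ip])} interface(s)"))
    return findings, dict(dns)
```

Grouping the O17 lines by resolver shows that the same NameServer pair was written to every listed interface, which is why each interface entry has to be fixed and not just the active one.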
Old 01-24-2006   #4
PCHF $ Donor
 
Join Date: Jan 2006
Posts: 12
Default

Thanks guys for responding so quickly. Hengis, I went through the prework and removed so many spyware and trojans but there are still more hanging around.
Joe5 I've gone through the steps you instructed me to do but I'm having a few problems, the 1st is I've downloaded nailfix to my desktop and it's been in a zip file so I open it and drag the 2 programs to my desktop (nailfix and process) and that's all fine, the problem comes when I go into safemode then double click on nailfix (not the zipfile) it runs for a second and stops and then the windows is running in safemode press yes to go to safemode and no to go to system restore option screen comes up, so I thought I might try to remove the program and reinstall it but it isn't in the add/remove program.
You also told me to remove unspypc but that isn't in the add/remove either, bridge.dll is in the add/remove but won't let me remove it (error loading bridge.dll it can't be found) comes up when I try and remove it.
I don't know if I've done something wrong I'm an amateur when it comes to computers so please forgive me if I've done a stupid mistake.
Thanks
severum is offline   Reply With Quote
Old 01-25-2006   #5
Elite Member
 
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,021
Default

Originally Posted by severum
the 1st is I've downloaded nailfix to my desktop and it's been in a zip file so I open it and drag the 2 programs to my desktop (nailfix and process) and that's all fine, the problem comes when I go into safemode then double click on nailfix (not the zipfile) it runs for a second and stops and then the windows is running in safemode press yes to go to safemode and no to go to system restore option screen comes up,

That's not good... try it in normal mode again.

so I thought I might try to remove the program and reinstall it but it isn't in the add/remove program.

No need to uninstall, you can just delete the folder and it's gone.

You also told me to remove unspypc but that isn't in the add/remove either, bridge.dll is in the add/remove but won't let me remove it (error loading bridge.dll it can't be found) comes up when I try and remove it.

Then just leave the instruction to uninstall it and it will be removed manually with hjt. Same for bridge.dll.

I don't know if I've done something wrong I'm an amateur when it comes to computers so please forgive me if I've done a stupid mistake.
Thanks
Nah, don't worry. This sort of thing is normal with malware removal. :smiley:

joe5 is offline   Reply With Quote
Old 01-27-2006   #6
PCHF $ Donor
 
Join Date: Jan 2006
Posts: 12
Default

Hi again
I had a problem with the nailfix program I'm not sure if I've done something wrong because on normal windows (not safemode) I would click on it and my desktop icons would disappear and reappear which is normal but when I click on hijackthis there was nothing in bold letters. Could it be that I ran it from a temp folder if so how do I put it in a permanent file?
Anyway I deleted all the ones you told me to delete and my computer is running 20 times faster and I get no firewall popping up every 10 seconds.
Here is my hijackthis and scan report, can you please have a look at it for me.
Also the bridge.dll is still on my add/remove program and when I go to remove it an "error loading the specified module could not be found" pops up, is there any way of getting rid of it or should I not bother.
Thanks.
Attached Files
File Type: txt hijackthis.txt (8.8 KB, 1 views)
File Type: txt Scan report_20060126.txt.txt (768 Bytes, 1 views)
severum is offline   Reply With Quote
Old 01-27-2006   #7
Elite Member
 
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,021
Default

Originally Posted by severum
Hi again
I had a problem with the nailfix program I'm not sure if I've done something wrong because on normal windows (not safemode) I would click on it and my desktop icons would disappear and reappear which is normal

It went ok, the nail infection is gone.

but when I click on hijackthis there was nothing in bold letters.

That is correct, I made some files show up bold myself. Those file names in bold are the files that you manually have to delete after fixing them with hjt. Have you deleted those?


Anyway I deleted all the ones you told me to delete and my computer is running 20 times faster and I get no firewall popping up every 10 seconds.
Here is my hijackthis and scan report, can you please have a look at it for me.

Yup, it's looking much better :smiley: but still some more to fix.

Also the bridge.dll is still on my add/remove program and when I go to remove it an "error loading the specified module could not be found" pops up, is there any way of getting rid of it or should I not bother.
Thanks.
To get rid of that entry:

1. Start Registry Editor (Regedit.exe).

2. Locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

3. Locate the key to be deleted by locating the key name created by the program. If the name of the key is not apparent, browse through each key and note the value for DisplayName. This is the viewable string in the Add/Remove Programs tool.

4. Using the Registry menu, export the selected registry key to make a backup. Store the .reg file in a safe location in case you need to import it at a later date.

5. Delete the selected registry key and its values. Do not delete the entire Uninstall key.

6. Quit Registry Editor.

7. Verify that the reference in the Add/Remove Programs tool is no longer visible.



Then fix these with hjt:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=131164
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{39AE156A-8D6E-40EC-9B0F-F969F047DFF2}: NameServer = 85.255.115.154,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{6051DA72-9B1D-489A-9F60-C792F531AEA1}: NameServer = 85.255.115.154,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{61829C50-5B0F-4740-BDEE-0CC381E7D6B7}: NameServer = 85.255.115.154,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{82438DE3-6C27-4328-B75B-BC04A157C6AB}: NameServer = 85.255.115.154,85.255.112.234

And then post a new hjt log to check please.

joe5 is offline   Reply With Quote
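
The Add/Remove Programs cleanup in steps 1 to 7 above, as an added example that is not part of joe5's post: it reads a `.reg` export of the Uninstall key, finds the subkey by its DisplayName (step 3), and returns the backup and delete commands for that one subkey only (steps 4 and 5), refusing when the match is ambiguous. The function names, the backup file name and the sample export are assumptions constructed for illustration.

```python
import re

UNINSTALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

# Constructed sample of a .reg export of the Uninstall key; the subkey names
# and values are invented. Real exports are UTF-16: open(..., encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp]
"DisplayName"="Example App"
"UninstallString"="\"C:\\Program Files\\ExampleApp\\uninst.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BridgeEntry]
"DisplayName"="bridge.dll"
'''

VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Map each key path in a .reg export to its string (REG_SZ) values."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            # .reg files escape backslash and double quote with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_subkeys(text, display_name):
    """Subkeys of Uninstall whose DisplayName contains display_name (step 3)."""
    prefix = UNINSTALL.lower() + "\\"
    return [path for path, vals in parse_reg(text).items()
            if path.lower().startswith(prefix)      # never the parent key (step 5)
            and display_name.lower() in vals.get("DisplayName", "").lower()]

def removal_plan(text, display_name, backup="uninstall-entry-backup.reg"):
    """Commands for steps 4 and 5; refuses unless exactly one subkey matches."""
    hits = find_subkeys(text, display_name)
    if len(hits) != 1:
        raise ValueError(f"expected one match for {display_name!r}, got {len(hits)}")
    return [f'reg export "{hits[0]}" "{backup}"', f'reg delete "{hits[0]}" /f']
```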