Please help with attached HijackThis log - with attachment

Status
Not open for further replies.
Difficult to get a file from an infected laptop that has no floppy!

Please take a look and let me know what you see.
 

Attachments

  • hijackthis07.txt (9.3 KB)
After running through all of my post (as advised by Howard), boot into safe mode.

Uninstall GhostSurf, whatever that is
Uninstall whatever is left of PCTools Site Guard

Run HJT on its own and let it "fix":

C:\WINDOWS\System32\??rvices.exe
C:\WINDOWS\System32\winpack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {52DC9EC1-35A9-4914-98D9-D568A9854DA2} - C:\WINDOWS\System32\guguya.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {6FABEA37-358A-4054-958B-B4EC5E76E2D8} - C:\WINDOWS\System32\hkef.dll
O2 - BHO: (no name) - {7B7A1CDA-A798-4EF3-B084-921D1EDBDE9B} - C:\WINDOWS\System32\vijarip.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll (file missing)
O2 - BHO: (no name) - {ED61CEB4-255E-088C-0646-0805EA03549A} - C:\WINDOWS\System32\jfarear.dll
O4 - HKCU\..\Run: [C:\WINDOWS\System32\iaiiora.dll] C:\WINDOWS\System32\iaiiora.dll /c del ÉÂ >nul
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [Wqjd] C:\WINDOWS\System32\??rvices.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093801768436
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BEEC85B-1385-47CD-B787-91ACF654FC9D}: NameServer = 205.231.144.10,205.231.144.20

Afterwards, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

Delete everything in: C:\DOCUME~1\Owner\LOCALS~1\Temp
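Added example, not part of the original post and not HijackThis's own code: a small Python triage script that applies the same judgement the helper applied above to the R0/R1, O2, O4 and O17 lines. The heuristics (localhost proxy, about:blank or res://...Temp search settings, unnamed BHOs, "(file missing)" entries, Run entries that self-delete or use non-printable characters to mimic a system file name, DNS servers to double-check) and the "fix"/"review" labels are this example's own assumptions, not a published rule set. The sample log is a subset of the lines quoted in the post.

```python
"""Triage a HijackThis (HJT) log with a few heuristics (added example).

Lines that match a hijack pattern are labelled "fix" (tell HJT to fix them);
everything else is "review", because an unfamiliar entry is not proof of
anything.  The rules below are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed test input: a subset of the log lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
O2 - BHO: (no name) - {52DC9EC1-35A9-4914-98D9-D568A9854DA2} - C:\WINDOWS\System32\guguya.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKCU\..\Run: [C:\WINDOWS\System32\iaiiora.dll] C:\WINDOWS\System32\iaiiora.dll /c del ÉÂ >nul
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [Wqjd] C:\WINDOWS\System32\??rvices.exe
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BEEC85B-1385-47CD-B787-91ACF654FC9D}: NameServer = 205.231.144.10,205.231.144.20
"""


@dataclass
class Finding:
    section: str   # HJT prefix, e.g. "O4"
    level: str     # "fix" or "review"
    reason: str
    line: str


# Names a piece of malware likes to imitate (assumed list, extend as needed).
KNOWN_SYSTEM_EXES = ("services.exe", "svchost.exe", "lsass.exe",
                     "winlogon.exe", "csrss.exe", "explorer.exe")
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*((?:127\.\d+\.\d+\.\d+|localhost):\d+)", re.I)
SEARCH_HIJACK = re.compile(r"=\s*(?:about:blank|res://\S*\\temp\\)", re.I)


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def system_file_lookalike(name: str) -> Optional[str]:
    """HJT prints characters it cannot render as '?'.  Treat each '?' as a
    wildcard and see whether the name then matches a well-known system file,
    e.g. '??rvices.exe' -> 'services.exe'."""
    if "?" not in name:
        return None
    pattern = re.escape(name).replace(r"\?", ".")
    for known in KNOWN_SYSTEM_EXES:
        if re.fullmatch(pattern, known, re.I):
            return known
    return None


def _judge_r(section: str, body: str, line: str) -> Finding:
    m = LOCAL_PROXY.search(body)
    if m:
        return Finding(section, "fix", f"IE traffic routed through local proxy {m.group(1)}", line)
    if SEARCH_HIJACK.search(body):
        return Finding(section, "fix", "search setting points at about:blank or a res:// page in Temp", line)
    return Finding(section, "review", "IE setting; confirm it is the OEM or user choice", line)


def _judge_bho(section: str, body: str, line: str) -> Optional[Finding]:
    m = re.match(r"BHO:\s*(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.*)$", body)
    if not m:
        return None
    name, path = m.groups()
    if path.endswith("(file missing)"):
        return Finding(section, "fix", f"orphaned BHO '{name}': file is missing", line)
    if name == "(no name)":
        return Finding(section, "fix", f"unnamed BHO loading {_basename(path)}", line)
    return Finding(section, "review", f"BHO '{name}' -> {_basename(path)}; verify the publisher", line)


def _judge_run(section: str, body: str, line: str) -> Optional[Finding]:
    m = re.match(r".*\\Run:\s*\[[^\]]*\]\s*(.*)$", body)
    if not m or not m.group(1).strip():
        return None
    cmd = m.group(1).strip()
    target = re.match(r'"[^"]+"|\S+', cmd).group(0)   # path before any switches
    name = _basename(target)
    known = system_file_lookalike(name)
    if known:
        return Finding(section, "fix", f"'{name}' mimics {known} using characters HJT cannot print", line)
    if name.lower().endswith(".dll") and re.search(r"\bdel\b", cmd, re.I):
        return Finding(section, "fix", "Run entry launches a DLL with a self-deleting 'del' command", line)
    if body.upper().startswith("HKCU") and "\\system32\\" in target.lower():
        return Finding(section, "review", f"per-user (HKCU) autorun of '{name}' from System32", line)
    return Finding(section, "review", f"autorun '{name}'", line)


def _judge_o17(section: str, body: str, line: str) -> Finding:
    m = re.search(r"NameServer\s*=\s*(.*)$", body)
    servers = [s.strip() for s in m.group(1).split(",")] if m else []
    return Finding(section, "review", "DNS servers " + ", ".join(servers) + "; confirm they belong to the ISP", line)


JUDGES = {"R0": _judge_r, "R1": _judge_r, "O2": _judge_bho, "O4": _judge_run, "O17": _judge_o17}


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([RFO]\d+)\s+-\s+(.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        judge = JUDGES.get(section)
        f = judge(section, body, line) if judge else Finding(section, "review", "not covered by these heuristics", line)
        if f:
            findings.append(f)
    return findings


def fix_list(log_text: str) -> List[str]:
    """The lines you would tick in HJT and let it fix."""
    return [f.line for f in triage(log_text) if f.level == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:6}] {f.section}: {f.reason}")
```

Running it on the sample prints eight "fix" lines (the about:blank / res:// search entries, the 127.0.0.1:7212 proxy, the two BHOs, the self-deleting DLL and the ??rvices.exe look-alike) and leaves the OEM search URL, winpack.exe, the GhostSurf menu item and the DNS servers as "review", which is the split the helper made by hand above.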
 
Seems to be fixed, but a couple more questions...

Thanks much for the help - all seems to be well now - I can get to websites, and the various tools are reporting clean.

I still have a big, white rectangle on top of the wallpaper - where the trojan screen was. Persists even if I change wallpaper or theme.

Any idea of what the corrupted file may be? I'm trying to get replacement restore disks from HP, but get transferred around in circles... How does walpaper1.bmp get generated by Windows?

Also, do you want to see the "fixed" HJT file?

Again - thanks for the help.
 
Re. the white rectangle on your desktop

Right-click a blank spot on your desktop and click Properties.
Display Properties > Desktop > Customize Desktop > click the Web tab > uncheck "Lock desktop items" and delete everything but "My home page", and delete anything that may be in the My home page box.
 
Thanks for reply....

I won't be able to try your fix, but it sounds good....

I finally threw in the towel, ordered replacement restore disks (via India and Canada!), and rebuilt the disk. All's well with my customer, except for a couple of missing programs...
 