TechSpot

Please help with attached HijackThis log - with attachment

By Bob Greene
Jan 9, 2005
Topic Status:
Not open for further replies.
  1. Difficult to get a file from an infected laptop that has no floppy!

    Please take a look and let me know what you see.

  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Take a look at This Thread by RBS it will help you.

    Regards, Howard
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    After running through all of my post (as advised by Howard), boot into safe mode.

    Uninstall Ghostsurf whatever that is
    Uninstall whatever is left of PCTools Site Guard

    Run HJT on its own and let it "fix":

    C:\WINDOWS\System32\??rvices.exe
    C:\WINDOWS\System32\winpack.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    O2 - BHO: (no name) - {52DC9EC1-35A9-4914-98D9-D568A9854DA2} - C:\WINDOWS\System32\guguya.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O2 - BHO: (no name) - {6FABEA37-358A-4054-958B-B4EC5E76E2D8} - C:\WINDOWS\System32\hkef.dll
    O2 - BHO: (no name) - {7B7A1CDA-A798-4EF3-B084-921D1EDBDE9B} - C:\WINDOWS\System32\vijarip.dll
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll (file missing)
    O2 - BHO: (no name) - {ED61CEB4-255E-088C-0646-0805EA03549A} - C:\WINDOWS\System32\jfarear.dll
    O4 - HKCU\..\Run: [C:\WINDOWS\System32\iaiiora.dll] C:\WINDOWS\System32\iaiiora.dll /c del ÉÂ >nul
    O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
    O4 - HKCU\..\Run: [Wqjd] C:\WINDOWS\System32\??rvices.exe
    O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
    O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
    O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
    O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
    O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
    O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093801768436
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3BEEC85B-1385-47CD-B787-91ACF654FC9D}: NameServer = 205.231.144.10,205.231.144.20

    Afterwards, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Delete everything in: C:\DOCUME~1\Owner\LOCALS~1\Temp
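A defender-side triage of log lines like the ones above, added here as an example that is not from the thread or from HijackThis itself: it parses the `R0`/`R1`/`O2`/`O4`/`O17` entry format and flags the patterns RealBlackStuff told the poster to fix (blanked search settings, a `res://` search bar served from Temp, a `127.0.0.1` proxy, unnamed or file-missing BHOs, masked or self-deleting Run entries, DNS servers set in the registry). The sample is built from entries quoted in the thread plus one constructed benign Run line (`SynTPEnh`) so the output also shows what is not flagged.

```python
import re

# Constructed excerpt: entries quoted in the thread above, plus one made-up
# benign O4 line (SynTPEnh) so the output shows what is NOT flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {52DC9EC1-35A9-4914-98D9-D568A9854DA2} - C:\WINDOWS\System32\guguya.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKCU\..\Run: [Wqjd] C:\WINDOWS\System32\??rvices.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BEEC85B-1385-47CD-B787-91ACF654FC9D}: NameServer = 205.231.144.10,205.231.144.20
"""
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")

def reasons_for(kind, rest):
    """Why a HijackThis entry looks like hijacking; empty list if it looks clean."""
    hits = []
    if kind in ("R0", "R1"):
        key, _, value = rest.partition(" = ")
        if "Search" in key and value.lower() == "about:blank":
            hits.append("search setting blanked out")
        if value.lower().startswith("res://") and re.search(r"\\temp\\", value, re.I):
            hits.append("search bar served from a DLL in a Temp directory")
        if key.endswith("ProxyServer") and value.startswith("127.0.0.1:"):
            hits.append("browser traffic routed through a local proxy")
    elif kind == "O2":
        if rest.startswith("BHO: (no name)"):
            hits.append("unnamed browser helper object")
        if rest.endswith("(file missing)"):
            hits.append("BHO registration left behind; file is gone")
    elif kind == "O4":
        cmd = rest.split("] ", 1)[-1]  # command after the "[name] " prefix
        if "?" in cmd or " /c del " in cmd:
            hits.append("Run entry with masked or self-deleting command")
    elif kind == "O17":
        hits.append("DNS servers set in registry; verify against ISP/DHCP")
    return hits

def triage(log_text):
    """Map each suspicious line (verbatim) to its reasons; clean lines are dropped."""
    findings = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and (hits := reasons_for(m["kind"], m["rest"])):
            findings[line.strip()] = hits
    return findings
```

Run `triage(SAMPLE_LOG)` on the sample and seven of the nine entries are reported; the HP default search URL and the constructed `SynTPEnh` entry are left alone.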
  4. Bob Greene

    Bob Greene TS Rookie Topic Starter

    Seems to be fixed, but a couple more questions...

    Thanks much for the help - all seems to be well now - I can get to websites, and the various tools are reporting clean.

    I still have a big, white rectangle on top of the wallpaper - where the trojan screen was. Persists even if I change wallpaper or theme.

    Any idea of what the corrupted file may be? I'm trying to get replacement restore disks from HP, but get transferred around in circles... How does walpaper1.bmp get generated by Windows?

    Also, do you want to see the "fixed" HJT file?

    Again - thanks for the help.
  5. Virginiageek

    Virginiageek TS Rookie

    Re. the white rectangle on your desktop

    Right click a blank spot on your desktop and click Properties.
    Display Properties > Desktop > Customize Desktop > click the Web tab > uncheck "Lock desktop items", delete everything but "My home page", and delete anything that may be in the "My home page" box.
  6. Bob Greene

    Bob Greene TS Rookie Topic Starter

    Thanks for reply....

    I won't be able to try your fix, but it sounds good....

    I finally threw in the towel, ordered replacement restore disks (via India and Canada!), and rebuilt the disk. All's well with my customer, except for a couple of missing programs...