
HijackThis

Birdman (Active Member, joined Dec 16, 2004; Oxford, Oxfordshire; car: E55 & Phaeton)
I got just a bit ambitious with a shareware product called HijackThis. Stuffed a few files in the process that I want back. Does anyone know the product and whether there are controls to reinstate the system from the original logfiles I carefully made!
There is a user forum but am having troubles with passwords - which is probably linked to where things first began to go pear-shaped...
But at least I am now a trojan-free zone. :)
 
Do you know the name of the files you want back? If you do, you should be able to find them by typing them into 'google'.

Failing that, if you go into HiJackThis! and select the options bit, there is a 'backup' tab. This lists all the processes/files that you can reinstate. There will only be files here if you have selected 'backup all fixed files' beforehand - it's worth a chance though.

Tank
 
Backup is enabled in HiJackThis! by default. In the folder/desktop that you have the program (the dynamite & plunger) you should see a folder called backups. If that's there you can undo any changes you've made.

Run HJT again and choose view list of backups. Find the item you want to return and click restore.

#edit#
-----------------------------------------------
Couple of other suggestions:
1) When you use HJT cut & paste a copy of the results into the page at www.hijackthis.de which can analyse it for you for nasties & also keeps an online record for 3 days that you can post as a link if you need advice.

2) It's never a good idea to run system editing tools at 3 o'clock in the morning! ;)
-----------------------------------------------
 
Thanks for the help. I'll have a go at restoring it to pristine tonight (right around midnight, probably) :D
 
The 'make backups before fixing items' box is indeed the checked default. BUT when I click on the 'Backups' button there are no lists - nothing, zilch!
The 'Ignorelist' has items I want - 38 of them. Is it that, being ignored, they have been there all the time?

I'm a bit puzzled about the missing Backups list. I have a 7kb logfile that has about six more items in it than the Ignorelist. Can I use that to rescue the system?

It's only 02:39 so the night is young...
 
The ignore list is just that: it contains items from your HJT log that you have told the program no longer need to be checked. If you delete items from the ignore list they will reappear in the main scan (but you haven't restored them; they were always there).

You can't use the logfile to restore the missing lines but you can use it to help.

You need to find the Backups folder if possible. If you ran HJT from a temporary folder (like from within the Zip) I'm afraid you're stuffed. You really should always make a dedicated folder and unzip the HJT exe into it. Then run it.

If you ran it from your desktop you may find a folder there. In any event it's worth running a search of your computer for backups but if it's not visible in the place you ran HJT from you are probably out of luck.

If you post the half a dozen lines that you now want back it's possible that they can be reinstalled manually.

Did you set a system restore point before deleting? Can you check the most recent system restore date on your PC?
 
masqueraid said:
You need to find the Backups folder if possible. If you ran HJT from a temporary folder (like from within the Zip) I'm afraid you're stuffed. You really should always make a dedicated folder and unzip the HJT exe into it. Then run it.

I'm afraid that is what happened. I tried ineffectually to place the programme into the 'Programs' menu but there you go.

If you post the half a dozen lines that you now want back it's possible that they can be reinstalled manually.

Post them where?

Did you set a system restore point before deleting? Can you check the most recent system restore date on your PC?

How to do this?

As you see, I should not be playing with these powerful tools. Fortunately, the only (visible) problems I have are: the printer has gone offline and the printer diagnostics are not up to sorting the problem, obviously. And I get these occasional app errors 'the memory could not be read XXXXX' from wmiprvse.exe (isn't life fun for systems programmers?).
 
Open your HijackThis logfile in Notepad and cut and paste the lines that you want recovered onto this page.

Sounds like simply reinstalling your printer may solve the biggest of your problems.

wmiprvse.exe is either the legitimate Windows system file or, from what you've said already, could be evidence of a Trojan.Gletta.A infection, which, if you have got a Trojan, is particularly unpleasant news as it records keystrokes on your computer (like banking passwords) and transmits them. You do have updated antivirus software installed??

If you use any banking or other important passwords and you have removed Trojan.Gletta.A it would be prudent to change your passwords.
 
On Trojan.Gletta.A, I have SpywareGuard/Blaster, Spybot and TrojanHunter installed, alongside Zone Alarm and AVG anti-virus software.
Admittedly, while ZA and AVG were installed from day one the rest went in after the infection hijacked my IE homepage. At that point I started using Mozilla as my sole browser as a precaution.

All scans by these anti-malware products have always been negative but that didn't give me back my IE homepage which keeps reverting to MSN regardless. I tried HijackThis! in order to recover my browser homepage (which used to be the BBC before the hijack after which it always reverted to msn no matter what!).

I confess I'm a bit concerned about the possibility of a spyware trojan operated by criminals, but Trojan.Gletta.A was first reported in June 2004 and I find it difficult to believe it would not have been picked up by one of the proprietary packages I use to regularly scan all files. But these things happen, I guess.



These are the lines that appear in the first log file I made which are not on the other lists which appear in Hijack this and which I assume have been deleted by me.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

These are the lost boys!
 
At first glance this looks OK, if this was before you made any changes I wonder what you removed. There's no home page hijacker shown.


These lines could be trouble unless you are using KEME.Net in Ipswich
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB7D0B38-AEA5-45AF-86D8-88A82CD81347}: NameServer = 62.121.10.2 62.121.0.2

But it might be you have a fixed IP address with your service provider

And if you don't have any Broadcom devices then these should also go:

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\basfipm.exe


Have you:
- Got your homepage back?
- Removed & reinstalled printer?
- Still got the wmiprvse.exe error?
 
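The two things this thread keeps coming back to are (a) reading an HJT log for entries worth a second look (the "(no file)" toolbar, the O17 NameServer line that should match the ISP's DNS servers, O23 services) and (b) rebuilding deleted O4 Run-key entries by hand from the original log. The script below is an added example written for this thread; it is not HijackThis's own code and not something either poster wrote. It assumes the HJT line syntax exactly as posted above (section prefix, " - " separators, "HKLM\..\Run" as HJT's abbreviation for HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and "Unknown owner" as HJT's marker for a service binary with no company name). The sample log is constructed from lines posted in the thread, the set of trusted nameservers is a parameter you supply from your ISP, and the .reg text it produces is only meant for entries you are sure were yours; importing it into the registry is a separate, manual step.

```python
"""Parse HijackThis (HJT) log lines, flag entries worth a second look, and turn
O4 Run-key lines back into importable .reg text.

Added example for this thread; not HijackThis's own code. SAMPLE_LOG is
constructed from lines posted in the thread, not from a real scan.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. HJT writes "HKLM\..\Run" as an abbreviation of
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assumption stated in the lead-in).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB7D0B38-AEA5-45AF-86D8-88A82CD81347}: NameServer = 62.121.10.2 62.121.0.2
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<rest>.*)$")
# Matches the registry form of an O4 line: "HKLM\..\Run: [Name] command"
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Entry:
    section: str
    rest: str
    flags: list = field(default_factory=list)


def parse(text):
    """Turn HJT log text into Entry objects; lines without a section prefix are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("rest")))
    return entries


def review(entries, trusted_nameservers):
    """Attach review flags to entries in place and return the flagged ones.

    trusted_nameservers: the DNS server IPs your ISP actually gave you.
    """
    for e in entries:
        if e.rest.endswith("(no file)"):
            e.flags.append("orphan entry: points at a file that no longer exists")
        if e.section == "O17":
            m = re.search(r"NameServer\s*=\s*(.+)$", e.rest)
            servers = m.group(1).split() if m else []
            bad = [s for s in servers if s not in trusted_nameservers]
            if bad:
                e.flags.append("DNS server(s) not the ISP's: " + " ".join(bad))
        if e.section == "O23" and " - Unknown owner - " in e.rest:
            e.flags.append("service binary carries no company name")
    return [e for e in entries if e.flags]


def reg_escape(s):
    """Escape a string for a REG_SZ value in .reg syntax (backslashes and quotes)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def run_entries_to_reg(entries):
    """Rebuild .reg text (the form regedit imports) for the registry-based O4 lines."""
    by_key = {}
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.rest)
        if not m:
            continue  # startup-folder O4 lines are files, not registry values
        key = "%s\\%s\\%s" % (HIVES[m.group("hive")], RUN_KEY, m.group("key"))
        by_key.setdefault(key, []).append((m.group("name"), m.group("cmd")))
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        out.append("[%s]" % key)
        for name, cmd in values:
            out.append('"%s"="%s"' % (reg_escape(name), reg_escape(cmd)))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for e in review(entries, {"62.121.10.2", "62.121.0.2"}):
        print("%s - %s\n    -> %s" % (e.section, e.rest, "; ".join(e.flags)))
    print(run_entries_to_reg(entries))
```

Run against the constructed sample with the ISP's two nameservers marked trusted, only the O3 "(no file)" toolbar is flagged; pass an empty trusted set and the O17 line is flagged too, which is the check to run against any DNS line you do not recognise. The .reg output doubles backslashes and escapes the embedded quotes around the DVDLauncher command, which is the part people most often get wrong when retyping these by hand.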
I just modified my previous post, as you can see, just as yours went up!

I'm relieved to hear there's nothing too obvious wrong. KEME is my ISP and Broadcom supply the broadband stuff. A printer reinstall might get me back to the point where everything is OK - except the silliness of IE being locked into msn as my homepage. Maybe a reinstall would solve that. I suppose it could cure the random error messages too!

I have a theory that computers often resolve their problems when a technical person gets involved even if they don't DO anything. Rather like the presence of a policeman at a street party. Anyway, many thanks and I'll post up the outcome - I'm away for a week so it will be a little while yet.
 
Cracked it! After all the grief sorting out my system, last night I got a message from ZoneLabs to update ZoneAlarm since there was a bug in the previous version that "may cause the Homepage to lockup". Grrr!!!! :devil: But at least the problem is solved now. Plus, my system has been swept more often than Sweepy's carpet. :)

Again, thanks for the help masqueraid
 