| Thread ID: 80711 | 2007-07-03 01:35:00 | Sir Speedy: What Do You See Here? HJT Log | SurferJoe46 (51) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 565216 | 2007-07-03 01:35:00 | Got this from a friend in New Jersey...I only see a trio of problems..what do you think?

Logfile of HijackThis v1.99.1
Scan saved at 5:38:38 PM, on 7/2/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Juno\exec.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\Program Files\Vinsoft\Forget\forget.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\Program Files\123 Free Solitaire\123FreeSolitaire.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Juno\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Mom.SDION-O42ZNT5KW\My Documents\My Pictures\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = my.juno.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = my.juno.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = my.juno.com
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Juno\SearchEnh1.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\DOCUME~1\MOM~1.SDI\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail -report -cluster 2
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\Juno\qsacc\x1exec.exe"
O4 - Startup: Forget Me Not.lnk = C:\Program Files\Vinsoft\Forget\forget.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: WT Library.lnk = C:\Documents and Settings\Mom.SDION-O42ZNT5KW\Desktop\Watchtower Library 2005\e\wtlib.exe
O4 - Startup: wtlib.lnk = C:\Documents and Settings\Mom.SDION-O42ZNT5KW\Desktop\Watchtower Library 2005\e\wtlib.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno\qsacc\appres.dll/227"
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - tools.ebayimg.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - spaces.msn.com
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - mail.lycos.com
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - by127fd.bay127.hotmail.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBC99CAB-EE84-4632-987A-AB5015C8A196}: NameServer = 64.136.28.120 64.136.44.73
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
| SurferJoe46 (51) | ||
| 565217 | 2007-07-03 02:10:00 | Those three entries marked in red come from his ISP (Juno). They are not really a problem unless he would prefer to have some other default search engine such as google. Personally, I don't like the ISP dictating what search engine to use ... :) | Jen (38) | ||
| 565218 | 2007-07-03 02:11:00 | Put HJT in its own folder, run it again, tick these entries then tick "Fix checked". Close browser/s.

I don't know what this is: C:\Program Files\Vinsoft\Forget\forget.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = my.juno.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = my.juno.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = my.juno.com
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Juno\SearchEnh1.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: Forget Me Not.lnk = C:\Program Files\Vinsoft\Forget\forget.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
I don't know why this is running from this folder, even though it may be legit.

O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\DOCUME~1\MOM~1.SDI\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail -report -cluster 2
- Is this actually working?? This looks like an install file. I take it they're using WINE?

Not too sure if these can be deleted as well. - If this is working, I would leave these entries here. But can't say I've seen too many programs running from this folder on startup.
O4 - Startup: WT Library.lnk = C:\Documents and Settings\Mom.SDION-O42ZNT5KW\Desktop\Watchtower Library 2005\e\wtlib.exe
O4 - Startup: wtlib.lnk = C:\Documents and Settings\Mom.SDION-O42ZNT5KW\Desktop\Watchtower Library 2005\e\wtlib.exe
| Speedy Gonzales (78) | ||
| 565219 | 2007-07-03 04:29:00 | C:\Program Files\Vinsoft\Forget\forget.exe
I don't know this either...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = my.juno.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = my.juno.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = my.juno.com
I had these three R1's killed.

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Juno\SearchEnh1.dll
This is part of their ISP... garbage I think.

O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
More ISP garbage.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
This got removed too.

O4 - Startup: Forget Me Not.lnk = C:\Program Files\Vinsoft\Forget\forget.exe
Again... a mystery too.

O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\xtras\mssysmgr.exe
This is a drugstore (apothecary, NZ) that prints photos from you online... it's OK here in the States.

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
More Walgreen's drugstore pix stuff.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"I don't know why this is running from this folder, even though it may be legit." I'll look into this a little more.

O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\DOCUME~1\MOM~1.SDI\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail -report -cluster 2
I had her kill IncrediMail and it's gone now... that was a partial install that kept on coming back to haunt her.
"Is this actually working?? This looks like an install file." It was.
"I take it they're using WINE?" Wow... I never suspected that! Not too sure that they even know about WINE ~ I'll ask her tonight.
"Not too sure if these can be deleted as well. - If this is working, I would leave these entries here. But can't say I've seen too many programs running from this folder on startup." These two I can vouch for... they are a hard-disk install of a library for research.

O4 - Startup: WT Library.lnk = C:\Documents and Settings\Mom.SDION-O42ZNT5KW\Desktop\Watchtower Library 2005\e\wtlib.exe
O4 - Startup: wtlib.lnk = C:\Documents and Settings\Mom.SDION-O42ZNT5KW\Desktop\Watchtower Library 2005\e\wtlib.exe
| SurferJoe46 (51) | ||
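The two posts above triage the log by eye: default-search overrides (R1), a URLSearchHook (R3), a BHO whose file is gone (O2 "(no file)"), an autorun launched out of the user's Temp folder (O4), startup links pointing into a user profile, and a hard-coded DNS server (O17) that should be checked against what the ISP actually hands out. The following Python script is an added example written for this page; it is not from the thread, from HijackThis, or from any of the posters. It parses HijackThis v1.99-style entry lines and applies those same checks as explicit heuristics (the flag names and the Temp-folder patterns are this example's own assumptions, not HijackThis rules). The sample lines are copied from the log posted in the thread.

```python
"""Triage helper for HijackThis v1.99.x style log lines.

Added example for this page, not HijackThis code.  It reads the
'Rn - ...' / 'Onn - ...' entries and attaches defender-side flags that
mirror what the posters in the thread checked by hand.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entry lines start with a section tag (R1, R3, O2, O4, O17, ...) then ' - '.
ENTRY_RE = re.compile(r"^(?P<tag>[RO]\d{1,2}) - (?P<body>.+)$")

# Assumption for this example: directories an autorun entry should not
# normally launch from.  Matched case-insensitively against the entry.
TEMP_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


@dataclass
class Entry:
    tag: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis entry line, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(m.group("tag"), m.group("body"))


def flag_entry(e: Entry, expected_search_domain: Optional[str] = None) -> Entry:
    """Attach heuristic flags (names are this example's own) to one entry."""
    body_l = e.body.lower()
    if e.tag == "R1" and "=" in e.body:
        # Search-setting override; only acceptable if it points where the
        # user (or their ISP, as in the thread) intended.
        value = e.body.split("=", 1)[1].strip()
        if expected_search_domain is None or expected_search_domain not in value:
            e.flags.append("search-setting-override")
    if e.tag == "R3":
        e.flags.append("url-search-hook")
    if e.tag == "O2" and "(no file)" in body_l:
        # BHO registered but its DLL is missing: leftover of a removal.
        e.flags.append("orphaned-bho")
    if e.tag == "O4" and any(d in body_l for d in TEMP_DIRS):
        e.flags.append("autorun-from-temp")
    if e.tag == "O4" and "\\desktop\\" in body_l:
        e.flags.append("autorun-from-user-profile")
    if e.tag == "O17":
        # Hard-coded resolver; verify the addresses belong to the ISP.
        e.flags.append("custom-dns-verify-with-isp")
    return e


def triage(log_text: str, expected_search_domain: Optional[str] = None) -> List[Entry]:
    """Parse every entry line in the log and flag it."""
    entries = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is not None:
            entries.append(flag_entry(e, expected_search_domain))
    return entries


def flagged_only(entries: List[Entry]) -> List[Entry]:
    """Keep just the entries that earned at least one flag."""
    return [e for e in entries if e.flags]


# Sample lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = my.juno.com
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Juno\SearchEnh1.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\DOCUME~1\MOM~1.SDI\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail -report -cluster 2
O4 - Startup: wtlib.lnk = C:\Documents and Settings\Mom.SDION-O42ZNT5KW\Desktop\Watchtower Library 2005\e\wtlib.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBC99CAB-EE84-4632-987A-AB5015C8A196}: NameServer = 64.136.28.120 64.136.44.73
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

if __name__ == "__main__":
    # Pass the ISP's search domain so the R1 entries are not reported,
    # matching Jen's point that they are expected on a Juno machine.
    for e in flagged_only(triage(SAMPLE_LOG, expected_search_domain="my.juno.com")):
        print(e.tag, ",".join(e.flags), "::", e.body[:70])
```

Run with the ISP's search domain, the script reports the R3 hook, the orphaned BHO, the Temp-folder autorun, the Desktop-based startup link and the O17 resolver, and stays quiet on the R1 lines and the PCTEL service; run without it, the R1 override is reported too. A flag is a prompt to verify, as the thread does for the Watchtower Library entries, not a verdict.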
| 565220 | 2007-07-03 04:38:00 | ...and thanks JEN...always a pleasure to hear from you.... | SurferJoe46 (51) | ||