Posts: 10
Time spent in forums: 3 h 11 m 26 sec
Reputation Power: 0
Juno Hooks?
When I arrived here at my parents a week ago, this pc was barely crawling. (Dev Shed to the rescue) I have spent a lot of time getting rid of the intruders, but something is still not rt.
There is a data line that is used for the Juno internet. They have bought sbc/yahoo dsl that is coming in on the data line with wk scheduled to transfer this to the main ph. line 5/31/05 so they can cancel the data line and Juno along w/ it. However, something won't let me register the yahoo. I was on the ph. w/ sbc and they walked me thru the installation process only to fail when I tried to 'agree' w/ the terms. I clicked agree, but no indication that I had clicked. I suspect Juno is interfering.
Logfile of HijackThis v1.99.1
Scan saved at 1:11:20 AM, on 05/24/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Posts: 10
Time spent in forums: 3 h 11 m 26 sec
Reputation Power: 0
So I go to "add/remv prog" (to remv Juno) and all I get is the window frame. Plus where the word 'close' would be, it's spelled Clo8e...or smthg like that.
Last wk. I was able to ck for windows updates and 44 were needed. I got it down to 31 but now it won't ck. for updates as of today. I get to the page...and the window doesn't change...a few scattered clicks...but no 33%, 66%...like it did last week.
If you see any hair around this thread I'm sorry. It probably came from that which I have physically extracted on a premature basis.
Posts: 3,431
Time spent in forums: 4 Weeks 1 Day 21 h 34 m 19 sec
Reputation Power: 160
hi blubyu
Quote:
O4 - HKLM\..\Run: [sm] C:\WINNT\sr_exe.exe
this file is malware and is a sign that you have been infected with the lukuspam trojan.
I notice you have Norton Antivirus on your system, so please follow the removal instructions posted on the symantec site which i linked to above and post a fresh hijackthis log.
as for the juno problem, there are a few malware (NSIS) that use the /juno/bin directory, but i can't see them listed.
when you are in safe mode, run the hijackthis scan and fix the following entries.
on a side note: do you know what this program is ? syng32.exe
I don't feel it's legitimate.. but let's leave it till after you post your new hijackthis log.
__________________
Nigel
..Seeking code free nirvana... Nigel Fernandes Blog
Never argue with fools. They will bring you down to their level and beat you with experience.
Manchester United Forever
Last edited by oneMSBi : May 24th, 2005 at 06:13 AM.
Posts: 10
Time spent in forums: 3 h 11 m 26 sec
Reputation Power: 0
oneMSBi-
I love your quote about the fools. Sounds like something i would run with.
Norton was on this cpu at one time but it's asking for a disk that doesn't seem to be here. So, maybe there is another way. I hate to 'experiment' in this regard.
I deleted (fixed) the 2 files you indicated f/ the "Hijack This" log.
I have no idea what that 'mystery' file is about and would take great pleasure disposing of it in any fashionable manner. Just give me the 'ok'
Here is my new 'ht' sans the 2 files I deleted. (cpu seems to be running better so you've got me quite excited).
Logfile of HijackThis v1.99.1
Scan saved at 2:53:54 PM, on 05/24/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Posts: 3,431
Time spent in forums: 4 Weeks 1 Day 21 h 34 m 19 sec
Reputation Power: 160
hello once again blubyu,
thanks for the remark on the quote. it's my favorite
unfortunately the two entries i directed you to fix are only the tip of the iceberg. any performance change you are feeling is only likely to be temporary. I would love to be able to help you further, but cleaning up such an infection is beyond me at the moment. I will not risk your pc in attempting to clean it up. I'm still learning to parse Hijackthis logs.
however i can give you the advice mentioned in the symantec site i posted a link to. if you did not already go to that site here is the link again
http://www.symantec.com/avcenter/venc/data/trojan.lukuspam.html
if you have a decent internet connection speed, please do an online scan of your system at http://housecall.trendmicro.com it takes a while so let it run overnight if you can.
******* Do the following actions at your own risk... ok ? ******
Reboot into safe mode and turn off system restore if it is enabled. i cannot remember if system restore is a feature present on windows 2000. it may not be, so don't be alarmed if it is not there.
delete this file c:\WINNT\sr_exe.exe
then fix these with hijackthis. (make sure the make backups option is set in hijackthis in case we want to undo any of this.)
run this command "sfc /scannow" from the run prompt while still in safe mode.
then reboot and post a fresh log
************************************************
Please have patience and check this thread regularly over the next few days. one of the other moderators, Tom Myboy, is very proficient in cleaning out such infections and i expect he will post here with directions to help you out.
My regrets at not being able to help you in greater detail. If you have any questions please don't hesitate to post here or send me a private message.
Last edited by oneMSBi : May 24th, 2005 at 05:06 PM.
Posts: 3,431
Time spent in forums: 4 Weeks 1 Day 21 h 34 m 19 sec
Reputation Power: 160
although i asked you to fix this file's entry in the registry with hijackthis we have not yet deleted it from your computer.
syng32.exe
do not delete it yet. please navigate to it in your /winnt/system32 folder but DO NOT click it. rt click it and post any manufacturer details and version no etc.
do you know the following files ?
C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
please treat them with caution because we do not know what they are. navigate to the .exe but don't click it. rt click it and post the version and manufacturer's details in your next post.
Posts: 10
Time spent in forums: 3 h 11 m 26 sec
Reputation Power: 0
I try to navigate to syng.exe by rt. click C drive(explore).......I have a folder that is capital letters WINNT but when i rt click that it is empty, so i'm not sure if i'm going the rt. way. I know enough to be dangerous w/ a cpu...nothing more. Please be patient w/ me for i try real hard but sometimes can't get the fog to lift.
As for the saitek files, that is a cpu/gamepad i have installed just recently. This has worked properly for me.
Posts: 3,431
Time spent in forums: 4 Weeks 1 Day 21 h 34 m 19 sec
Reputation Power: 160
umm .. please proceed with extreme caution. I hope TomMyboy can stop by this thread later and help you out. I can see several threats on your system but I am very reluctant to help out because you will require expert guidance, which i cannot provide.
it seems like you have traces of PWSTEAL.FORMGLIEDER TROJAN and a dialer: Installed with Verizon DSL accounts. IP Insight is a Quality of Service monitor and diagnostic tool that isn't required - constantly "phones home" and wastes resources.
Please be very cautious and check this thread regularly.
Last edited by oneMSBi : May 28th, 2005 at 05:26 PM.
Posts: 2,491
Time spent in forums: 3 Days 20 h 13 m 41 sec
Reputation Power: 17
You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis.
If you have any questions before starting the fix, please don't hesitate to ask!
I am assuming you want to remove Juno. If so, fix the items in RED also.
Please go to Start > Control Panel > Add/Remove programs and remove:
Download it to your Desktop. Run the program, copy and paste the first file listed below into the window. Click the Delete on Reboot button. Click End Explorer Shell While Killing File. Then press Delete file (The Red X). Answer yes to "All listed files will be deleted on next reboot". Answer No to the question "Do you want to reboot now?".
Then repeat the above instructions for the rest of the files listed. Once the final file has been entered, answer Yes to the question "Do you want to reboot now?".
Be careful this is a powerful tool and is unforgiving once you instruct it to delete something.
Next...
Logoff your internet/network connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked".
It is OK if some of these items are no longer listed.
RED
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc
O9 - Extra button: Juno - {0D84F24E-06F9-454C-A3FE-959825827F28} - juno.exe (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECBA222B-1B22-41C9-B35B-4E4BC6FA79BD}: NameServer = 64.136.20.121 64.136.28.121
Do you have any idea what this is? If not, please browse to the file, right-click the file > select properties. Is there a version tab? If so, what information is displayed? Please treat this file with caution, it may be malware.
Posts: 10
Time spent in forums: 3 h 11 m 26 sec
Reputation Power: 0
Hi Tom, and thanks for your assistance.
I have ignored the 'red' for 2 reasons. I'm worried if I delete Juno I may not be able to get back on line and I'm unable to access the "Add/Rmv Programs" window in the control panel. The frame comes up, but remains blank. At least that's the way it was a few days ago.
i removed the very big quote of toms post.
Last edited by oneMSBi : May 30th, 2005 at 10:55 AM.
Reason: removed the very big quote :)
Posts: 10
Time spent in forums: 3 h 11 m 26 sec
Reputation Power: 0
Here's the new ht log:
Logfile of HijackThis v1.99.1
Scan saved at 12:33:27 PM, on 05/29/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
I don't know what that [MISSetup] file is. and I don't know how to browse to it. I tried to search for it and get "Invalid File." When I click on "get info on selected file" in the ht results, it says smthg like:...looks for suspicious entries that autoload when windows start...possibly causing IE start page, search page/bar/asst to revert back to a hijackers page after a reboot...also a DLL file can be loaded that can hook into system parts.
You say treat this file w/ caution. I think I want to torture it before I delete it.
Posts: 2,491
Time spent in forums: 3 Days 20 h 13 m 41 sec
Reputation Power: 17
Quote:
You say treat this file w/ caution. I think I want to torture it before I delete it.
Hang it from the highest tree
Logoff your internet/network connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked".
O4 - HKLM\..\Run: [MISSetup] D:\Mis\Enu\setup.exe
Browse to D:\Mis\Enu and delete setup.exe
Next...
Let's do some more cleaning up:
Download Ad-Aware SE Personal Edition version 1.06 from:
Run Adaware, click the "Check for Updates now" link. Install the latest reference file.
Perform a full system scan with Adaware, allow it to remove anything it finds. It may ask if it can run the next time your computer boots, allow it to do so.
Make sure you are online, run Spybot - Search & Destroy, click the "Check for Updates now" link. Install the latest reference file.
Scan and fix all items checked in RED.
Next...
Start downloading those Windows Updates!
You are seriously behind on Windows Updates. This leaves your computer open to many threats. You will just get infected again if you don't install these! You need (at the minimum) W2K Service Pack 4, Internet Explorer Service Pack 1 and all the critical updates that go along with them.
Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".
Please post a final HijackThis log.
Tom
Last edited by Tom Myboy : June 1st, 2005 at 12:04 AM.
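The entries quoted in this thread all follow a fixed `code - details` layout, which makes a log easy to triage mechanically. As an added example (not part of any post and not HijackThis's own code), here is a small Python parser for the section codes that appear in this thread; the function names and the one-line section descriptions are this example's own.

```python
import re

# HijackThis section codes seen in this thread and what each category lists.
SECTIONS = {
    "R1": "Internet Explorer registry value (search page, window title)",
    "O4": "autostart program (registry Run key or Startup folder)",
    "O9": "extra Internet Explorer button or Tools menu item",
    "O17": "DNS/domain setting on a network interface",
    "O23": "Windows NT service",
}
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_line(line):
    """Return a dict for one log entry, or None for header/blank lines."""
    m = ENTRY.match(line)
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "meaning": SECTIONS.get(code, "not covered here"),
             "body": body, "file_missing": "(file missing)" in body}
    run = RUN.match(body) if code == "O4" else None
    if run:
        entry["hive"], entry["key"], entry["name"], entry["command"] = run.groups()
    if code == "O17" and "NameServer" in body:
        entry["nameservers"] = IPV4.findall(body.split("NameServer", 1)[1])
    return entry

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def autostarts(entries):
    """(value name, command) pairs that Windows launches at logon."""
    return [(e["name"], e["command"]) for e in entries if "command" in e]

# Header and entry lines exactly as quoted in the thread.
SAMPLE = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc
O4 - HKLM\..\Run: [sm] C:\WINNT\sr_exe.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [MISSetup] D:\Mis\Enu\setup.exe
O9 - Extra button: Juno - {0D84F24E-06F9-454C-A3FE-959825827F28} - juno.exe (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECBA222B-1B22-41C9-B35B-4E4BC6FA79BD}: NameServer = 64.136.20.121 64.136.28.121
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE):
        print(e["code"], "|", e["meaning"], "|", e["body"])
```

The parser only structures the entries; deciding whether an autostart command or a name server is legitimate still takes the kind of manual review done in the posts above.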
Posts: 10
Time spent in forums: 3 h 11 m 26 sec
Reputation Power: 0
My oh my, the patient is no longer on life support and has actually gotten up and walked around w/ no assistance.
Adaware found a cpl of data miners which i remved but that's it. Spybot congratulated me upon conclusion of its search.
I have all the critical window updates.
I have tried to remove the Juno components as the dsl is wking great. Now we can discontinue the data line that Juno was using. Hopefully Juno will recognize defeat and go quietly or else I kidnap it and see if there is anyone foolish enough to pay the ransom.
Here is the fresh ht log:
Logfile of HijackThis v1.99.1
Scan saved at 6:24:56 PM, on 06/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
The prognosis must be good and this pleases us to the nth degree. I had prepared everyone for the worst so they all thot we were gonna lose the poor thing. Now they think I'm a genius. HA!..... I won't argue w/ them about that...heheh... but am quick to explain I had online help. This doesn't mean much to them cuz they old and only see the cpu running much better. So I let them think they deserve credit for raising a genius son, and for cultivating his magical aptitudes.
Posts: 2,491
Time spent in forums: 3 Days 20 h 13 m 41 sec
Reputation Power: 17
Quote:
The prognosis must be good and this pleases us to the nth degree. I had prepared everyone for the worst so they all thot we were gonna lose the poor thing. Now they think I'm a genius. HA!..... I won't argue w/ them about that...heheh... but am quick to explain I had online help. This doesn't mean much to them cuz they old and only see the cpu running much better. So I let them think they deserve credit for raising a genius son, and for cultivating his magical aptitudes.
lol, isn't that great?
Logoff your internet/network connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked".
It is OK if some of these items are no longer listed.
Posts: 10
Time spent in forums: 3 h 11 m 26 sec
Reputation Power: 0
I remvd the 9 f/ your list on the ht
The firewall...yes...I installed zone alarm when I first got here along w/ the other helpful programs but I was having difficulty accessing the internet and I wasn't sure if that was the problem. So I uninstalled it and proceeded to go to Dev Shed and initiate the fixes that have done such a good job.
When you mentioned that you didn't see a firewall I installed the full version of McAfee f/ my sister's disc. Well this caused more headaches than it was worth behind it would identify "Hijack This" "Ad Aware" "Spybot" as intruders and insisted on their removal.
I remvd McAfee...heheh...
I have now reinstalled zone alarm. It prompts quite a bit about internet access (this will freak my parents out) but I'm hoping to minimize this before I leave. (Jun 7)
There is an icon on the desktop, Wild Tangent...I can't get rid of cuz it says it's being used...even in safe mode.
When I run Ad Aware it always finds a few criticals and about 10 negligibles. So I'm concerned about this.
Task Manager/Processes I have 'svchost.exe' 3 times also, Task Mgr/Performance about every 10 sec. it jumps f/ 0 to 13 (I don't know if this is significant)
Here is my fresh ht:
Logfile of HijackThis v1.99.1
Scan saved at 1:26:36 PM, on 06/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Any idea what this is? O23 - Service: Ati HotKey Poller....
One more thing, i noticed an improvement after i ran a registry cleaner...but it will fix only so much. I started to uninstall the program and it threatened to put back the errors that it fixed...terrorist!...any recommendations for registry aid?