HijackThis/valid file ext. for attachments?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by zephod, Jun 18, 2004.

  1. zephod

    zephod Private E-2

    Just a quick question. When I ran HijackThis and saved a log of it, it was saved via WordPad and the extension was ".log". This website won't let me attach this with my bigger problem. Is there a way to convert this document to .jpg or gif? Any other suggestions?
     
  2. DanTekGeek

    DanTekGeek Master Sergeant

    Just double-click on the file and it will open in Notepad, then paste the text here.
     
  3. zephod

    zephod Private E-2

    I know this is a lot, but I am only interested in the first 3 "R1" lines. Only the Best?




    Logfile of HijackThis v1.97.7
    Scan saved at 5:37:39 PM, on 6/18/2004

    Platform: Windows XP SP1 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\LEXBCES.EXE

    C:\WINDOWS\system32\LEXPPS.EXE

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe

    C:\Program Files\Norton AntiVirus\navapsvc.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\appga.exe

    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\PROGRA~1\NORTON~1\navapw32.exe

    C:\Program Files\DIGStream\digstream.exe

    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

    C:\Program Files\Support.com\bin\tgcmd.exe

    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

    C:\COMPAQ\CPQINET\CPQInet.exe

    C:\Compaq\EAKDRV\EAUSBKBD.EXE

    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

    C:\Program Files\FinePixViewer\QuickDCF.exe

    C:\WINDOWS\system32\ipmc.exe

    C:\Documents and Settings\Jeff and Jules\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\srtfs.dll/sp.html#96676

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://srtfs.dll/index.html#96676

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\srtfs.dll/sp.html#96676

    O2 - BHO: (no name) - {AEEB8E59-9B25-8247-A3C5-C38674EF0D9F} - C:\WINDOWS\ipir32.dll

    O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"

    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

    O4 - HKLM\..\Run: [ipmc.exe] C:\WINDOWS\system32\ipmc.exe

    O4 - HKLM\..\RunOnce: [ieft32.exe] C:\WINDOWS\ieft32.exe

    O4 - HKLM\..\RunOnce: [crqf32.exe] C:\WINDOWS\system32\crqf32.exe

    O4 - HKLM\..\RunOnce: [javaxt32.exe] C:\WINDOWS\javaxt32.exe

    O4 - HKLM\..\RunOnce: [atlli32.exe] C:\WINDOWS\atlli32.exe

    O4 - HKLM\..\RunOnce: [sysij.exe] C:\WINDOWS\sysij.exe

    O4 - HKLM\..\RunOnce: [ipay.exe] C:\WINDOWS\system32\ipay.exe

    O4 - HKLM\..\RunOnce: [atluq.exe] C:\WINDOWS\atluq.exe

    O4 - HKLM\..\RunOnce: [mspf.exe] C:\WINDOWS\mspf.exe

    O4 - HKLM\..\RunOnce: [atlhb32.exe] C:\WINDOWS\atlhb32.exe

    O4 - HKLM\..\RunOnce: [ipjw32.exe] C:\WINDOWS\ipjw32.exe

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll



     
  4. Mc Happy Again

    Mc Happy Again Private E-2

    Dude... look at those RunOnce lines too...
    and the Run lines... hmmm, regshave?
    and the c:\ lines... what's going to happen there?
     
  5. zephod

    zephod Private E-2

    Wish I had a clue. I don't even know what RunOnce or Run lines are. Believe it or not, I have been on the phone for three days w/ Microsoft techs and they still haven't figured it out. Getting a call Monday from one of their "top" people ;). From what I've seen of other threads, those "R1" lines look like that "Only the Best" bug. Guess I need more help than I thought, eh?
     
  6. Mc Happy Again

    Mc Happy Again Private E-2

    Yeah I am sure that you will need to wipe out some of the runonce files on the pc...but google all the file names and see which ones are for sure bad ones.
     
  7. zephod

    zephod Private E-2

    OK will do it. I'll try to get rid of this using your method I read earlier. Thanks dude!
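
The triage suggested in the replies above (pick out the R1 lines and the Run/RunOnce entries, then collect the file names to look up) can be scripted. This is an added example, not part of the thread or of HijackThis itself; the sample lines are copied from the log posted above, and the function names are hypothetical.

```python
import re

# Subset of the log posted in this thread, embedded so the script runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\system32\ipmc.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\srtfs.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://srtfs.dll/index.html#96676
O2 - BHO: (no name) - {AEEB8E59-9B25-8247-A3C5-C38674EF0D9F} - C:\WINDOWS\ipir32.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\RunOnce: [ieft32.exe] C:\WINDOWS\ieft32.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")      # "O4 - rest of line"
AUTORUN = re.compile(r"^[A-Z]+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BINARY = re.compile(r'([^\\/"=\s\[\]]+\.(?:exe|dll))\b', re.IGNORECASE)

def parse_entries(log_text):
    """Group entry lines by section code; process paths and headers are skipped."""
    sections = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections

def review_list(log_text):
    """Return (section, reason, file name) rows for the entries the thread points at."""
    work = []
    for code, entries in parse_entries(log_text).items():
        for text in entries:
            if code in ("R0", "R1") and "res://" in text.lower():
                detail = "IE setting points at a res:// resource"
            elif code == "O4" and (m := AUTORUN.match(text)):
                detail = f"{m['key']} autostart [{m['name']}]"
                text = m["cmd"]          # only the command holds the file to look up
            else:
                continue
            for name in BINARY.findall(text):
                item = (code, detail, name.lower())
                if item not in work:     # the same DLL can appear on several R1 lines
                    work.append(item)
    return work

if __name__ == "__main__":
    for row in review_list(SAMPLE_LOG):
        print(*row, sep=" | ")
```

The output is only a list of names to research; whether a given file is unwanted still has to be checked for each name.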
     
