[my log..] -
my log..
Discuss my log..
Posted by: rythemposition
Logfile of HijackThis v1.99.0
Scan saved at 7:17:19 PM, on 3/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\rundll32.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Thomas\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Thomas\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {B9FEFADB-B5E0-4A04-BD5C-64264185619B} - C:\WINDOWS\System32\meogg.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Thomas\LOCALS~1\Temp\se.dll,DllInstall
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - [url]http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab[/url]
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - [url]http://www.creative.com/su/ocx/12119/CTSUEng.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095814659909[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab[/url]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - [url]http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab[/url]
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - [url]http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319[/url]
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [url]http://www.creative.com/su/ocx/12119/CTPID.cab[/url]
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - [url]http://cdn.digitalcity.com/_media/dalaillama/ampx.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ED8F6A0-F952-4EAA-BB82-6345941FED4C}: NameServer = 205.152.144.23 205.152.132.23
O18 - Filter: text/html - {D2AE4CE5-A1C1-4EAE-88D7-7CE4C0C4CB80} - C:\WINDOWS\System32\meogg.dll
O18 - Filter: text/plain - {D2AE4CE5-A1C1-4EAE-88D7-7CE4C0C4CB80} - C:\WINDOWS\System32\meogg.dll
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Posted by: shuaibao
I put some stuff you should take notice in red....
[QUOTE][i]Originally posted by rythemposition [/i]
[B]Logfile of HijackThis v1.99.0
Scan saved at 7:17:19 PM, on 3/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\rundll32.exe
C:\HJT\HijackThis.exe
[COLOR=darkred]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Thomas\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Thomas\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
[/COLOR]
O2 - BHO: (no name) - {B9FEFADB-B5E0-4A04-BD5C-64264185619B} - C:\WINDOWS\System32\meogg.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Thomas\LOCALS~1\Temp\se.dll,DllInstall
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - [url]http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab[/url]
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - [url]http://www.creative.com/su/ocx/12119/CTSUEng.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095814659909[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab[/url]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - [url]http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab[/url]
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - [url]http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319[/url]
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [url]http://www.creative.com/su/ocx/12119/CTPID.cab[/url]
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - [url]http://cdn.digitalcity.com/_media/dalaillama/ampx.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ED8F6A0-F952-4EAA-BB82-6345941FED4C}: NameServer = 205.152.144.23 205.152.132.23
O18 - Filter: text/html - {D2AE4CE5-A1C1-4EAE-88D7-7CE4C0C4CB80} - C:\WINDOWS\System32\meogg.dll
O18 - Filter: text/plain - {D2AE4CE5-A1C1-4EAE-88D7-7CE4C0C4CB80} - C:\WINDOWS\System32\meogg.dll
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe [/B][/QUOTE]
Get rid of searchassistant....
use google to search for counterspy in my sig.
Posted by: rythemposition
thanks
Posted by: shuaibao
No problem. Don't delte it though, but scan using a spyware scanner.
Posted by: Warez Monster
Remove entries at your own risk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Thomas\LOCALS~1\Temp\se.dll/sp.html
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about :blank
Possibly nasty This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Thomas\LOCALS~1\Temp\se.dll/sp.html
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about :blank
Possibly nasty This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
Possibly nasty This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
Possibly nasty This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank
Nasty This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank This entry should be fixed by HijackThis!
O2 - BHO: (no name) - {B9FEFADB-B5E0-4A04-BD5C-64264185619B} - C:\WINDOWS\System32\meogg.dll Unknown application.
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Thomas\LOCALS~1\Temp\se.dll,DllInstall Unknown application.
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/...all/xscan53.cab[/url] This entry is possibly nasty. Should be fixed
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - [url]http://cdn.digitalcity.com/_media/dalaillama/ampx.cab[/url]
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ED8F6A0-F952-4EAA-BB82-6345941FED4C}: NameServer = 205.152.144.23 205.152.132.23
Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or Domain '205.152.144.23 205.152.132.23'? If not, fix this entry.
O18 - Filter: text/html - {D2AE4CE5-A1C1-4EAE-88D7-7CE4C0C4CB80} - C:\WINDOWS\System32\meogg.dll
Possibly nasty Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.
O18 - Filter: text/plain - {D2AE4CE5-A1C1-4EAE-88D7-7CE4C0C4CB80} - C:\WINDOWS\System32\meogg.dll Check if you know this site and fix it if you do not.