02-07-2005 04:49 PM
I'd like some help with a hijackthis log
Using Ron's answers to threads here, I've been able to get rid of most spyware/adware,
but not all of it :( Here's my HijackThis log
Logfile of HijackThis v1.99.0
Scan saved at 12:16:46 AM, on 02/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\EpStsSrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\vquvvq.exe
C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\DIGIMARC\IMAGEB~1\WMCACHE.EXE
C:\Documents and Settings\Mark\My Documents\My Received Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar http://search.search-exe.com/nph-search.cgi?tcodeexebar1&looksbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar http://search.search-exe.com/nph-search.cgi?tcodeexebar1&looksbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride localhost
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: GoBack.lnk C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O23 - Service: EPSON ESC/POS Status Service - Unknown - EpStsSrv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
Just when I think everything is clear, the spyware/adware comes back :(
I'd be very grateful for all help
Thanks Steve.
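The log above uses HijackThis's `CODE - body` line format. As an added example (not part of the original post, and not HijackThis's own code), this Python sketch parses such lines and groups them by what they point at; the function names and the grouping are assumptions, and the sample is a handful of lines copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample: a few entry lines copied from the log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar http://search.search-exe.com/nph-search.cgi?tcodeexebar1&looksbar1_srchbtn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page http://sympatico.msn.ca/
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: EPSON ESC/POS Status Service - Unknown - EpStsSrv.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # e.g. "O4 - ..."
URL_HOST = re.compile(r"https?://([^/\s]+)")         # host part of a URL value
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")        # "Hosts: <ip> <name>"
RUN = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[([^\]]+)\] (.*)$")


def parse_entries(text):
    """Return (code, body) for every entry line; headers and process paths are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def summarize(text):
    """Group entries by destination so related changes can be reviewed together."""
    s = {"url_hosts": defaultdict(list), "hosts_by_ip": defaultdict(list),
         "autoruns": {}, "file_missing": []}
    for code, body in parse_entries(text):
        if body.endswith("(file missing)"):
            s["file_missing"].append((code, body))
        if code in ("R0", "R1"):                     # IE start/search page values
            m = URL_HOST.search(body)
            if m:
                s["url_hosts"][m.group(1).lower()].append(body[:m.start()].strip())
        elif code == "O1":                           # hosts-file redirections
            m = HOSTS.match(body)
            if m:
                s["hosts_by_ip"][m.group(1)].append(m.group(2))
        elif code == "O4":                           # Run-key autostart entries
            m = RUN.match(body)
            if m:
                s["autoruns"][m.group(2)] = m.group(3)
    return s
```

Entries that share one destination, such as several hostnames mapped to a single address in the hosts file, end up under one key, which makes a set of related changes easier to review together.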
02-08-2005 09:49 AM
Re: I'd like some help with a hijackthis log
Next time please attach your log. As you see it causes problems with the forum when what looks like a URL has an equal sign at the end.
Since you've been reading my earlier posts I hope you have your copy of winsockxpfix.exe just in case.
Boot into Safe Mode (F8) and check the following and hit Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar http://search.search-exe.com/nph-search.cgi?tcodeexebar1&looksbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar http://search.search-exe.com/nph-search.cgi?tcodeexebar1&looksbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) http://search.search-exe.com/nph-search.cgi?tcodeexesrch1&lookstmpl1&fw
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride localhost
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O23 - Service: EPSON ESC/POS Status Service - Unknown - EpStsSrv.exe (file missing)
The last one was probably harmless but something ate its file. Appears to be something with your printer. Might as well kill it off too.
Don't reboot yet. Do Start then Run and type cmd then hit Enter. That will bring up a DOS-like CMD window. Type the following commands with an Enter after each line. Lines with ( ) are comments:
C:
cd \windows\system32
dir vquvvq.exe
(Note the time and date)
dir /ogd > \junk.txt
erase /f /q vquvvq.exe
notepad \junk.txt
(This will open a notepad file that lists the files in your System32 folder. Locate the vquvvq.exe and see if you have any other files with the same date and time +/- 5 minutes. Note their filenames and switch back to the CMD window and do erase /f /q filename for each of them. Close notepad and go back to the CMD window.)
del /q c:\windows\prefetch\*.*
(above line cleans your prefetch folder which can hold files that you don't want to run.)
exit
(closes the CMD window)
Right click on Start and select Explore then find the folder C:\Program Files.
Find the folder SE under C:\Program Files and highlight it then hit Delete and if it asks you if you want to delete the folder and all its files then say Yes.
Repeat for VBouncer
Now reboot and run another scan and post it as an attachment and let's see how we did.
Ron
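The reply's step of scanning the directory listing for files dated within 5 minutes of a known file can be scripted. This is an added example, not part of the original reply: the function name `files_near` and the demo file names are assumptions, and the demo directory is constructed so the code runs anywhere.

```python
import os
import tempfile
from datetime import timedelta


def files_near(directory, reference_name, window=timedelta(minutes=5)):
    """List files in `directory` last modified within `window` of the reference file.

    Returns (name, offset_seconds) pairs sorted by offset; the reference
    file itself is excluded. Uses last-modified time, which is the time
    that `dir` prints by default.
    """
    ref_mtime = os.stat(os.path.join(directory, reference_name)).st_mtime
    hits = []
    with os.scandir(directory) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue  # skip sub-directories and links
            if entry.name.lower() == reference_name.lower():
                continue  # Windows file names are case-insensitive
            offset = entry.stat(follow_symlinks=False).st_mtime - ref_mtime
            if abs(offset) <= window.total_seconds():
                hits.append((entry.name, int(offset)))
    return sorted(hits, key=lambda h: h[1])


def demo():
    """Constructed directory: one reference file, two neighbours, one old file."""
    with tempfile.TemporaryDirectory() as d:
        base = 1_107_800_000  # arbitrary constructed epoch time
        for name, delta in [("reference.exe", 0), ("dropped_a.dll", -120),
                            ("dropped_b.dat", 290), ("old_driver.sys", -86_400)]:
            path = os.path.join(d, name)
            open(path, "wb").close()
            os.utime(path, (base + delta, base + delta))
        return files_near(d, "reference.exe")


if __name__ == "__main__":
    for name, offset in demo():
        print(f"{offset:+6d}s  {name}")
```

Run it before the reference file is erased, as the reply's order of commands does with the saved listing. A program can set its own files' modification times, so an empty result does not show that nothing else was written alongside the reference file.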