a.exe and z.exe



#1
kithing

kithing

    New Member

  • Member
  • Pip
  • 6 posts
I have not been able to get rid of these exes. I have stopped them, but I cannot keep them from starting up.
Logfile of HijackThis v1.99.1
Scan saved at 11:33:12 AM, on 6/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\cisvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\z.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
D:\WINDOWS\system32\WISPTIS.EXE
D:\Documents and Settings\mica\My Documents\HyjackThis Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://ecampus.phoe...t.asp&Failed=No
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\system32\z.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - D:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.dot.pima....65/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111071302839
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\System32\HPHipm11.exe
  • 0

#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hi kithing,

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop.

Reboot into safe mode and run HijackThis.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\system32\z.exe reg_run

*Double-click on the Killbox folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file name below to the "Full Path to File to Delete" box
D:\WINDOWS\system32\z.exe
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
*If the computer does not reboot by itself, do it manually.

Post a new HijackThis log when you are done.

Regards,
  • 0

#3
kithing

kithing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
This is the log after the above steps, Pieter

Logfile of HijackThis v1.99.1
Scan saved at 12:39:03 PM, on 6/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\cisvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\a.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\mica\My Documents\HyjackThis Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://ecampus.phoe...t.asp&Failed=No
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\system32\z.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - D:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.dot.pima....65/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111071302839
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\System32\HPHipm11.exe

Mitch
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Good job. It's no longer running. :tazz:

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\system32\z.exe reg_run

Then please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in safe mode and run RKFiles.bat. It may take a while. When it is finished a window should appear with a log.

Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.

Regards,
  • 0

#5
kithing

kithing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
It took a bit of time to get it to run. Also, I noticed it is in my startup now, that is, the strings.exe

D:\f

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
D:\WINDOWS\system32\better0503.dll: UPX!
D:\WINDOWS\system32\blizzard.dll: UPX!
D:\WINDOWS\system32\golden513.dll: UPX!
D:\WINDOWS\system32\supdate.dll: UPX!
D:\WINDOWS\system32\u.dat: UPX!
D:\WINDOWS\system32\x.dll: UPX!
D:\WINDOWS\system32\z.exe: UPX!
D:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
D:\WINDOWS\del.tmp: UPX!
D:\WINDOWS\tsc.exe: UPX!
D:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


Thanks
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Please download the Killbox and run Killbox by double-clicking Killbox.exe.
Select "Delete on Reboot".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
D:\WINDOWS\system32\better0503.dll
D:\WINDOWS\system32\blizzard.dll
D:\WINDOWS\system32\golden513.dll
D:\WINDOWS\system32\supdate.dll
D:\WINDOWS\system32\u.dat
D:\WINDOWS\system32\x.dll
D:\WINDOWS\system32\z.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

If strings.exe did not disappear from Startup by itself then please remove it.

Regards,
  • 0

#7
kithing

kithing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok I did the above without any error messages. I still have a.exe and z.exe starting up in my startup group.

I did another HijackThis log as follows.

Logfile of HijackThis v1.99.1
Scan saved at 8:22:31 AM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\a.exe
D:\WINDOWS\System32\cisvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Documents and Settings\mica\My Documents\HyjackThis Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://ecampus.phoe...t.asp&Failed=No
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\system32\z.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - D:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.dot.pima....65/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111071302839
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\System32\HPHipm11.exe


Thanks for the Help Pieter

Mitchell
  • 0

#8
kithing

kithing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I went and ran a Qoologic log

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc D:\WINDOWS\System32\Z.EXE
* KavSvc D:\WINDOWS\System32\M.DLL
* KavSvc D:\WINDOWS\System32\SUPDATE.DLL
* KavSvc D:\WINDOWS\System32\X.DLL
* aspack D:\WINDOWS\System32\A.EXE
* aspack D:\WINDOWS\System32\MRT.EXE
* aspack D:\WINDOWS\System32\NTDLL.DLL
* aspack D:\WINDOWS\System32\REDIT.CPL
* UPX! D:\WINDOWS\System32\Z.EXE
* UPX! D:\WINDOWS\System32\SUPDATE.DLL
* UPX! D:\WINDOWS\System32\X.DLL
* aspack D:\WINDOWS\VSAPI32.DLL
* UPX! D:\WINDOWS\TSC.EXE
* UPX! D:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe D:\docume~1\alluse~1\startm~1\programs\startup\A.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
D:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
a.exe

User Startup:
D:\Documents and Settings\mica\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\y
<NO NAME> REG_SZ {02c05e04-3628-4eb8-a8e3-a28815aad863}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 09:24
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "D:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK. I'll give you a new set of files to remove with Killbox.
Use the same procedure as above.
D:\WINDOWS\System32\Z.EXE
D:\WINDOWS\System32\M.DLL
D:\WINDOWS\System32\SUPDATE.DLL
D:\WINDOWS\System32\X.DLL
D:\WINDOWS\System32\A.EXE
D:\WINDOWS\System32\REDIT.CPL


When the computer reboots make sure it goes to safe mode and fix:
O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\system32\z.exe reg_run

Let me know,
  • 0

#10
kithing

kithing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
It looks like it is all gone now after that last step I was able to see & delete the reg key.

Here is the last HijackThis log. Thanks for your help, Pieter

Logfile of HijackThis v1.99.1
Scan saved at 12:12:44 PM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\cisvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Documents and Settings\mica\My Documents\HyjackThis Software\HijackThis.exe
D:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://ecampus.phoe...t.asp&Failed=No
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - D:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.dot.pima....65/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111071302839
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\System32\HPHipm11.exe

Mitchell
  • 0

#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
That is one clean log.

Couldn't have done it without you Mitchell :tazz:

Please do have a look at my site about removing and preventing spyware.

Regards,
  • 0
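
The check repeated throughout this thread (post a new HijackThis log after each fix and see whether the `KavSvc` Run entry and the `z.exe`/`a.exe` processes are still there) can be scripted. The following is an added example, not part of the original posts and not HijackThis code: it parses the running-process list and the O4 registry Run entries from two logs and reports what a cleanup step removed, left behind, or let appear. The embedded logs are constructed excerpts of the first, second and last logs posted above, and the function names are hypothetical.

```python
import re

# Constructed excerpts of three HijackThis logs posted in this thread
# (trimmed to the lines that matter for the comparison).
LOG_1 = r"""Scan saved at 11:33:12 AM, on 6/5/2005

Running processes:
D:\WINDOWS\system32\z.exe
D:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\system32\z.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
"""
LOG_2 = r"""Scan saved at 12:39:03 PM, on 6/5/2005

Running processes:
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\a.exe

O4 - HKLM\..\Run: [KavSvc] D:\WINDOWS\system32\z.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
"""
LOG_4 = r"""Scan saved at 12:12:44 PM, on 6/6/2005

Running processes:
D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

def parse_log(text):
    """Return (set of running process paths, {autorun key: command})."""
    procs, runs, in_procs = set(), {}, False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            procs.add(line.lower())  # Windows paths are case-insensitive
        else:
            m = RUN_RE.match(line)
            if m:  # key = (hive, key name, value name)
                runs[m.group(1, 2, 3)] = m.group(4)
    return procs, runs

def compare(before, after):
    """Report what a cleanup step removed, left behind, or let appear."""
    p0, r0 = parse_log(before)
    p1, r1 = parse_log(after)
    return {
        "autoruns_removed": sorted(set(r0) - set(r1)),
        "autoruns_remaining": sorted(r1),
        "processes_gone": sorted(p0 - p1),
        "processes_new": sorted(p1 - p0),
    }

def still_present(log, value_name):
    """True if any O4 Run value with this name survives in the log."""
    return any(k[2].lower() == value_name.lower() for k in parse_log(log)[1])
```

Comparing `LOG_1` with `LOG_2` shows the pattern seen in post #3: `z.exe` stopped running, but the `KavSvc` Run value survived and `a.exe` appeared from the All Users Startup folder.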





