Jump to content


Photo

cant get rid of ECPE.exe


  • Please log in to reply
8 replies to this topic

#1 dfedewa

dfedewa

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 18 July 2004 - 06:33 PM

Hello - very greatful if anyone can help

Have run adaware and spybot - still having a problem with porn lists that launch themselves. I suspect a file called ECPE.exe- when I end it with the task manager it somehow starts back up. I deleted it using hijack this and it comes back

Here is the log file:

Logfile of HijackThis v1.98.0
Scan saved at 12:30:33 AM, on 7/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\mcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\program files\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Microsoft IntelliPoint\Point32.exe
C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\javaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\David Fedewa\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 53.122.34.115:80
R3 - URLSearchHook: (no name) - _{FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 16
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINDOWS\System32\X470SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Msmon] c:\windows\system32\msmon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ECPE.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Dialpad Webphone - https://www.dialpad....update/cham.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab

Any help is highly appreciated

#2 Sensei Meta

Sensei Meta

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 28 July 2004 - 07:54 AM

Hello. I will process this request. But I will have to run it past one of the more experienced volunteers before I post my recommendations. Please bear with me as we go through the process.

Thanks,
Sensei

#3 dfedewa

dfedewa

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 28 July 2004 - 10:46 AM

THANKS!!!

#4 dfedewa

dfedewa

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 04 August 2004 - 12:26 PM

Hello?? any luck so far?

#5 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 06 August 2004 - 11:26 PM

Hello dfedewa,

Sorry for the long delay. If you still have your concerns, let's do this:


:alarm: You need to get to Windows Update to get SP1 and all the latest security patches that apply to your PC.
_ _ _ _ _ _

Please download and run a Free Trial of Trojan Hunter

Next, take a free Online Virus scan at HouseCall or eTrust or both.
_ _ _ _ _ _

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these files:

mcc.exe
msmon.exe


Then close task manager.
_ _ _ _ _ _ _ _

Open Hijackthis, click Scan, then put a check next to the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: (no name) - _{FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll

O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [Msmon] c:\windows\system32\msmon.exe
O4 - Global Startup: ECPE.EXE



Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".


Then, reboot to Safe mode
Tap F8 while restarting, and delete these files:

C:\WINDOWS\System32\mcc.exe
c:\windows\system32\msmon.exe
C:\WINDOWS\System32\wins32t.dll

And this folder:

C:\DOCUME~1\ALLUSE~1

Note: Under no circumstances remove the All Users folder:lpp

Make sure you can view hidden and system files: hidden files

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then, reboot normally and please post a new HJT log.
There has been an update to hijackthis (V1.98.1)
Open HJT, click Config... then Misc Tools, then Check for Update online, and get v1.98.1
Or you can get it here: HijackThis.zip

Edited by LoPhatPhuud, 06 August 2004 - 11:42 PM.


#6 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 06 August 2004 - 11:33 PM

Autodad,

You told him to delete ALLUSE~1\ that would be bad. Thats for all user accounts..you want him to delete the IESERVICE folder.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#7 dfedewa

dfedewa

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 09 August 2004 - 02:27 PM

many thanks!!

so i delete ieservice then?

#8 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 09 August 2004 - 02:50 PM

Yes, do that. :cool:




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#9 dfedewa

dfedewa

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 12 August 2004 - 10:15 PM

autodad and pomp - THANKS!!!!!

THAT WORKED




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button