monabu

strange res

6 posts in this topic

My homepage keeps defaulting to res://ecmzf.dll/index.html#27063. I've read the FAQ on this site and followed the instructions for running the latest version of SpyBot and also AdAware 6.0 Build 181 with reference file 01R325 27.06.2004 and CWShredder, but it still keeps coming up. HELP PLEASE!!

Following is the log from hijack this.

 

Logfile of HijackThis v1.97.7

Scan saved at 08:40:37, on 30/06/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\S24EvMon.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\VirusScan\avsynmgr.exe

C:\WINNT\system32\basfipm.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\RegSrvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Program Files\Network Associates\VirusScan\Webscanx.exe

C:\WINNT\system32\ZCfgSvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINNT\system32\carpserv.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINNT\system32\PRPCUI.exe

C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINNT\system32\DSentry.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\SYSTEM32\CDPLAYER.EXE

C:\WINNT\iepz.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ecmzf.dll/sp.html#27063

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ecmzf.dll/index.html#27063

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ecmzf.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ecmzf.dll/sp.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ecmzf.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ecmzf.dll/sp.html#27063

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {513C7E39-8F3D-1C3C-3AC3-4063E9EFEDCA} - C:\WINNT\mslo.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [bascstray] BascsTray.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"

O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"

O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\SYSTEM32\CDPLAYER.EXE -tray

O4 - HKLM\..\Run: [iepz.exe] C:\WINNT\iepz.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Lots of ppl having that problem lately huh. I had it too, but managed to get rid of it yesterday; takes a while though.

 

Alright first get AboutBuster => http://tools.zerosrealm.com/AboutBuster.zip

Unzip it somewhere in C:\Program Files\AboutBuster\ or so.

 

You might want to print this out, if you're not sure you're gonna remember all of it, since you'll need to close all Windows Explorer and Internet Explorer windows.

 

1. Close all Internet Explorer and Windows Explorer windows.

 

2. Click Ctrl+Alt+Del and in the process tab search for a file called iepz.exe. Click the file and click the 'stop process' button. (I'm not sure that's the exact right name for the button, since my Windows is in Dutch).

 

3. Goto Start=>Run and type "Services.msc" (without quotes) then hit OK. Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open window.

 

4. Run HijackThis and place a check mark next to the following items:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ecmzf.dll/sp.html#27063

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ecmzf.dll/index.html#27063

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ecmzf.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ecmzf.dll/sp.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ecmzf.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ecmzf.dll/sp.html#27063

O2 - BHO: (no name) - {513C7E39-8F3D-1C3C-3AC3-4063E9EFEDCA} - C:\WINNT\mslo.dll

O4 - HKLM\..\Run: [iepz.exe] C:\WINNT\iepz.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

Press 'Fix Checked' and exit HijackThis.

 

5. Reboot in Safe Mode (=reboot and click F8 a couple of times while your pc is starting up), and run AboutBuster. Let it finish scanning and deleting the files necessary to delete.

 

6. Reboot in Normal Mode and run this online Antivirus Scan => http://housecall.antivirus.com ... let it scan all your harddrives (C:\, D:\, ..), and delete the files it found.

 

7. Adjust your security settings for ActiveX: Go to configuration screen->Internet Options. When you have the internet options window opened, goto Security->Internet, press 'default level', then OK. Now press 'Custom Level'. In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally set 'Initialize and Script ActiveX not marked as safe' to 'Disable'.

 

8. It is also possible that the infection may have deleted up to three files from your system.

 

8.1 http://www.spywareinfo.com/~merijn/winfiles.html#control : Download the version of control.exe for your operating system and copy it to c:\winnt\system32\.

 

8.2 http://members.aol.com/toadbee/hoster.zip : Download the hoster, unzip it and run it. Press 'Restore Original Hosts' and press OK.

 

8.3 If you have Spybot Search & Destroy installed, you may also need to replace one file: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper : download SDHelper.dll and copy it to the main Spybot S&D folder, which is usually C:\Program Files\Spybot - Search & Destroy\.

 

9. Check your ActiveX security settings again (see step 7)

 

10. Run Lavasoft Ad Aware 6 (assuming you already downloaded it, and updated it). Goto settings (the gear at the top) and then 'Scanning' and checkmark these items so they appear green:

 

Scan within archives

Scan my IE Favorites for banned URLS

Scan my hosts files

 

Click 'Proceed' to save settings. Go back to the settings and click 'Tweak' and check mark this to appear green also:

 

Automatically try to unregister objects prior to deletion

 

Click on 'Proceed'. Next from the main screen, click 'Start' and put a dot in the box next to 'use Custom scanning options'; then click 'Next' to start your scan. Let it finish scanning, then checkmark any items found and remove them. Reboot your pc and scan again with Lavasoft Ad Aware 6. Repeat this process until no further items are found as bad (this might take a while).

 

11. Run HijackThis and post a new log in this thread, which will be checked to see if there are still problems (my pc was clean after those 10 steps).

Share this post


Link to post
Share on other sites

See The various helper groups here.

 

This fix is believed to work well:

 

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

 

O2 - BHO: (no name) - {513C7E39-8F3D-1C3C-3AC3-4063E9EFEDCA} - C:\WINNT\mslo.dll

O4 - HKLM\..\Run: [iepz.exe] C:\WINNT\iepz.exe

 

Download About:Buster from either of the following locations.

 

http://www.atribune.org/downloads/AboutBuster.zip

or

http://tools.zerosrealm.com/AboutBuster.zip

 

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

 

Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.

 

Reboot and post a new HijackThis log along with the two reports from About:Buster.

Share this post


Link to post
Share on other sites

I had the same problem with 27063. Tried everything. Finally got rid of it (it appears) by booting in safe mode, unchecking the enable third party block in IE, booting in safe mode, running updated AdAware, Spybot S&D, and HijackThis in that order, and rebooting in normal mode. The exact instructions I followed were from a post by "animaldr".

 

Have since followed suggestions at this site of adding Spyware Blaster, Browser Hijack Blaster and changed to Mozilla.

 

Good luck.

Share this post


Link to post
Share on other sites

I've followed the instructions in both of the above replies and I think everything's ok. Following are the logs from Hijack This and About Buster as instructed. THANKS for the help. Can you let me know if I'm ok?

 

Logfile of HijackThis v1.97.7

Scan saved at 23:44:44, on 30/06/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\system32\S24EvMon.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\VirusScan\avsynmgr.exe

C:\WINNT\system32\basfipm.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\RegSrvc.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Program Files\Network Associates\VirusScan\Webscanx.exe

C:\WINNT\system32\ZCfgSvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINNT\system32\carpserv.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINNT\system32\PRPCUI.exe

C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINNT\system32\DSentry.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\SYSTEM32\CDPLAYER.EXE

C:\WINNT\svchost.exe

C:\WINNT\system32\internat.exe

C:\HJT\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [bascstray] BascsTray.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"

O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"

O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\SYSTEM32\CDPLAYER.EXE -tray

O4 - HKLM\..\Run: [sVCHOST] C:\WINNT\svchost.exe 12

O4 - HKCU\..\Run: [internat.exe] internat.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:osuch.mht!http://69.50.191.139/winsearchie32.chm::/winsearchie32.exe

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} (DDSC Class) - http://lanet-corkcoco/intranet/Portal/resources/msddsc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corkcoco.localgov

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corkcoco.localgov

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corkcoco.localgov

 

Log 1 from About Buster

 

About:Buster Version 1.23

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

Log 2 from About Buster

 

About:Buster Version 1.23

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

Share this post


Link to post
Share on other sites
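
Added example, not part of the original thread and not how HijackThis or About:Buster work internally: a Python sketch that applies three triage heuristics to lines copied from the two logs posted above (an IE page set to a `res://` URL, a BHO or Run entry loading an .exe/.dll directly from the Windows folder, and an O16 codebase that is not plain http/https). The function names and the rules are assumptions chosen for illustration; a hit marks an entry for review and is not a verdict.

```python
import re

# Lines copied from the first (BEFORE) and follow-up (AFTER) logs in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ecmzf.dll/index.html#27063
O2 - BHO: (no name) - {513C7E39-8F3D-1C3C-3AC3-4063E9EFEDCA} - C:\WINNT\mslo.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iepz.exe] C:\WINNT\iepz.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
"""
AFTER = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\SYSTEM32\CDPLAYER.EXE -tray
O4 - HKLM\..\Run: [sVCHOST] C:\WINNT\svchost.exe 12
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:osuch.mht!http://69.50.191.139/winsearchie32.chm::/winsearchie32.exe
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# An .exe/.dll sitting directly in the Windows folder, not in a subfolder.
WIN_ROOT = re.compile(r"[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\/]+?\.(?:exe|dll)\b", re.I)


def review(log_text):
    """Return (section, reason, line) for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list, blank line
        section, body = m.groups()
        if section.startswith("R"):
            if body.split(" = ", 1)[-1].lower().startswith("res://"):
                findings.append((section, "IE page points into a DLL via res://", line))
        elif section in ("O2", "O4"):
            if WIN_ROOT.search(body):
                findings.append((section, "binary loaded from the Windows folder root", line))
        elif section == "O16":
            codebase = body.rsplit(" - ", 1)[-1].lower()
            if not codebase.startswith(("http://", "https://")):
                findings.append((section, "ActiveX codebase is not http(s)", line))
    return findings


def new_since(before, after):
    """Findings in the follow-up log whose line was absent from the earlier log."""
    seen = {l.strip() for l in before.splitlines()}
    return [f for f in review(after) if f[2] not in seen]


if __name__ == "__main__":
    for section, reason, line in new_since(BEFORE, AFTER):
        print(f"{section}: {reason}\n    {line}")
```
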