

Hijacked by zrekg.dll


#1 mike33333



  • New Member
  • 1 posts

Posted 04 July 2004 - 12:14 AM

I have always run spybot to make sure I had a clean system. Recently I have been redirected to res://zrekg.dll/index.html#37794 when opening IE. When I attempt to change this it reverts back to the address previously mentioned. I figured out that this is a coolwebsearch problem when I ran adaware. I have also been running norton 2004 pro and it has been finding a lot of malware files but is not able to delete them. The CWShredder DOESN'T pick up the fact that I have this CWS problem. Also every time I open IE a new .exe is placed in my C:\Windows or C:\Windows\System32 file and placed in the startup section of the registry. When I try to delete these items they just reappear. Examples of these .exes are: javaki32.exe, appcd.exe, and mfcnb.exe. Please help. This is the log from HijackThis:

StartupList report, 7/4/2004, 1:13:11 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Mike B\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options

Running processes:

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike B\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe


Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

ATIModeChange = Ati2mdxx.exe
zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
DVDSentry = C:\WINDOWS\System32\DSentry.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe
WinampAgent = "C:\Program Files\Winamp3\winampa.exe"
SecureClean4RegManager = "C:\Program Files\WhiteCanyon\SecureClean Scanner\scregmanager4.exe"
SecureClean4Tray = "C:\Program Files\WhiteCanyon\SecureClean Scanner\sctray4.exe"
SBDrvDet = C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
CTSysVol = C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
CTDVDDET = C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
mmtask = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
sdkhl32.exe = C:\WINDOWS\system32\sdkhl32.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
Ad-aware = "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
zSPGuard = c:\program files\pjw\spguard\spguard.exe /s
SpyHunter = C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
mfcnb.exe = C:\WINDOWS\mfcnb.exe


Autorun entries from Registry:

javaki32.exe = C:\WINDOWS\javaki32.exe
appcd.exe = C:\WINDOWS\appcd.exe


Autorun entries from Registry:

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ATI Scheduler = C:\Program Files\ATI Multimedia\main\ATISched.EXE
Haee = C:\Documents and Settings\Mike B\Application Data\ssuu.exe
RemoteCenter = C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\sdkfk32.dll - {02B010E6-F55E-18F9-AFDC-5F03CBD884E6}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}


Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Mike B.job
Symantec NetDetect.job


Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...ector/swdir.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

CODEBASE = http://a1540.g.akama...meInstaller.exe

[WebProgramManager Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HPISWebManager.dll
CODEBASE = http://isupport4.hp....SWebManager.CAB

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[InstallShield International Setup Player]
InProcServer32 = c:\windows\DOWNLO~1\isetup.dll
CODEBASE = http://www.installen...gine/isetup.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = http://www.symantec....ta/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = http://www.symantec..../ActiveData.cab

[SDKInstall Class]
InProcServer32 = C:\WINDOWS\sdkinst.dll
CODEBASE = http://activex.micro...ate/sdkinst.cab

[IWinAmpActiveX Class]
InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.0\AmpX.dll
CODEBASE = http://cdn.digitalci...illama/ampx.cab


Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\windows\system32\msmb32.exe||c:\windows\system32\msmb32.exe||C:\DOCUME~1\MIKEB~1\LOCALS~1\Temp\GLB1A2B.EXE||C:\WINDOWS\TEMP\drmtemp1.htm||c:\windows\javaki32.exe||c:\windows\addiz.exe||c:\windows\system32\sdkjn32.exe||c:\windows\system32\appca32.exe


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: *Registry key not found*
SysTray: C:\WINDOWS\System32\stobject.dll

End of report, 10,459 bytes
Report generated in 0.032 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
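
The report above shows the pattern the poster describes: Run-key entries whose value name is nothing more than the dropped file's name (sdkhl32.exe, mfcnb.exe, javaki32.exe, appcd.exe), an executable launched from the user's Application Data folder (ssuu.exe), and an unnamed Browser Helper Object living directly in C:\WINDOWS (sdkfk32.dll). The following script is an added triage helper, not part of the original thread or of HijackThis/StartupList: it parses StartupList-format text and flags entries that match those heuristics. The embedded report excerpt is constructed from the entry formats seen above.

```python
import re

# Constructed excerpt in StartupList 1.52.2 format, modelled on the autorun and
# Browser Helper Object entries in the report above (not the full report).
SAMPLE_REPORT = r"""
Autorun entries from Registry:

sdkhl32.exe = C:\WINDOWS\system32\sdkhl32.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
mfcnb.exe = C:\WINDOWS\mfcnb.exe
Haee = C:\Documents and Settings\Mike B\Application Data\ssuu.exe

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\sdkfk32.dll - {02B010E6-F55E-18F9-AFDC-5F03CBD884E6}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
"""

def _binary(value):
    """Strip quotes and trailing switches (/r, -atboottime, +c) from an autorun value."""
    m = re.match(r'"?(.*?\.(?:exe|dll|ocx))', value.strip(), re.I)
    return m.group(1) if m else value.strip()

def parse_report(text):
    """Yield (kind, name, path) for the autorun and BHO lines of a StartupList report."""
    section = ""
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(":"):                       # section headers end with a colon
            section = line[:-1]
        elif section.startswith("Autorun entries") and " = " in line:
            name, _, value = line.partition(" = ")
            yield "autorun", name.strip(), _binary(value)
        elif section.startswith("Enumerating Browser Helper") and " - " in line:
            name, path, _clsid = (p.strip() for p in line.split(" - ", 2))
            yield "bho", name, path

def reasons_for(kind, name, path):
    """Heuristics for the hijack pattern in the post; an empty list means nothing odd."""
    reasons = []
    if kind == "autorun" and name.lower() == path.rsplit("\\", 1)[-1].lower():
        reasons.append("value name is just the file name")   # e.g. mfcnb.exe = C:\WINDOWS\mfcnb.exe
    if kind == "bho" and name == "(no name)":
        reasons.append("BHO registered without a name")
    if "\\application data\\" in path.lower():
        reasons.append("binary dropped in a user profile Application Data folder")
    return reasons

def triage(text):
    """Return [(name, path, reasons)] for every entry that trips at least one heuristic."""
    return [(name, path, why) for kind, name, path in parse_report(text)
            if (why := reasons_for(kind, name, path))]
```

Feed a saved report to `triage(open("startuplist.txt").read())` and review the returned entries by hand; these heuristics are a starting point for a human analyst, not a verdict, since legitimate software occasionally trips them too.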

#2 PGPhantom


    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 31 August 2004 - 03:39 PM

  • HijackThis ...
    • Double click on "My Computer" to open it.
    • Double click on the local "C-Drive" to open it.
    • Click on "File" => "New Folder" and name it HJT, i.e. the folder will be C:\HJT.
    • Please download HijackThis from any of the following locations:
      • spywareinfo.com
      • subratam.org
      • tools.zerosrealm.com
    • Install/Unzip it into C:\HJT.
    • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
    • Run HijackThis, click on scan and wait for the scan to finish.
    • The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.
    • Notepad will open with a copy of the log.
      • Click on "Edit" => "Select All".
      • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.
    • Please post your entire log here for analysis.
