mike33333

Hijacked by zrekg.dll

2 posts in this topic

I have always run Spybot to make sure I had a clean system. Recently I have been redirected to res://zrekg.dll/index.html#37794 when opening IE. When I attempt to change this it reverts back to the address previously mentioned. I figured out that this is a CoolWebSearch problem when I ran Ad-Aware. I have also been running Norton 2004 Pro and it has been finding a lot of malware files but is not able to delete them. The CWShredder DOESN'T pick up the fact that I have this CWS problem. Also, every time I open IE a new .exe is placed in my C:\Windows or C:\Windows\System32 file and placed in the startup section of the registry. When I try to delete these items they just reappear. Examples of these .exe's are: javaki32.exe, appcd.exe, and mfcnb.exe. Please help. This is the log from HijackThis:

 

StartupList report, 7/4/2004, 1:13:11 AM

StartupList version: 1.52.2

Started from : C:\Documents and Settings\Mike B\Desktop\HijackThis.EXE

Detected: Windows XP SP1 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTSvcCDA.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Winamp3\winampa.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\ATI Multimedia\main\ATISched.EXE

C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Common Files\Symantec Shared\NMain.exe

C:\PROGRA~1\NORTON~1\navw32.exe

C:\WINDOWS\mfcnb.exe

C:\WINDOWS\javaki32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Mike B\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

ATIModeChange = Ati2mdxx.exe

zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe

EM_EXEC = C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

DVDSentry = C:\WINDOWS\System32\DSentry.exe

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe

WinampAgent = "C:\Program Files\Winamp3\winampa.exe"

SecureClean4RegManager = "C:\Program Files\WhiteCanyon\SecureClean Scanner\scregmanager4.exe"

SecureClean4Tray = "C:\Program Files\WhiteCanyon\SecureClean Scanner\sctray4.exe"

CTHelper = CTHELPER.EXE

AsioReg = REGSVR32.EXE /S CTASIO.DLL

SBDrvDet = C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

CTSysVol = C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

CTDVDDET = C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

mmtask = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

sdkhl32.exe = C:\WINDOWS\system32\sdkhl32.exe

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

Ad-aware = "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c

zSPGuard = c:\program files\pjw\spguard\spguard.exe /s

SpyHunter = C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

mfcnb.exe = C:\WINDOWS\mfcnb.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

javaki32.exe = C:\WINDOWS\javaki32.exe

appcd.exe = C:\WINDOWS\appcd.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

ATI Scheduler = C:\Program Files\ATI Multimedia\main\ATISched.EXE

Haee = C:\Documents and Settings\Mike B\Application Data\ssuu.exe

RemoteCenter = C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE

H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=*Registry value not found*

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\WINDOWS\sdkfk32.dll - {02B010E6-F55E-18F9-AFDC-5F03CBD884E6}

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Norton AntiVirus - Scan my computer - Mike B.job

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...ector/swdir.cab

 

[symantec AntiVirus scanner]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

 

[Office Update Installation Engine]

InProcServer32 = C:\WINDOWS\opuc.dll

CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

 

[WebProgramManager Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\HPISWebManager.dll

CODEBASE = http://isupport4.hp.com/awebui/jsp/answerw...SWebManager.CAB

 

[symantec RuFSI Utility Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

 

[installShield International Setup Player]

InProcServer32 = c:\windows\DOWNLO~1\isetup.dll

CODEBASE = http://www.installengine.com/engine/isetup.cab

 

[ActiveDataInfo Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll

CODEBASE = http://www.symantec.com/techsupp/activedata/SymAData.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[ActiveDataObj Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll

CODEBASE = http://www.symantec.com/techsupp/activedata/ActiveData.cab

 

[sDKInstall Class]

InProcServer32 = C:\WINDOWS\sdkinst.dll

CODEBASE = http://activex.microsoft.com/activex/contr...ate/sdkinst.cab

 

[iWinAmpActiveX Class]

InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.0\AmpX.dll

CODEBASE = http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: c:\windows\system32\msmb32.exe||c:\windows\system32\msmb32.exe||C:\DOCUME~1\MIKEB~1\LOCALS~1\Temp\GLB1A2B.EXE||C:\WINDOWS\TEMP\drmtemp1.htm||c:\windows\javaki32.exe||c:\windows\addiz.exe||c:\windows\system32\sdkjn32.exe||c:\windows\system32\appca32.exe

 

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: *Registry key not found*

SysTray: C:\WINDOWS\System32\stobject.dll

 

--------------------------------------------------

End of report, 10,459 bytes

Report generated in 0.032 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


  1. HijackThis ...
    • Double click on "My Computer" to open it.
    • Double click on the local "C-Drive" to open it.
    • Click on "File" => "New Folder" and name it HJT, i.e. the folder will be C:\HJT.
    • Please download HijackThis from any of the following locations:
    • Install/Unzip it into C:\HJT.
    • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
    • Run HijackThis, click on scan and wait for the scan to finish.
    • The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.
    • Notepad will open with a copy of the log.
      • Click on "Edit" => "Select All".
      • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.
    • Please post your entire log here for analysis.
