Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Need Help Please, Best offers Removal

Started by Atomic , Nov 03 2005 04:24 AM

Please log in to reply

#1
Atomic

Posted 03 November 2005 - 04:24 AM

New Member

Member
2 posts

Hi there, im having problems removing some spyware/malware. The original problem seem to to stem from the "Best Offers" Network!

I have ran all the programs mentioned in the groundwork section and seem to have removed some, but not all of the problems. Any help would be really cool, thanks.

Here is my Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 14:34:32, on 02/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SWEEPSRV.SYS
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\Remote Management System\ALCAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sophos\AutoUpdate\almon.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\MSTMON_P.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\windows\system32\zfjolz.exe
C:\WINDOWS\system32\accwiz.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERVER1:8080
R3 - Default URLSearchHook is missing
O1 - Hosts: re.com
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor2300WStatusDisplay] C:\WINDOWS\System32\MSTMON_P.EXE
O4 - HKLM\..\Run: [TrigoldInstaller] C:\Documents and Settings\davidb\Local Settings\Temp\{D41886F2-F66C-4BF2-B47C-BC00551B012B}\{576762e1-ea8a-45ab-93a3-97cef3e09246}\slh.exe -flags=00000 -file=CDManifest.dat -base=D:\
O4 - HKLM\..\Run: [zfjolz] c:\windows\system32\zfjolz.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BT Voyager Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} (ExWebClientUtils Class) - http://exweb.exchang...ies/texInfo.CAB
O16 - DPF: {034DA761-EDB7-11D7-A20A-000802318089} (EWGPHI.desInput) - http://exweb.exchang...ries/EWGPHI.CAB
O16 - DPF: {090EC279-1378-44B7-B521-888980212E7E} (Complist3 Class) - http://exweb.exchang...ebCListCtl3.CAB
O16 - DPF: {397F65A6-FD3C-438B-A7EB-3D2C0655189C} (EWGPensions.desInput) - http://exweb.exchang...EWGPensions.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {511835FF-EDC9-11D7-A20A-000802318089} (EWGWholeLife.desInput) - http://exweb.exchang...WGWholeLife.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {59A910DE-EE9A-11D7-A20A-000802318089} (EWGCombinedTerm.desInput) - http://exweb.exchang...rmAssurance.CAB
O16 - DPF: {61DA056C-EDE7-11D7-A20A-000802318089} (EWGBonds.desInput) - http://exweb.exchang...es/EWGBonds.CAB
O16 - DPF: {70D86F3C-BA4D-11D2-80F5-006008B066EE} (VSPrefMgmt Class) - https://www.osis.uk....ise/vspcakm.cab
O16 - DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} (VersionInfo.clsVersionInfo) - http://exweb.exchang...VersionInfo.CAB
O16 - DPF: {91F82BFF-F70C-11D2-BB68-0008C7E9C2C6} (TEXNBSHELL.ProposalForm) - http://exweb.exchang.../texnbshell.cab
O16 - DPF: {A74D724A-AB17-11D2-A96A-006097E20477} (eXwebUtils.HTMLUtils) - http://exweb.exchang.../eXwebUtils.CAB
O16 - DPF: {A98277A1-A141-11D5-98B9-00508B64538B} (Complist2 Class) - http://exweb.exchang...ebCListCtl2.CAB
O16 - DPF: {AB5ED422-DE26-11D3-AD7A-0050044495F0} (WholeLife.desWOLBlank) - http://exweb.exchang...s/WholeLife.CAB
O16 - DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} (PrintComponent.clsVersionInfo) - http://exweb.exchang...es/printdll.CAB
O16 - DPF: {E0DE65BF-4655-11D3-BBBB-0008C7E9C2C6} (TEXInstall.InstallForm) - http://exweb.exchang.../TEXInstall.CAB
O16 - DPF: {E7FF5332-854E-11D2-A952-006097E20477} (eXwebOccList.clsOccRes) - http://exweb.exchang...es/eXwebOcc.CAB
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (ProtoView DataTable Control 7.0 (OLEDB)) - http://exweb.exchang...ries/pvdt70.CAB
O16 - DPF: {FAF10F23-0AC1-1213-A139-0F032B2112CA} - http://uk.global-acc...dpower/nat2.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Mountguard.local
O17 - HKLM\Software\..\Telephony: DomainName = Mountguard.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{98FBC795-F14B-4E7D-84D1-AD45555CDD4D}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Mountguard.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Mountguard.local
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\c0002admgd0a2.dll
O23 - Service: Sophos AutoUpdate Service (ActiveLinkClient) - Unknown owner - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGF2aWRi\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ALCAgent.exe" -service -name ALC (file missing)
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router (file missing)
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SWEEPSRV.SYS

Edited by Atomic, 04 November 2005 - 02:49 AM.

#2
Buckeye_Sam

Posted 05 November 2005 - 06:55 AM

Malware Expert

Member
10,019 posts

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3
Atomic

Posted 07 November 2005 - 09:00 AM

New Member

Topic Starter
Member
2 posts

Thanks for getting back to me,

Here is the log again.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SWEEPSRV.SYS
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\Remote Management System\ALCAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sophos\AutoUpdate\almon.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\MSTMON_P.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\windows\system32\zfjolz.exe
C:\WINDOWS\system32\accwiz.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERVER1:8080
R3 - Default URLSearchHook is missing
O1 - Hosts: re.com
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor2300WStatusDisplay] C:\WINDOWS\System32\MSTMON_P.EXE
O4 - HKLM\..\Run: [TrigoldInstaller] C:\Documents and Settings\davidb\Local Settings\Temp\{D41886F2-F66C-4BF2-B47C-BC00551B012B}\{576762e1-ea8a-45ab-93a3-97cef3e09246}\slh.exe -flags=00000 -file=CDManifest.dat -base=D:\
O4 - HKLM\..\Run: [zfjolz] c:\windows\system32\zfjolz.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BT Voyager Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} (ExWebClientUtils Class) - http://exweb.exchang...ies/texInfo.CAB
O16 - DPF: {034DA761-EDB7-11D7-A20A-000802318089} (EWGPHI.desInput) - http://exweb.exchang...ries/EWGPHI.CAB
O16 - DPF: {090EC279-1378-44B7-B521-888980212E7E} (Complist3 Class) - http://exweb.exchang...ebCListCtl3.CAB
O16 - DPF: {397F65A6-FD3C-438B-A7EB-3D2C0655189C} (EWGPensions.desInput) - http://exweb.exchang...EWGPensions.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {511835FF-EDC9-11D7-A20A-000802318089} (EWGWholeLife.desInput) - http://exweb.exchang...WGWholeLife.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {59A910DE-EE9A-11D7-A20A-000802318089} (EWGCombinedTerm.desInput) - http://exweb.exchang...rmAssurance.CAB
O16 - DPF: {61DA056C-EDE7-11D7-A20A-000802318089} (EWGBonds.desInput) - http://exweb.exchang...es/EWGBonds.CAB
O16 - DPF: {70D86F3C-BA4D-11D2-80F5-006008B066EE} (VSPrefMgmt Class) - https://www.osis.uk....ise/vspcakm.cab
O16 - DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} (VersionInfo.clsVersionInfo) - http://exweb.exchang...VersionInfo.CAB
O16 - DPF: {91F82BFF-F70C-11D2-BB68-0008C7E9C2C6} (TEXNBSHELL.ProposalForm) - http://exweb.exchang.../texnbshell.cab
O16 - DPF: {A74D724A-AB17-11D2-A96A-006097E20477} (eXwebUtils.HTMLUtils) - http://exweb.exchang.../eXwebUtils.CAB
O16 - DPF: {A98277A1-A141-11D5-98B9-00508B64538B} (Complist2 Class) - http://exweb.exchang...ebCListCtl2.CAB
O16 - DPF: {AB5ED422-DE26-11D3-AD7A-0050044495F0} (WholeLife.desWOLBlank) - http://exweb.exchang...s/WholeLife.CAB
O16 - DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} (PrintComponent.clsVersionInfo) - http://exweb.exchang...es/printdll.CAB
O16 - DPF: {E0DE65BF-4655-11D3-BBBB-0008C7E9C2C6} (TEXInstall.InstallForm) - http://exweb.exchang.../TEXInstall.CAB
O16 - DPF: {E7FF5332-854E-11D2-A952-006097E20477} (eXwebOccList.clsOccRes) - http://exweb.exchang...es/eXwebOcc.CAB
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (ProtoView DataTable Control 7.0 (OLEDB)) - http://exweb.exchang...ries/pvdt70.CAB
O16 - DPF: {FAF10F23-0AC1-1213-A139-0F032B2112CA} - http://uk.global-acc...dpower/nat2.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Mountguard.local
O17 - HKLM\Software\..\Telephony: DomainName = Mountguard.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{98FBC795-F14B-4E7D-84D1-AD45555CDD4D}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Mountguard.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Mountguard.local
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\c0002admgd0a2.dll
O23 - Service: Sophos AutoUpdate Service (ActiveLinkClient) - Unknown owner - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZGF2aWRi\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ALCAgent.exe" -service -name ALC (file missing)
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router (file missing)
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SWEEPSRV.SYS

Marc

#4
Buckeye_Sam

Posted 07 November 2005 - 06:33 PM

Malware Expert

Member
10,019 posts

Let's see what we can do for you. :tazz:

Please follow these steps:

Please make sure that you can View Hidden Files
- Click Start -> My Computer
- Select Tools -> Folder options
- Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
- Also make sure that 'Display the contents of system folders' is checked.
- For more info on how to show hidden files click here.
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - Default URLSearchHook is missing
O1 - Hosts: re.com
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)
O4 - HKLM\..\Run: [TrigoldInstaller] C:\Documents and Settings\davidb\Local Settings\Temp\{D41886F2-F66C-4BF2-B47C-BC00551B012B}\{576762e1-ea8a-45ab-93a3-97cef3e09246}\slh.exe -flags=00000 -file=CDManifest.dat -base=D:\
O4 - HKLM\..\Run: [zfjolz] c:\windows\system32\zfjolz.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {FAF10F23-0AC1-1213-A139-0F032B2112CA} - http://uk.global-acc...dpower/nat2.exe
Please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
- If you have trouble getting into Safe mode go here for more info.
Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):

c:\windows\system32\zfjolz.exe
C:\WINDOWS\iccontrol.exe