A look at this please

[Melodi]

Logfile of HijackThis v1.99.0
Scan saved at 3:19:07 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\temp\salm.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\WINDOWS\System32\SahAgent.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\ckc_fmt.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\cfglace.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\IBM\Client Access\cwblmsrv.exe
C:\PROGRA~1\Citrix\ICACLI~1\Wfcrun32.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\WINDOWS\System32\wisptis.exe
C:\WINDOWS\System32\wuauclt.exe
A:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [Only Registered and Activated Users Can See Links. Click Here To Register...]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [Only Registered and Activated Users Can See Links. Click Here To Register...]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [Only Registered and Activated Users Can See Links. Click Here To Register...]
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [twrqr] C:\WINDOWS\twrqr.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [o3tP3nQ] ckc_fmt.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Z02FRhc3Q] cfglace.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://intranet/Index.cfm
O16 - DPF: SEAGULL J Walk Java Client 4_0C6 - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Dohmen.com
O17 - HKLM\Software\..\Telephony: DomainName = Dohmen.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Dohmen.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Dohmen.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: iSeries Access for Windows Remote Command - IBM Corporation - C:\WINDOWS\CWB**D.EXE
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

[Mobo]

For this one rescan again with hijack, insert a check nest to each of the following then close all other open windows and click "fix checked"

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll


O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll


O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [twrqr] C:\WINDOWS\twrqr.exe

O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [o3tP3nQ] ckc_fmt.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [Z02FRhc3Q] cfglace.exe


O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - [Only Registered and Activated Users Can See Links. Click Here To Register...]


O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe


Then reboot into safe mode [Only Registered and Activated Users Can See Links. Click Here To Register...]

Set the system to show hidden files and folders [Only Registered and Activated Users Can See Links. Click Here To Register...]

pen windows explorer, find then delete"
C:\WINDOWS\zeta.exe
C:\Program Files\AutoUpdate
C:\Program Files\BullsEye Network
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\twrqr.exe
C:\Program Files\Internet Optimizer
C:\Program Files\Windows AdStatus

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin


Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore on all Drives.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Then run a full adaware scan

[Melodi]

Okee dokee will let you know what happens, it's for a puter at work. thanks

[Mobo]

I figured as much as your cautious on your personal systems.. [img]style_emoticons/<#EMO_DIR#>/blink.gif[/img]

[Melodi]

I only wish everyone at work were as cautious as I [img]style_emoticons/<#EMO_DIR#>/sad.gif[/img] . I have a whole slew of computers to clean up. This one is done, user has been lectured :vertag: . Thanks!

[Mobo]

Only too glad to assist :icon_thumb: