several problems...

  1. #11
    soundsev3n is offline Full Member

    Re: several problems...

    Quote Originally Posted by HJThis
    Press control-alt-delete to get into the task manager and end the following processes if they exist:

    MsConfigs.exe
    wintask.exe
    exeser.exe
    alpjpo.exe
    p2pnetwork.exe
    bWestFrontie r1002.exe
    aeiee.exe
    casclient.exe
    Info.exe
    regsync.exe
    zmvsuwp.exe
    skzw.exe
    PSof1.exe
    p2pnetwork.exe
    VCMnet11.exe
    pscan.exe
    ersund(2).exe

    CTRL + ALT + DEL does not work for some reason. I've said that a few times and posted a separate topic on that problem in a different section.

    ______________________________
    I deleted the items in the HJT log you told me to.

    I did not find the items you told me to look for in the Add/Remove part of the control panel, and like I said, some of the things I WANT to uninstall won't because it requires the INSTALL.LOG file that I can't find. (I posted another topic about this in the same section as the ctrl/alt/del topic.)

    I entered safe mode and deleted the files that you told me to, as well as searched for and deleted the files you told me to search for.

    Pop-ups haven't appeared even once while I was typing this, and the little "red sphere" is gone from my toolbar. So as far as AdWare and SpyWare go, my problems seem solved. I'm looking for help on the other problems in other sections.


  2. #12
    soundsev3n is offline Full Member
    Thank you for making it possible just to use this forum without restarting the computer every 10 minutes.
    Here is a new HJT log in case I missed anything.
    Again... thanks for the help.
    ______________________________

    Logfile of HijackThis v1.99.1
    Scan saved at 9:28:33 PM, on 7/24/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: localhost 127.0.0.1
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\alpjpo.exe reg_run
    O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
    O4 - HKLM\..\Run: [zmvsuwp] C:\WINDOWS\System32\zmvsuwp.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [skzw] C:\WINDOWS\System32\skzw.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/game...s/y/dot8_x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  3. #13
    HJThis is offline Senior Member
    Hi, soundsev3n

    If you look at what I posted, I say if they are there, so
    if you don't find them just move on as you did. Now see if this helps.

    Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click "Kill process" for each one if they are still listed (they shouldn't be, but double check it). You must kill them one at a time.

    alpjpo.exe
    zmvsuwp.exe
    VCMnet11.exe
    skzw.exe
    p2pnetwork.exe


    Then go to Control Panel, Add/Remove Programs, and uninstall this item:
    p2pnetwork.exe

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\alpjpo.exe reg_run
    O4 - HKLM\..\Run: [zmvsuwp] C:\WINDOWS\System32\zmvsuwp.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [skzw] C:\WINDOWS\System32\skzw.exe
    O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files in Red & folders in Blue IF still present:

    C:\WINDOWS\System32\alpjpo.exe reg_run
    C:\WINDOWS\System32\zmvsuwp.exe
    C:\WINDOWS\VCMnet11.exe
    C:\WINDOWS\System32\skzw.exe

    Still in Safe Mode, do a file search for this item and, if found, delete it:
    p2pnetwork.exe

    Then do a reboot, tell us how it is & show a new logfile.

    HGD
    Last edited by HJThis; 25-07-2005 at 03:45 AM.
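
Added example, not part of the original thread and not HijackThis's own code: a way to check a fresh log for the autostart entries flagged in post #13 after "Fix checked" has been run. It parses O4 lines in the format shown in the log in post #12; the function names and the extension-based heuristic for splitting a command line are assumptions made for this sketch.

```python
import ntpath
import re

# Constructed sample: a few lines taken from the HijackThis log in post #12.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\alpjpo.exe reg_run
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""
# Image names the helper asked to remove in post #13, lower-cased.
FLAGGED = {"alpjpo.exe", "zmvsuwp.exe", "vcmnet11.exe", "skzw.exe", "p2pnetwork.exe"}

REG_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|bat|scr))(?:\s|$)", re.I)


def image_name(command):
    """Return the lower-cased file name of the program a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so cut at the first executable
        # extension rather than the first space; else keep the whole string.
        m = IMAGE_RE.match(command)
        path = m.group(1) if m else command
    return ntpath.basename(path).lower()


def parse_o4(log):
    """Parse O4 (autostart) lines into dicts; every other section is skipped."""
    entries = []
    for line in map(str.strip, log.splitlines()):
        reg, lnk = REG_RE.match(line), STARTUP_RE.match(line)
        if reg:
            where, name, cmd = "\\".join(reg.group(1, 2)), reg.group(3), reg.group(4)
        elif lnk:
            where, name, cmd = lnk.groups()
        else:
            continue
        entries.append({"where": where, "name": name, "image": image_name(cmd)})
    return entries


def still_registered(log, flagged):
    """Return the O4 entries whose program is on the flagged list."""
    return [e for e in parse_o4(log) if e["image"] in flagged]
```

An empty result from `still_registered` on the next log means the Run and RunServices values are gone; it says nothing about whether the files themselves were deleted or whether something re-creates the entries later.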

  4. #14
    HJThis is offline Senior Member
    Hey,soundsev3n

    See if what i just posted is any help with your problem

    HGD

  5. #15
    soundsev3n is offline Full Member
    I did what you said again and I get the feeling that the stuff is coming back by itself. I got this window a few seconds ago and the pop-ups are coming back already...

    (i clicked cancel...)

    how do i stop these programs from downloading themselves ?

  6. #16
    HJThis is offline Senior Member
    Hi,

    Try this here for me please

    Download rkfiles.zip
    http://skads.org/special/rkfiles.zip
    Unzip the contents to a permanent folder.

    Reboot your computer into Safe Mode

    Doubleclick rkfiles.bat
    It will scan for a while, so please be patient.
    Wait till the DOS window closes and reboot back to normal mode.

    Post the contents of C:\log.txt in your next reply.

    HGD

  7. #17
    soundsev3n is offline Full Member
    I ran the scan and 20 minutes later the window was still there. I tried again and waited about another 20 and quit again.
    I'm going to run the scan a 3rd time when I go to sleep and I'll post the log, if I have one, in the morning.

  8. #18
    soundsev3n is offline Full Member
    C:\Documents and Settings\Owner.YOUR-B79WZ4ROSE\My Documents\RKFiles

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Files Found in system Folder............
    ------------------------
    C:\WINDOWS\system32\actskin4.ocx: UPX!
    C:\WINDOWS\system32\devil.dll: UPX!
    C:\WINDOWS\system32\ilu.dll: UPX!
    C:\WINDOWS\system32\ilut.dll: UPX!
    C:\WINDOWS\system32\in6bdlFs.dll: UPX!
    C:\WINDOWS\system32\Lycos.dll: UPX!
    C:\WINDOWS\system32\msbb321.dll: UPX!
    C:\WINDOWS\system32\pop.exe: UPX!
    C:\WINDOWS\system32\SHAgentNew.dll: UPX!
    C:\WINDOWS\system32\thin-138-1-x-x.exe: UPX!
    C:\WINDOWS\system32\elitejhk32.exe: FSG!
    C:\WINDOWS\system32\elitekmj32.exe: FSG!
    C:\WINDOWS\system32\elitekyh32.exe: FSG!
    C:\WINDOWS\system32\elitemxi32.exe: FSG!
    C:\WINDOWS\system32\elitezkn32.exe: FSG!
    C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAQAAAAAwGpEc213
    C:\WINDOWS\system32\epx30104.exe: PEC2
    C:\WINDOWS\system32\epx30105.exe: PEC2
    C:\WINDOWS\system32\eviq.exe: PEC2
    C:\WINDOWS\system32\ggjxv.exe: PEC2
    C:\WINDOWS\system32\kwcnt4l.sys: PEC2
    C:\WINDOWS\system32\moneya1m.exe: PEC2
    C:\WINDOWS\system32\moneyspm.exe: PEC2
    C:\WINDOWS\system32\we4l8.exe: PEC2
    C:\WINDOWS\kwcnt4l.sys: PEC2

    Files Found in all users startup Folder............
    ------------------------
    Files Found in all users windows Folder............
    ------------------------
    C:\WINDOWS\del.tmp: UPX!
    C:\WINDOWS\hxmkkphc.exe: UPX!
    C:\WINDOWS\nem220.dll: UPX!
    C:\WINDOWS\polmx.exe: UPX!
    C:\WINDOWS\tct101.dll: UPX!
    C:\WINDOWS\thin-114-1-x-x.exe: UPX!
    C:\WINDOWS\TMP_FILE_1.tmp: UPX!
    C:\WINDOWS\sigldr.exe: FSG!
    Finished
    bye

  9. #19
    HJThis is offline Senior Member
    Hi,soundsev3n

    From what I'm looking at in this logfile, Ewido should clean it up nicely.
    Give it a try; let's see how well it will clean up here.

    Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

    First:
    Please download ewido security suite it is a trial version of the program.
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update click the OK button
    • The program will now go to the main screen
    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    The update will start and a progress bar will show the updates being installed.
    Once the updates are installed do the following:
    • Click on scanner
    • Make sure the following boxes are checked before scanning:
      • Binder
      • Crypter
      • Archives
    • Click on Start Scan
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files, click OK

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop

    HGD

  10. #20
    soundsev3n is offline Full Member
    I didn't see the boxes "binder", "crypter", "archive"...

    And when it cleaned up bad files at the end of the scan, several said they were "embedded in the archive"... just thought I'd mention it. I don't know what it means. It gave the option to then delete the entire archive, and I did.
