several problems...

  #1 (permalink)  
Old 22-07-2005, 06:40 AM
Full Member
New Recruit
 
Join Date: Jul 2005
Posts: 59
soundsev3n Is a beginner here at D-A-L
several problems...

i have been having problems with my computer for a long time, but usually i've found my way around to resolving them. however, the past few days i've been completely overwhelmed.

i'm getting pop-ups at a rate that i'm surprised my pc can actually handle without crashing. it's a "close one, get two" kind of thing except it's more like 1:7.

i cannot view my processes... (ctrl+alt+del does nothing at all)

i cannot delete or even find certain files i believe are disrupting my computer even tho i know where they should be. (also i cannot delete bad files that are in use, because i cannot view and then stop certain processes)

i have a small red sphere in my little box where the date and time are that i cannot remove (probly another thing that i could solve by viewing and ending certain processes)

i've looked for protection but most of the programs i have identify each other as a program with "hidden attachments" that cause even more pop-ups. so they basically call each other the problem. so i don't know what programs to trust.

i'm sure i could go on and on but i'll leave it at this for now. anyone that could help plz email me at Removed by HJThis or instant message me on AIM at POTZOMBIE69. Obviously you can respond in here but i'd just find it easier to do on IM's. ANY help will be VERY much appreciated.

PLZ HELP

-Brian

Hi, Brian

It's not a good idea to post your E-Mail out in the open like this.

Last edited by HJThis; 22-07-2005 at 05:31 PM.
  #2 (permalink)  
Old 22-07-2005, 06:59 AM
Full Member
New Recruit
 
Join Date: Jul 2005
Posts: 59
soundsev3n Is a beginner here at D-A-L
Re: several problems...

((i checked out the pages suggested by jephree and only got help from CCleaner. it removed some files i couldn't delete at first but that's it. i'm still having all the other problems.))
  #3 (permalink)  
Old 22-07-2005, 07:05 AM
jephree's Avatar
¨*·.¸ «.·°·..·°·.» ¸.·*¨
 
Join Date: Jun 2004
Posts: 25,328
jephree is beginning to become part of the furniture
Re: several problems...

Please post a HijackThis Log

http://www.isecurity.org.uk/downloads/hijackthis.zip
  #4 (permalink)  
Old 22-07-2005, 07:26 AM
Full Member
New Recruit
 
Join Date: Jul 2005
Posts: 59
soundsev3n Is a beginner here at D-A-L
Re: several problems...

Logfile of HijackThis v1.99.1
Scan saved at 2:25:30 AM, on 7/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\System32\exeser.exe
C:\WINDOWS\System32\alpjpo.exe
C:\WINDOWS\System32\p2pnetwork.exe
C:\WINDOWS\System32\apisvc.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\system\imuiiqq.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ersund(2).exe
C:\Program Files\Cas\Client\casclient.exe
C:\PROGRA~1\COMMON~1\rmfo\rmfom.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\System32\w?wexec.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\PROGRA~1\COMMON~1\rmfo\rmfoa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.YOUR-B79WZ4ROSE\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {CE4EBD6C-0588-7278-DCEA-7382BE1A789D} - C:\WINDOWS\System32\iztcuw.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MsConfigs] C:\Program Files\MsConfigs\MsConfigs.exe
O4 - HKLM\..\Run: [zmvsuwp] C:\WINDOWS\System32\zmvsuwp.exe
O4 - HKLM\..\Run: [skzw] C:\WINDOWS\System32\skzw.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [0FtV3nj] exeser.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\alpjpo.exe reg_run
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [dmctq.exe] C:\WINDOWS\System32\dmctq.exe
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [Ho29RhH5e] ersund(2).exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [rmfo] C:\PROGRA~1\COMMON~1\rmfo\rmfom.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Tocknhik] C:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/game...s/y/dot8_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{705BA8FE-618C-482E-BDAC-355316D665E3}: NameServer = 69.50.184.86,85.255.112.9
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\nktapi.dll
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  #5 (permalink)  
Old 22-07-2005, 07:34 AM
jephree's Avatar
¨*·.¸ «.·°·..·°·.» ¸.·*¨
 
Join Date: Jun 2004
Posts: 25,328
jephree is beginning to become part of the furniture
Re: several problems...

Owen or HJThis should be about later in the day to analyze this & that.
  #6 (permalink)  
Old 22-07-2005, 07:37 AM
Full Member
New Recruit
 
Join Date: Jul 2005
Posts: 59
soundsev3n Is a beginner here at D-A-L
Re: several problems...

thank you for your help
  #7 (permalink)  
Old 22-07-2005, 07:40 PM
HJThis's Avatar
Senior Member
Loyal Contributor
 
Join Date: Aug 2004
Posts: 2,233
HJThis Helps others at D-A-L
Re: several problems...

Hello, soundsev3n & Welcome

Please move HijackThis to a folder in C:\Drive like so C:\HJT

You have a ton of work to do here so let's get going.

Please download ewido security suite; please look to the bottom of my post for info on how to install, update & run.

Do not run a scan just yet; look to the bottom of my post for settings & how to use.

Press control-alt-delete to get into the task manager and end the following processes if they exist:
MsConfigs.exe<--NOTE: Please it's this one not the legit one here-->MsConfig.exe
exeser.exe
alpjpo.exe
p2pnetwork.exe
apisvc.exe
intel32.exe
wintask.exe
imuiiqq.exe
casclient.exe
rmfom.exe
wtta.exe
w?wexec.exe
rmfoa.exe


If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
MsConfigs
Cas Or Cas Client
apsi
p2pnetwork
WareOut
rmfo
rmfoa


Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {CE4EBD6C-0588-7278-DCEA-7382BE1A789D} - C:\WINDOWS\System32\iztcuw.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)

O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [MsConfigs] C:\Program Files\MsConfigs\MsConfigs.exe
O4 - HKLM\..\Run: [zmvsuwp] C:\WINDOWS\System32\zmvsuwp.exe
O4 - HKLM\..\Run: [skzw] C:\WINDOWS\System32\skzw.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [0FtV3nj] exeser.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\alpjpo.exe reg_run
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [dmctq.exe] C:\WINDOWS\System32\dmctq.exe
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [rmfo] C:\PROGRA~1\COMMON~1\rmfo\rmfom.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Tocknhik] C:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\nktapi.dll

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files\folders IF still present:
C:\WINDOWS\cfgmgr52.dll<---This file
C:\WINDOWS\System32\vbrundll.dll<---This file
C:\WINDOWS\System32\iztcuw.dll<---This file
C:\WINDOWS\System32\msbe.dll<---This file
C:\WINDOWS\System32\regsync.exe<---This file
C:\Program Files\MsConfigs\<---This folder
C:\WINDOWS\System32\zmvsuwp.exe<---This file
C:\WINDOWS\System32\skzw.exe<---This file
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\<--Clean out this folder; do not delete the folder itself
C:\WINDOWS\System32\PSof1.exe<---This file
C:\WINDOWS\System32\alpjpo.exe<---This file
C:\WINDOWS\System32\apisvc.exe<---This file
C:\WINDOWS\System32\intel32.exe<---This file
C:\WINDOWS\System32\wintask.exe<---This file
C:\WINDOWS\VCMnet11.exe<---This file
C:\WINDOWS\System32\dmctq.exe<---This file
C:\Program Files\Cas\<---This folder
C:\PROGRA~1\COMMON~1\rmfo\<---This folder; the name may be longer
C:\Program Files\apsi\<---This folder
C:\WINDOWS\System32\w?wexec.exe<---This file
C:\Program Files\WareOut\<---This folder
C:\WINDOWS\system32\nktapi.dll<---This file

Still in Safe Mode, do a file Search for these; if found, delete them
exeser.exe
AUNPS2.DLL
p2pnetwork.exe


After doing all of the above run Ewido Security Suite

Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop

Then do a reboot, tell us how the PC is & show us a new logfile.

HGD

Last edited by HJThis; 22-07-2005 at 08:00 PM.
  #8 (permalink)  
Old 24-07-2005, 07:20 AM
Full Member
New Recruit
 
Join Date: Jul 2005
Posts: 59
soundsev3n Is a beginner here at D-A-L
Re: several problems...

ok so long story short, i lost my internet connection for a day or so and couldn't check the forum. in an attempt to fix the problem of lost connection, i restored the computer to thursday afternoon. [Thurs. July 21 2005]

as a result some of the things from my very first CCleaner Scan are back on the computer. So i ran it again and it barely deleted anything. i don't know exactly what's going on with that.

I'm REALLY sorry if you took a lot of time to go over that scan log but i'm just gunna post a current one and let you look THAT one over instead of removing anything. this is because some of the items on the list you said to remove are not there or are in a different spot maybe. i didn't wanna mess with it if i wasn't sure.

when i try to remove some programs like AdDestroyer through Add/Remove it doesn't work because of, umm... this...

You said --- "After doing all of the above run Ewido Security Suite"
I didn't do "all of the above" so... i didn't run the scan. i acquired the program and updated but didn't scan yet. i will if and when you tell me to again.

This basically covers your entire post so I'm sorry i set us back. I posted the more recent HJThis Log in the next post.

Oh and another thing... (ctl+alt+del) doesn't work remember ?

Thank you,
Brian
  #9 (permalink)  
Old 24-07-2005, 07:24 AM
Full Member
New Recruit
 
Join Date: Jul 2005
Posts: 59
soundsev3n Is a beginner here at D-A-L
Re: several problems...

Logfile of HijackThis v1.99.1
Scan saved at 2:26:53 AM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\exeser.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\alpjpo.exe
C:\WINDOWS\System32\p2pnetwork.exe
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\bWestFrontier1002.exe
C:\WINDOWS\system\aeiee.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ersund(2).exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\securitysuite.exe
D:\Info.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [MsConfigs] C:\Program Files\MsConfigs\MsConfigs.exe
O4 - HKLM\..\Run: [zmvsuwp] C:\WINDOWS\System32\zmvsuwp.exe
O4 - HKLM\..\Run: [skzw] C:\WINDOWS\System32\skzw.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [0FtV3nj] exeser.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\alpjpo.exe reg_run
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\bWestFrontier1002.exe run
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [Ho29RhH5e] ersund(2).exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/game...s/y/dot8_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Last edited by soundsev3n; 24-07-2005 at 07:28 AM.
  #10 (permalink)  
Old 24-07-2005, 03:17 PM
HJThis's Avatar
Senior Member
Loyal Contributor
 
Join Date: Aug 2004
Posts: 2,233
HJThis Helps others at D-A-L
Re: several problems...

Hi, soundsev3n

Press control-alt-delete to get into the task manager and end the following processes if they exist:

MsConfigs.exe
wintask.exe
exeser.exe
alpjpo.exe
p2pnetwork.exe
bWestFrontier1002.exe
aeiee.exe
casclient.exe
Info.exe
regsync.exe
zmvsuwp.exe
skzw.exe
PSof1.exe
p2pnetwork.exe
VCMnet11.exe
pscan.exe
ersund(2).exe


If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
MsConfigs.exe
p2pnetwork.exe
Privacy Champion
EliteToolBar
Cas



Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [MsConfigs] C:\Program Files\MsConfigs\MsConfigs.exe
O4 - HKLM\..\Run: [zmvsuwp] C:\WINDOWS\System32\zmvsuwp.exe
O4 - HKLM\..\Run: [skzw] C:\WINDOWS\System32\skzw.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [0FtV3nj] exeser.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\alpjpo.exe reg_run
O4 - HKLM\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\bWestFrontier1002.exe run
O4 - HKLM\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [Ho29RhH5e] ersund(2).exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files in Red & folders in Blue IF still present:

C:\WINDOWS\System32\regsync.exe
C:\Program Files\MsConfigs\<--NOTE please it's this file not this one-->Msconfig<--This one
C:\WINDOWS\System32\zmvsuwp.exe
C:\WINDOWS\System32\skzw.exe
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\alpjpo.exe
C:\WINDOWS\VCMnet11.exe
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\<--Clean out this folder; do not delete the folder itself
C:\Program Files\Privacy Champion\
C:\Program Files\Cas\

Still in Safe Mode, do a file Search for these; if found, delete them
exeser.exe
p2pnetwork.exe
ersund(2).exe


HGD

Last edited by HJThis; 24-07-2005 at 03:20 PM.
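
Added example (not part of the thread, and not HJThis's own method): a Python sketch that parses the R/O entry lines of two HijackThis logs, reports which entries are gone, new or persisting between them, and marks O4 registry autoruns for manual review. The sample lines are excerpted from the 22-07 and 24-07 logs above; the function names and the three review marks (no directory, Temp folder, rundll32) are assumptions, and a mark is a prompt to look, not a verdict: AlcxMonitor is marked, yet neither fix list in this thread includes it.

```python
import re

# An entry line is "<section> - <text>", section being R0..R3 or O1..O23.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# O4 registry autorun: "HKLM\..\Run: [value name] command line"
AUTORUN_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\(\w+): \[(.+?)\] (.+)$")

# Sample input: lines excerpted from the 22-07-2005 log in this thread.
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:25:30 AM, on 7/22/2005
Running processes:
C:\WINDOWS\System32\exeser.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [0FtV3nj] exeser.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\nktapi.dll
"""

# Sample input: lines excerpted from the 24-07-2005 log (after System Restore).
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:26:53 AM, on 7/24/2005
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [0FtV3nj] exeser.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
"""


def parse_log(text):
    """Return the set of (section, entry) pairs in one HijackThis log.

    The header and the "Running processes" list do not match ENTRY_RE
    and are skipped.
    """
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(old_text, new_text):
    """Compare two logs entry by entry (exact text match)."""
    old, new = parse_log(old_text), parse_log(new_text)
    return {
        "gone": sorted(old - new),        # fixed, or undone by a restore
        "new": sorted(new - old),         # appeared between the two scans
        "persisting": sorted(old & new),  # still starts with Windows
    }


def review_autorun(entry):
    """Return review marks for one O4 registry autorun (assumed heuristics)."""
    m = AUTORUN_RE.match(entry)
    if not m:
        return []  # startup-folder shortcut or a line this sketch skips
    command = m.group(4)
    marks = []
    if "\\" not in command:
        marks.append("no-path")    # file is found through the search path
    if "\\temp\\" in command.lower():
        marks.append("temp-dir")   # starts from a temporary folder
    if command.lower().startswith("rundll32"):
        marks.append("rundll32")   # the DLL argument is what needs checking
    return marks


def triage(old_text, new_text):
    """Map (hive, value name) of each marked O4 autorun in the new log
    to (status, marks), status being "persisting" or "new"."""
    old, new = parse_log(old_text), parse_log(new_text)
    marked = {}
    for section, entry in sorted(new):
        marks = review_autorun(entry) if section == "O4" else []
        if marks:
            hive, _key, name, _cmd = AUTORUN_RE.match(entry).groups()
            status = "persisting" if (section, entry) in old else "new"
            marked[(hive, name)] = (status, marks)
    return marked


if __name__ == "__main__":
    for status, items in diff_logs(OLD_LOG, NEW_LOG).items():
        for section, entry in items:
            print(f"{status:10} {section:3} {entry}")
    for key, value in triage(OLD_LOG, NEW_LOG).items():
        print(key, value)
```

Entries are compared as exact text, so a path that differs only in letter case between two scans shows up as one entry gone and one new.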