Author Topic: TopAntiSpyware please help! (Read 4450 times)

Guest_Alex_* · « **on:** February 08, 2005, 04:47:09 PM »

My desktop wallpaper has been replace with a giant link to TopAntiSpyware and my homepage keeps getting reset to http://www.search-paga.com/10040/. This evil intruder has even disabled my ability to open notepad files and I therefore I can't post a hijackthis log!

I ran CWS shredder, antivirus, Spybot Search and Destroy freezes upon attempting to remove the 18 items it finds. Also, upon reboot I get 2 internet explorer prompts that read "tmpll.tmp and shmyga.exe has encountered a problem and needs to close.

I don't know what to do. Please help! Thanks in advance

guestolo · « **Reply #1 on:** February 08, 2005, 04:55:34 PM »

On my way out soon, but you didn't supply enough info

Without a Hijackthis log and can't see what operating system your running

Can you go to Start>>run>>>type in notepad

Does that bring notepad up?

Can you reboot into safe mode and run a scan with Hijackthis?

Guest · « **Reply #2 on:** February 08, 2005, 06:15:38 PM »

Thanks for the response. I'm running Windows XP and even in safe mode it will not allow me to open a notepad file under any circumstances. But here are some of the Hijack entries that look questionable. Man, having to type these out manually sucks!

R0-HKCU\Software\Microsoft\Internet Explorer\Main, Start Page = http://www.search-paga.com/10040/

F3-REG:win.ini:run=C:\WINDOWS\inetm\services.exe

02-BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

04-HKLM\..\Run: [xp_system]C:\WINDOWS\inetm\services.exe

04-HKCU\..\Run: [xp_system]C:\WINDOWS\inetm\services.exe

016-DPF:{25365FF3-2746-42309DAY-163CCA318309}(GTDownloaderCtrl Class)- http://inst.c-wss.com/78/html/gtdownlr.cab

023- Service: Sub Connections- Unknown- C:\WINDOWS\System32\shmyga.exe

023- Service: Working Network Connections - Unknown- C:\WINDOWS\System32\hicom.exe

guestolo · « **Reply #3 on:** February 08, 2005, 06:24:13 PM »

I need more info than that

I just asked another poster the same question

Let me know if you see
Notepad.exe

In both these locations

C:\WINDOWS

and in
C:\WINDOWS\SYSTEM32 folder

You may not see the .exe extension
unless you you
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.

* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Guest · « **Reply #4 on:** February 08, 2005, 06:42:55 PM »

Yes I definitely see the files in those locations, I just can't open any notepad file.

guestolo · « **Reply #5 on:** February 08, 2005, 06:51:45 PM »

Can you navigate to where you saved the log
Right click on it and choose OPEN WITH
Choose program and open it with WordPad?

Guest · « **Reply #6 on:** February 08, 2005, 07:01:24 PM »

Yup..that did it. Thanks. Here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 4:01:35 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\inetm\services.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\938664.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\hicom.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10040/
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - Global Startup: 938664.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/78/html/gtdownlr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/018f049977d5f7...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106783608342
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O21 - SSODL: eplrr - {524F2CE5-89CC-488F-B5E8-4AB40FCE8D53} - C:\WINDOWS\System32\eplrr3.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Manageer Network Connections - Unknown - C:\WINDOWS\System32\telcmd.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sub Connections - Unknown - C:\WINDOWS\System32\shmyga.exe
O23 - Service: Working Network Connections - Unknown - C:\WINDOWS\System32\hicom.exe

guestolo · « **Reply #7 on:** February 08, 2005, 07:11:07 PM »

You also have a few nasties in your services

Can you download the free trial version of TDS-3
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
This is good for 30 days
Install it and Restart your computer when prompted
Don't run a scan yet

When your back in Windows it's important to update the latest RADIUS database

IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3

If your unsure how to update it follow the instructions from this link
http://tds.diamondcs.com.au/index.php?page=update
Follow the Manual update procedure
Again, don't run a scan yet

Print this out or safe to a Notepad file for easy access

Restart into Safe mode without Network connection
You can do this by tapping the F8 key as The system is booting up

Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Detections will appear in the lower pane of tds window after the scan is finished ( it'll take a while ) Right click the list> select save as txt.>> save this to a convienent location, I'll need to see it later

After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

Restart back to Normal mode
Post a fresh Hijackthis log and the scandump.txt from TDS-3

Also let me know if your still having Desktop problems

Guest · « **Reply #8 on:** February 09, 2005, 04:12:22 AM »

Did all that, still having the same problems. Desktop wallpaper is still replaced with that link.

Logfile of HijackThis v1.99.0
Scan saved at 1:11:27 AM, on 2/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\hicom.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\938664.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.exe

F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: 938664.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/78/html/gtdownlr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/018f049977d5f7...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106783608342
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O21 - SSODL: eplrr - {655D066F-0B8A-40FA-BFDF-9B452FAD6DB9} - C:\WINDOWS\System32\eplrr3.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Manageer Network Connections - Unknown - C:\WINDOWS\System32\telcmd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sub Connections - Unknown - C:\WINDOWS\System32\shmyga.exe
O23 - Service: Working Network Connections - Unknown - C:\WINDOWS\System32\hicom.exe

ScanDump

Scan Control Dumped @ 17:33:10 08-02-05
RegVal Trace: TrojanDownloader.Win32.Keyw: HKEY_CURRENT_USER
File: Software\Microsoft\Windows\CurrentVersion\Run [xp_system=C:\WINDOWS\inetm\services.exe]

RegVal Trace: TrojanDownloader.Win32.Keyw: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [xp_system=C:\WINDOWS\inetm\services.exe]

Positive identification: TrojanProxy.Win32.Agent.cx1
File: c:\windows\system32\telcmd.exe

Positive identification (DLL): Adware.BiSpy.t (dll)
File: c:\documents and settings\alex\desktop\hijack this\backups\backup-20050103-170630-486.dll

Positive identification (DLL): Adware.Adstart.c2 (dll)
File: c:\documents and settings\alex\desktop\hijack this\backups\backup-20050103-170630-660.dll

Positive identification (embedded in file): Trojan.Win32.Delf.cf (Unpacked)
File: c:\documents and settings\alex\desktop\hijack this\backups\backup-20050103-170630-767.dll

Positive identification (DLL): Trojan.Win32.Delf.cf8 (dll)
File: c:\documents and settings\alex\desktop\hijack this\backups\backup-20050103-170630-767.dll

Positive identification: Trojan.Win32.Delf.cf8
File: c:\documents and settings\alex\local settings\temp\27vc.sys

Positive identification (embedded in file): Trojan.Win32.Delf.cf (Unpacked)
File: c:\documents and settings\alex\local settings\temp\temp.fr7914

Positive identification (DLL): Trojan.Win32.Delf.cf8 (dll)
File: c:\documents and settings\alex\local settings\temp\temp.fr7914

Positive identification (embedded in file): Trojan.Win32.Delf.cf (Unpacked)
File: c:\documents and settings\alex\local settings\temp\temp.fr855b

Positive identification (DLL): Trojan.Win32.Delf.cf8 (dll)
File: c:\documents and settings\alex\local settings\temp\temp.fr855b

Positive identification: TrojanProxy.Win32.Small.ah2
File: c:\documents and settings\alex\local settings\temp\tmp10.tmp

Positive identification: TrojanProxy.Win32.Small.ah2
File: c:\documents and settings\alex\local settings\temp\tmp13.tmp

Positive identification: TrojanProxy.Win32.Small.ah2
File: c:\documents and settings\alex\local settings\temp\tmp17.tmp

Positive identification: TrojanProxy.Win32.Small.ah2
File: c:\documents and settings\alex\local settings\temp\tmp19.tmp

Positive identification: TrojanProxy.Win32.Small.ah2
File: c:\documents and settings\alex\local settings\temp\tmp1c.tmp

Positive identification: TrojanProxy.Win32.Small.ah2
File: c:\documents and settings\alex\local settings\temp\tmp4.tmp

Positive identification: TrojanProxy.Win32.Small.ah2
File: c:\documents and settings\alex\local settings\temp\tmp7.tmp

Positive identification: TrojanProxy.Win32.Small.ah2
File: c:\documents and settings\alex\local settings\temp\tmpa.tmp

Positive identification: TrojanProxy.Win32.Small.ah2
File: c:\documents and settings\alex\local settings\temp\tmpd.tmp

Positive identification (embedded in file): Adware.DelphinMediaViewer.c
File: c:\documents and settings\alex\local settings\temp\vmstmp\vmstmp.exe

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\program files\aws\weatherbug\minibugtransporter.dll

Positive identification: Trojan.Win32.Delf.cf8
File: c:\windows\27vc.sys

Positive identification: Worm.Delf.i
File: c:\windows\ef.exe

Positive identification (embedded in file): TrojanDownloader.Win32.Delf.dg
File: c:\windows\pd7.exe

Positive identification: TrojanClicker.Win32.Small.cx
File: c:\windows\r.exe

Positive identification: TrojanClicker.Win32.Small.cx
File: c:\windows\s.exe

Positive identification: Adware.BetterInternet
File: c:\windows\bundles\thin-8-1-x-x.exe

Positive identification: TrojanClicker.Win32.Small.cx
File: c:\windows\inetm\pvtkil.exe

Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
File: c:\windows\inetm\services.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\system32\aaiejcyp.exe

Positive identification: Adware.Adstart.c2
File: c:\windows\system32\blwvrd.exe

Positive identification: Adware.Adstart.b2
File: c:\windows\system32\blwvrf.exe

Positive identification (DLL): TrojanProxy.Win32.Small.ah (dll)
File: c:\windows\system32\eplrr3.dll

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\system32\glklqaaa.exe

Positive identification: Adware.Adstart.c2
File: c:\windows\system32\hqlpdd.exe

Positive identification: Adware.Adstart.b2
File: c:\windows\system32\hqlpdf.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\system32\jglbaaaa.exe

Positive identification (embedded in file): Trojan.Win32.Delf.cf6
File: c:\windows\system32\k5o9o0.dll

Positive identification (DLL): Trojan.Win32.Delf.cf5 (dll)
File: c:\windows\system32\k5o9o0.dll

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\system32\mcdtaaaa.exe

Positive identification: Trojan.Win32.Delf.cf5
File: c:\windows\system32\moneyspm.exe

Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
File: c:\windows\system32\notepad.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\system32\shxuiiac.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\system32\sydoyaaa.exe

Positive identification: TrojanProxy.Win32.Agent.cx1
File: c:\windows\system32\telcmd.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\system32\vqwomaaa.exe

Positive identification: TrojanClicker.Win32.Agent.bd
File: c:\windows\system32\wtl32a.exe

Guest · « **Reply #9 on:** February 09, 2005, 05:30:34 PM »

Ok here's an update. After my last post, I got some pop-ups from AVG telling me it had found a few viruses and I went ahead and deleted them. But now when I reboot, my desktop is completely inactive. No icons or folders, no task bar or start menu, nothing. I can't even left or right click. The only way I can open a program is by using control alt delete and opening a program manually. Is there anyway to fix this?? I'd hate to have to buy a new hard drive and reinstall windows then transfer my files over!

guestolo · « **Reply #10 on:** February 09, 2005, 05:55:48 PM »

Let's see what we can clean out
First>>
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a Restore point
Name it and click Create
This is just to ensure you have a backup from this point on

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When Installing it may download and start running a scan
Allow to update, but Don't run a scan yet

Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, etc...
Windows Cleanup
Install for now but Don't run a scan yet

Download Pocket Killbox
UNZIP the files to the folder of your choice.

I've uploaded a couple files at the bottom of this reply box
Can you save the zipped files to your desktop please
Rkfiles.zip
IMPORTANT>>Create a new folder and UNZIP the contents to that new folder
Notepad_XP.zip just leave it on the desktop for now

I understand that you can't use Notepad
Can you open up Wordpad and save these instructions to it please and save it on your desktop
Or print this out, After that is done, please disconnect from the Internet

===Next: Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Working Network Connections if found

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
Do the same for this one
Sub Connections

===Open Hijackthis>>Open Misc tools section>>open process manager and kill these processes if still running
C:\WINDOWS\System32\hicom.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\938664.exe

Do another scan with Hijackthis and put a check next to these entries:

F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe

O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - Global Startup: 938664.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/018f049977d5f7...ip/RdxIE601.cab

O21 - SSODL: eplrr - {655D066F-0B8A-40FA-BFDF-9B452FAD6DB9} - C:\WINDOWS\System32\eplrr3.dll

O23 - Service: Manageer Network Connections - Unknown - C:\WINDOWS\System32\telcmd.exe (file missing)
O23 - Service: Sub Connections - Unknown - C:\WINDOWS\System32\shmyga.exe
O23 - Service: Working Network Connections - Unknown - C:\WINDOWS\System32\hicom.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

# Open Registry Editor. Click Start>Run, type REGEDIT
, then press Enter.
# In the left panel, expand(+) the following
+HKEY_CURRENT_USER
+Software
+Microsoft
+Internet Explorer
+Desktop
+Components
# Still in the left panel, locate and Right click on and delete the subkey:
0
# Close Registry Editor.

Double-click on Killbox.exe to run it
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, one at a time
Put a mark next to "Delete on Reboot"
For any .dll file, additionally put a mark next to "Unregister .dll before deleting"
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\938664.exe

C:\WINDOWS\inetm\services.exe

C:\WINDOWS\System32\hicom.exe

C:\WINDOWS\System32\spoolsrv32.exe

When you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot
But Please restart into safe mode

In safe mode
Ensure that all these files or folders to not exist, if they do try deleting them
FILES
c:\windows\system32\telcmd.exe
c:\windows\27vc.sys
c:\windows\ef.exe
c:\windows\pd7.exe
c:\windows\r.exe
c:\windows\s.exe
c:\windows\bundles\thin-8-1-x-x.exe
c:\windows\system32\aaiejcyp.exe
c:\windows\system32\blwvrd.exe
c:\windows\system32\blwvrf.exe
c:\windows\system32\eplrr3.dll
c:\windows\system32\glklqaaa.exe
c:\windows\system32\hqlpdd.exe
c:\windows\system32\jglbaaaa.exe
c:\windows\system32\k5o9o0.dll
c:\windows\system32\mcdtaaaa.exe
c:\windows\system32\moneyspm.exe
c:\windows\system32\notepad.exe
c:\windows\system32\shxuiiac.exe
c:\windows\system32\sydoyaaa.exe
c:\windows\system32\telcmd.exe
c:\windows\system32\vqwomaaa.exe
c:\windows\system32\wtl32a.exe
C:\WINDOWS\System32\spoolsrv32.exe <--careful, just the exact name
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\938664.exe

Navigate to this file if found
C:\WINDOWS\System32\shmyga.exe >>right click on it and rename it to
shmyga.old
Then right click on it and copy it and paste it to your MyDocuments folder
Then go back and delete the file>>This is just for backup purposes

Also Using Windows Explorer and/or Search, locate and delete the following files
they are in bold >>>Not all may exist, but are related too Smart Security
• C:\WINDOWS\desktop.html '
C:\WINDOWS\Web\desktop.html
•C:\WINDOWS\SSICO.ICO
• C:\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
•C:\Documents and Settings\<current user>\Favorites\! Smart Security.url
• C:\Documents and Settings\<current user>\Recent\! Smart Security.url
• C:\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url

<current user> =Alex> the user having problems with there desktop, I'm assuming this user profile

And remove these folders if found
C:\WINDOWS\inetm <--folder
c:\program files\aws

Stay in safe mode

You must be in safe mode with Windows set to show hidden files and folders
In safe mode
Open that new folder you created for Rkfiles.zip
Double click on rkfiles.bat to run it.
Sit back and WAIT until the dos Window closes

Once that is done

Open up Windows CleanUp! that you installed earlier
START>>ALL programs>>CleanUp
Click the CleanUp button
Let it finish scanning for files, when it's done it will prompt you to Log off
DON'T at this time
Instead

Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to Normal mode to finish the cleaning process

When your back in Windows
We saved Notepad.zip to desktop
Can you UNZIP the contents to the C:\Windows folder
and also the C:\Windows\System32 folder

Post back a fresh hijackthis log afterwards, could you also let me know if notepad is working
Could you also
Could you Download ServiceFilter.zip
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

[attachment=20:attachment][attachment=21:attachment]

guestolo · « **Reply #11 on:** February 09, 2005, 05:58:47 PM »

Hold up Alex, I was working on your log when you were posting

Can you bring up the TaskManager
In Task Manger click on FILE
NEW TASK(RUN)
in the box type in
explorer.exe
hit OK

Does that bring back the desktop
If so, before following any of the above instructions
Please post back a fresh hijackthis log
Let me know what file AVG found and deleted

Guest · « **Reply #12 on:** February 09, 2005, 06:10:32 PM »

"Windows cannot find explorer.exe." is the prompt that I get. I have no idea what files I deleted, but I can open AVG and list the trojans in the vault. Should I follow the instrucions in your previous post or wait to solve the desktop issue first?

guestolo · « **Reply #13 on:** February 09, 2005, 06:14:06 PM »

Yes please, might give us a clue

EDIT>>>Can you also try ending task on anything you don't recognize and try bringing up Explorer.exe with the file>>>New task option

These are legit
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.exe

The above are OK to leave for now

mkl · « **Reply #14 on:** February 19, 2005, 02:10:52 PM »

[quote name=\'Guest_Alex_*\' date=\'Feb 8 2005, 04:47 PM\']My desktop wallpaper has been replace with a giant link to TopAntiSpyware and my homepage keeps getting reset to http://www.search-paga.com/10040/. This evil intruder has even disabled my ability to open notepad files and I therefore I can't post a hijackthis log!

I ran CWS shredder, antivirus, Spybot Search and Destroy freezes upon attempting to remove the 18 items it finds. Also, upon reboot I get 2 internet explorer prompts that read "tmpll.tmp and shmyga.exe has encountered a problem and needs to close.

I don't know what to do. Please help! Thanks in advance

[post=\"23975\"]<{POST_SNAPBACK}>[/post]

[/quote]

guestolo · « **Reply #15 on:** February 19, 2005, 02:15:27 PM »

I'm locking this topic
As the original poster has not returned

mkl, can you please start your own post in this forum
You have just quoted the original poster, is that suppose to mean something?

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: TopAntiSpyware please help! (Read 4450 times)

Guest_Alex_*

TopAntiSpyware please help!

guestolo

TopAntiSpyware please help!

Guest

TopAntiSpyware please help!

guestolo

TopAntiSpyware please help!

Guest

TopAntiSpyware please help!

guestolo

TopAntiSpyware please help!

Guest

TopAntiSpyware please help!

guestolo

TopAntiSpyware please help!

Guest

TopAntiSpyware please help!

Guest

TopAntiSpyware please help!

guestolo

TopAntiSpyware please help!

guestolo

TopAntiSpyware please help!

Guest

TopAntiSpyware please help!

guestolo

TopAntiSpyware please help!

mkl

TopAntiSpyware please help!

guestolo

TopAntiSpyware please help!