
populates registry keys continuously + typing delays [RESOLVED]


  • This topic is locked

#1
dr1

dr1

    New Member

  • Member
  • Pip
  • 6 posts
Hi, could someone please help me to get my toshiba back from the internet-demon it is suffering.

I have decided to turn to this site for help instead of a Gun, I can always go back to the gun later.

ORIGINAL SYMPTOMS
1. have to type a key multiple times before the target letter appears
2. Trojan-Spy.HTML.Smitfraud.c background screen (wp.exe, wp.bmp)
3. IExplorer not operating properly, when accessing the delete cookie and other options it crashes
4. appearance of new web-links and folders in favourites menu e.g. Online Pharmacy, Gambling, Sexual Life, Adult, Cars, Shopping
5. continuous repopulation of registry key:
"hkey_classes_root\clsid\{ffffffff-ffff-ffff-ffff-fffffffff}"
6. continuous repopulation of IE registry keys with 'quicknavigate.com'

WHAT DID I DO NEXT
(a) used HijackThis to identify and remove certain items
(b) deleted the >wp.exe, wp.bmp< files,
(c) ran AVG, NoAdware3, SpybotS&D, Cwshredder, Miniremoval_cws_smartkiller... ALL reported Jack-SHIP!, I mean that nothing was found.
(d) de-installed lots of old programs in SAFE-MODE
(e) installed the FireFox browser
(f) turned off some non-essential system services
(g) tried removing the registry key at item 5 using "regedit" - it was repopulated the very next second

CURRENT SYMPTOMS (based on Original Symptoms list):
1. still typing delays
3. explorer still not operating properly
4. continuous repopulation of web-links and folders in favourites menu e.g. Online Pharmacy, Gambling, Sexual Life, Adult, Cars, Shopping
5. continuous repopulation of registry key:
"hkey_classes_root\clsid\{ffffffff-ffff-ffff-ffff-fffffffff}"
6. continuous repopulation of IE registry keys with 'quicknavigate.com'.

WHAT DID NO-ADWARE (NA) SAY:
NA01. Reports a Severe 'Adware.Umaxsearch' registry entry in
"hkey_classes_root\clsid\{ffffffff-ffff-ffff-ffff-fffffffff}"
NA02. It also says there are non-critical tracking cookies.
NA03. After I switched on all the "Configure Shields" (protect ie favs, ie hijack shields, hosts file shields, ie home page shield), I then continuously received >"IE Settings Change" from whatever to 'quicknavigate.com' do you authorise this< type messages, they continuously kept popping up. Had to use TaskManager 'End Process Tree' to stop the messages.

--LOG001 HiJackThis as at time "UTC Sunday, 8 May 2005 at 06:58:21"--
Logfile of HijackThis v1.99.1
Scan saved at 16:55:11, on 8/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\usrbridg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programs2\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Virus Hunter\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WLAN\Config.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ConnectState.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ECTaskScheduler.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Virus Hunter\NoAdware3\NoAdware3.exe
C:\Virus Hunter\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpD41A.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG_CC] C:\Programs2\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Virus Hunter\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\WLAN\Config.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
O23 - Service: iDEX 361 Bolero Server (Bolero) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "Bolero" "Bolero (file missing)
O23 - Service: iDEX 361 CMS Server (Cms) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "Cms" "Cms (file missing)
O23 - Service: iDEX 361 Mercury Server (iDEX361) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "iDEX361" "iDEX361 (file missing)
O23 - Service: iDEXDemoApache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleOraHome1Agent - Oracle Corporation - C:\Program~1\Oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome1ClientCache - Unknown owner - C:\Program~1\Oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome1CMAdmin - Unknown owner - C:\Program~1\Oracle\ora81\BIN\CMADMIN.EXE
O23 - Service: OracleOraHome1CMan - Unknown owner - C:\Program~1\Oracle\ora81\BIN\CMGW.EXE
O23 - Service: OracleOraHome1DataGatherer - Oracle Corporation - C:\Program~1\Oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome1TNSListener - Unknown owner - C:\Program~1\Oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIDEXDEMO - Oracle Corporation - c:\program~1\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe
--- LOG001 ENDS ---

Please help if you can.

Edited by dr1, 08 May 2005 - 01:30 AM.

  • 0



#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Before we fix anything, could you please mail me a (preferably zipped) copy of these files:
C:\WINDOWS\System32\hpD41A.tmp
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
Please send it to pieterATwilderssecurity.org (replace AT with @)

Then copy the part in bold below into notepad and save it as smitfraudnew.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn...t/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn...t/srchcust.htm"
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"
"Search Page"="http://www.microsoft...ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="http://search.msn.co...n-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsof...earch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="http://search.msn.co...om/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


Doubleclick the file we made.
Confirm you want to merge it with the registry and reboot.

Post a new HijackThis log when you are done.

Regards,
  • 0

#3
dr1

dr1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,
Did not find >C:\WINDOWS\System32\hpD41A.tmp
did find >C:\WINDOWS\System32\hpB21B.tmp

I have sent u the 3 files zipd.

Ran the Registry change and the background reappeared (rather than a black screen).

BUG-NOTE: The keyboard mapping seems pretty buggered, when typing the keys the letters appear after numerous attempts and delays, a 'StickyKeys' msg pops up each time I use Shift or Ctrl.
I write all this because when in the Sys32 dir i noticed that there was a hotkeys.exe.tmp, like the original had been replaced. R they related?

--LOG002 HiJackThis as at time "UTC Sunday, 8 May 2005 at 23:00:18"--
Logfile of HijackThis v1.99.1
Scan saved at 08:52:28, on 9/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\usrbridg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programs2\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WLAN\Config.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ConnectState.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ECTaskScheduler.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\Virus Hunter\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpB492.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG_CC] C:\Programs2\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\WLAN\Config.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
O23 - Service: iDEX 361 Bolero Server (Bolero) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "Bolero" "Bolero (file missing)
O23 - Service: iDEX 361 CMS Server (Cms) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "Cms" "Cms (file missing)
O23 - Service: iDEX 361 Mercury Server (iDEX361) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "iDEX361" "iDEX361 (file missing)
O23 - Service: iDEXDemoApache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleOraHome1Agent - Oracle Corporation - C:\Program~1\Oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome1ClientCache - Unknown owner - C:\Program~1\Oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome1CMAdmin - Unknown owner - C:\Program~1\Oracle\ora81\BIN\CMADMIN.EXE
O23 - Service: OracleOraHome1CMan - Unknown owner - C:\Program~1\Oracle\ora81\BIN\CMGW.EXE
O23 - Service: OracleOraHome1DataGatherer - Oracle Corporation - C:\Program~1\Oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome1TNSListener - Unknown owner - C:\Program~1\Oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIDEXDEMO - Oracle Corporation - c:\program~1\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe
--- LOG002 ENDS ---
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download this file: http://www.bleepingc...g/smitfraud.reg
(improved version of what we used before)

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the processes that were identified as related and any of the processes named in the list a bit further down.
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe


Doubleclick smitfraud.reg and confirm you want to merge it with the registry.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\bws.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\System32\hpB492.tmp
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpB492.tmp

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: DelDomains.inf
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

Post back with a new HijackThis log when you are done.

Regards,
  • 0

#5
dr1

dr1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi, thanks for your help so far.

## Outcomes from instructions follow because one had an ERROR. Also typing delays still exist ##

1. Found and deleted - Virtual Maid (did not find: Security IGuard, Search Maid)

2. Found and ended all of the following processes:
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe

3. Smitfraud.reg installed successfully.

4. KillBox ran successfully (copied Code into memory to run on reboot).

5. Rebooted in Safe Mode.

6. Ran HijackThis and successfully removed all nominated files.

7. Found and deleted:
C:\Windows\System32\Log Files

Did not find the following:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\Security IGuard

8. Rebooted in normal mode.

9. Ran Hoster, pressed "Make Hosts ReadOnly?"
then pressed "Restore Original Hosts" and pressed "OK"
## ERROR ## Hoster reported "File Access Denied" ##

10. Right-click-installed DelDomains.inf successfully.

11. Ran CleanUp successfully!

--LOG003 HiJackThis as at time "UTC Monday, 9 May 2005 at 12:10:23"--
Logfile of HijackThis v1.99.1
Scan saved at 21:49:34, on 9/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\usrbridg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programs2\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WLAN\Config.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ConnectState.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ECTaskScheduler.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\Virus Hunter\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG_CC] C:\Programs2\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\WLAN\Config.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
O23 - Service: iDEX 361 Bolero Server (Bolero) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "Bolero" "Bolero (file missing)
O23 - Service: iDEX 361 CMS Server (Cms) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "Cms" "Cms (file missing)
O23 - Service: iDEX 361 Mercury Server (iDEX361) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "iDEX361" "iDEX361 (file missing)
O23 - Service: iDEXDemoApache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleOraHome1Agent - Oracle Corporation - C:\Program~1\Oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome1ClientCache - Unknown owner - C:\Program~1\Oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome1CMAdmin - Unknown owner - C:\Program~1\Oracle\ora81\BIN\CMADMIN.EXE
O23 - Service: OracleOraHome1CMan - Unknown owner - C:\Program~1\Oracle\ora81\BIN\CMGW.EXE
O23 - Service: OracleOraHome1DataGatherer - Oracle Corporation - C:\Program~1\Oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome1TNSListener - Unknown owner - C:\Program~1\Oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIDEXDEMO - Oracle Corporation - c:\program~1\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe
--- LOG003 ENDS ---
  • 0
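
Added example, not part of any post in this thread and not code from HijackThis: a small Python check that re-reads the hijack-related entries excerpted from LOG001, LOG002 and LOG003 above and reports which ones were cleared, which persist and which are new. The flagging rules (allowed hosts, expected Messenger directory, BHO module extension) are assumptions drawn from the entries the helper asked to fix, not HijackThis behaviour.

```python
import ntpath
import re

# Entries excerpted from the HijackThis logs quoted in this thread.
LOG001 = r"""
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpD41A.tmp
"""
LOG002 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpB492.tmp
O4 - HKLM\..\Run: [AVG_CC] C:\Programs2\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
LOG003 = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\Programs2\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumptions for this example: hosts the fix .reg points IE back to, and the
# directory the logs' O9 lines give for the real Messenger binary.
ALLOWED_HOSTS = ("microsoft.com", "msn.com")
EXPECTED_DIR = {"msmsgs.exe": r"c:\program files\messenger"}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log):
    """Return (code, text) pairs for every 'Xn - ...' line in a log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def suspicious(code, text):
    """Return (stable_key, reason) if the entry matches a rule, else None."""
    if code in ("R0", "R1"):
        m = re.search(r"= https?://([^/\s]+)", text)
        if m:
            host = m.group(1).lower()
            if not any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS):
                return text.split(" = ", 1)[0], "IE setting points at " + host
    elif code == "F2":
        m = re.search(r"Shell=(.*)$", text)
        if m:
            extra = [p.strip() for p in m.group(1).split(",")
                     if p.strip().lower() != "explorer.exe"]
            if extra:
                return "Shell", "extra program in Shell=: " + ", ".join(extra)
    elif code == "O2":
        m = re.search(r"- (\{[0-9A-Fa-f-]+\}) - (.+)$", text)
        if m:
            clsid, path = m.group(1).upper(), m.group(2)
            all_f = set(clsid.strip("{}").replace("-", "")) == {"F"}
            if all_f or not path.lower().endswith(".dll"):
                # Key on the CLSID: the file name changes between scans.
                return clsid, "BHO module is " + ntpath.basename(path)
    elif code == "O4":
        m = re.search(r"\] (.+)$", text)
        exe = re.match(r'"?(.+?\.exe)', m.group(1), re.I) if m else None
        if exe:
            folder, name = ntpath.split(exe.group(1))
            expected = EXPECTED_DIR.get(name.lower())
            if expected and folder and folder.lower() != expected:
                return text, name + " runs from " + folder
    return None


def findings(log):
    """List (code, key, reason) for every flagged entry in a log."""
    result = []
    for code, text in parse_entries(log):
        hit = suspicious(code, text)
        if hit:
            result.append((code, hit[0], hit[1]))
    return result


def verify_cleanup(before, after):
    """Compare flagged entries of two scans by their stable keys."""
    was = {(c, k) for c, k, _ in findings(before)}
    now = {(c, k) for c, k, _ in findings(after)}
    return {"cleared": sorted(was - now),
            "persisting": sorted(was & now),
            "new": sorted(now - was)}


if __name__ == "__main__":
    print(verify_cleanup(LOG001, LOG002))
    print(verify_cleanup(LOG002, LOG003))
```

Matching the BHO by CLSID rather than by file name is what shows the LOG001 and LOG002 entries to be the same item even though the .tmp name changed between scans.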

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Looks good to me. :tazz:

Is your computer behaving as well?

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,
  • 0

#7
dr1

dr1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
thnkx pieter, stil workn on keyboard drvr fix,
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Is that a special keyboard? Wireless or anything.
Or just standard XP compatible?

Try installing SP2 and let me know if that helps.

Regards,
  • 0

#9
dr1

dr1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

Finally completed the SP2 installation, which is hard with a laptop keyboard that doesn't work. I'm sending this from my HP laptop.

LAPTOP KEYBOARD INTERMITTENTLY ACCEPTING KEY STROKES:
Unable to Type fluently. I'll hit a key, nothin, hit it again and again until the target letter appears. Man it is so frustrating, it is impossible to work with the laptop.

The SHIFT and CTRL keys barely work.

Using the SHIFT key brings up a STICKY KEYS dialogue which then relentlessly won't go away when you hit Cancel or the top-right-red-X-window-close-box it just keeps comin back, like the shift is stuck in the key buffer or whatever. To get rid of the dialogue I hit the escape key.
Dialogue says

Pressing the SHIFT key 5 times turns on StickyKeys. StickyKeys lets you use SHIFT, CTRL, ALT, or Windows Logo keys by pressing one key at a time. ...etc


The ESC, F1, ... ,F12 keys seem to work fine.

Rebooted into SAFE MODE: Keyboard typing still stuffed.
BOOT from Windows 98 CD: Keyboard typing still stuffed.

Gettin desperate, but thinkin maybe these buggers are corrupted... I copied the following from my HP Compaq NC6000 laptop directly over the ones on the TOSH:
WINDOWS\inf\keyboard.inf (right-click installed)
WINDOWS\system\Keyboard.drv
WINDOWS\system32\Keyboard.drv
WINDOWS\system32\Keyboard.sys
WINDOWS\system32\dllcache\Keyboard.drv
WINDOWS\system32\dllcache\Keyboard.sys
...nah, keyboard typing still stuffed.

STUFFED COMPUTER DETAILS:
LAPTOP Toshiba Satellite 2450-S402
Keyboard driver - Standard 101/102-Key or Microsoft-Natural PS/2 keyboard
Provider: microsoft
Driver-Date: 1/07/2001
Driver-Version: 5.1.2600.1106
Driver-Files:
C:\WINDOWS\system32\DRIVERS\i8042prt.sys
C:\WINDOWS\system32\DRIVERS\kbdclass.sys

LATEST LOG - AFTER SP2 INSTALLATION:

--LOG004 HiJackThis as at time "UTC Sunday, 15 May 2005 at 02:54:55"--
Logfile of HijackThis v1.99.1
Scan saved at 12:12:55, on 15/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\usrbridg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Programs2\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WLAN\Config.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ConnectState.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ECTaskScheduler.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\Virus Hunter\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG_CC] C:\Programs2\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\WLAN\Config.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe
--- LOG004 ENDS ---
  • 0
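A triage pass over the HijackThis log format posted above, as an added example that is not part of the original thread or of HijackThis itself: it cross-checks O23 services flagged "(file missing)" against the Running processes list and lists O4 Run entries that give a bare file name instead of a full path. The function names and verdict strings are assumptions of this example; the sample lines are an excerpt of LOG004.

```python
import re
# Excerpt of LOG004 from the post above, embedded so the example runs offline.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\usrbridg.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe
"""

ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")                 # section code, rest of line
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[(.+?)\] (.*)$")      # O4 registry autoruns
EXE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)  # first full .exe path

def parse_log(text):
    """Return (set of lower-cased running image paths, list of (code, body))."""
    running, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False            # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return running, entries

def triage(text):
    """Return (code, subject, verdict) tuples for entries worth a second look."""
    running, entries = parse_log(text)
    findings = []
    for code, body in entries:
        if code == "O23" and body.endswith("(file missing)"):
            exe = EXE.search(body.rsplit(" - ", 1)[-1])
            path = exe.group(0) if exe else ""
            # The image is in the process list, so the flag contradicts the log itself.
            verdict = "flagged-missing-but-running" if path.lower() in running else "missing"
            findings.append((code, path, verdict))
        elif code == "O4" and (m := RUN.match(body)):
            name, cmd = m.groups()
            if not re.match(r'"?[A-Za-z]:\\', cmd):   # no drive-qualified path
                findings.append((code, name, "bare-name-no-path"))
    return findings
```

On this excerpt the Tmesbs32 service comes back as "flagged-missing-but-running": its path in the O23 line carries a stray closing quote, while the same image appears under Running processes.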

#10
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I think this is not a software problem. Either one key is hanging or there is a short circuit somewhere.
Is there any way you can take out the keyboard and clean it out?

Regards,
  • 0

#11
dr1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

I hooked up my wireless Genius keyboard and that allowed me to type just perfectly (should've done that sooner).

I unscrewed the laptop's keyboard out of its holding and that seemed to make a difference momentarily. I will pull the keyboard apart and try to clean it up.

It was pretty coincidental that this occurred around the same time the malware did. Maybe I banged the keys a bit too hard in frustration.

Anyway, I reckon that should close the thread off.

Thanks a lot for your time and effort. It was very much appreciated.
:tazz:
With thanks
David.
  • 0

#12
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





