I have decided to turn to this site for help instead of a Gun, I can always go back to the gun later.
ORIGINAL SYMPTOMS
1. have to type a key multiple times before the target letter appears
2. Trojan-Spy.HTML.Smitfraud.c background screen (wp.exe, wp.bmp)
3. IExplorer not operating properly, when accessing the delete cookie and other options it crashes
4. appearance of new web-links and folders in favourites menu e.g. Online Pharmacy, Gambling, Sexual Life, Adult, Cars, Shopping
5. continuous repopulation of registry key:
"hkey_classes_root\clsid\{ffffffff-ffff-ffff-ffff-fffffffff}"
6. continuous repopulation of IE registry keys with 'quicknavigate.com'
WHAT DID I DO NEXT
(a) used HijackThis to identify and remove certain items
(b) deleted the >wp.exe, wp.bmp< files,
(c) ran AVG, NoAdware3, SpybotS&D, Cwshredder, Miniremoval_cws_smartkiller... ALL reported Jack-SHIP!, I mean that nothing was found.
(d) de-installed lots of old programs in SAFE-MODE
(e) installed the FireFox browser
(f) turned off some non-essential system services
(g) tried removing the registry key at item 5 using "regedit" - it was repopulated the very next second
CURRENT SYMPTOMS (based on Original Symptoms list):
1. still typing delays
3. explorer still not operating properly
4. continuous repopulation of web-links and folders in favourites menu e.g. Online Pharmacy, Gambling, Sexual Life, Adult, Cars, Shopping
5. continuous repopulation of registry key:
"hkey_classes_root\clsid\{ffffffff-ffff-ffff-ffff-fffffffff}"
6. continuous repopulation of IE registry keys with 'quicknavigate.com'.
WHAT DID NO-ADWARE (NA) SAY:
NA01. Reports a Severe 'Adware.Umaxsearch' registry entry in
"hkey_classes_root\clsid\{ffffffff-ffff-ffff-ffff-fffffffff}"
NA02. It also says there are non-critical tracking cookies.
NA03. After I switched on all the "Configure Shields" (protect IE favs, IE hijack shields, hosts file shields, IE home page shield), I then continuously received >"IE Settings Change" from whatever to 'quicknavigate.com' do you authorise this< type messages; they continuously kept popping up. Had to use TaskManager 'End Process Tree' to stop the messages.
--LOG001 HiJackThis as at time "UTC Sunday, 8 May 2005 at 06:58:21"--
Logfile of HijackThis v1.99.1
Scan saved at 16:55:11, on 8/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\system32\usrbridg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programs2\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Virus Hunter\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WLAN\Config.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ConnectState.exe
C:\Program Files\Nokia\PC Suite for Nokia 9210i Communicator\ECTaskScheduler.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Virus Hunter\NoAdware3\NoAdware3.exe
C:\Virus Hunter\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpD41A.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG_CC] C:\Programs2\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Virus Hunter\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\WLAN\Config.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
O23 - Service: iDEX 361 Bolero Server (Bolero) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "Bolero" "Bolero (file missing)
O23 - Service: iDEX 361 CMS Server (Cms) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "Cms" "Cms (file missing)
O23 - Service: iDEX 361 Mercury Server (iDEX361) - Unknown owner - C:\Program Files\Allaire\JRun\bin\jrun.exe" -jrundir "C:\Program Files\Allaire\JRun" -nt "iDEX361" "iDEX361 (file missing)
O23 - Service: iDEXDemoApache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleOraHome1Agent - Oracle Corporation - C:\Program~1\Oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome1ClientCache - Unknown owner - C:\Program~1\Oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome1CMAdmin - Unknown owner - C:\Program~1\Oracle\ora81\BIN\CMADMIN.EXE
O23 - Service: OracleOraHome1CMan - Unknown owner - C:\Program~1\Oracle\ora81\BIN\CMGW.EXE
O23 - Service: OracleOraHome1DataGatherer - Oracle Corporation - C:\Program~1\Oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome1TNSListener - Unknown owner - C:\Program~1\Oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceIDEXDEMO - Oracle Corporation - c:\program~1\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe
--- LOG001 ENDS ---
Please help if you can.
Edited by dr1, 08 May 2005 - 01:30 AM.
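An added triage script (not part of the post, and not HijackThis's own code) that parses the R*/O* item lines of the log format shown above and flags the three things the poster reports: IE settings pointing at quicknavigate.com, the BHO registered under the all-F CLSID (also loaded from a .tmp file), and services whose binary is missing. The sample lines are copied from the log above; the domain and CLSID values come from the post.

```python
import re

# Constructed sample: a handful of lines taken from the HijackThis log in the post above
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpD41A.tmp
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~2\Grisoft\AVG6\avgserv.exe
O23 - Service: iDEXDemoApache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
"""

# HijackThis item lines look like "R1 - <body>" or "O23 - <body>"; other lines are ignored
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
ALL_F_CLSID = "{ffffffff-ffff-ffff-ffff-ffffffffffff}"  # the CLSID named in the post (lower-cased)


def parse_hjt(text):
    """Return (section, body) tuples for every R*/O* item line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries, hijack_domain="quicknavigate.com"):
    """Flag the patterns the poster describes; returns (section, reason, body) tuples."""
    findings = []
    for sec, body in entries:
        low = body.lower()
        if sec in ("R0", "R1") and hijack_domain in low:
            findings.append((sec, "IE setting points at " + hijack_domain, body))
        if sec == "O2" and ALL_F_CLSID in low:
            findings.append((sec, "BHO registered under the all-F CLSID the post reports", body))
        if sec == "O2" and low.endswith(".tmp"):
            findings.append((sec, "BHO loaded from a .tmp file in System32", body))
        if sec == "O23" and "(file missing)" in low:
            # Usually a stale service left by uninstalled software; review it, do not auto-fix
            findings.append((sec, "service whose binary is missing", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sec}] {reason}: {body}")
```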