Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs
#1
to stop spyware and malware popups: Moved from WinNT by Murray
[virusprotectionproonline]
Last edited by Jintan; August 14th, 2007 at 11:12 PM. Reason: Active infection link removed by Moderator
#2
Howdy padmee,
Welcome to CTH. Let's start with seeing what all is loaded there.

Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.

Also go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. You can use separate posts here if needed.
#3
Re: to stop spyware and malware popups
Hi Tom
Thanks for your reply, I'm sending you the results of the scans:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Window Washer" = "C:\Program Files\Webroot\Washer\wwDisp.exe" ["Webroot Software"]
"RoboForm" = ""C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"" ["Siber Systems"]
"Free Download Manager" = "C:\Program Files\Free Download Manager\fdm.exe -autorun" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"(Default)" = "(empty string)" [file not found]
"ippop" = ""C:\Program Files\Stop My Popups\IP\StopIPPopups.exe"" [file not found]
"spywarefighterguard" = "C:\Program Files\SPYWAREfighter\spftray.exe" ["SPAMfighter"]
"SpyHunter" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
  \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
  \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{47C54F02-1B28-45F1-AE46-B5CDFB6E7926}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "MSVPS System"
  \InProcServer32\(Default) = "C:\WINNT\duocore.dll" [empty string]
{724d43a9-0d85-11d4-9908-00400523e39a}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
  \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
  \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FDMIECookiesBHO Class"
  \InProcServer32\(Default) = "C:\Program Files\Free Download Manager\iefdmcks.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
  \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
  \InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:55:04 PM, on 8/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wwSecure.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\SPYWAREfighter\spftray.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\SPYWAREfighter\spfprc.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.starhub.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.116.1.78:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINNT\duocore.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ippop] "C:\Program Files\Stop My Popups\IP\StopIPPopups.exe"
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\SPYWAREfighter\spftray.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1186318120200
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186318078950
O16 - DPF: {E596DF5F-4239-4D40-8367-EBADF0165917} - http://privacyprotector.com/.freewar...yprotector.cab
O20 - AppInit_DLLs: C:\WINNT\system32\hrum348.txt
O21 - SSODL: wmpenv - {1DE57E53-A312-4460-B93E-13C5C476656C} - C:\WINNT\wmpenv.dll
O21 - SSODL: wmpconf - {7154D775-8849-4BE8-920C-6260881FAC25} - C:\WINNT\wmpconf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SPYWAREfighterRP - SpamFighter APS - C:\Program Files\SPYWAREfighter\spfprc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\system32\wwSecure.exe

I hope it will solve my problems, bye.
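A first-pass triage of the HijackThis log above, as an added example that is not part of the original thread and not HijackThis's own logic. The rules and the `TRUSTED_DPF_SUFFIXES` allowlist are assumptions chosen for illustration, and a hit means "look closer", not "malicious"; the sample lines are copied from the log above with the forum's line-wrap spaces removed.

```python
import ntpath  # Windows path rules, usable on any OS
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.116.1.78:8080
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINNT\duocore.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1186318120200
O16 - DPF: {E596DF5F-4239-4D40-8367-EBADF0165917} - http://privacyprotector.com/.freewar...yprotector.cab
O20 - AppInit_DLLs: C:\WINNT\system32\hrum348.txt
O21 - SSODL: wmpenv - {1DE57E53-A312-4460-B93E-13C5C476656C} - C:\WINNT\wmpenv.dll
O21 - SSODL: wmpconf - {7154D775-8849-4BE8-920C-6260881FAC25} - C:\WINNT\wmpconf.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # "O2 - ...", "R1 - ..."
WINDOWS_ROOTS = {r"c:\winnt", r"c:\windows"}
TRUSTED_DPF_SUFFIXES = ("microsoft.com",)        # assumption: local allowlist


def in_windows_root(path):
    """True when the file sits directly in the Windows folder, not a subfolder."""
    return ntpath.dirname(path).lower() in WINDOWS_ROOTS


def check(code, body):
    """Return (reason, target) when an entry deserves a closer look, else None."""
    target = body.rsplit(" - ", 1)[-1].strip()
    if code in ("O2", "O21") and in_windows_root(target):
        return ("browser/shell extension DLL loaded from the Windows root folder", target)
    if code == "O20":
        # AppInit_DLLs is loaded into every process that loads user32.dll.
        value = body.split(":", 1)[1].strip()
        reason = "AppInit_DLLs is set"
        if ntpath.splitext(value)[1].lower() != ".dll":
            reason += " and the file is not a .dll"
        return (reason, value)
    if code == "O16":
        host = urlparse(target).hostname or ""
        trusted = any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)
        if not trusted:
            return ("ActiveX control installed from " + host, target)
    if code in ("R0", "R1") and ",ProxyServer" in body:
        value = body.split("=", 1)[1].strip()
        return ("Internet Explorer proxy is set; confirm the user or ISP configured it", value)
    return None


def triage(log_text):
    """Return a list of (section code, reason, target) for entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # header lines and the running-process list
        hit = check(match.group(1), match.group(2))
        if hit:
            findings.append((match.group(1),) + hit)
    return findings


if __name__ == "__main__":
    for code, reason, target in triage(SAMPLE_LOG):
        print(f"{code:4} {target}\n     {reason}")
```

Three of the flagged files (`duocore.dll`, `wmpenv.dll`, `wmpconf.dll`) are listed under "Other Deletions" in the ComboFix log posted later in this thread.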
#4
I haven't any information on SPYWAREfighter - it is a new one to me. But SpyHunter has had past problems (see here) and recently problems like that seem to be showing up once again. A lot. As in too much and too often. If you should decide to remove that you can do so through Add/Remove Programs. Either way be sure both are disabled to keep them from interfering with repairs here.

Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

After that completes Download SDFix.exe and save it to your desktop.

===================================================

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

In Safe Mode, click the SDFix.exe and allow it to extract to its own folder. Open the extracted folder and double click RunThis.bat to start the script. Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons. Then open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back here along with the combofix.txt log and a new HijackThis log please.
#5
Hi Tom
All the popups are related to ultimate defenders and cleaners. By doing the scanning will it stop the popup ads?
#6
When we complete these repair steps you should not have any more popups, or infection on your system.
#7
ComboFix 07-08-16.3 - "PCuser" 08/16/2007 19:01:52.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.22 [GMT 8:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\PCuser\Desktop.\Spyware&Malware Protection.url
C:\DOCUME~1\PCuser\Desktop\Error Cleaner.url
C:\DOCUME~1\PCuser\Desktop\Privacy Protector.url
C:\DOCUME~1\PCuser\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\PCuser\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\PCuser\FAVORI~1.\Spyware&Malware Protection.url
C:\WINNT\dat.txt
C:\WINNT\duocore.dll
C:\WINNT\privacy_danger
C:\WINNT\privacy_danger\images\capt.gif
C:\WINNT\privacy_danger\images\danger.jpg
C:\WINNT\privacy_danger\images\down.gif
C:\WINNT\privacy_danger\images\spacer.gif
C:\WINNT\privacy_danger\index.htm
C:\WINNT\system32\WinAvXX.exe
C:\WINNT\wmpconf.dll
C:\WINNT\wmpenv.dll

((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))

2007-08-16 19:00 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-15 23:22 <DIR> d--h----- C:\WINNT\PIF
2007-08-15 12:16 208,896 --a------ C:\WINNT\system32\wmpns.dll
2007-08-15 00:56 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-14 12:14 <DIR> d-------- C:\DOCUME~1\PCuser\APPLIC~1\Lavasoft
2007-08-14 12:04 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-13 20:08 <DIR> d-------- C:\Program Files\Common Files\Application
2007-08-13 20:07 <DIR> d-------- C:\Program Files\SPYWAREfighter
2007-08-13 15:51 22,016 --------- C:\WINNT\system32\borlndmm.dll
2007-08-13 15:51 1,497,088 --------- C:\WINNT\system32\cc3260mt.dll
2007-08-13 15:51 <DIR> d-------- C:\Program Files\R4U Soft
2007-08-13 15:40 <DIR> d-------- C:\Program Files\PCPitstop
2007-08-13 15:29 <DIR> d-------- C:\Program Files\PopUpCop
2007-08-13 15:29 <DIR> d-------- C:\DOCUME~1\PCuser\APPLIC~1\PopupCop
2007-08-13 10:21 74,752 --a------ C:\WINNT\invoice.exe
2007-08-13 00:21 37,376 --a------ C:\WINNT\system32\vtr348.dll
2007-08-12 13:00 <DIR> d-------- C:\DOCUME~1\PCuser\APPLIC~1\AdobeUM
2007-08-10 20:44 <DIR> d-a------ C:\WINNT\system32\appmgmt
2007-08-10 17:50 1,632 --a------ C:\WINNT\system32\d3d8caps.dat
2007-08-10 00:45 734,208 --a------ C:\WINNT\system32\qedwipes.dll
2007-08-10 00:45 6,400 --a------ C:\WINNT\system32\drivers\mskssrv.sys
2007-08-10 00:45 515,584 --a------ C:\WINNT\system32\qedit.dll
2007-08-10 00:45 41,792 --a------ C:\WINNT\system32\drivers\stream.sys
2007-08-10 00:45 4,896 --a------ C:\WINNT\system32\drivers\mstee.sys
2007-08-10 00:45 4,800 --a------ C:\WINNT\system32\drivers\mspclock.sys
2007-08-10 00:45 346,624 --a------ C:\WINNT\system32\qdvd.dll
2007-08-10 00:45 3,456 --a------ C:\WINNT\system32\drivers\swenum.sys
2007-08-10 00:45 29,184 --a------ C:\WINNT\system32\pid.dll
2007-08-10 00:45 244,224 --a------ C:\WINNT\system32\mswebdvd.dll
2007-08-10 00:45 229,888 --a------ C:\WINNT\system32\qdv.dll
2007-08-10 00:45 167,424 --a------ C:\WINNT\system32\qcap.dll
2007-08-10 00:45 11,264 --a------ C:\WINNT\system32\msdmo.dll
2007-08-10 00:45 1,704,960 --a------ C:\WINNT\system32\quartz.dll
2007-08-10 00:45 <DIR> d-------- C:\WINNT\system32\DirectX
2007-08-10 00:44 98,816 --a------ C:\WINNT\system32\dpnmodem.dll
2007-08-10 00:44 93,696 --a------ C:\WINNT\system32\dmusic.dll
2007-08-10 00:44 90,112 --a------ C:\WINNT\system32\d3dref.dll
2007-08-10 00:44 89,600 --a------ C:\WINNT\system32\dpnlobby.dll
2007-08-10 00:44 785,408 --a------ C:\WINNT\system32\d3dim700.dll
2007-08-10 00:44 78,848 --a------ C:\WINNT\system32\dmscript.dll
2007-08-10 00:44 77,824 --a------ C:\WINNT\system32\dpvacm.dll
2007-08-10 00:44 77,824 --a------ C:\WINNT\system32\dpnaddr.dll
2007-08-10 00:44 7,680 --a------ C:\WINNT\system32\d3d8thk.dll
2007-08-10 00:44 66,560 --a------ C:\WINNT\system32\dsdmoprp.dll
2007-08-10 00:44 62,976 --a------ C:\WINNT\system32\amstream.dll
2007-08-10 00:44 601,088 --a------ C:\WINNT\system32\dx7vb.dll
2007-08-10 00:44 60,928 --a------ C:\WINNT\system32\dpnsvr.exe
2007-08-10 00:44 59,904 --a------ C:\WINNT\system32\dmcompos.dll
2007-08-10 00:44 59,392 --a------ C:\WINNT\system32\gcdef.dll
2007-08-10 00:44 50,688 --a------ C:\WINNT\system32\devenum.dll
2007-08-10 00:44 45,056 --a------ C:\WINNT\system32\dimap.dll
2007-08-10 00:44 4,096 --a------ C:\WINNT\system32\ksuser.dll
2007-08-10 00:44 36,864 --a------ C:\WINNT\system32\dplaysvr.exe
2007-08-10 00:44 330,752 --a------ C:\WINNT\system32\dsound.dll
2007-08-10 00:44 33,792 --a------ C:\WINNT\system32\mciqtz32.dll
2007-08-10 00:44 31,232 --a------ C:\WINNT\system32\dmloader.dll
2007-08-10 00:44 306,176 --a------ C:\WINNT\system32\diactfrm.dll
2007-08-10 00:44 271,872 --a------ C:\WINNT\system32\dpvoice.dll
2007-08-10 00:44 26,112 --a------ C:\WINNT\system32\dmband.dll
2007-08-10 00:44 256,000 --a------ C:\WINNT\system32\ddraw.dll
2007-08-10 00:44 225,792 --a------ C:\WINNT\system32\dpnet.dll
2007-08-10 00:44 21,504 --a------ C:\WINNT\system32\dpmodemx.dll
2007-08-10 00:44 181,760 --a------ C:\WINNT\system32\d3dref8.dll
2007-08-10 00:44 176,128 --a------ C:\WINNT\system32\dsdmo.dll
2007-08-10 00:44 175,616 --a------ C:\WINNT\system32\dpvvox.dll
2007-08-10 00:44 169,472 --a------ C:\WINNT\system32\dmime.dll
2007-08-10 00:44 162,816 --a------ C:\WINNT\system32\dinput8.dll
2007-08-10 00:44 15,872 --a------ C:\WINNT\system32\dswave.dll
2007-08-10 00:44 143,872 --a------ C:\WINNT\system32\dinput.dll
2007-08-10 00:44 130,560 --a------ C:\WINNT\system32\dmsynth.dll
2007-08-10 00:44 121,344 --a------ C:\WINNT\system32\drivers\ks.sys
2007-08-10 00:44 116,224 --a------ C:\WINNT\system32\dpvsetup.exe
2007-08-10 00:44 111,616 --a------ C:\WINNT\system32\dpnwsock.dll
2007-08-10 00:44 110,592 --a------ C:\WINNT\system32\dmstyle.dll
2007-08-10 00:44 1,769,472 --a------ C:\WINNT\system32\dxdiag.exe
2007-08-10 00:44 1,294,336 --a------ C:\WINNT\system32\dsound3d.dll
2007-08-10 00:44 1,069,056 --a------ C:\WINNT\system32\dx8vb.dll
2007-08-10 00:44 1,036,288 --a------ C:\WINNT\system32\d3d8.dll
2007-08-10 00:44 <DIR> d-------- C:\Program Files\directx
2007-08-08 19:05 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-08 19:05 <DIR> d-------- C:\Program Files\Messenger
2007-08-07 22:45 <DIR> d-------- C:\WINNT\system32\cache632
2007-08-07 22:45 <DIR> d-------- C:\WINNT\system32\AdCache
2007-08-07 20:41 <DIR> d-------- C:\Program Files\NetAnts
2007-08-07 20:37 <DIR> d-------- C:\Downloads
2007-08-07 20:32 <DIR> d-------- C:\Program Files\Free Download Manager
2007-08-07 20:32 <DIR> d-------- C:\DOCUME~1\PCuser\APPLIC~1\Free Download Manager
2007-08-07 00:41 <DIR> d-------- C:\DOCUME~1\PCuser\Saved Games
2007-08-07 00:39 <DIR> d-------- C:\DOCUME~1\PCuser\APPLIC~1\iWin
2007-08-06 23:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\RoboForm
2007-08-06 23:12 <DIR> d-------- C:\Program Files\Siber Systems
2007-08-06 20:33 58,368 --a------ C:\WINNT\Unwash6.exe
2007-08-06 20:33 486,400 --a------ C:\WINNT\system32\wwSecure.exe
2007-08-06 20:33 <DIR> d-------- C:\Program Files\Webroot
2007-08-06 20:33 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-08-06 20:33 <DIR> d-------- C:\DOCUME~1\PCuser\APPLIC~1\Webroot
2007-08-06 20:10 <DIR> d-------- C:\DOCUME~1\PCuser\APPLIC~1\Talkback
2007-08-06 19:00 8,976 --a------ C:\WINNT\system32\kbdjpn.dll
2007-08-06 19:00 7,440 --a------ C:\WINNT\system32\kbd106.dll
2007-08-06 10:03 <DIR> d-------- C:\FILES

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-13 15:57 --------- d-------- C:\DOCUME~1\PCuser\APPLIC~1\OpenOffice.org2
07-06-29 20:48 --------- d-------- C:\Program Files\Microsoft.NET
07-06-29 20:47 --------- d-------- C:\Program Files\Microsoft ActiveSync
07-06-26 17:57 235280 --a------ C:\WINNT\system32\GDI32.DLL
07-06-08 11:52 947096 --a------ C:\WINNT\system32\_ISource30.dll
07-06-07 14:50 1119232 --a------ C:\WINNT\system32\msxml3.dll
07-05-22 15:01 499712 --a------ C:\WINNT\system32\msvcp71.dll
07-05-22 15:01 348160 --a------ C:\WINNT\system32\msvcr71.dll
07-05-22 14:06 0 -rahs---- C:\MSDOS.SYS
07-05-22 14:06 0 -rahs---- C:\IO.SYS
07-05-22 14:06 0 ---h----- C:\CONFIG.SYS
07-05-22 14:06 0 ---h----- C:\AUTOEXEC.BAT
07-05-22 14:05 271 ---h----- C:\Program Files\desktop.ini
07-05-22 14:05 21952 ---h----- C:\Program Files\folder.htt
03-06-20 20:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ippop"="C:\Program Files\Stop My Popups\IP\StopIPPopups.exe" []
"spywarefighterguard"="C:\Program Files\SPYWAREfighter\spftray.exe" [07-06-08 11:52 ]
"Synchronization Manager"="mobsync.exe" [03-06-20 20:00 C:\WINNT\system32\mobsync.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [05-06-10 09:45 ]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [07-08-06 23:12 ]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [06-08-21 00:24 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINNT\privacy_danger\index.htm
FriendlyName= my current home page

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"PC Pitstop Optimize Scheduler"=C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
"PCPitstop Optimize Registration Reminder"=C:\Program Files\PCPitstop\Optimize\Reminder.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"spywarefighterguard"=C:\Program Files\SPYWAREfighter\spftray.exe
"Synchronization Manager"=mobsync.exe /logon
"<NO NAME>"=
"SpyHunter"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
S3 SpyFighter;SpyFighter Guard Device;\??\C:\Program Files\SPYWAREfighter\spyfighter.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 19:07:42
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************

Completion time: 2007-08-16 19:09:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-16 19:09

--- E O F ---

Norman Malware Cleaner
Copyright © 1990 - 2007, Norman ASA. Built 2007/07/27 01:04:54

Norman Scanner Engine Version: 5.91.02
Nvcbin.def Version: 5.90.00, Date: 2007/07/27 01:04:54, Variants: 1
Nvcmacro.def Version: 5.90.00, Date: 2007/07/27 01:04:54, Variants: 12

Running pre-scan cleanup routine:
Operating System: Microsoft Windows 2000 5.0.2195 Service Pack 4
Logged on user: CL\PCuser

Scan started: 17/08/2007 18:46:08

Scanning running processes and process memory...

Number of processes/threads found: 1320
Number of processes/threads scanned: 1320
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 53s

Scanning file system...

Scanning: C:\*.*

Running post-scan cleanup routine:
#8
Not sure where Norman came from there, though it didn't locate anything on a system that still has infection. I am getting the sense that this system has quite a bit of not-so-well-known anti-malware softwares and I am still not sure all that you have are true legit softwares. Please run the SDFix scan steps as posted and post back those results.

Also I would like to check one of the files showing there. Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Please locate the following highlighted file(s), zip a copy of it, and send it to jintan@cfl.rr.com as an attachment. Please place "Submitted Files - padmee" as the email Subject.

C:\WINNT\invoice.exe
#9
Hi
Now my keyboard is acting strangely, e.g. if I strike the a button it comes out as + sign. Can you assist me how to fix the problem, thanks.
#10
3 months ago your system remained infected, so not sure of the status at this time to give a guess on any issues there. Keyboard issues like you describe are not malware related problems typically. If you did something to remove the infection back then and have this problem now, you can post a request in the CTH Hardware forum for ideas. If you possibly never corrected the infection problem, you can post a new HijackThis log and we can start over here, so I'll leave that up to you to decide.