View Full Version : I have Smitfraud, HELP!
I have smitfraud, below is my HJT file. Please help.
Logfile of HijackThis v1.99.1
Scan saved at 8:13:09 PM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ccs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\FreeSpace.exe
C:\WINDOWS\System32\FTPServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PCS-129\RedHanded.Net 2.4.0\pcln129.exe
C:\Program Files\PCS-772\Busted.Net 2.4.0\pcln772.exe
C:\Program Files\Computerized Medical Systems\Focal 4.0.2\FocalSim\FocalDICOMService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Cisco Aironet\adu.exe
C:\WINDOWS\system32\explorer32\WinsysMngr32.exe
C:\Program Files\PCS-772\Busted.Net 2.4.0\pcmn772.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\explorer32\explorer32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.1.3.200:80
O1 - Hosts: 192.192.1.13 pickerCT
O1 - Hosts: 192.192.1.3 WRWS0
O1 - Hosts: 192.192.1.1 lxmr
O1 - Hosts: 192.192.1.5 WRMC02
O1 - Hosts: 192.192.1.101 telearad
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\adu.exe" -nogui
O4 - HKLM\..\Run: [EPSON PictureMate Deluxe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P24 "EPSON PictureMate Deluxe" /O6 "USB003" /M "PictureMate Deluxe"
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\system32\Winload.exe
O4 - HKLM\..\Run: [WinLoad32] C:\WINDOWS\system32\Winload32.exe
O4 - HKLM\..\Run: [pcmn772.exe] C:\Program Files\PCS-772\Busted.Net 2.4.0\pcmn772.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [mmrk] C:\PROGRA~1\COMMON~1\mmrk\mmrkm.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FTPServer.lnk = C:\WINDOWS\system32\FTPServ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172933533685
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.wadleyrmc.com/tsweb/msrdp.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINDOWS\System32\ccs.exe
O23 - Service: Focal DICOM Server - CMS - C:\Program Files\Computerized Medical Systems\Focal 4.0.2\FocalSim\FocalDICOMService.exe
O23 - Service: FreeSpace - Unknown owner - C:\WINDOWS\System32\\FreeSpace.exe
O23 - Service: FTPServ - Unknown owner - C:\WINDOWS\System32\\FTPServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MGS - Unknown owner - C:\WINDOWS\system32\TCAL2.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: RdLst129 - Unknown owner - C:\Program Files\PCS-129\RedHanded.Net 2.4.0\pcln129.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SnLt772 - Unknown owner - C:\Program Files\PCS-772\Busted.Net 2.4.0\pcln772.exe
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please note that I am training, this means that any reply I give to you has to be checked first by an expert.
I apologize for any delay this might cause.
Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those three things, everything should go smoothly :D
I am looking at your log and will get back to you ASAP :)
Hi nbfan,
Are you the only user of this PC ? or are there profiles for other members of the family/friends ?
Have you installed any monitoring programs ?
SmitFraud Look
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)
Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Download and Run ComboFix
Download Combofix from one of the two links below :
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Then double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Installed Programs
Please could you give me a list of the programs that are installed. This will help me create a fix for you.
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
SmitFraud Log
ComboFix Log
Installed Programs List
K'
Several people use this laptop, I do not think everyone has a profile though. There was tracking software installed at one time but I think it has been removed.
SmitFraudFix v2.212
Scan done at 22:01:15.84, Tue 08/14/2007
Run from C:\Documents and Settings\Troy Richards\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ccs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\FreeSpace.exe
C:\WINDOWS\System32\FTPServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PCS-129\RedHanded.Net 2.4.0\pcln129.exe
C:\Program Files\PCS-772\Busted.Net 2.4.0\pcln772.exe
C:\Program Files\Computerized Medical Systems\Focal 4.0.2\FocalSim\FocalDICOMService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Cisco Aironet\adu.exe
C:\Program Files\PCS-772\Busted.Net 2.4.0\pcmn772.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\explorer32\WinsysMngr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\explorer32\explorer32.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Troy Richards
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Troy Richards\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TROYRI~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Cisco Aironet 802.11a/b/g Wireless Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.254.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6342470F-CB10-46BD-8F12-C19F39FF389B}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6342470F-CB10-46BD-8F12-C19F39FF389B}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6342470F-CB10-46BD-8F12-C19F39FF389B}: DhcpNameServer=192.168.254.254
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
ComboFix 07-08-14.4 - "Troy Richards" 2007-08-14 21:33:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.121 [GMT -5:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\TROYRI~1\APPLIC~1.\curity~1
C:\Program Files\Common Files\{1C04F~1
C:\Program Files\Common Files\{1C04F~2
C:\Program Files\Common Files\{3C04F~1
C:\Program Files\Common Files\appatc~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\sks~2
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\crosof~1
C:\Program Files\fnts~1
C:\Program Files\icroso~1
C:\Program Files\ipwindows
C:\Program Files\ystem3~1
C:\temp\tn3
C:\WINDOWS\crosof~1.net
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\stem~1
C:\WINDOWS\system32\unsvchosts.lzma
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core
((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))
2007-08-14 21:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 21:26 2,892 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-14 21:25 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-14 21:25 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-14 21:25 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-14 18:59 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-06 22:54 <DIR> d-------- C:\DOCUME~1\TROYRI~1\APPLIC~1\Google
2007-08-06 21:26 <DIR> d-------- C:\Program Files\Google
2007-08-06 21:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Google
2007-08-04 22:57 <DIR> d-------- C:\My Games
2007-08-04 22:57 <DIR> d-------- C:\My Download Files
2007-08-04 22:49 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-07-14 22:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\America Online
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-13 17:42 --------- d-------- C:\DOCUME~1\TROYRI~1\APPLIC~1\WeatherBug
2007-08-10 13:29 --------- d-------- C:\Program Files\wmconnectb
2007-08-09 00:25 --------- d-------- C:\DOCUME~1\TROYRI~1\APPLIC~1\LimeWire
2007-08-04 22:49 --------- d-------- C:\Program Files\Real
2007-07-19 01:59 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 18:31 765952 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-06 21:03 --------- d-------- C:\Program Files\MyWebSearchWB
2007-07-06 21:02 --------- d-------- C:\Program Files\AWS
2007-06-30 17:20 --------- d-------- C:\DOCUME~1\TROYRI~1\APPLIC~1\AdobeUM
2007-06-27 09:34 823808 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 09:34 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 09:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 09:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 09:34 477696 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 09:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 09:34 44544 -----c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 09:34 384512 -----c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 09:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 09:34 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 09:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 09:34 232960 -----c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 09:34 230400 -----c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 09:34 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 09:34 153088 -----c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 09:34 132608 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 09:34 124928 -----c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 09:34 1152000 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 09:34 105984 -----c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 09:34 102400 -----c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 03:27 63488 -----c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 03:27 625152 -----c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 03:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 02:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-05-17 06:28 549376 --a------ C:\WINDOWS\system32\oleaut32.dll
2007-05-17 06:28 549376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-16 10:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-05-31 09:14 108056 --a------ C:\Program Files\Common Files\secman.dll
2006-03-11 19:09 626176 --a------ C:\Program Files\Common Files\osmax.ocx
2002-08-08 03:36 271 ---hs---- C:\Program Files\DESKTOP.INI
2002-08-08 03:36 21952 --ah----- C:\Program Files\FOLDER.HTT
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2001-11-08 19:50 C:\WINDOWS\system32\pctspk.exe]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"ADU"="C:\Program Files\Cisco Aironet\adu.exe" [2004-09-08 09:45]
"EPSON PictureMate Deluxe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.exe" [2004-10-17 04:00]
"WinLoad"="C:\WINDOWS\system32\Winload.exe" [2005-10-30 20:38]
"WinLoad32"="C:\WINDOWS\system32\Winload32.exe" [2005-10-30 20:38]
"pcmn772.exe"="C:\Program Files\PCS-772\Busted.Net 2.4.0\pcmn772.exe" [2007-03-03 19:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-24 20:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-14 22:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-06 17:56]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-12-26 09:37]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mmrk"="C:\PROGRA~1\COMMON~1\mmrk\mmrkm.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 15:02]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 22:46]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
FTPServer.lnk - C:\WINDOWS\system32\FTPServ.exe [2003-02-18 14:15:25]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Netscape Connect Tray Icon(2).lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Netscape Connect Tray Icon(2).lnk
backup=C:\WINDOWS\pss\Netscape Connect Tray Icon(2).lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Netscape Connect Tray Icon.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Netscape Connect Tray Icon.lnk
backup=C:\WINDOWS\pss\Netscape Connect Tray Icon.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
C:\Program Files\Ipwindows\ipwins.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
R2 CSCO21P;Cisco Protocol (IEEE 802.1x) v2.3.1.8;C:\WINDOWS\system32\DRIVERS\csco21p.sys
R2 Focal DICOM Server;Focal DICOM Server;"C:\Program Files\Computerized Medical Systems\Focal 4.0.2\FocalSim\FocalDICOMService.exe"
R2 FreeSpace;FreeSpace;C:\WINDOWS\System32\\FreeSpace.exe
R2 FTPServ;FTPServ;C:\WINDOWS\System32\\FTPServ.exe
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\system32\PackethSvc.exe
R2 RdLst129;RdLst129;"C:\Program Files\PCS-129\RedHanded.Net 2.4.0\pcln129.exe"
R2 SnLt772;SnLt772;"C:\Program Files\PCS-772\Busted.Net 2.4.0\pcln772.exe"
R3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\csco21.sys
R3 irsir;Microsoft Serial Infrared Driver;C:\WINDOWS\system32\DRIVERS\irsir.sys
R3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S2 MGS;MGS;C:\WINDOWS\system32\TCAL2.exe
S3 PSSdk23;PSSdk23;\??\C:\WINDOWS\system32\Drivers\PsSdk23.drv
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]
C:\WINDOWS\Winload32.exe
Contents of the 'Scheduled Tasks' folder
2005-08-01 05:36:12 C:\WINDOWS\Tasks\Disk Cleanup.job - C:\WINDOWS\system32\cleanmgr.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 21:45:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-14 21:49:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-14 21:49
--- E O F ---
Uninstall file to follow
Thanks
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
AVG 7.5
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
Baseball Memories Evaluation Version 3.5
Cisco Aironet Installation Program
Command & Conquer Tiberian Sun
Dell Photo Printer 720
Dell Photo Printer 720 Logger
EPSON CardMonitor
EPSON PhotoStarter3.0
EPSON PictureMate Deluxe User's Guide
EPSON Printer Software
Film Factory
FinePixViewer Ver.4.2
Focal 4.0.2
FUJIFILM USB Driver
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
ImageMixer VCD2 for FinePix
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
LimeWire 4.12.11
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard
MicroStaff WINASPI
Netscape Connect
NVIDIA Windows 2000/XP Display Drivers
PCTEL 2304WT V.92 MDC Modem Drivers
QuickTime
RAW FILE CONVERTER LE
RealArcade
RealPlayer Basic
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Spybot - Search & Destroy 1.4
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
WeatherBug
WeatherBug Browser Bar - powered by MyWebSearch
WebCyberCoach 3.2 Dell
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinPcap 4.0
Hi nbfan,
You are running a P2P filesharing program. LimeWire 4.12.11
Many of these programs come with unwanted components bundled with them.
If you wish to find out whether the one you're using does click here (http://p2p.malwareremoval.com/).
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
My recommendation is you uninstall it.
Please note: you must NOT use this whilst we are cleaning your machine.
WeatherBug is a system tray icon that offers weather information and includes built-in ads. WeatherBug is controlled by AWS Convergence Technologies (weatherbugmedia.com). There is some controversy over whether WeatherBug should be targeted by anti-parasite software. AWS strongly deny their software is ‘spyware’, and by the definition used here, it is not, as it does not leak information back to its controlling servers. However, WeatherBug has in the past been silently installed by the FavoriteMan parasite and Freeze.com screensavers, and more recently has been bundled by software such as AIM and Blubster. This makes it ‘unsolicited’, and since it is installed to raise money for its creators through the built-in ads it is certainly ‘commercial’. So it does meet the definition for ‘parasite’: unsolicited commercial software. It is nonetheless listed as a borderline case because it is not overtly harmful and many people do install it deliberately. WeatherBug bundles the MySearch parasite in its standalone distribution and has in the past, installed Gator and SVAPlayer.
I recommend that you uninstall WeatherBugand choose one of these alternatives:
Weather Pulse (http://tropicdesigns.net/weatherpulse.php)
Weather Watcher (http://www.singerscreations.com/)
or
Get mozilla Firefox (http://www.mozilla.com/) and then get FORECASTFOX!!! (https://addons.mozilla.org/firefox/398/)
or check the weather at these websites:
Weather Street: US Weather (www.weatherstreet.com)
Intellicast (http://www.intellicast.com/IcastPage/LoadPage.aspx)
To uninstall WeatherBug:
Remove Programs
Click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
WeatherBug
WeatherBug Browser Bar - powered by MyWebSearch
MyWebSearchWB
Now close the Control Panel.
Show All Files And Folders
Now you need to show all files and folders
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti
Please visit Jotti (http://virusscan.jotti.org/)
Click on Browse... and navigate to the following file: C:\PROGRAM FILES\Common Files\mmrk\mmrkm.exe
Click Open
Please post back, to let me know the results.
Please do the same for the following file
C:\WINDOWS\system32\TCAL2.exe
If Jotti is too busy please try Virustotal (http://www.virustotal.com/en/indexf.html)
Please can you post a HJT log from all the accounts on the machine, ie. log on to each accoount and run HJT to create a log
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Jotti/Virus Total results
A fresh HJT log from each account
K'
I do not have a mmrkm.exe file. All files in this folder have a .lck extension none have an .exe
I do not have the C:\WINDOWS\system32\TCAL2.exe
file.
Do you have any Idea what the mmrk folder is related to ?
No, I do not know what it is related too.
Ok, if you can post the HJT logs from any other accounts please.
K'
Here is the HJT log file. I can not find any other acounts except the Administrator and I can not access it.
Logfile of HijackThis v1.99.1
Scan saved at 2:18:03 PM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ccs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\FreeSpace.exe
C:\WINDOWS\System32\FTPServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PCS-129\RedHanded.Net 2.4.0\pcln129.exe
C:\Program Files\PCS-772\Busted.Net 2.4.0\pcln772.exe
C:\Program Files\Computerized Medical Systems\Focal 4.0.2\FocalSim\FocalDICOMService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Cisco Aironet\adu.exe
C:\Program Files\PCS-772\Busted.Net 2.4.0\pcmn772.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\explorer32\WinsysMngr32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\explorer32\explorer32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.1.3.200:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\adu.exe" -nogui
O4 - HKLM\..\Run: [EPSON PictureMate Deluxe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P24 "EPSON PictureMate Deluxe" /O6 "USB003" /M "PictureMate Deluxe"
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\system32\Winload.exe
O4 - HKLM\..\Run: [WinLoad32] C:\WINDOWS\system32\Winload32.exe
O4 - HKLM\..\Run: [pcmn772.exe] C:\Program Files\PCS-772\Busted.Net 2.4.0\pcmn772.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [mmrk] C:\PROGRA~1\COMMON~1\mmrk\mmrkm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FTPServer.lnk = C:\WINDOWS\system32\FTPServ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172933533685
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.wadleyrmc.com/tsweb/msrdp.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINDOWS\System32\ccs.exe
O23 - Service: Focal DICOM Server - CMS - C:\Program Files\Computerized Medical Systems\Focal 4.0.2\FocalSim\FocalDICOMService.exe
O23 - Service: FreeSpace - Unknown owner - C:\WINDOWS\System32\\FreeSpace.exe
O23 - Service: FTPServ - Unknown owner - C:\WINDOWS\System32\\FTPServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MGS - Unknown owner - C:\WINDOWS\system32\TCAL2.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: RdLst129 - Unknown owner - C:\Program Files\PCS-129\RedHanded.Net 2.4.0\pcln129.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SnLt772 - Unknown owner - C:\Program Files\PCS-772\Busted.Net 2.4.0\pcln772.exe
Hi nbfan,
I am afraid that I will need access to all the accounts, before I can say that you are free of malware.
Please speak to your System Administrator or I.T. Consultant and ask them to contact me here.
I have went to User Profiles and the only profile is mine, so the HJT log file that I sent earlier is the only one.
I can not find any other acounts except the Administrator and I can not access it.
Hi Nbfan,
If there is an Administrator account that you can't access, then someone else has access to it.
I need to speak to the person who has this access.
The answers that you have already given, lead me to believe that this is not your personal computer.
Your log shows programs that are linked to medical research,
so I can only assume that you are either a student or an employee of a company.
Spybot Forum Rules (http://forums.spybot.info/showpost.php?p=25712&postcount=5)
Note:
When the infected computer in question is a company machine in the workplace, and you are an employee.
Your organization must give their permission for assistance to be received in the removal of malware. The intention of this forum is not to replace a company's IT department.
More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.
Please inform your IT department or Supervisor when a workplace computer has been infected, immediately.
Thank you for your understanding.
The same applies to Educational/Research organizations.
K'
It is a personal computer, the medical software that is on this machine is for my job. I am the Director of Radiology and Cancer Treatment Center at a hospital. The laptop was purchased from a physician in my department. It is not connected to the hospitals network in any fashion, only my home network, so I am the IT department. I use this laptop to do some of my work (via the internet) from home. I am sorry about the confusion.
Hi nbfan,
I can not find any other acounts except the Administrator and I can not access it.
The laptop was purchased from a physician in my department.
I think you need to speak to the Physician in your department and ask for the Admin password.
If for any reason you can not speak to the Physician, or they do not know the Admin password,
then I recommend that you Reformat and Reinstall.
Please see this link for more information on reformatting --- Reformatting Windows XP (http://spyware-free.us/tutorials/reformat/)
You have monitor/tracking software installed on your computer.
If you installed this yourself then you can either uninstall it or seek advice from the company which made the program.
If you are in an office or educational environment then the system administrator has installed this software and you should not be tampering with it.
If you are a child then it is likely that your parents have installed it to prevent you from accessing unsuitable sites.
In either of these situations I would be negligent if I aided you in altering this restriction in any way.
If you are a home user who has every right to do as you please then I am sorry,
I can not help you because I would be unable to verify that you did not fall into either of the above categories.
I can only suggest that you contact the person or store that you purchased your computer from and ask them for removal instructions for the relevant program/s.
Security Note: It is possible that the previous owner has access to what you do on this machine.
If you have used the computer for any sort of banking or financial transactions then I recommend that you contact the Bank/Business involved and change any passwords.
Sorry for the confusion. I installed the spyware and have removed it. I am no longer getting the pop ups or smitfraud on my spybot scan.
Just to set the record straight it is my computer, I am not a child I was born in 1967. I have worked in the same department at the same hospital for the last ten years and I can easily prove this if needed.
I understand that you probably get all kinds of bogus request but this is not one of them.
Thanks for the help.
Thank you for understanding the position we are in :)
I understand that you probably get all kinds of bogus request
You would not believe some of the requests we get :laugh:
If you would like to post the Spybot scan and a new HJT, I will look over them for you.
If you have removed all the tracking software then I can clean up anything else.
Once again I am sorry for this inconvenience, but we do have a certain amount of responsibility for what we do.
Here is the HJT log file, I will send the Spybot Scan file when it gets finished scanning.
Logfile of HijackThis v1.99.1
Scan saved at 7:34:50 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ccs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Cisco Aironet\adu.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\explorer32\WinsysMngr32.exe
C:\WINDOWS\system32\explorer32\explorer32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.1.3.200:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\adu.exe" -nogui
O4 - HKLM\..\Run: [EPSON PictureMate Deluxe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P24 "EPSON PictureMate Deluxe" /O6 "USB003" /M "PictureMate Deluxe"
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\system32\Winload.exe
O4 - HKLM\..\Run: [WinLoad32] C:\WINDOWS\system32\Winload32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172933533685
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.wadleyrmc.com/tsweb/msrdp.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINDOWS\System32\ccs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MGS - Unknown owner - C:\WINDOWS\system32\TCAL2.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
I ran spybot and it did not find anything. The log file is too large to send. 392kb.
Hi nbfan,
Your HJT log is free of any unsolicited spyware,
The monitoring program problem still remains.
I know you have assured me that you are well within your rights to have this removed, but unfortunately there is no way that I can verify this.
You have two options.
1) Reformat and Reinstall
2) Take your Laptop to a reputable shop and have them look at it.
I am very sorry if my lack of help offends you, but this is the way it has to be.
As helpers on AntiMalware forums we have to be carefull about what we do,
not only to make sure your computer is safe but also to make sure that the user is.
This is why the forums have guidelines and rules.
And under the rules of the forum I can not help you any further.
To tidy up please delete the following:-
SmitfraudFix.exe.
ComboFix.exe
C:\ComboFix-quarantined-files.txt
C:\ComboFix.txt
C:\rapport.txt
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please checkHide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK
For future reference PLEASE read these articles
So How Did I Get Infected In The First Place (http://forums.spybot.info/showthread.php?t=279)
How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
Antivirus and Antispyware programs are a must, there is no point having them if you do not use them on a regular basis.
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
K'
Thanks for all the help that you were able to provide. I did uninstall the last spyware program, I had forgot about that one TCAL.EXE (To catch a liar). I understand rules are rules and don't expect you to break them.
Thanks again for your help, at least I don't have pop ups every minute or two.
Have a great weekend, NBFAN (New Boston Fan.... New Boston, Texas)