
Some Software can't access internet


  • This topic is locked
15 replies to this topic

#1 sundanceranch

  • Members
  • 8 posts

Posted 06 March 2010 - 05:30 PM

I have a program called Poker Calculator Pro that should be able to access the internet but can't. What it does is start to update, then goes to an error message that says "No connection could be made because the target machine actively refused it 127.0.0.1:5555". I had Norton IS 2010 and removed it using Norton Removal Tool. I made sure the program is listed in the Windows XP firewall but still can't get access. Many other programs (Thunderbird, Firefox) access the internet fine. I've contacted the software's support but they are useless.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Doug Johnson at 11:53:40.76 on Sat 03/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.561 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Holdem Genius\res\pd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Doug Johnson\My Documents\My Downloads\Defogger.exe
C:\Documents and Settings\Doug Johnson\My Documents\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.goodsearch.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - Adobe PDF Reader Link Helper
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: TwcToolbarBhoApp Class: {aa1f9ddb-e605-4ba6-81d4-e427dee012ad} - c:\windows\system32\TwcToolbarBho.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [AnVir Task Manager Pro] "c:\program files\anvir task manager pro\AnVir.exe" Minimized
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
dPolicies-explorer: DisallowRun = 0 (0x0)
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\doug johnson\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: intuit.com\ttlc
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117826741329
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: joburuvop - {1d58cb02-9516-4321-9944-f07e1813c025} - No File
STS: {aed6f6a3-183c-488d-9f90-23db99f56e7f} - No File
STS: {1d58cb02-9516-4321-9944-f07e1813c025} - No File
LSA: Notification Packages = scecli rujamika.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dougjo~1\applic~1\mozilla\firefox\profiles\ey9bnjzu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

S0 aqep;aqep; [x]
S0 bqqa;bqqa; [x]
S0 iwdmgj;iwdmgj; [x]
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S3 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]

=============== Created Last 30 ================

2010-03-06 18:52:44 0 ----a-w- c:\documents and settings\doug johnson\defogger_reenable
2010-03-06 18:07:29 0 d-----w- c:\windows\system32\NtmsData
2010-03-06 17:14:47 0 d-----w- c:\program files\Holdem Indicator
2010-03-06 16:27:07 0 d-----w- c:\program files\Holdem Genius
2010-03-06 16:19:45 148816 ----a-w- c:\windows\system32\unzip32.dll
2010-03-06 16:19:44 53248 ----a-w- c:\windows\system32\quick32.dll
2010-03-06 16:09:03 0 d-----w- c:\program files\Poker Wingman
2010-03-05 14:10:56 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-03 21:00:38 77824 ----a-w- c:\windows\system32\adistres.dll
2010-03-03 21:00:38 20588 ----a-w- c:\windows\system32\PdfPorts.dll
2010-03-03 20:51:57 0 d-----w- c:\windows\Profiles
2010-03-03 20:51:53 0 d-----w- c:\windows\system32\Adobe
2010-03-03 15:27:01 13492 ----a-w- c:\windows\system32\defprtr2.ppd
2010-02-25 23:40:52 0 d-----w- c:\program files\Symantec
2010-02-25 23:38:44 0 d-----w- c:\windows\system32\drivers\NIS
2010-02-25 22:22:12 0 d-----w- c:\program files\Trend Micro
2010-02-25 17:59:44 262144 ---h--w- c:\documents and settings\doug johnson\ntuser.dat.LOG1
2010-02-25 17:59:44 0 ---h--w- c:\documents and settings\doug johnson\ntuser.dat.LOG2
2010-02-25 16:28:30 98304 ----a-w- c:\windows\system32\TwcToolbarBho.dll
2010-02-25 16:28:30 331776 ----a-w- c:\windows\system32\TwcToolbarIe7.dll
2010-02-25 16:28:30 25600 ----a-w- c:\windows\system32\TwcToolInstDll.dll
2010-02-25 16:27:59 0 d-----w- c:\program files\The Weather Channel Toolbar
2010-02-07 18:42:57 0 d-----w- c:\program files\Black Isle

==================== Find3M ====================

2010-03-03 21:03:41 1901 ----a-w- c:\windows\panose.bin
2010-02-24 03:08:59 50416 ------w- c:\docume~1\dougjo~1\applic~1\GDIPFONTCACHEV1.DAT
2010-02-06 02:28:26 94208 ----a-w- c:\windows\DUMP64c4.tmp
2010-02-05 18:21:55 94208 ----a-w- c:\windows\DUMP632e.tmp
2010-01-07 23:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-30 17:48:23 78059 ----a-w- c:\windows\fonts\AdobeFnt.lst
2009-12-18 13:05:43 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2008-08-23 01:12:21 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 11:54:26.76 ===============


#2 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 March 2010 - 09:32 PM

Hi sundanceranch,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

We will take care of the connection problem, but there is a rootkit we need to remove also. Besides, we need to install an antivirus later on.
  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A window flashes; this is normal.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about untrusted download sites for ComboFix; click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

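The "actively refused it 127.0.0.1:5555" error in the first post and the `uInternet Settings,ProxyServer = http=127.0.0.1:5555` line in the DDS log are the same finding seen from two sides: the user's WinINET proxy had been pointed at a local port that nothing was listening on any more, so every proxied connection was refused. The batch file above removes that setting (`ProxyEnable`/`ProxyServer` under the current user's Internet Settings key) and `proxycfg -d` resets the separate WinHTTP proxy. The following triage script is an added example written for this page; it is not part of the thread, DDS or ComboFix. It parses DDS-style "Pseudo HJT Report" lines (the sample is an excerpt copied from the log posted above) and flags the indicators the helper acted on: a loopback proxy, an extra LSA notification package beyond the XP default `scecli`, boot-start services with no backing file, and shell/BHO entries marked "No File". The function and regex names are the example's own.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Excerpt of the DDS log posted in this thread (copied from the page).
SAMPLE_DDS = """\
uStart Page = hxxp://www.goodsearch.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\\windows\\system32\\Userinit.exe
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
SSODL: joburuvop - {1d58cb02-9516-4321-9944-f07e1813c025} - No File
LSA: Notification Packages = scecli rujamika.dll
S0 aqep;aqep; [x]
S0 bqqa;bqqa; [x]
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\\program files\\adobe\\photoshop elements 3.0\\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
"""

# Default content of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages on XP.
DEFAULT_LSA_PACKAGES = {"scecli"}

PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer = (.+)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (.+)$")
SERVICE_RE = re.compile(r"^(S[0-4]|R[0-4]) ([^;]+);([^;]*);(.*)$")  # DDS service/driver line
NOFILE_RE = re.compile(r"^(SSODL|STS|BHO|TB): (.*) - No File$")


@dataclass
class Finding:
    kind: str
    detail: str


def parse_proxy(value):
    """Split a WinINET ProxyServer value such as 'http=127.0.0.1:5555;https=...'
    into (scheme, host, port) tuples; a bare 'host:port' applies to all schemes."""
    out = []
    for part in value.split(";"):
        scheme, _, hostport = part.strip().rpartition("=")
        host, _, port = hostport.rpartition(":")
        out.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return out


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def _dll_base(name):
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def triage(report):
    """Return the findings a responder would want flagged from a DDS report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy(m.group(1)):
                if is_loopback(host):  # local proxy with no legitimate listener = refused connections
                    findings.append(Finding("loopback_proxy", f"{scheme} -> {host}:{port}"))
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in m.group(1).split():
                if _dll_base(pkg) not in DEFAULT_LSA_PACKAGES:
                    findings.append(Finding("lsa_extra_package", pkg))  # DLL loaded into LSASS at boot
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(4).strip() == "[x]":  # DDS marks a missing image file with [x]
            findings.append(Finding("service_no_file", m.group(2)))
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append(Finding("entry_no_file", f"{m.group(1)}: {m.group(2)}"))
    return findings


def wininet_proxy_reset_commands():
    """The exact commands the helper posted in this thread for the loopback-proxy finding."""
    key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    return [
        f'Reg delete "{key}" /v ProxyEnable /f',
        f'Reg delete "{key}" /v ProxyServer /f',
        "proxycfg -d",
    ]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:20s} {f.detail}")
```

Run against the excerpt it reports one loopback proxy (`http -> 127.0.0.1:5555`), the extra `rujamika.dll` notification package, the two fileless `S0` drivers and the `joburuvop` SSODL entry. A proxy pointing at a real corporate host produces no finding, which is why the check keys on the loopback address rather than on the presence of a proxy at all.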

#3 sundanceranch
  • Topic Starter

  • Members
  • 8 posts

Posted 06 March 2010 - 10:38 PM

Here is the log you requested.



ComboFix 10-03-06.03 - Doug Johnson 03/06/2010 20:09:22.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.467 [GMT -7:00]
Running from: c:\documents and settings\Doug Johnson\My Documents\My Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Doug Johnson\Application Data\QUAD Backups
c:\documents and settings\Doug Johnson\Application Data\QUAD Backups\01.01.2010,09-13-55\Automatic.reg
c:\documents and settings\Doug Johnson\Application Data\QUAD Backups\01.01.2010,09-17-00\Automatic.reg
c:\documents and settings\Doug Johnson\Application Data\QUAD Backups\04.09.2009,09-29-43\Automatic.reg
c:\documents and settings\Doug Johnson\Application Data\QUAD Backups\09.11.2009,18-58-57\Automatic.reg
c:\documents and settings\Doug Johnson\Application Data\QUAD Backups\10.01.2009,06-47-42\Automatic.reg
c:\documents and settings\Doug Johnson\Application Data\QUAD Backups\11.01.2009,06-58-12\Automatic.reg
c:\documents and settings\Doug Johnson\Application Data\QUAD Backups\12.01.2009,06-18-48\Automatic.reg
c:\documents and settings\Doug Johnson\Application Data\QUAD Backups\12.27.2009,06-59-12\Automatic.reg
c:\documents and settings\Doug Johnson\Start Menu\Programs\QUAD Utilities
c:\documents and settings\Doug Johnson\Start Menu\Programs\QUAD Utilities\QUAD RegistryCleaner\QUAD RegistryCleaner.lnk
c:\documents and settings\Doug Johnson\Start Menu\Programs\QUAD Utilities\QUAD RegistryCleaner\Uninstall QUAD RegistryCleaner.lnk
c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll
c:\program files\QUAD Utilities\QUAD RegistryCleaner\program.log
c:\program files\QUAD Utilities\QUAD RegistryCleaner\QUAD RegistryCleaner website.url
c:\program files\QUAD Utilities\QUAD RegistryCleaner\QUAD RegistryCleaner.exe
c:\program files\QUAD Utilities\QUAD RegistryCleaner\Styles\Vista.cjstyles
c:\program files\QUAD Utilities\QUAD RegistryCleaner\uninst.exe
c:\program files\QUAD Utilities\QUAD RegistryCleaner\Vista Scheduler.dll
C:\Thumbs.db
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\Tasks\chkvlyos.job
E:\AUTORUN.INF

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-06 18:07 . 2010-03-06 18:22 -------- d-----w- c:\windows\system32\NtmsData
2010-03-06 17:14 . 2010-03-07 00:05 -------- d-----w- c:\program files\Holdem Indicator
2010-03-06 16:27 . 2010-03-06 16:27 -------- d-----w- c:\program files\Holdem Genius
2010-03-06 16:19 . 2010-03-06 16:19 148816 ----a-w- c:\windows\system32\unzip32.dll
2010-03-06 16:19 . 2010-03-06 16:19 53248 ----a-w- c:\windows\system32\quick32.dll
2010-03-06 16:09 . 2010-03-06 16:14 -------- d-----w- c:\program files\Poker Wingman
2010-03-05 14:10 . 2010-03-05 14:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-03 21:00 . 2001-10-11 23:35 20588 ----a-w- c:\windows\system32\PdfPorts.dll
2010-03-03 21:00 . 2001-10-11 23:34 77824 ----a-w- c:\windows\system32\adistres.dll
2010-03-03 20:51 . 2010-03-03 20:51 -------- d-----w- c:\windows\Profiles
2010-03-03 20:51 . 2010-03-03 20:51 -------- d-----w- c:\windows\system32\Adobe
2010-03-03 20:51 . 2010-03-03 20:51 -------- d-----w- c:\documents and settings\Doug Johnson\Application Data\InterTrust
2010-02-25 23:40 . 2010-03-06 17:34 -------- d-----w- c:\program files\Symantec
2010-02-25 23:38 . 2010-02-27 22:00 -------- d-----w- c:\windows\system32\drivers\NIS
2010-02-25 22:22 . 2010-02-25 22:22 -------- d-----w- c:\program files\Trend Micro
2010-02-25 16:34 . 2010-02-26 03:22 -------- d-----w- c:\documents and settings\Doug Johnson\Local Settings\Application Data\oqgdcr
2010-02-25 16:28 . 2009-06-23 16:23 331776 ----a-w- c:\windows\system32\TwcToolbarIe7.dll
2010-02-25 16:28 . 2008-07-22 20:24 98304 ----a-w- c:\windows\system32\TwcToolbarBho.dll
2010-02-25 16:28 . 2007-12-03 19:36 25600 ----a-w- c:\windows\system32\TwcToolInstDll.dll
2010-02-25 16:27 . 2010-02-25 16:28 -------- d-----w- c:\program files\The Weather Channel Toolbar
2010-02-07 18:42 . 2010-02-07 18:42 -------- d-----w- c:\program files\Black Isle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 00:01 . 2006-11-12 15:09 -------- d-----w- c:\program files\PokerStars
2010-03-06 23:54 . 2010-02-01 22:02 -------- d-----w- c:\program files\Common Files\Poker Pro Labs
2010-03-06 23:50 . 2008-04-01 16:31 -------- d-----w- c:\program files\Poker Pro Labs
2010-03-06 17:34 . 2005-06-01 02:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-06 17:15 . 2008-03-02 04:13 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-06 16:23 . 2009-05-11 03:24 -------- d-----w- c:\program files\CalculatemPro
2010-03-06 16:09 . 2010-03-06 16:09 6091987 ------r- c:\documents and settings\Doug Johnson\Application Data\Microsoft\Installer\{8013F4EA-D2F6-439A-8444-CDB8D684E267}\Wingman.exe
2010-03-06 16:08 . 2009-03-15 02:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-06 16:08 . 2007-11-01 02:38 -------- d-----w- c:\program files\Poker Tracker V2
2010-03-06 00:47 . 2007-03-21 19:39 2561 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-03-05 22:46 . 2009-12-29 16:48 -------- d-----w- c:\documents and settings\Doug Johnson\Application Data\DYMO Stamps
2010-03-05 22:45 . 2006-06-19 19:57 -------- d-----w- c:\program files\DYMO Label
2010-03-03 21:03 . 2005-06-06 12:49 1901 ----a-w- c:\windows\panose.bin
2010-03-03 20:51 . 2005-06-04 01:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-27 22:03 . 2005-06-01 02:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-25 23:38 . 2009-12-28 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-25 22:54 . 2009-04-09 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-25 22:20 . 2009-04-10 00:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 04:23 . 2009-12-27 19:17 56842752 ----a-w- c:\documents and settings\All Users\Application Data\URG\MyPostageRateSaver\LU\setup.exe
2010-02-24 10:46 . 2009-11-25 10:17 235704 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-23 13:32 . 2005-12-13 17:39 -------- d-----w- c:\program files\Diablo II
2010-02-10 20:18 . 2009-12-29 00:41 -------- d-----w- c:\documents and settings\Doug Johnson\Application Data\Tific
2010-02-08 23:17 . 2009-12-28 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-08 22:15 . 2007-11-02 22:55 -------- d-----w- c:\program files\UltimateBet
2010-02-08 16:23 . 2006-12-27 19:29 -------- d-----w- c:\program files\Quicken WillMaker Plus 2007
2010-02-06 02:28 . 2009-10-16 01:29 94208 ----a-w- c:\windows\DUMP64c4.tmp
2010-02-05 18:21 . 2009-10-16 01:29 94208 ----a-w- c:\windows\DUMP632e.tmp
2010-01-30 13:44 . 2010-01-30 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Turbine
2010-01-30 00:56 . 2010-01-30 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-01-29 19:47 . 2010-01-29 19:47 -------- d-----w- c:\program files\Pando Networks
2010-01-07 23:07 . 2009-12-27 14:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-12-27 14:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 10:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-04-08 22:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 16:00 . 2005-06-03 22:10 50416 ------w- c:\documents and settings\Doug Johnson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-27 04:51 . 2009-12-27 15:31 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-27 04:51 . 2009-12-27 15:31 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-27 04:51 . 2009-12-27 15:31 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-27 04:51 . 2009-12-27 15:31 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-27 04:51 . 2009-12-27 15:31 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnVir Task Manager Pro"="c:\program files\AnVir Task Manager Pro\AnVir.exe" [2008-11-14 2743008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-5-31 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^Doug Johnson^Start Menu^Programs^Startup^Smart Buddy.lnk]
path=c:\documents and settings\Doug Johnson\Start Menu\Programs\Startup\Smart Buddy.lnk
backup=c:\windows\pss\Smart Buddy.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2008-08-14 00:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 04:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 23:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DYMO Stamps\\DYMO Stamps.exe"=
"c:\\Program Files\\Full Tilt Poker\\FullTiltPoker.exe"=
"c:\\Program Files\\CalculatemPro\\CalculatemPro.exe"=
"c:\\Program Files\\Adobe\\GoLive 6.0_ENG\\GoLive.exe"=
"c:\\Program Files\\URG\\MyPostageRateSaver\\MyMail.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Premier - Nonprofit Edition\\QBDBMgrN.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Poker Pro Labs\\Poker Calculator Pro\\PokerCalculatorPro.exe"=
"c:\\Program Files\\Poker Pro Labs\\Poker Calculator Pro\\PokerCalculatorProUpdate.exe"=
"c:\\Program Files\\Holdem Indicator\\HoldemIndicator.exe"=
"c:\\Program Files\\Holdem Genius\\HoldemGenius.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57194:TCP"= 57194:TCP:Pando Media Booster
"57194:UDP"= 57194:UDP:Pando Media Booster

S0 aqep;aqep; [x]
S0 bqqa;bqqa; [x]
S0 iwdmgj;iwdmgj; [x]
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 3:47 AM 98304]
S3 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 2:40 AM 118784]

--- Other Services/Drivers In Memory ---

*Deregistered* - dnbudf

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-01-05 10:00 124928 ----a-w- c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 05:36]

2010-03-05 c:\windows\Tasks\sundance 1259546778.job
- c:\program files\Intuit\QuickBooks Premier - Nonprofit Edition\AutoBackupEXE.exe [2009-09-17 02:16]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.goodsearch.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Doug Johnson\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Doug Johnson\Application Data\Mozilla\Firefox\Profiles\ey9bnjzu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SharedTaskScheduler-{1d58cb02-9516-4321-9944-f07e1813c025} - (no file)
SSODL-joburuvop-{1d58cb02-9516-4321-9944-f07e1813c025} - (no file)
SafeBoot-aawservice
SafeBoot-WinDefend
MSConfigStartUp-Drag'n'Drop_Autolaunch - c:\program files\Iomega HotBurn Pro\Autolaunch.exe
AddRemove-QUAD RegistryCleaner - c:\program files\QUAD Utilities\QUAD RegistryCleaner\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 20:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D96284CB-92E6-3E1E-196BB0273B005327}\{BCF0CDFC-4A0B-26E5-259182A4D665E8F2}\{6E248836-421D-F84C-CF6B8AC08EBF0D43}*]
"526BA65ZPQS4U365YNAELLJ5XA1"=hex:01,00,01,00,00,00,00,00,50,bd,9f,8a,7e,a0,d0,
fa,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"??? ?????????? ???"="c?\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\InstallSqlState.sql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2436)
c:\windows\system32\WININET.dll
c:\program files\AnVir Task Manager Pro\AnvirHook54.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\ftpxext.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-06 20:30:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 03:30

Pre-Run: 1,374,449,664 bytes free
Post-Run: 1,187,844,096 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,3,4,5
- - End Of File - - 5414E3E48930233E7993FBEA091A67A6


#4 Farbar (Security Developer, The Netherlands)

Posted 07 March 2010 - 07:58 AM

Besides other malware, ComboFix removed Quad Utilities and QUAD RegistryCleaner, which is rogue security software.
See here: http://www.emsisoft.com/en/malware/Adware....ner-remove.aspx

I don't see Iomega Activity Disk2 on the program list but there is a service entry in the registry. Are you using this software?

Edited by farbar, 07 March 2010 - 08:04 AM.


#5 sundanceranch (Topic Starter)

Posted 07 March 2010 - 09:41 AM

I had an Iomega backup drive but don't anymore.

#6 Farbar (Security Developer, The Netherlands)

Posted 07 March 2010 - 10:48 AM

  1. Open Notepad and copy/paste the text in the code box below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/300783/some-software-cant-access-internet/

    Collect::
    c:\windows\system32\drivers\UACqnkwnsqomy.sys
    c:\systemroot\system32\UACcksewpybow.dll
    c:\windows\system32\UAConbgkvvmpf.dll
    c:\windows\systemroot\system32\UACqjdsbicjqs.dat
    c:\windows\systemroot\system32\UACrvrgyulhjm.dll
    c:\windows\system32\UACqrlkxayrtx.dll

    Driver::
    aqep
    bqqa
    iwdmgj
    Iomega Activity Disk2
    UACd.sys
    Regnull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D96284CB-92E6-3E1E-196BB0273B005327}\{BCF0CDFC-4A0B-26E5-259182A4D665E8F2}\{6E248836-421D-F84C-CF6B8AC08EBF0D43}*]
    RegLockDell::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D96284CB-92E6-3E1E-196BB0273B005327}\{BCF0CDFC-4A0B-26E5-259182A4D665E8F2}\{6E248836-421D-F84C-CF6B8AC08EBF0D43}]
    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys]


    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  2. Please run GMER once more. Uncheck all the other sections except Registry, as we just need the Registry section now, and post the log.


#7 sundanceranch (Topic Starter)

Posted 07 March 2010 - 02:20 PM

There isn't any cat icon on my desktop to drag into.

#8 Farbar (Security Developer, The Netherlands)

Posted 07 March 2010 - 04:24 PM

It is because ComboFix was not downloaded to the desktop as instructed.

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c copy /y "%userprofile%\My Documents\My Downloads\ComboFix.exe" "%userprofile%\desktop"

A window flashes. It is normal.

Now ComboFix is on your desktop and you can carry on with the instructions, provided the CFScript.txt is on your desktop.

#9 sundanceranch (Topic Starter)

Posted 07 March 2010 - 06:14 PM

I tried to run the G things and the computer FUBARed,
brought up a blue screen and the error said

PFN_List_Corrupt

so I did not run the program again

here is the ComboFix txt that came right before I tried to run the G program


ComboFix 10-03-07.02 - Doug Johnson 03/07/2010 14:38:11.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.429 [GMT -7:00]
Running from: c:\documents and settings\Doug Johnson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Doug Johnson\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_aqep
-------\Service_bqqa
-------\Service_Iomega Activity Disk2
-------\Service_iwdmgj


((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-06 18:07 . 2010-03-06 18:22 -------- d-----w- c:\windows\system32\NtmsData
2010-03-06 17:14 . 2010-03-07 00:05 -------- d-----w- c:\program files\Holdem Indicator
2010-03-06 16:19 . 2010-03-06 16:19 148816 ----a-w- c:\windows\system32\unzip32.dll
2010-03-06 16:19 . 2010-03-06 16:19 53248 ----a-w- c:\windows\system32\quick32.dll
2010-03-06 16:09 . 2010-03-06 16:14 -------- d-----w- c:\program files\Poker Wingman
2010-03-05 14:10 . 2010-03-05 14:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-03 21:00 . 2001-10-11 23:35 20588 ----a-w- c:\windows\system32\PdfPorts.dll
2010-03-03 21:00 . 2001-10-11 23:34 77824 ----a-w- c:\windows\system32\adistres.dll
2010-03-03 20:51 . 2010-03-03 20:51 -------- d-----w- c:\windows\Profiles
2010-03-03 20:51 . 2010-03-03 20:51 -------- d-----w- c:\windows\system32\Adobe
2010-03-03 20:51 . 2010-03-03 20:51 -------- d-----w- c:\documents and settings\Doug Johnson\Application Data\InterTrust
2010-02-25 23:40 . 2010-03-06 17:34 -------- d-----w- c:\program files\Symantec
2010-02-25 23:38 . 2010-02-27 22:00 -------- d-----w- c:\windows\system32\drivers\NIS
2010-02-25 22:22 . 2010-02-25 22:22 -------- d-----w- c:\program files\Trend Micro
2010-02-25 16:34 . 2010-02-26 03:22 -------- d-----w- c:\documents and settings\Doug Johnson\Local Settings\Application Data\oqgdcr
2010-02-25 16:28 . 2009-06-23 16:23 331776 ----a-w- c:\windows\system32\TwcToolbarIe7.dll
2010-02-25 16:28 . 2008-07-22 20:24 98304 ----a-w- c:\windows\system32\TwcToolbarBho.dll
2010-02-25 16:28 . 2007-12-03 19:36 25600 ----a-w- c:\windows\system32\TwcToolInstDll.dll
2010-02-25 16:27 . 2010-02-25 16:28 -------- d-----w- c:\program files\The Weather Channel Toolbar
2010-02-07 18:42 . 2010-02-07 18:42 -------- d-----w- c:\program files\Black Isle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 20:16 . 2009-12-27 19:17 58600960 ----a-w- c:\documents and settings\All Users\Application Data\URG\MyPostageRateSaver\LU\setup.exe
2010-03-07 19:25 . 2007-03-21 19:39 2561 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-03-07 14:44 . 2009-03-15 02:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-07 14:44 . 2007-11-01 02:38 -------- d-----w- c:\program files\Poker Tracker V2
2010-03-07 13:39 . 2009-05-11 03:24 -------- d-----w- c:\program files\CalculatemPro
2010-03-07 13:17 . 2006-11-12 15:09 -------- d-----w- c:\program files\PokerStars
2010-03-06 23:54 . 2010-02-01 22:02 -------- d-----w- c:\program files\Common Files\Poker Pro Labs
2010-03-06 23:50 . 2008-04-01 16:31 -------- d-----w- c:\program files\Poker Pro Labs
2010-03-06 17:34 . 2005-06-01 02:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-06 17:15 . 2008-03-02 04:13 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-06 16:09 . 2010-03-06 16:09 6091987 ------r- c:\documents and settings\Doug Johnson\Application Data\Microsoft\Installer\{8013F4EA-D2F6-439A-8444-CDB8D684E267}\Wingman.exe
2010-03-05 22:46 . 2009-12-29 16:48 -------- d-----w- c:\documents and settings\Doug Johnson\Application Data\DYMO Stamps
2010-03-05 22:45 . 2006-06-19 19:57 -------- d-----w- c:\program files\DYMO Label
2010-03-03 21:03 . 2005-06-06 12:49 1901 ----a-w- c:\windows\panose.bin
2010-03-03 20:51 . 2005-06-04 01:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-27 22:03 . 2005-06-01 02:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-25 23:38 . 2009-12-28 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-25 22:54 . 2009-04-09 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-25 22:20 . 2009-04-10 00:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 10:46 . 2009-11-25 10:17 235704 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-23 13:32 . 2005-12-13 17:39 -------- d-----w- c:\program files\Diablo II
2010-02-10 20:18 . 2009-12-29 00:41 -------- d-----w- c:\documents and settings\Doug Johnson\Application Data\Tific
2010-02-08 23:17 . 2009-12-28 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-08 22:15 . 2007-11-02 22:55 -------- d-----w- c:\program files\UltimateBet
2010-02-08 16:23 . 2006-12-27 19:29 -------- d-----w- c:\program files\Quicken WillMaker Plus 2007
2010-02-06 02:28 . 2009-10-16 01:29 94208 ----a-w- c:\windows\DUMP64c4.tmp
2010-02-05 18:21 . 2009-10-16 01:29 94208 ----a-w- c:\windows\DUMP632e.tmp
2010-01-30 13:44 . 2010-01-30 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Turbine
2010-01-30 00:56 . 2010-01-30 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-01-29 19:47 . 2010-01-29 19:47 -------- d-----w- c:\program files\Pando Networks
2010-01-07 23:07 . 2009-12-27 14:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-12-27 14:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 10:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-04-08 22:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 16:00 . 2005-06-03 22:10 50416 ------w- c:\documents and settings\Doug Johnson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-27 04:51 . 2009-12-27 15:31 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-27 04:51 . 2009-12-27 15:31 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-27 04:51 . 2009-12-27 15:31 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-27 04:51 . 2009-12-27 15:31 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-27 04:51 . 2009-12-27 15:31 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnVir Task Manager Pro"="c:\program files\AnVir Task Manager Pro\AnVir.exe" [2008-11-14 2743008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-5-31 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^Doug Johnson^Start Menu^Programs^Startup^Smart Buddy.lnk]
path=c:\documents and settings\Doug Johnson\Start Menu\Programs\Startup\Smart Buddy.lnk
backup=c:\windows\pss\Smart Buddy.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2008-08-14 00:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 04:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 23:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DYMO Stamps\\DYMO Stamps.exe"=
"c:\\Program Files\\Full Tilt Poker\\FullTiltPoker.exe"=
"c:\\Program Files\\CalculatemPro\\CalculatemPro.exe"=
"c:\\Program Files\\Adobe\\GoLive 6.0_ENG\\GoLive.exe"=
"c:\\Program Files\\URG\\MyPostageRateSaver\\MyMail.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Premier - Nonprofit Edition\\QBDBMgrN.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Poker Pro Labs\\Poker Calculator Pro\\PokerCalculatorPro.exe"=
"c:\\Program Files\\Poker Pro Labs\\Poker Calculator Pro\\PokerCalculatorProUpdate.exe"=
"c:\\Program Files\\Holdem Indicator\\HoldemIndicator.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57194:TCP"= 57194:TCP:Pando Media Booster
"57194:UDP"= 57194:UDP:Pando Media Booster

S3 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 3:47 AM 98304]
S3 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 2:40 AM 118784]

--- Other Services/Drivers In Memory ---

*Deregistered* - dnbudf

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-01-05 10:00 124928 ----a-w- c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 05:36]

2010-03-05 c:\windows\Tasks\sundance 1259546778.job
- c:\program files\Intuit\QuickBooks Premier - Nonprofit Edition\AutoBackupEXE.exe [2009-09-17 02:16]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.goodsearch.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Doug Johnson\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Doug Johnson\Application Data\Mozilla\Firefox\Profiles\ey9bnjzu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 15:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"??? ?????????? ???"="c?\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\InstallSqlState.sql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1700)
c:\windows\system32\WININET.dll
c:\program files\AnVir Task Manager Pro\AnvirHook54.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\ftpxext.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-07 15:40:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 22:40
ComboFix2.txt 2010-03-07 03:30

Pre-Run: 1,110,626,304 bytes free
Post-Run: 1,079,595,008 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,3,4,5
- - End Of File - - 481C3A01981278133CC75AC7050249E5


#10 Farbar (Security Developer, The Netherlands)

Posted 08 March 2010 - 02:34 AM

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    CODE
    Comment:
    start to process
    Drivers to disable:
    Drivers to delete:
    UACd.sys
    Registry keys to delete:
    HKLM\SYSTEM\ControlSet001\Services\UACd.sys
  • In the avenger window, click the Paste Script from Clipboard, button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


#11 sundanceranch (Topic Starter)

Posted 08 March 2010 - 03:47 PM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet001\Services\UACd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
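
The Avenger log above shows a control-set subtlety worth checking for in any cleanup: the driver delete addressed through CurrentControlSet (which on this machine is ControlSet004, since ComboFix reports Current=4) found nothing, while the explicit ControlSet001 key still existed and was the one removed. The following added example, which is not from the thread, from ComboFix or from The Avenger, parses ComboFix's Select summary line and classifies service keys by control set so that entries left only in a stale set are not missed; the key paths are constructed from the ones that appear in the thread's logs.

```python
"""Classify registry service keys by control set.

HKLM\\SYSTEM\\CurrentControlSet is a link to ControlSet00N, where N is the
'Current' value under HKLM\\SYSTEM\\Select. A tool that only looks through the
link never sees service keys that survive in the other control sets.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ComboFix prints the Select values on one line, e.g. the thread's
# "Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,3,4,5".
SELECT_RE = re.compile(
    r"Current=(?P<current>\d+)\s+Default=(?P<default>\d+)\s+Failed=(?P<failed>\d+)"
    r"\s+LastKnownGood=(?P<lkg>\d+)\s+Sets=(?P<sets>[\d,]+)"
)

# A Services key written either with the literal set number or via the link.
SERVICE_KEY_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet(?P<num>\d{3}))"
    r"\\Services\\(?P<service>[^\\\]]+)",
    re.IGNORECASE,
)


@dataclass
class SelectInfo:
    current: int
    default: int
    failed: int
    last_known_good: int
    sets: List[int]


def parse_select(line: str) -> SelectInfo:
    """Parse the ComboFix Select summary line; raise if the line is not one."""
    m = SELECT_RE.search(line)
    if not m:
        raise ValueError(f"not a ComboFix Select line: {line!r}")
    return SelectInfo(
        current=int(m.group("current")),
        default=int(m.group("default")),
        failed=int(m.group("failed")),
        last_known_good=int(m.group("lkg")),
        sets=[int(s) for s in m.group("sets").split(",")],
    )


def control_set_of(key_path: str, select: SelectInfo) -> Tuple[int, str]:
    """Return (control set number, service name) for a Services key path.

    A path written through CurrentControlSet resolves to Select\\Current.
    """
    m = SERVICE_KEY_RE.match(key_path.strip())
    if not m:
        raise ValueError(f"not a Services key path: {key_path!r}")
    num = int(m.group("num")) if m.group("num") else select.current
    return num, m.group("service")


def classify_service_keys(key_paths: List[str], select: SelectInfo) -> Dict[str, Dict[str, List[int]]]:
    """Group keys by service name into the live control set and stale ones.

    A service that appears only under 'stale' is exactly the situation in the
    Avenger log: a delete through CurrentControlSet reports 'not found' while
    the entry still exists in another control set.
    """
    report: Dict[str, Dict[str, List[int]]] = {}
    for path in key_paths:
        num, service = control_set_of(path, select)
        entry = report.setdefault(service, {"live": [], "stale": []})
        bucket = "live" if num == select.current else "stale"
        if num not in entry[bucket]:
            entry[bucket].append(num)
    for entry in report.values():
        entry["live"].sort()
        entry["stale"].sort()
    return report


def stale_only(report: Dict[str, Dict[str, List[int]]]) -> List[str]:
    """Service names that exist only in non-current control sets."""
    return sorted(name for name, e in report.items() if e["stale"] and not e["live"])


# Constructed sample: the Select line and key paths taken from the thread's logs.
SAMPLE_SELECT_LINE = "Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,3,4,5"
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Iomega Activity Disk2",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys",
]

if __name__ == "__main__":
    sel = parse_select(SAMPLE_SELECT_LINE)
    rep = classify_service_keys(SAMPLE_KEYS, sel)
    for name, e in rep.items():
        print(f"{name}: live={e['live']} stale={e['stale']}")
    print("only in stale control sets:", stale_only(rep))
```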


#12 Farbar (Security Developer, The Netherlands)

Posted 08 March 2010 - 03:55 PM

  1. I see on the log My Way Search Assistant is installed on your computer:

    This program is known to be bundled with adware/spyware. You may read more about My Way Search Assistant here:
    http://www.bleepingcomputer.com/uninstall/...-Assistant.html

    To uninstall My Way Search Assistant:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    My Way Search Assistant

    Also remove the folder in bold: C:\Program Files\MyWay

  2. I see on your log that PokerStars is installed on your computer:

    This program is known to be related to adware/spyware. More information here: http://www.bleepingcomputer.com/uninstall/...rStars.net.html
    To uninstall it:
    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    PokerStars

    Also remove the folder in bold: C:\Program Files\PokerStars

  3. Optional: Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are not using it:

    Viewpoint Media Player.

    If you uninstalled it, also remove the folder in bold: C:\Program Files\Viewpoint

  4. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  5. Your Adobe Reader is outdated. I strongly recommend you update your Adobe Reader to the latest version to avoid being infected through its security holes.

  6. Tell me also how your computer is running.


#13 sundanceranch (Topic Starter)

Posted 08 March 2010 - 05:40 PM

My Way Search Assistant gets an error when attempting to remove: "Error loading..... specified module could not be found"


PokerStars is how I make a living. It's a poker site I use, so it cannot be deleted.


Removed Viewpoint Media Player


The computer seems to run fine, maybe even a little faster


#14 Farbar (Security Developer, The Netherlands)

Posted 08 March 2010 - 05:47 PM

PokerStars can be kept. It is not a big deal.

All looks good.
  1. Download the trial version of Your Uninstaller! (Free Fix)
      Install it and run it.
      Under Modules select Uninstaller.
      Highlight My Way Search Assistant and press Uninstall.
      It might give you an error, proceed anyway and it eventually removes the software.
      Let it remove all the files and folders and anything it finds.

  2. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  3. Remove any other tool or log we used from your computer.

Happy Surfing, sundanceranch.

#15 sundanceranch (Topic Starter)

Posted 08 March 2010 - 06:31 PM

You GUYS and/or GALS ROCK! Thanks so much for making my repairs painless and smooth.



