
Topic: DLLHOST.EXE/SVCHOST.EXE malicious actions?


wordisbonz

    DLLHOST.EXE/SVCHOST.EXE malicious actions?
    « on: July 15, 2009, 06:54:54 PM »
    Hi, can anyone tell me how to fix this problem? Every few minutes the following message pops up on my computer from spyware dr:

    "MALICIOUS ACTION BLOCKED

    Spyware Doctor has blocked an application svchost.exe attempting to access a file.

    Path:
    C:\WINDOWS\SYSTEM32\DLLHOST.EXE"


    I followed the steps in the "Before you post" posting and below are my logs attached

    [attachment deleted by admin]

    evilfantasy

    Re: DLLHOST.EXE/SVCHOST.EXE malicious actions?
    « Reply #1 on: July 18, 2009, 05:25:59 PM »
    Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall try to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copy and pasting it into the reply.

    wordisbonz

      Re: DLLHOST.EXE/SVCHOST.EXE malicious actions?
      « Reply #2 on: July 18, 2009, 06:40:57 PM »
      thank you, here they are:


      DDS (Ver_09-06-26.01) - NTFSx86
      Run by PhilS at 17:35:36.99 on Sat 07/18/2009
      Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
      Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2814.1816 [GMT -7:00]

      SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
      SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

      ============== Running Processes ===============

      C:\Windows\system32\wininit.exe
      C:\Windows\system32\lsm.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch
      C:\Windows\system32\nvvsvc.exe
      C:\Windows\system32\svchost.exe -k rpcss
      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      C:\Windows\system32\svchost.exe -k netsvcs
      C:\Windows\system32\svchost.exe -k GPSvcGroup
      C:\Windows\system32\SLsvc.exe
      C:\Windows\system32\svchost.exe -k LocalService
      C:\Windows\system32\svchost.exe -k NetworkService
      C:\Windows\system32\rundll32.exe
      C:\Windows\system32\WLANExt.exe
      C:\Windows\System32\spoolsv.exe
      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
      C:\Windows\SMINST\BLService.exe
      C:\Program Files\CyberLink\Shared Files\RichVideo.exe
      C:\Program Files\Spyware Doctor\pctsAuxs.exe
      C:\Program Files\Spyware Doctor\pctsSvc.exe
      C:\Windows\system32\svchost.exe -k imgsvc
      C:\Program Files\Viewpoint\Common\ViewpointService.exe
      C:\Windows\System32\svchost.exe -k WerSvcGroup
      C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\DRIVERS\xaudio.exe
      C:\Windows\system32\taskeng.exe
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Windows\system32\taskeng.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
      C:\Program Files\HP\QuickPlay\QPService.exe
      C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
      C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
      C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
      C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
      C:\Program Files\Spyware Doctor\pctsTray.exe
      C:\Program Files\Windows Media Player\wmpnscfg.exe
      C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
      C:\Windows\System32\rundll32.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      C:\Program Files\Windows Media Player\wmpnetwk.exe
      C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
      C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
      C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
      c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
      C:\Windows\system32\taskeng.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Users\PhilS\Desktop\dds.com
      C:\Windows\system32\wbem\wmiprvse.exe

      ============== Pseudo HJT Report ===============

      uStart Page = hxxp://www.aol.com/
      mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
      uInternet Settings,ProxyOverride = *.local
      BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
      BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
      BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
      BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
      mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
      mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
      mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
      mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
      mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
      mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
      mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
      mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
      mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
      mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
      mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
      mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
      mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
      mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
      IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
      LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
      Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

      ================= FIREFOX ===================

      FF - ProfilePath - c:\users\phils\appdata\roaming\mozilla\firefox\profiles\r2or64x5.default\
      FF - prefs.js: browser.startup.homepage - hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
      FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
      FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
      FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

      ============= SERVICES / DRIVERS ===============

      R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-29 130936]
      R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-29 51488]
      R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-3-29 39200]
      R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-3-29 159600]
      R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
      R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
      R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-4 361808]
      R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-25 348752]
      R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-26 24652]
      R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-4 193840]
      R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
      R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-3-29 64392]
      R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-3-29 33056]
      R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
      S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

      =============== Created Last 30 ================

      2009-07-17 14:47   1,056,768   a-------   c:\windows\system32\defltbase.sdb
      2009-07-17 03:37   <DIR>   --dsh---   C:\$RECYCLE.BIN
      2009-07-17 03:17   219,648   a-------   c:\windows\PEV.exe
      2009-07-17 03:17   161,792   a-------   c:\windows\SWREG.exe
      2009-07-17 03:17   98,816   a-------   c:\windows\sed.exe
      2009-07-15 14:01   <DIR>   --d-----   c:\program files\Trend Micro
      2009-07-15 01:51   <DIR>   --d-----   c:\users\phils\appdata\roaming\Malwarebytes
      2009-07-15 01:51   38,160   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
      2009-07-15 01:51   <DIR>   --d-----   c:\programdata\Malwarebytes
      2009-07-15 01:51   <DIR>   --d-----   c:\progra~2\Malwarebytes
      2009-07-15 01:51   19,096   a-------   c:\windows\system32\drivers\mbam.sys
      2009-07-15 01:51   <DIR>   --d-----   c:\program files\Malwarebytes' Anti-Malware
      2009-07-14 13:11   156,672   a-------   c:\windows\system32\t2embed.dll
      2009-07-14 13:11   72,704   a-------   c:\windows\system32\fontsub.dll
      2009-07-14 13:11   289,792   a-------   c:\windows\system32\atmfd.dll
      2009-07-14 13:11   23,552   a-------   c:\windows\system32\lpk.dll
      2009-07-14 13:11   10,240   a-------   c:\windows\system32\dciman32.dll
      2009-07-14 10:16   224   a-------   c:\windows\system32\9B13A86D.plf
      2009-07-14 10:06   <DIR>   --d-----   c:\programdata\Cached Installations
      2009-07-14 10:06   <DIR>   --d-----   c:\progra~2\Cached Installations
      2009-07-14 10:02   <DIR>   --d-----   c:\users\phils\appdata\roaming\ParetoLogic
      2009-07-14 10:00   <DIR>   --d-----   c:\programdata\Downloaded Installations
      2009-07-14 10:00   <DIR>   --d-----   c:\progra~2\Downloaded Installations
      2009-07-14 09:59   <DIR>   --d-----   c:\users\phils\appdata\roaming\DriverCure
      2009-07-14 09:58   <DIR>   --d-----   c:\programdata\ParetoLogic
      2009-07-14 09:58   <DIR>   --d-----   c:\programdata\DriverCure
      2009-07-14 09:58   <DIR>   --d-----   c:\progra~2\ParetoLogic
      2009-07-14 09:58   <DIR>   --d-----   c:\progra~2\DriverCure
      2009-07-14 01:25   <DIR>   --d-----   c:\programdata\RegCure
      2009-07-14 01:25   <DIR>   --d-----   c:\progra~2\RegCure
      2009-07-13 10:41   <DIR>   --d-----   c:\programdata\SUPERAntiSpyware.com
      2009-07-13 10:41   <DIR>   --d-----   c:\progra~2\SUPERAntiSpyware.com
      2009-07-13 10:40   <DIR>   --d-----   c:\users\phils\appdata\roaming\SUPERAntiSpyware.com
      2009-07-13 10:40   <DIR>   --d-----   c:\program files\SUPERAntiSpyware
      2009-07-13 10:39   <DIR>   --d-----   c:\program files\common files\Wise Installation Wizard
      2009-07-10 16:43   <DIR>   --d-----   c:\users\phils\appdata\roaming\funkitron
      2009-07-09 02:08   <DIR>   --d-----   c:\users\phils\appdata\roaming\iWin
      2009-07-04 14:05   <DIR>   --d-----   c:\windows\system32\eu-ES
      2009-07-04 14:05   <DIR>   --d-----   c:\windows\system32\ca-ES
      2009-07-04 14:05   <DIR>   --d-----   c:\windows\system32\vi-VN
      2009-07-04 12:40   <DIR>   --d-----   c:\windows\system32\EventProviders
      2009-07-04 12:36   289,792   a-------   c:\windows\system32\spinstall.exe
      2009-07-04 12:35   409,600   a-------   c:\windows\system32\odbc32.dll
      2009-07-04 12:34   638,976   a-------   c:\windows\system32\Utilman.exe
      2009-07-04 12:33   140,288   a-------   c:\windows\system32\wpcsvc.dll
      2009-07-04 12:32   83,968   a-------   c:\windows\system32\wbem\wmiutils.dll
      2009-07-04 12:32   744,448   a-------   c:\windows\system32\wbem\wbemcore.dll
      2009-07-04 12:32   614,912   a-------   c:\windows\system32\wbem\fastprox.dll
      2009-07-04 12:32   265,728   a-------   c:\windows\system32\wbem\repdrvfs.dll
      2009-07-04 12:32   265,728   a-------   c:\windows\system32\wbem\esscli.dll
      2009-07-04 12:32   189,440   a-------   c:\windows\system32\wbem\mofd.dll
      2009-07-04 12:32   30,208   a-------   c:\windows\system32\wbem\wbemprox.dll
      2009-07-04 12:32   705,536   a-------   c:\windows\system32\SmiEngine.dll
      2009-07-04 12:32   218,624   a-------   c:\windows\system32\wdscore.dll
      2009-07-04 12:32   130,560   a-------   c:\windows\system32\PkgMgr.exe
      2009-07-04 12:32   247,808   a-------   c:\windows\system32\drvstore.dll
      2009-06-25 01:20   <DIR>   --d-----   c:\program files\SystemRequirementsLab
      2009-06-21 14:50   68,640   a-------   c:\windows\unTMV.exe
      2009-06-21 14:50   <DIR>   --d-----   c:\program files\SoftMaker Viewer
      2009-06-19 04:32   <DIR>   --d-----   c:\programdata\NCH Swift Sound
      2009-06-19 04:32   <DIR>   --d-----   c:\program files\NCH Software
      2009-06-19 04:31   <DIR>   --d-----   c:\program files\NCH Swift Sound
      2009-06-19 04:28   <DIR>   --d-----   c:\programdata\FreeRIP
      2009-06-19 04:28   <DIR>   --d-----   c:\progra~2\FreeRIP
      2009-06-19 04:28   <DIR>   --d-----   c:\program files\FreeRIP3

      ==================== Find3M  ====================

      2009-07-18 17:35   27,839   a-------   c:\programdata\nvModes.dat
      2009-07-18 17:35   27,839   a-------   c:\progra~2\nvModes.dat
      2009-07-14 17:12   1,092   a-------   c:\users\phils\appdata\roaming\wklnhst.dat
      2009-07-14 10:06   51,200   a-------   c:\windows\inf\infpub.dat
      2009-07-14 10:06   143,360   a-------   c:\windows\inf\infstrng.dat
      2009-07-14 10:06   86,016   a-------   c:\windows\inf\infstor.dat
      2009-07-04 14:05   665,600   a-------   c:\windows\inf\drvindex.dat
      2009-06-30 15:36   18,696   a-------   c:\windows\help\oem\scripts\HC_BatteryReplaceNew.exe
      2009-06-30 15:10   18,696   a-------   c:\windows\help\oem\scripts\HC_BatteryNoTravel.exe
      2009-06-30 15:03   18,696   a-------   c:\windows\help\oem\scripts\HC_BatteryAccessories.exe
      2009-06-30 12:44   18,184   a-------   c:\windows\help\oem\scripts\HC_BatteryWeakNew.exe
      2009-06-26 18:36   18,184   a-------   c:\windows\help\oem\scripts\HC_BatteryUpgrade.exe
      2009-05-08 22:50   915,456   a-------   c:\windows\system32\wininet.dll
      2009-05-08 22:34   71,680   a-------   c:\windows\system32\iesetup.dll
      2009-05-01 14:02   90,112   a-------   c:\windows\system32\dpl100.dll
      2009-05-01 14:02   823,296   a-------   c:\windows\system32\divx_xx0c.dll
      2009-05-01 14:02   823,296   a-------   c:\windows\system32\divx_xx07.dll
      2009-05-01 14:02   815,104   a-------   c:\windows\system32\divx_xx0a.dll
      2009-05-01 14:02   811,008   a-------   c:\windows\system32\divx_xx16.dll
      2009-05-01 14:02   802,816   a-------   c:\windows\system32\divx_xx11.dll
      2009-05-01 14:02   685,056   a-------   c:\windows\system32\DivX.dll
      2009-04-23 05:15   784,896   a-------   c:\windows\system32\rpcrt4.dll
      2009-04-23 05:14   623,616   a-------   c:\windows\system32\localspl.dll
      2009-04-21 04:39   2,034,688   a-------   c:\windows\system32\win32k.sys
      2008-01-20 19:43   174   a--sh---   c:\program files\desktop.ini
      2006-11-02 05:42   287,440   a-------   c:\windows\inf\perflib\0409\perfi.dat
      2006-11-02 05:42   287,440   a-------   c:\windows\inf\perflib\0409\perfh.dat
      2006-11-02 05:42   30,674   a-------   c:\windows\inf\perflib\0409\perfd.dat
      2006-11-02 05:42   30,674   a-------   c:\windows\inf\perflib\0409\perfc.dat
      2006-11-02 02:20   287,440   a-------   c:\windows\inf\perflib\0000\perfi.dat
      2006-11-02 02:20   287,440   a-------   c:\windows\inf\perflib\0000\perfh.dat
      2006-11-02 02:20   30,674   a-------   c:\windows\inf\perflib\0000\perfd.dat
      2006-11-02 02:20   30,674   a-------   c:\windows\inf\perflib\0000\perfc.dat

      ============= FINISH: 17:36:54.89 ===============

      DDS (Ver_09-06-26.01)

      Microsoft® Windows Vista™ Home Premium
      Boot Device: \Device\HarddiskVolume1
      Install Date: 11/5/2008 6:50:33 PM
      System Uptime: 7/18/2009 2:26:10 PM (3 hours ago)

      Motherboard: Wistron |  | 303C
      Processor: AMD Turion Dual-Core RM-70 | Socket A | 2000/133mhz

      ==== Disk Partitions =========================

      C: is FIXED (NTFS) - 139 GiB total, 71.407 GiB free.
      D: is FIXED (NTFS) - 10 GiB total, 1.732 GiB free.
      E: is CDROM ()

      ==== Disabled Device Manager Items =============

      Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
      Description: Microsoft ISATAP Adapter
      Device ID: ROOT\*ISATAP\0000
      Manufacturer: Microsoft
      Name: Microsoft ISATAP Adapter
      PNP Device ID: ROOT\*ISATAP\0000
      Service: tunnel

      Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
      Description: Microsoft Tun Miniport Adapter
      Device ID: ROOT\*TUNMP\0001
      Manufacturer: Microsoft
      Name: Microsoft Tun Miniport Adapter #2
      PNP Device ID: ROOT\*TUNMP\0001
      Service: tunmp

      ==== System Restore Points ===================

      No restore point in system.

      ==== Installed Programs ======================

      AAC Decoder
      ActiveCheck component for HP Active Support Library
      Adobe Flash Player 10 ActiveX
      Adobe Flash Player 10 Plugin
      Adobe Reader 8.1.6
      Adobe Shockwave Player
      Adobe Shockwave Player 11.5
      AIM 6
      Apple Mobile Device Support
      Apple Software Update
      Atheros Driver Installation Program
      AutoUpdate
      Bonjour
      CAM UnZip 4.42
      Cards_Calendar_OrderGift_DoMorePlugout
      Cisco EAP-FAST Module
      Cisco LEAP Module
      Cisco PEAP Module
      Conexant HD Audio
      CyberLink DVD Suite
      CyberLink YouCam
      DivX Codec
      DivX Converter
      DivX Player
      DivX Plus DirectShow Filters
      DivX Version Checker
      DivX Web Player
      ESU for Microsoft Vista
      Express Burn
      Express Rip
      FreeRIP v3.1
      GPL MPEG-1/2 DirectShow Decoder Filter
      H.264 Decoder
      HDAUDIO Soft Data Fax Modem with SmartCP
      HijackThis 2.0.2
      Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
      Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
      HP Active Support Library
      HP Customer Experience Enhancements
      HP Doc Viewer
      HP DVD Play 3.7
      HP Help and Support
      HP Photosmart Essential 2.5
      HP Quick Launch Buttons 6.40 D3
      HP Smart Web Printing
      HP Total Care Advisor
      HP Update
      HP User Guides 0118
      HP Wireless Assistant
      HPAsset component for HP Active Support Library
      HPNetworkAssistant
      HPPhotoSmartDiscLabel_PaperLabel
      HPPhotoSmartDiscLabel_PrintOnDisc
      HPPhotoSmartDiscLabel_Tattoo
      HPPhotoSmartDiscLabelContent1
      hpphotosmartdisclabelplugin
      HPPhotoSmartPhotobookHolidayPack1
      HPPhotoSmartPhotobookModernPack1
      HPPhotoSmartPhotobookPlayfulPack1
      HPPhotoSmartPhotobookScrapbookPack1
      HPPhotoSmartPhotobookWebPack1
      HPTCSSetup
      iTunes
      Java(TM) 6 Update 13
      Java(TM) 6 Update 5
      LabelPrint
      Last.fm 1.5.4.24567
      Malwarebytes' Anti-Malware
      Microsoft .NET Framework 3.5 SP1
      Microsoft Silverlight
      Microsoft Visual C Runtime
      Microsoft Visual C++ 2005 Redistributable
      Microsoft Works
      MKV Splitter
      Mozilla Firefox (3.0.11)
      MSXML 4.0 SP2 (KB954430)
      muvee autoProducer 6.1
      My HP Games
      NetWaiting
      NVIDIA Drivers
      Power2Go
      PowerDirector
      PSSWCORE
      QuickPlay SlingPlayer 0.4.6
      QuickTime
      Realtek USB 2.0 Card Reader
      RegCure 1.6.0.0
      Spelling Dictionaries Support For Adobe Reader 8
      Spyware Doctor 6.0
      SUPERAntiSpyware Free Edition
      Switch Sound File Converter
      Synaptics Pointing Device Driver
      System Requirements Lab
      TextMaker Viewer
      Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
      VC80CRTRedist - 8.0.50727.762
      VideoToolkit01
      Viewpoint Media Player
      VLC media player 0.9.9
      WavePad Sound Editor

      ==== Event Viewer Messages From Past Week ========

      7/18/2009 5:36:58 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {883FF1FC-09E1-48E5-8E54-E2469ACB0CFD}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
      7/18/2009 12:58:24 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      7/18/2009 12:58:19 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {56EA1054-1959-467F-BE3B-A2A787C4B6EA}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
      7/18/2009 12:58:17 PM, Error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
      7/18/2009 12:57:59 PM, Error: EventLog [6008]  - The previous system shutdown at 12:57:01 PM on 7/18/2009 was unexpected.
      7/18/2009 12:48:26 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {4D111E08-CBF7-4F12-A926-2C7920AF52FC}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
      7/18/2009 1:01:40 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {86D5EB8A-859F-4C7B-A76B-2BD819B7A850}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{86D5EB8A-859F-4C7B-A76B-2BD819B7A850}
      7/17/2009 8:04:59 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {FCC74B77-EC3E-4DD8-A80B-008A702075A9}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
      7/17/2009 8:00:40 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {3AD05575-8857-4850-9277-11B85BDB8E09}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
      7/17/2009 5:38:38 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {A2D8CFE7-7BA4-4BAD-B86B-851376B59134}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{A2D8CFE7-7BA4-4BAD-B86B-851376B59134}
      7/17/2009 5:33:26 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the sdCoreService service.
      7/17/2009 3:31:17 AM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the PEVSystemStart service to connect.
      7/17/2009 3:31:16 AM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
      7/16/2009 9:43:33 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {BBD8C065-5E6C-4E88-BFD7-BE3E6D1C063B}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{BBD8C065-5E6C-4E88-BFD7-BE3E6D1C063B}
      7/15/2009 12:43:38 AM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {E9495B87-D950-4AB5-87A5-FF6D70BF3E90}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}
      7/15/2009 12:42:46 AM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {A2D75874-6750-4931-94C1-C99D3BC9D0C7}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{A79DB36D-6218-48E6-9EC9-DCBA9A39BF0F}
      7/14/2009 10:23:16 AM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 192.168.0.10 for the Network Card with network address 00234E139720 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
      7/14/2009 10:12:38 AM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {D1F60CCB-8329-406E-976F-660B1BDF0D97}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{D1F60CCB-8329-406E-976F-660B1BDF0D97}
      7/14/2009 1:46:03 AM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {1F2E5C40-9550-11CE-99D2-00AA006E086C}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{1F2E5C40-9550-11CE-99D2-00AA006E086C}
      7/14/2009 1:23:01 AM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {9DF523B0-A6C0-4EA9-B5F1-F4565C3AC8B8}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{9DF523B0-A6C0-4EA9-B5F1-F4565C3AC8B8}
      7/11/2009 7:52:05 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {BB46F03E-7CD2-489F-8F95-BB950F395FDB}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{16D99191-6280-4B33-A2F5-04805A0FC582}
      7/11/2009 2:39:06 PM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 76.105.214.195 for the Network Card with network address 001F16498BEF has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
      7/11/2009 2:35:55 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {BA126F01-2166-11D1-B1D0-00805FC1270E}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{BA126F01-2166-11D1-B1D0-00805FC1270E}
      7/11/2009 1:11:58 AM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {71E7431B-17AA-4018-B62B-08C5F9AA4D8E}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{71E7431B-17AA-4018-B62B-08C5F9AA4D8E}

      ==== End Of File ===========================
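
The DDS log above is what a helper reads by hand to spot entries such as the BHO registered with "No File" and the repeated DistributedCOM 10000 failures that name DllHost.exe. As an added example (not part of this thread, and not code from the DDS tool), here is a small Python triage script that parses lines in that format; the sample lines are copied from the log above, and the function names are my own.

```python
"""Triage helpers for DDS-style logs: list BHO entries whose DLL is missing
("No File") and summarise DistributedCOM 10000 failures that name DllHost.exe."""
import re
from collections import Counter

# Constructed sample input (example only): a few lines copied in the DDS format
# from the log posted above, so the GUIDs are the ones from this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

==== Event Viewer Messages From Past Week ========

7/18/2009 5:36:58 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {883FF1FC-09E1-48E5-8E54-E2469ACB0CFD}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
7/18/2009 12:58:24 PM, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
7/18/2009 12:57:59 PM, Error: EventLog [6008]  - The previous system shutdown at 12:57:01 PM on 7/18/2009 was unexpected.
7/17/2009 5:33:26 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the sdCoreService service.
"""

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"

# "BHO: <optional name>: {CLSID} - <dll path or 'No File'>"
BHO_RE = re.compile(
    r"^BHO:\s*(?:(?P<name>[^{]*?):\s*)?(?P<clsid>" + GUID + r")\s*-\s*(?P<path>.*)$"
)

# DDS event line for DistributedCOM event 10000 whose command is a DllHost surrogate.
DCOM_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"Error: Microsoft-Windows-DistributedCOM \[10000\]\s+-\s+"
    r"Unable to start a DCOM Server: (?P<server>" + GUID + r")\. "
    r"The error: \"(?P<code>\d+)\".*?DllHost\.exe /Processid:(?P<appid>" + GUID + r")$"
)


def parse_bhos(text):
    """Return (clsid, name, path) for every BHO line in the Pseudo HJT section."""
    found = []
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            found.append((m["clsid"], m["name"] or "", m["path"].strip()))
    return found


def orphaned_bhos(text):
    """CLSIDs still registered as BHOs whose DLL is gone: DDS prints 'No File'.
    These are the entries a helper cleans up (the CFScript in this thread targets one)."""
    return [clsid for clsid, _, path in parse_bhos(text) if path == "No File"]


def parse_dcom_failures(text):
    """One dict per DistributedCOM 10000 line that tried to start DllHost.exe."""
    events = []
    for line in text.splitlines():
        m = DCOM_RE.match(line.strip())
        if m:
            events.append({"when": m["when"], "server": m["server"].upper(),
                           "code": int(m["code"]), "appid": m["appid"].upper()})
    return events


def summarize_dcom(text):
    """Aggregate the DllHost start failures so repeats stand out at a glance."""
    events = parse_dcom_failures(text)
    codes = Counter(e["code"] for e in events)
    # The server CLSID and the surrogate AppID are often the same GUID; a
    # different AppID only means the class is registered under its own AppID,
    # which is normal, so it is reported as a count rather than as a finding.
    mismatches = sum(1 for e in events if e["server"] != e["appid"])
    return {
        "count": len(events),
        "error_codes": dict(codes),
        # Win32 error 5 is ERROR_ACCESS_DENIED: the surrogate launch was refused.
        "access_denied": codes.get(5, 0),
        "appids": sorted({e["appid"] for e in events}),
        "server_appid_mismatch": mismatches,
    }


if __name__ == "__main__":
    print("Orphaned BHOs:", orphaned_bhos(SAMPLE_DDS))
    for key, value in summarize_dcom(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

A useful follow-up check with the real log is whether the access-denied timestamps line up with the Spyware Doctor alerts described in the first post, since both involve DLLHOST.EXE.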

      evilfantasy

      Re: DLLHOST.EXE/SVCHOST.EXE malicious actions?
      « Reply #3 on: July 18, 2009, 07:02:16 PM »
      Go to Add or Remove Programs and uninstall:

      • RegCure 1.6.0.0
      • Viewpoint Media Player
      --------

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      DO NOT run it yet!

      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      Driver::
      Viewpoint Manager Service

      DDS::
      BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

      Firefox::
      FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

      Folder::
      c:\program files\viewpoint
      c:\users\phils\appdata\roaming\ParetoLogic
      c:\users\phils\appdata\roaming\DriverCure
      c:\programdata\ParetoLogic
      c:\programdata\DriverCure
      c:\progra~2\ParetoLogic
      c:\progra~2\DriverCure
      c:\programdata\RegCure
      c:\progra~2\RegCure


      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

      ----------

      Your Java is out of date.

      Older versions have vulnerabilities that malicious sites can use to infect your system.

      First install the new Sun Java Runtime Environment

      Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

      Be sure to close all browser windows before beginning the install.

      Remove the old version(s)

      Download JavaRa
      * Unzip the file and open the JavaRa.exe
      * Click Remove Older Versions
      * JavaRa will search for and remove any outdated version of Java and remove any that are found.
      * Click Additional Tasks
      * Place a check next to Remove Useless JRE Files and click Go
      * Exit JavaRa
      * Delete the JavaRa files from the Desktop

      Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

      wordisbonz

        Topic Starter


        Greenhorn

        Re: DLLHOST.EXE/SVCHOST.EXE malicious actions?
        « Reply #4 on: July 18, 2009, 08:20:08 PM »
        Ok, I keep getting this popup - "You don't have sufficient access to uninstall ____. Please contact your system administrator." when trying to uninstall anything.

        JavaRa worked. I could not install the new Java... I got an error message saying "Unzipping core files failed." and the installation exited.




        ComboFix 09-07-14.08 - PhilS 07/18/2009 18:45.1.2 - NTFSx86
        Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2814.1659 [GMT -7:00]
        Running from: c:\users\PhilS\Desktop\ComboFix.exe
        Command switches used :: c:\users\PhilS\Desktop\CFScript.txt
        SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
        SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\progra~2\DriverCure
        c:\progra~2\DriverCure\9B13A86D3456.plf
        c:\progra~2\ParetoLogic
        c:\progra~2\ParetoLogic\Privacy Controls\AppPreferences.dat
        c:\progra~2\ParetoLogic\UUS2\DriverCure\Master.xml
        c:\progra~2\ParetoLogic\UUS2\DriverCure\Patch.xml
        c:\progra~2\ParetoLogic\UUS2\DriverCure\Update.xml
        c:\progra~2\RegCure
        c:\progra~2\RegCure\whitelist.dat
        c:\program files\viewpoint
        c:\program files\viewpoint\Common\ViewpointService.exe
        c:\program files\viewpoint\Common\VistaBoot.sdll
        c:\program files\viewpoint\Viewpoint Media Player\AxMetaStream.dll
        c:\program files\viewpoint\Viewpoint Media Player\ClassIDs.ini
        c:\program files\viewpoint\Viewpoint Media Player\ComponentMgr.dll
        c:\program files\viewpoint\Viewpoint Media Player\ComponentRegistry.ini
        c:\program files\viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
        c:\program files\viewpoint\Viewpoint Media Player\Components\Cursors.dll
        c:\program files\viewpoint\Viewpoint Media Player\Components\JpegReader.dll
        c:\program files\viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
        c:\program files\viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
        c:\program files\viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
        c:\program files\viewpoint\Viewpoint Media Player\Components\SWFView.dll
        c:\program files\viewpoint\Viewpoint Media Player\Components\VETScriptInterpreter.dll
        c:\program files\viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
        c:\program files\viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
        c:\program files\viewpoint\Viewpoint Media Player\HostRegistry.ini
        c:\program files\viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
        c:\program files\viewpoint\Viewpoint Media Player\MetaStreamID.ini
        c:\program files\viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
        c:\program files\viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
        c:\program files\viewpoint\Viewpoint Media Player\npViewpoint.dll
        c:\program files\viewpoint\Viewpoint Media Player\npViewpoint.xpt
        c:\programdata\DriverCure\9B13A86D3456.plf
        c:\programdata\ParetoLogic\Privacy Controls\AppPreferences.dat
        c:\programdata\ParetoLogic\UUS2\DriverCure\Master.xml
        c:\programdata\ParetoLogic\UUS2\DriverCure\Patch.xml
        c:\programdata\ParetoLogic\UUS2\DriverCure\Update.xml
        c:\programdata\RegCure\whitelist.dat
        c:\users\phils\appdata\roaming\DriverCure
        c:\users\phils\appdata\roaming\DriverCure\Client.txt
        c:\users\phils\appdata\roaming\DriverCure\LogFile.txt
        c:\users\phils\appdata\roaming\DriverCure\Server.txt
        c:\users\phils\appdata\roaming\ParetoLogic
        c:\users\phils\appdata\roaming\ParetoLogic\Privacy Controls\CleanPreferences.db

        .
        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        -------\Service_Viewpoint Manager Service


        (((((((((((((((((((((((((   Files Created from 2009-06-19 to 2009-07-19  )))))))))))))))))))))))))))))))
        .

        2009-07-19 01:56 . 2009-07-19 02:01   --------   d-----w-   c:\users\PhilS\AppData\Local\temp
        2009-07-15 21:01 . 2009-07-15 21:01   --------   d-----w-   c:\program files\Trend Micro
        2009-07-15 08:51 . 2009-07-15 08:51   --------   d-----w-   c:\users\PhilS\AppData\Roaming\Malwarebytes
        2009-07-15 08:51 . 2009-07-13 20:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2009-07-15 08:51 . 2009-07-15 08:51   --------   d-----w-   c:\programdata\Malwarebytes
        2009-07-15 08:51 . 2009-07-15 08:51   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2009-07-15 08:51 . 2009-07-13 20:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2009-07-14 20:11 . 2009-06-15 14:53   156672   ----a-w-   c:\windows\system32\t2embed.dll
        2009-07-14 20:11 . 2009-06-15 14:52   72704   ----a-w-   c:\windows\system32\fontsub.dll
        2009-07-14 20:11 . 2009-06-15 12:42   289792   ----a-w-   c:\windows\system32\atmfd.dll
        2009-07-14 20:11 . 2009-06-15 14:52   23552   ----a-w-   c:\windows\system32\lpk.dll
        2009-07-14 20:11 . 2009-06-15 14:51   10240   ----a-w-   c:\windows\system32\dciman32.dll
        2009-07-14 17:06 . 2009-07-14 17:06   --------   d-----w-   c:\programdata\Cached Installations
        2009-07-14 17:00 . 2009-07-14 17:00   --------   d-----w-   c:\programdata\Downloaded Installations
        2009-07-14 08:25 . 2009-07-14 08:39   --------   d-----w-   c:\program files\RegCure
        2009-07-13 17:41 . 2009-07-16 00:48   117760   ----a-w-   c:\users\PhilS\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2009-07-13 17:41 . 2009-07-13 17:41   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
        2009-07-13 17:40 . 2009-07-13 17:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2009-07-13 17:40 . 2009-07-13 17:40   --------   d-----w-   c:\users\PhilS\AppData\Roaming\SUPERAntiSpyware.com
        2009-07-13 17:39 . 2009-07-13 17:39   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
        2009-07-10 23:43 . 2009-07-10 23:43   --------   d-----w-   c:\users\PhilS\AppData\Roaming\funkitron
        2009-07-09 09:08 . 2009-07-09 09:08   --------   d-----w-   c:\users\PhilS\AppData\Roaming\iWin
        2009-07-04 21:05 . 2009-07-04 21:06   --------   d-----w-   c:\windows\system32\ca-ES
        2009-07-04 21:05 . 2009-07-04 21:06   --------   d-----w-   c:\windows\system32\eu-ES
        2009-07-04 21:05 . 2009-07-04 21:06   --------   d-----w-   c:\windows\system32\vi-VN
        2009-07-04 19:40 . 2009-07-04 19:40   --------   d-----w-   c:\windows\system32\EventProviders
        2009-07-04 19:36 . 2009-04-11 06:28   289792   ----a-w-   c:\windows\system32\spinstall.exe
        2009-07-04 19:35 . 2009-04-11 06:28   71680   ----a-w-   c:\windows\system32\propdefs.dll
        2009-07-04 19:34 . 2009-04-11 06:28   152576   ----a-w-   c:\windows\system32\secproc_ssp_isv.dll
        2009-07-04 19:33 . 2009-04-11 06:28   140288   ----a-w-   c:\windows\system32\wpcsvc.dll
        2009-07-04 19:32 . 2009-04-11 06:28   83968   ----a-w-   c:\windows\system32\wbem\wmiutils.dll
        2009-07-04 19:32 . 2009-04-11 06:28   744448   ----a-w-   c:\windows\system32\wbem\wbemcore.dll
        2009-07-04 19:32 . 2009-04-11 06:28   30208   ----a-w-   c:\windows\system32\wbem\wbemprox.dll
        2009-07-04 19:32 . 2009-04-11 06:28   265728   ----a-w-   c:\windows\system32\wbem\repdrvfs.dll
        2009-07-04 19:32 . 2009-04-11 06:28   189440   ----a-w-   c:\windows\system32\wbem\mofd.dll
        2009-07-04 19:32 . 2009-04-11 06:28   614912   ----a-w-   c:\windows\system32\wbem\fastprox.dll
        2009-07-04 19:32 . 2009-04-11 06:28   265728   ----a-w-   c:\windows\system32\wbem\esscli.dll
        2009-07-04 19:32 . 2009-04-11 06:28   705536   ----a-w-   c:\windows\system32\SmiEngine.dll
        2009-07-04 19:32 . 2009-04-11 06:28   218624   ----a-w-   c:\windows\system32\wdscore.dll
        2009-07-04 19:32 . 2009-04-11 06:27   130560   ----a-w-   c:\windows\system32\PkgMgr.exe
        2009-07-04 19:32 . 2009-04-11 06:28   247808   ----a-w-   c:\windows\system32\drvstore.dll
        2009-06-25 08:20 . 2009-06-25 08:24   --------   d-----w-   c:\program files\SystemRequirementsLab
        2009-06-25 08:20 . 2009-06-25 08:21   --------   d-----w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab
        2009-06-25 08:20 . 2009-06-25 08:20   290816   ----a-w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
        2009-06-25 08:20 . 2009-06-25 08:20   290816   ----a-w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
        2009-06-25 08:20 . 2009-06-25 08:20   290816   ----a-w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
        2009-06-25 08:20 . 2009-06-25 08:20   290816   ----a-w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
        2009-06-22 10:42 . 2009-06-24 11:14   --------   d-----w-   c:\users\PhilS\AppData\Roaming\dvdcss
        2009-06-21 21:50 . 2009-06-05 11:33   68640   ----a-w-   c:\windows\unTMV.exe
        2009-06-21 21:50 . 2009-06-21 21:50   --------   d-----w-   c:\program files\SoftMaker Viewer
        2009-06-19 19:58 . 2009-06-19 19:58   --------   d-----w-   c:\users\PhilS\AppData\Roaming\Recordpad
        2009-06-19 11:32 . 2009-06-19 11:33   --------   d-----w-   c:\programdata\NCH Swift Sound
        2009-06-19 11:32 . 2009-06-19 11:33   --------   d-----w-   c:\users\PhilS\AppData\Roaming\NCH Swift Sound
        2009-06-19 11:32 . 2009-06-19 11:32   --------   d-----w-   c:\program files\NCH Software
        2009-06-19 11:31 . 2009-06-27 03:50   --------   d-----w-   c:\program files\NCH Swift Sound
        2009-06-19 11:28 . 2009-06-19 11:28   --------   d-----w-   c:\programdata\FreeRIP
        2009-06-19 11:28 . 2009-06-19 11:28   --------   d-----w-   c:\program files\FreeRIP3

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-07-19 01:59 . 2008-12-26 00:31   --------   d-----w-   c:\program files\Spyware Doctor
        2009-07-19 00:35 . 2008-12-26 00:22   27839   ----a-w-   c:\programdata\nvModes.dat
        2009-07-15 06:38 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
        2009-07-15 00:12 . 2008-12-26 00:25   1092   ----a-w-   c:\users\PhilS\AppData\Roaming\wklnhst.dat
        2009-07-14 17:11 . 2008-12-26 00:31   --------   d-----w-   c:\program files\Common Files\PC Tools
        2009-07-14 17:07 . 2008-12-30 00:43   --------   d-----w-   c:\users\PhilS\AppData\Roaming\uTorrent
        2009-07-14 08:56 . 2008-12-26 07:54   74432   ----a-w-   c:\users\PhilS\AppData\Local\GDIPFONTCACHEV1.DAT
        2009-07-11 11:16 . 2008-08-04 17:19   --------   d-----w-   c:\programdata\WildTangent
        2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Sidebar
        2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Photo Gallery
        2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Collaboration
        2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Calendar
        2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Defender
        2009-07-04 21:05 . 2006-11-02 10:25   665600   ----a-w-   c:\windows\inf\drvindex.dat
        2009-07-04 19:58 . 2008-11-06 03:37   --------   d-----w-   c:\programdata\NVIDIA
        2009-07-04 19:47 . 2006-11-02 12:37   37665   ----a-w-   c:\windows\Fonts\GlobalUserInterface.CompositeFont
        2009-06-30 22:36 . 2009-07-12 05:36   18696   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryReplaceNew.exe
        2009-06-30 22:10 . 2009-07-12 05:36   18696   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryNoTravel.exe
        2009-06-30 22:03 . 2009-07-12 05:36   18696   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryAccessories.exe
        2009-06-30 19:44 . 2009-07-12 05:36   18184   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryWeakNew.exe
        2009-06-27 01:36 . 2009-07-12 05:36   18184   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryUpgrade.exe
        2009-06-21 08:52 . 2009-06-18 10:22   --------   d-----w-   c:\users\PhilS\AppData\Roaming\vlc
        2009-06-18 10:21 . 2009-06-18 10:21   --------   d-----w-   c:\program files\VideoLAN
        2009-06-18 10:15 . 2009-06-18 10:13   --------   d-----w-   c:\program files\GPL MPEG Decoder
        2009-06-13 10:03 . 2008-08-04 17:50   --------   d-----w-   c:\program files\Microsoft Works
        2009-06-07 06:27 . 2009-01-09 00:06   --------   d-----w-   c:\program files\DivX
        2009-06-07 06:23 . 2009-06-07 06:23   --------   d-----w-   c:\program files\Common Files\DivX Shared
        2009-06-07 05:54 . 2009-04-08 05:13   --------   d-----w-   c:\users\PhilS\AppData\Roaming\DivX
        2009-05-09 05:50 . 2009-06-12 14:11   915456   ----a-w-   c:\windows\system32\wininet.dll
        2009-05-09 05:34 . 2009-06-12 14:11   71680   ----a-w-   c:\windows\system32\iesetup.dll
        2009-05-01 21:02 . 2009-05-01 21:02   90112   ----a-w-   c:\windows\system32\dpl100.dll
        2009-05-01 21:02 . 2009-05-01 21:02   823296   ----a-w-   c:\windows\system32\divx_xx0c.dll
        2009-05-01 21:02 . 2009-05-01 21:02   823296   ----a-w-   c:\windows\system32\divx_xx07.dll
        2009-05-01 21:02 . 2009-05-01 21:02   815104   ----a-w-   c:\windows\system32\divx_xx0a.dll
        2009-05-01 21:02 . 2009-05-01 21:02   811008   ----a-w-   c:\windows\system32\divx_xx16.dll
        2009-05-01 21:02 . 2009-05-01 21:02   802816   ----a-w-   c:\windows\system32\divx_xx11.dll
        2009-05-01 21:02 . 2009-05-01 21:02   685056   ----a-w-   c:\windows\system32\DivX.dll
        2009-04-23 12:15 . 2009-06-12 14:11   784896   ----a-w-   c:\windows\system32\rpcrt4.dll
        2009-04-23 12:14 . 2009-06-12 14:12   623616   ----a-w-   c:\windows\system32\localspl.dll
        2009-04-21 11:39 . 2009-06-12 14:12   2034688   ----a-w-   c:\windows\system32\win32k.sys
        2009-04-20 06:26 . 2009-03-30 00:32   39200   ----a-w-   c:\windows\system32\drivers\TfSysMon.sys
        2009-04-20 06:26 . 2009-03-30 00:32   33056   ----a-w-   c:\windows\system32\drivers\TfNetMon.sys
        2009-04-20 06:26 . 2009-03-30 00:32   51488   ----a-w-   c:\windows\system32\drivers\TfFsMon.sys
        2009-04-20 06:26 . 2009-03-30 00:32   12576   ----a-w-   c:\windows\system32\drivers\TfKbMon.sys
        2009-04-20 06:26 . 2009-03-30 00:30   130936   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
        2009-06-12 10:19 . 2009-01-06 23:26   134648   ----a-w-   c:\program files\mozilla firefox\components\brwsrcmp.dll
        2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
        2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
        2008-08-04 15:03 . 2008-08-04 15:03   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
        "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
        "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
        "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
        "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
        "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
        "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
        "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
        "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]
        "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]
        "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "EnableUIADesktopToggle"= 0 (0x0)

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
        @=""

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
        @=""

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
        @="Driver"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
        @="Service"

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
        "VistaSp2"=hex(b):d7,86,ac,d9,ec,fc,c9,01

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
        "{053E5549-ECD5-4FE4-8DB9-641DFB10CF77}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
        "{C1BAABB6-21B7-49B7-91E1-E455B4B6BC44}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
        "{C55EE582-4D18-4465-B67C-01CCBFDC83AC}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
        "{B2DD7404-A6FC-40B9-8308-6C878692A3C9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
        "{61163C9B-D9DA-4470-B24F-3F12B829515A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
        "TCP Query User{5FFDBBF0-35FB-4F2D-9936-1E5CA81749AD}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
        "UDP Query User{557017AC-78EB-4FEF-B5BA-785EC157B329}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
        "TCP Query User{C02004D7-C5DA-4F5A-9748-7C6D34C4B495}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
        "UDP Query User{F9002FAE-E853-4411-9606-D546AA53E040}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
        "{C584877B-5ED8-4DE5-AF02-3B55F5AEF3FD}"= Disabled:UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
        "{1AFE8673-5972-4C8A-BC15-0B44CC879F75}"= Disabled:TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
        "{7D94000C-BBBC-44EB-BCCA-577F962A31C6}"= Disabled:UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
        "{17ECCB8F-DF6F-416B-884A-F0B83C4C6A41}"= Disabled:TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
        "DoNotAllowExceptions"= 1 (0x1)

        R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [3/29/2009 5:30 PM 130936]
        R0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys [3/29/2009 5:32 PM 51488]
        R0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys [3/29/2009 5:32 PM 39200]
        R1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [3/29/2009 5:30 PM 159600]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
        R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [8/4/2008 11:43 AM 361808]
        R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/25/2008 5:31 PM 348752]
        R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [8/4/2008 10:15 AM 193840]
        R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [5/9/2008 12:17 PM 43040]
        R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [3/29/2009 5:30 PM 64392]
        R3 TfNetMon;TfNetMon;c:\windows\System32\drivers\TfNetMon.sys [3/29/2009 5:32 PM 33056]
        R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

        --- Other Services/Drivers In Memory ---

        *Deregistered* - mchInjDrv

        [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
        "c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
        .
        Contents of the 'Scheduled Tasks' folder

        2009-07-18 c:\windows\Tasks\HPCeeScheduleForPhilS.job
        - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-04 03:03]

        2009-07-19 c:\windows\Tasks\RegCure Program Check.job
        - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

        2009-07-19 c:\windows\Tasks\RegCure Startup.job
        - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

        2009-07-14 c:\windows\Tasks\RegCure.job
        - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

        2009-07-18 c:\windows\Tasks\User_Feed_Synchronization-{9051D44C-782E-4E8D-B571-01D8B4400FEE}.job
        - c:\windows\system32\msfeedssync.exe [2009-04-06 11:31]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.aol.com/
        mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
        uInternet Settings,ProxyOverride = *.local
        LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
        FF - ProfilePath - c:\users\PhilS\AppData\Roaming\Mozilla\Firefox\Profiles\r2or64x5.default\
        FF - prefs.js: browser.startup.homepage - hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
        .

        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-07-18 19:00
        Windows 6.0.6002 Service Pack 2 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(1196)
        c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

        - - - - - - - > 'lsass.exe'(660)
        c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

        - - - - - - - > 'Explorer.exe'(3008)
        c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\windows\System32\nvvsvc.exe
        c:\windows\System32\audiodg.exe
        c:\windows\System32\rundll32.exe
        c:\windows\System32\wlanext.exe
        c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        c:\program files\Bonjour\mDNSResponder.exe
        c:\program files\CyberLink\Shared Files\RichVideo.exe
        c:\program files\Spyware Doctor\pctsSvc.exe
        c:\windows\System32\drivers\XAudio.exe
        c:\program files\Spyware Doctor\TFEngine\TFService.exe
        c:\windows\System32\rundll32.exe
        c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
        c:\program files\Windows Media Player\wmpnscfg.exe
        c:\program files\Windows Media Player\wmpnetwk.exe
        c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
        .
        **************************************************************************
        .
        Completion time: 2009-07-19 19:10 - machine was rebooted
        ComboFix-quarantined-files.txt  2009-07-19 02:10
        ComboFix2.txt  2009-07-17 10:37

        Pre-Run: 75,693,498,368 bytes free
        Post-Run: 75,118,772,224 bytes free

        318   --- E O F ---   2009-07-15 06:38

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: DLLHOST.EXE/SVCHOST.EXE malicious actions?
        « Reply #5 on: July 18, 2009, 08:44:34 PM »
        Is this a limited account?

        Delete these files/folders, as follows:

        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        KillAll::

        File::
        c:\windows\Tasks\RegCure Program Check.job
        c:\windows\Tasks\RegCure Startup.job
        c:\windows\Tasks\RegCure.job

        Folder::
        c:\program files\RegCure

        Registry::
        [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

        [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

        RegLock::
        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

        wordisbonz

          Topic Starter


          Greenhorn

          Re: DLLHOST.EXE/SVCHOST.EXE malicious actions?
          « Reply #6 on: July 18, 2009, 08:49:14 PM »
          It never was... These limitations saying "PhilS" is not the admin began with the Spyware Doctor dllhost/svchost messages, I don't know what's going on. ??? Doing ComboFix now..

          wordisbonz

            Topic Starter


            Greenhorn

            Re: DLLHOST.EXE/SVCHOST.EXE malicious actions?
            « Reply #7 on: July 19, 2009, 02:06:07 AM »
            ComboFix 09-07-14.08 - PhilS 07/19/2009  0:43.3.2 - NTFSx86
            Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2814.1746 [GMT -7:00]
            Running from: c:\users\PhilS\Desktop\ComboFix.exe
            Command switches used :: c:\users\PhilS\Desktop\CFScript.txt
            SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
            SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

            FILE ::
            "c:\windows\Tasks\RegCure Program Check.job"
            "c:\windows\Tasks\RegCure Startup.job"
            "c:\windows\Tasks\RegCure.job"
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            ---- Previous Run -------
            .
            c:\program files\RegCure
            c:\program files\RegCure\0_days.htm
            c:\program files\RegCure\1_days.htm
            c:\program files\RegCure\15_days.htm
            c:\program files\RegCure\2_days.htm
            c:\program files\RegCure\30_days.htm
            c:\program files\RegCure\5_days.htm
            c:\program files\RegCure\Animated-Bar.gif
            c:\program files\RegCure\AutoUpdate.dll
            c:\program files\RegCure\Backup\RegCureBak_July_14_09_01_39_51.bak
            c:\program files\RegCure\Backup\RegCureBak_July_14_09_01_39_51.reg
            c:\program files\RegCure\Backup\RegCureBak_July_14_09_01_39_51\Sample Music.lnk
            c:\program files\RegCure\Backup\RegCureBak_July_14_09_01_39_51\Sample Videos.lnk
            c:\program files\RegCure\Backup\RegCureBak_July_14_09_09_45_18.reg
            c:\program files\RegCure\Backup\RegCureBak_July_16_09_02_29_39.bak
            c:\program files\RegCure\Backup\RegCureBak_July_16_09_02_29_39.reg
            c:\program files\RegCure\Backup\RegCureBak_July_16_09_02_29_39\Recently Changed.lnk
            c:\program files\RegCure\blue_duo.jpg
            c:\program files\RegCure\buttonfill.jpg
            c:\program files\RegCure\buttonfill_expire.jpg
            c:\program files\RegCure\buttonfill_mo.jpg
            c:\program files\RegCure\buttonfill_mo_expire.jpg
            c:\program files\RegCure\BuyNags.htm
            c:\program files\RegCure\center_gradient.jpg
            c:\program files\RegCure\container_content_bkimg.gif
            c:\program files\RegCure\container_content_leftimg.gif
            c:\program files\RegCure\container_content_rightimg.gif
            c:\program files\RegCure\contentwrapper.gif
            c:\program files\RegCure\email.htm
            c:\program files\RegCure\expire.css
            c:\program files\RegCure\footerbar.gif
            c:\program files\RegCure\green_duo.jpg
            c:\program files\RegCure\help.chm
            c:\program files\RegCure\info_bubble.jpg
            c:\program files\RegCure\left_gradient.jpg
            c:\program files\RegCure\logo.jpg
            c:\program files\RegCure\Logs\Regcure-14-07-09-01-39-53.zip
            c:\program files\RegCure\Logs\Regcure-14-07-09-09-45-19.zip
            c:\program files\RegCure\Logs\Regcure-16-07-09-02-29-39.zip
            c:\program files\RegCure\Logs\SystemInfo.zip
            c:\program files\RegCure\LogSettings.xml
            c:\program files\RegCure\main.css
            c:\program files\RegCure\main_nag.css
            c:\program files\RegCure\main_showstats.css
            c:\program files\RegCure\package_titlebar_bkimg.jpg
            c:\program files\RegCure\process-animation.gif
            c:\program files\RegCure\RegCure.exe
            c:\program files\RegCure\regcure.gif
            c:\program files\RegCure\right_gradient.jpg
            c:\program files\RegCure\settings.xml
            c:\program files\RegCure\showstats.htm
            c:\program files\RegCure\small_vbxregcure.jpg
            c:\program files\RegCure\special_offer.jpg
            c:\program files\RegCure\special_offer_nag.jpg
            c:\program files\RegCure\subtitlebar.gif
            c:\program files\RegCure\tile_titlebar.jpg
            c:\program files\RegCure\Tip1.html
            c:\program files\RegCure\Tip10.html
            c:\program files\RegCure\Tip11.html
            c:\program files\RegCure\Tip12.html
            c:\program files\RegCure\Tip13.html
            c:\program files\RegCure\Tip14.html
            c:\program files\RegCure\Tip15.html
            c:\program files\RegCure\Tip2.html
            c:\program files\RegCure\Tip3.html
            c:\program files\RegCure\Tip4.html
            c:\program files\RegCure\Tip5.html
            c:\program files\RegCure\Tip6.html
            c:\program files\RegCure\Tip7.html
            c:\program files\RegCure\Tip8.html
            c:\program files\RegCure\Tip9.html
            c:\program files\RegCure\titlebar_left.jpg
            c:\program files\RegCure\titlebar_right.jpg
            c:\program files\RegCure\tp.css
            c:\program files\RegCure\TrialPay.htm
            c:\program files\RegCure\underline.gif
            c:\program files\RegCure\uninst.exe
            c:\program files\RegCure\zlibwapi.dll
            c:\windows\Tasks\RegCure Program Check.job
            c:\windows\Tasks\RegCure Startup.job
            c:\windows\Tasks\RegCure.job

            .
            (((((((((((((((((((((((((   Files Created from 2009-06-19 to 2009-07-19  )))))))))))))))))))))))))))))))
            .

            2009-07-19 07:52 . 2009-07-19 07:55   --------   d-----w-   c:\users\PhilS\AppData\Local\temp
            2009-07-19 07:38 . 2009-07-19 07:38   --------   d-----w-   c:\programdata\McAfee
            2009-07-15 21:01 . 2009-07-15 21:01   --------   d-----w-   c:\program files\Trend Micro
            2009-07-15 08:51 . 2009-07-15 08:51   --------   d-----w-   c:\users\PhilS\AppData\Roaming\Malwarebytes
            2009-07-15 08:51 . 2009-07-13 20:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2009-07-15 08:51 . 2009-07-15 08:51   --------   d-----w-   c:\programdata\Malwarebytes
            2009-07-15 08:51 . 2009-07-15 08:51   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2009-07-15 08:51 . 2009-07-13 20:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2009-07-14 20:11 . 2009-06-15 14:53   156672   ----a-w-   c:\windows\system32\t2embed.dll
            2009-07-14 20:11 . 2009-06-15 14:52   72704   ----a-w-   c:\windows\system32\fontsub.dll
            2009-07-14 20:11 . 2009-06-15 12:42   289792   ----a-w-   c:\windows\system32\atmfd.dll
            2009-07-14 20:11 . 2009-06-15 14:52   23552   ----a-w-   c:\windows\system32\lpk.dll
            2009-07-14 20:11 . 2009-06-15 14:51   10240   ----a-w-   c:\windows\system32\dciman32.dll
            2009-07-14 17:06 . 2009-07-14 17:06   --------   d-----w-   c:\programdata\Cached Installations
            2009-07-14 17:00 . 2009-07-14 17:00   --------   d-----w-   c:\programdata\Downloaded Installations
            2009-07-13 17:41 . 2009-07-16 00:48   117760   ----a-w-   c:\users\PhilS\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
            2009-07-13 17:41 . 2009-07-13 17:41   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
            2009-07-13 17:40 . 2009-07-13 17:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2009-07-13 17:40 . 2009-07-13 17:40   --------   d-----w-   c:\users\PhilS\AppData\Roaming\SUPERAntiSpyware.com
            2009-07-13 17:39 . 2009-07-13 17:39   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
            2009-07-10 23:43 . 2009-07-10 23:43   --------   d-----w-   c:\users\PhilS\AppData\Roaming\funkitron
            2009-07-09 09:08 . 2009-07-09 09:08   --------   d-----w-   c:\users\PhilS\AppData\Roaming\iWin
            2009-07-04 21:05 . 2009-07-04 21:06   --------   d-----w-   c:\windows\system32\ca-ES
            2009-07-04 21:05 . 2009-07-04 21:06   --------   d-----w-   c:\windows\system32\eu-ES
            2009-07-04 21:05 . 2009-07-04 21:06   --------   d-----w-   c:\windows\system32\vi-VN
            2009-07-04 19:40 . 2009-07-04 19:40   --------   d-----w-   c:\windows\system32\EventProviders
            2009-07-04 19:36 . 2009-04-11 06:28   289792   ----a-w-   c:\windows\system32\spinstall.exe
            2009-07-04 19:35 . 2009-04-11 06:28   71680   ----a-w-   c:\windows\system32\propdefs.dll
            2009-07-04 19:34 . 2009-04-11 06:28   152576   ----a-w-   c:\windows\system32\secproc_ssp_isv.dll
            2009-07-04 19:33 . 2009-04-11 06:28   140288   ----a-w-   c:\windows\system32\wpcsvc.dll
            2009-07-04 19:32 . 2009-04-11 06:28   83968   ----a-w-   c:\windows\system32\wbem\wmiutils.dll
            2009-07-04 19:32 . 2009-04-11 06:28   744448   ----a-w-   c:\windows\system32\wbem\wbemcore.dll
            2009-07-04 19:32 . 2009-04-11 06:28   30208   ----a-w-   c:\windows\system32\wbem\wbemprox.dll
            2009-07-04 19:32 . 2009-04-11 06:28   265728   ----a-w-   c:\windows\system32\wbem\repdrvfs.dll
            2009-07-04 19:32 . 2009-04-11 06:28   189440   ----a-w-   c:\windows\system32\wbem\mofd.dll
            2009-07-04 19:32 . 2009-04-11 06:28   614912   ----a-w-   c:\windows\system32\wbem\fastprox.dll
            2009-07-04 19:32 . 2009-04-11 06:28   265728   ----a-w-   c:\windows\system32\wbem\esscli.dll
            2009-07-04 19:32 . 2009-04-11 06:28   705536   ----a-w-   c:\windows\system32\SmiEngine.dll
            2009-07-04 19:32 . 2009-04-11 06:28   218624   ----a-w-   c:\windows\system32\wdscore.dll
            2009-07-04 19:32 . 2009-04-11 06:27   130560   ----a-w-   c:\windows\system32\PkgMgr.exe
            2009-07-04 19:32 . 2009-04-11 06:28   247808   ----a-w-   c:\windows\system32\drvstore.dll
            2009-06-25 08:20 . 2009-06-25 08:24   --------   d-----w-   c:\program files\SystemRequirementsLab
            2009-06-25 08:20 . 2009-06-25 08:21   --------   d-----w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab
            2009-06-25 08:20 . 2009-06-25 08:20   290816   ----a-w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
            2009-06-25 08:20 . 2009-06-25 08:20   290816   ----a-w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
            2009-06-25 08:20 . 2009-06-25 08:20   290816   ----a-w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
            2009-06-25 08:20 . 2009-06-25 08:20   290816   ----a-w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
            2009-06-22 10:42 . 2009-06-24 11:14   --------   d-----w-   c:\users\PhilS\AppData\Roaming\dvdcss
            2009-06-21 21:50 . 2009-06-05 11:33   68640   ----a-w-   c:\windows\unTMV.exe
            2009-06-21 21:50 . 2009-06-21 21:50   --------   d-----w-   c:\program files\SoftMaker Viewer
            2009-06-19 19:58 . 2009-06-19 19:58   --------   d-----w-   c:\users\PhilS\AppData\Roaming\Recordpad
            2009-06-19 11:32 . 2009-06-19 11:33   --------   d-----w-   c:\programdata\NCH Swift Sound
            2009-06-19 11:32 . 2009-06-19 11:33   --------   d-----w-   c:\users\PhilS\AppData\Roaming\NCH Swift Sound
            2009-06-19 11:32 . 2009-06-19 11:32   --------   d-----w-   c:\program files\NCH Software
            2009-06-19 11:31 . 2009-06-27 03:50   --------   d-----w-   c:\program files\NCH Swift Sound
            2009-06-19 11:28 . 2009-06-19 11:28   --------   d-----w-   c:\programdata\FreeRIP
            2009-06-19 11:28 . 2009-06-19 11:28   --------   d-----w-   c:\program files\FreeRIP3

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2009-07-19 07:54 . 2008-12-26 00:31   --------   d-----w-   c:\program files\Spyware Doctor
            2009-07-19 00:35 . 2008-12-26 00:22   27839   ----a-w-   c:\programdata\nvModes.dat
            2009-07-15 06:38 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
            2009-07-15 00:12 . 2008-12-26 00:25   1092   ----a-w-   c:\users\PhilS\AppData\Roaming\wklnhst.dat
            2009-07-14 17:11 . 2008-12-26 00:31   --------   d-----w-   c:\program files\Common Files\PC Tools
            2009-07-14 17:07 . 2008-12-30 00:43   --------   d-----w-   c:\users\PhilS\AppData\Roaming\uTorrent
            2009-07-14 08:56 . 2008-12-26 07:54   74432   ----a-w-   c:\users\PhilS\AppData\Local\GDIPFONTCACHEV1.DAT
            2009-07-11 11:16 . 2008-08-04 17:19   --------   d-----w-   c:\programdata\WildTangent
            2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Sidebar
            2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Photo Gallery
            2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Collaboration
            2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Calendar
            2009-07-04 21:06 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Defender
            2009-07-04 21:05 . 2006-11-02 10:25   665600   ----a-w-   c:\windows\inf\drvindex.dat
            2009-07-04 19:58 . 2008-11-06 03:37   --------   d-----w-   c:\programdata\NVIDIA
            2009-07-04 19:47 . 2006-11-02 12:37   37665   ----a-w-   c:\windows\Fonts\GlobalUserInterface.CompositeFont
            2009-06-30 22:36 . 2009-07-12 05:36   18696   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryReplaceNew.exe
            2009-06-30 22:10 . 2009-07-12 05:36   18696   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryNoTravel.exe
            2009-06-30 22:03 . 2009-07-12 05:36   18696   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryAccessories.exe
            2009-06-30 19:44 . 2009-07-12 05:36   18184   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryWeakNew.exe
            2009-06-27 01:36 . 2009-07-12 05:36   18184   ----a-w-   c:\windows\Help\OEM\scripts\HC_BatteryUpgrade.exe
            2009-06-21 08:52 . 2009-06-18 10:22   --------   d-----w-   c:\users\PhilS\AppData\Roaming\vlc
            2009-06-18 10:21 . 2009-06-18 10:21   --------   d-----w-   c:\program files\VideoLAN
            2009-06-18 10:15 . 2009-06-18 10:13   --------   d-----w-   c:\program files\GPL MPEG Decoder
            2009-06-13 10:03 . 2008-08-04 17:50   --------   d-----w-   c:\program files\Microsoft Works
            2009-06-07 06:27 . 2009-01-09 00:06   --------   d-----w-   c:\program files\DivX
            2009-06-07 06:23 . 2009-06-07 06:23   --------   d-----w-   c:\program files\Common Files\DivX Shared
            2009-06-07 05:54 . 2009-04-08 05:13   --------   d-----w-   c:\users\PhilS\AppData\Roaming\DivX
            2009-05-09 05:50 . 2009-06-12 14:11   915456   ----a-w-   c:\windows\system32\wininet.dll
            2009-05-09 05:34 . 2009-06-12 14:11   71680   ----a-w-   c:\windows\system32\iesetup.dll
            2009-05-01 21:02 . 2009-05-01 21:02   90112   ----a-w-   c:\windows\system32\dpl100.dll
            2009-05-01 21:02 . 2009-05-01 21:02   823296   ----a-w-   c:\windows\system32\divx_xx0c.dll
            2009-05-01 21:02 . 2009-05-01 21:02   823296   ----a-w-   c:\windows\system32\divx_xx07.dll
            2009-05-01 21:02 . 2009-05-01 21:02   815104   ----a-w-   c:\windows\system32\divx_xx0a.dll
            2009-05-01 21:02 . 2009-05-01 21:02   811008   ----a-w-   c:\windows\system32\divx_xx16.dll
            2009-05-01 21:02 . 2009-05-01 21:02   802816   ----a-w-   c:\windows\system32\divx_xx11.dll
            2009-05-01 21:02 . 2009-05-01 21:02   685056   ----a-w-   c:\windows\system32\DivX.dll
            2009-04-23 12:15 . 2009-06-12 14:11   784896   ----a-w-   c:\windows\system32\rpcrt4.dll
            2009-04-23 12:14 . 2009-06-12 14:12   623616   ----a-w-   c:\windows\system32\localspl.dll
            2009-04-21 11:39 . 2009-06-12 14:12   2034688   ----a-w-   c:\windows\system32\win32k.sys
            2009-06-12 10:19 . 2009-01-06 23:26   134648   ----a-w-   c:\program files\mozilla firefox\components\brwsrcmp.dll
            2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
            2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
            2008-08-04 15:03 . 2008-08-04 15:03   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
            .

            (((((((((((((((((((((((((((((   SnapShot@2009-07-19_02.00.53   )))))))))))))))))))))))))))))))))))))))))
            .
            + 2006-11-02 13:05 . 2009-07-19 07:34   79512              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
            - 2008-12-26 07:42 . 2009-07-19 01:58   16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
            + 2008-12-26 07:42 . 2009-07-19 07:54   16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
            - 2008-12-26 07:42 . 2009-07-19 01:58   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
            + 2008-12-26 07:42 . 2009-07-19 07:54   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
            + 2008-12-26 07:42 . 2009-07-19 07:54   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
            - 2008-12-26 07:42 . 2009-07-19 01:58   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
            + 2009-07-19 07:53 . 2009-07-19 07:53   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
            - 2009-07-19 01:58 . 2009-07-19 01:58   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
            - 2009-07-19 01:58 . 2009-07-19 01:58   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
            + 2009-07-19 07:53 . 2009-07-19 07:53   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
            + 2008-12-26 04:27 . 2009-07-19 07:05   254518              c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
            + 2006-11-02 10:33 . 2009-07-19 07:38   595684              c:\windows\System32\perfh009.dat
            - 2006-11-02 10:33 . 2009-07-18 20:03   595684              c:\windows\System32\perfh009.dat
            + 2006-11-02 10:33 . 2009-07-19 07:38   101350              c:\windows\System32\perfc009.dat
            - 2006-11-02 10:33 . 2009-07-18 20:03   101350              c:\windows\System32\perfc009.dat
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
            "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
            "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
            "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
            "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
            "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
            "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
            "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
            "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
            "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]
            "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]
            "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
            "EnableUIADesktopToggle"= 0 (0x0)

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
            @=""

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
            @=""

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
            @="Driver"

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
            @="Service"

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
            "VistaSp2"=hex(b):d7,86,ac,d9,ec,fc,c9,01

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
            "{053E5549-ECD5-4FE4-8DB9-641DFB10CF77}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
            "{C1BAABB6-21B7-49B7-91E1-E455B4B6BC44}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
            "{C55EE582-4D18-4465-B67C-01CCBFDC83AC}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
            "{B2DD7404-A6FC-40B9-8308-6C878692A3C9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
            "{61163C9B-D9DA-4470-B24F-3F12B829515A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
            "TCP Query User{5FFDBBF0-35FB-4F2D-9936-1E5CA81749AD}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
            "UDP Query User{557017AC-78EB-4FEF-B5BA-785EC157B329}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
            "TCP Query User{C02004D7-C5DA-4F5A-9748-7C6D34C4B495}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
            "UDP Query User{F9002FAE-E853-4411-9606-D546AA53E040}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
            "{C584877B-5ED8-4DE5-AF02-3B55F5AEF3FD}"= Disabled:UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
            "{1AFE8673-5972-4C8A-BC15-0B44CC879F75}"= Disabled:TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
            "{7D94000C-BBBC-44EB-BCCA-577F962A31C6}"= Disabled:UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
            "{17ECCB8F-DF6F-416B-884A-F0B83C4C6A41}"= Disabled:TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
            "DoNotAllowExceptions"= 1 (0x1)

            R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [3/29/2009 5:30 PM 130936]
            R0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys [3/29/2009 5:32 PM 51488]
            R0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys [3/29/2009 5:32 PM 39200]
            R1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [3/29/2009 5:30 PM 159600]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
            R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [8/4/2008 11:43 AM 361808]
            R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/25/2008 5:31 PM 348752]
            R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [5/9/2008 12:17 PM 43040]
            R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [3/29/2009 5:30 PM 64392]
            R3 TfNetMon;TfNetMon;c:\windows\System32\drivers\TfNetMon.sys [3/29/2009 5:32 PM 33056]
            R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
            S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [8/4/2008 10:15 AM 193840]
            S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

            --- Other Services/Drivers In Memory ---

            *Deregistered* - mchInjDrv

            [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
            "c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
            .
            Contents of the 'Scheduled Tasks' folder

            2009-07-18 c:\windows\Tasks\HPCeeScheduleForPhilS.job
            - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-04 03:03]

            2009-07-19 c:\windows\Tasks\User_Feed_Synchronization-{9051D44C-782E-4E8D-B571-01D8B4400FEE}.job
            - c:\windows\system32\msfeedssync.exe [2009-04-06 11:31]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.aol.com/
            mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
            uInternet Settings,ProxyOverride = *.local
            LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
            FF - ProfilePath - c:\users\PhilS\AppData\Roaming\Mozilla\Firefox\Profiles\r2or64x5.default\
            FF - prefs.js: browser.startup.homepage - hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
            .

            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2009-07-19 00:54
            Windows 6.0.6002 Service Pack 2 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 


            c:\users\PhilS\AppData\Local\Temp\catchme.dll 53248 bytes executable

            scan completed successfully
            hidden files: 1

            **************************************************************************
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(1140)
            c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

            - - - - - - - > 'lsass.exe'(660)
            c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

            - - - - - - - > 'Explorer.exe'(2912)
            c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\windows\System32\nvvsvc.exe
            c:\windows\System32\audiodg.exe
            c:\windows\System32\rundll32.exe
            c:\windows\System32\wlanext.exe
            c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            c:\program files\Bonjour\mDNSResponder.exe
            c:\program files\CyberLink\Shared Files\RichVideo.exe
            c:\program files\Spyware Doctor\pctsSvc.exe
            c:\windows\System32\drivers\XAudio.exe
            c:\program files\Spyware Doctor\TFEngine\TFService.exe
            c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
            c:\windows\servicing\TrustedInstaller.exe
            c:\program files\Windows Media Player\wmpnscfg.exe
            c:\program files\Windows Media Player\wmpnetwk.exe
            .
            **************************************************************************
            .
            Completion time: 2009-07-19  1:03 - machine was rebooted
            ComboFix-quarantined-files.txt  2009-07-19 08:03
            ComboFix2.txt  2009-07-19 02:10
            ComboFix3.txt  2009-07-17 10:37

            Pre-Run: 73,999,659,008 bytes free
            Post-Run: 74,679,185,408 bytes free

            356   --- E O F ---   2009-07-15 06:38

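A small parser for the file-listing sections of the ComboFix log posted above, as an added example that is not part of the original thread and not code from ComboFix or any other tool mentioned here. The review rules (hidden/system attribute on a file, executable under a user-writable path, zero-byte file) and the sample lines are this example's own, modelled on the log's format.

```python
"""Parse the file-listing sections of a ComboFix log and flag entries worth a
second look during log review. Added example for this thread: it is not part of
ComboFix or any other tool mentioned here, and the review rules below are this
example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One entry of the "Files Created from ... to ..." and "Find3M Report" sections:
#   <created> . <modified>   <size or -------->   <attributes>   <path>
# e.g. 2009-07-15 08:51 . 2009-07-13 20:36   38160   ----a-w-   c:\windows\system32\drivers\mbam.sys
ENTRY_RE = re.compile(
    r"^\s*(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{2,})\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Attribute letters as ComboFix prints them (assumed from the log's own strings
# "d-----w-", "----a-w-", "--sha-w-"): d=directory, s=system, h=hidden, a=archive, w=writable.
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
# Locations a standard user can write to; executables created here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "\\programdata\\")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]          # None for directories (printed as "--------")
    attrs: str
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def is_system(self) -> bool:
        return "s" in self.attrs


def parse_entry(line: str) -> Optional[FileEntry]:
    """Return a FileEntry for one log line, or None for banners, blanks and snapshot lines."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"])


def triage(entry: FileEntry) -> List[str]:
    """Apply the example's review rules; returns the reasons (empty list = nothing notable)."""
    reasons = []
    low = entry.path.lower()
    if not entry.is_dir and (entry.is_hidden or entry.is_system):
        reasons.append("hidden/system attribute on a file")
    if low.endswith(EXECUTABLE_EXT) and any(p in low for p in USER_WRITABLE):
        reasons.append("executable in a user-writable location")
    if not entry.is_dir and entry.size == 0:
        reasons.append("zero-byte file")
    return reasons


def parse_log(text: str) -> List[FileEntry]:
    """Parse every file entry in a ComboFix log; section banners are skipped."""
    entries = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            entry.flags = triage(entry)
            entries.append(entry)
    return entries


# Constructed sample in the log's format (a directory, a driver, a DLL under a user
# profile, a hidden+system file, and a SnapShot line that must be ignored).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2009-06-19 to 2009-07-19  )))))))))))))))))))))))))))))))
.
2009-07-15 08:51 . 2009-07-15 08:51   --------   d-----w-   c:\programdata\Malwarebytes
2009-07-15 08:51 . 2009-07-13 20:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 08:20 . 2009-06-25 08:20   290816   ----a-w-   c:\users\PhilS\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2008-08-04 15:03 . 2008-08-04 15:03   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
+ 2009-07-19 07:53 . 2009-07-19 07:53   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.path}  {e.attrs}  {'; '.join(e.flags) or '<nothing notable>'}")
```
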
            evilfantasy

            • Malware Removal Specialist
            • Moderator

            Re: DLLHOST.EXE/SVCHOST.EXE malicious actions?
            « Reply #8 on: July 19, 2009, 09:52:26 AM »
            * Click START then RUN
            * Now type Combofix /u in the Run box
            * Make sure there's a space between Combofix and /u
            * Then hit Enter

            The above procedure will:
            * Delete ComboFix and its associated files and folders.
            * Reset the clock settings.
            * Hide file extensions, if required.
            * Hide System/Hidden files, if required.
            * Set a new, clean Restore Point.

            ----------

            Clean out your temporary internet files and temp files.

            Download TFC by OldTimer to your desktop.

            Double-click TFC.exe to run it.

            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

            TFC will close all programs when run, so make sure you have saved all your work before you begin.

            * Click the Start button to begin the cleaning process.
            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
            * Please let TFC run uninterrupted until it is finished.

            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

            ----------

            Use the Kaspersky Lab Online Scanner

            In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

            • Click on SCAN NOW
            • Click Accept.
            • The program will then begin downloading the latest definition files.
            • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
            • The scan will take a while, so be patient and let it finish.
            When the scan is done, in the Scan is complete window, any infection is displayed.
            There is no option to clean/disinfect, however, we need to analyze the information on the report.

            To obtain the report:
            • Click on: Save Report As
            • Next, in the Save as prompt, Save in area, select: Desktop.
            • In the File name area use KScan, or something similar.
            • In Save as type: click the drop arrow and select: Text file [*.txt]
            • Then, click: Save


            Copy and paste the Kaspersky Online Scanner Report in your next reply.

            Note for Internet Explorer 7 and 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

            If needed, this animation will guide you through the process.