ebay paypal redirect/hijack

Page 2 of 3 Previous  1, 2, 3  Next

View previous topic View next topic Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 1st May 2010, 7:21 pm

Ok... starting fresh! Big Grin

Ran the OTR thing... deleted all the other stuff it didn't delete... Downloaded GMER & ran it as instructed.... left it for several hours, when I came back, it said the scan was stopped (but no one touched my computer during the scan.) The log is below... Thank You!



GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-01 15:04:30
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\yo\LOCALS~1\Temp\uwtdapob.sys


---- System - GMER 1.0.15 ----

SSDT B15DFAF6 ZwCreateKey
SSDT B15DFAEC ZwCreateThread
SSDT B15DFAFB ZwDeleteKey
SSDT B15DFB05 ZwDeleteValueKey
SSDT B15DFB0A ZwLoadKey
SSDT B15DFAD8 ZwOpenProcess
SSDT B15DFADD ZwOpenThread
SSDT B15DFB14 ZwReplaceKey
SSDT B15DFB0F ZwRestoreKey
SSDT B15DFB00 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB8EF2380, 0x346307, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA90E4400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA9188620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA9188620]
.protect˙˙˙˙hardlockunknown last code section [0xA9188400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA9188400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 019C2862
.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019C26EE
.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019C27E0
.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 019C2726
.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 019C275E
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01992862
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019926EE
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019927E0
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01992726
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0199275E
.text C:\WINDOWS\system32\SearchIndexer.exe[2800] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

Device \Driver\si3112 \Device\Scsi\si31122Port1Path0Target0Lun0 889C7AF8
Device \Driver\si3112 \Device\Scsi\si31122 889C7AF8
Device \Driver\si3112 \Device\Scsi\si31122Port1Path1Target0Lun0 889C7AF8

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Photosmart B8500 series (Copy 1)@ChangeID 2284296

---- EOF - GMER 1.0.15 ----

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 1st May 2010, 11:20 pm

Let's scan with this to get more info.

Please download [You must be registered and logged in to see this link.] by me and save it to your Desktop.
  • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 2nd May 2010, 1:13 am

Here you go... thanks!

SpiderKill by DragonMaster Jay


Microsoft Windows XP [Version 5.1.2600]

********************Drivers list********************


Volume in drive C has no label.
Volume Serial Number is 8C30-4B1B

Directory of C:\Windows\System32\Drivers

04/19/2010 09:42 AM .
04/19/2010 09:42 AM ..
04/13/2008 02:46 PM 53,376 1394bus.sys
04/13/2008 02:46 PM 48,128 61883.sys
04/13/2008 02:36 PM 187,776 acpi.sys
08/29/2002 08:00 AM 11,648 acpiec.sys
04/13/2008 08:11 PM 4,255 adv01nt5.dll
04/13/2008 08:11 PM 3,967 adv02nt5.dll
04/13/2008 08:11 PM 3,615 adv05nt5.dll
04/13/2008 08:11 PM 3,647 adv07nt5.dll
04/13/2008 08:11 PM 3,135 adv08nt5.dll
04/13/2008 08:11 PM 3,711 adv09nt5.dll
04/13/2008 08:11 PM 3,775 adv11nt5.dll
04/13/2008 12:39 PM 142,592 aec.sys
08/14/2008 06:04 AM 138,496 afd.sys
04/13/2008 02:36 PM 42,368 agp440.sys
04/13/2008 02:36 PM 44,928 agpcpq.sys
04/13/2008 02:36 PM 42,752 alim1541.sys
04/13/2008 02:36 PM 43,008 amdagp.sys
04/13/2008 02:31 PM 37,376 amdk6.sys
04/13/2008 02:31 PM 37,760 amdk7.sys
11/29/2006 01:46 AM 28,224 APLMp50.sys
04/13/2008 02:51 PM 60,800 arp1394.sys
03/29/2000 10:17 AM 5,824 ASUSHWIO.SYS
04/13/2008 02:57 PM 14,336 asyncmac.sys
04/13/2008 02:40 PM 96,512 atapi.sys
08/04/2004 01:29 AM 56,623 ati1btxx.sys
08/04/2004 01:29 AM 11,615 ati1mdxx.sys
08/04/2004 01:29 AM 12,047 ati1pdxx.sys
08/04/2004 01:29 AM 30,671 ati1raxx.sys
08/04/2004 01:29 AM 63,663 ati1rvxx.sys
08/04/2004 01:29 AM 26,367 ati1snxx.sys
08/04/2004 01:29 AM 21,343 ati1ttxx.sys
08/04/2004 01:29 AM 36,463 ati1tuxx.sys
08/04/2004 01:29 AM 29,455 ati1xbxx.sys
08/04/2004 01:29 AM 34,735 ati1xsxx.sys
08/04/2004 01:29 AM 327,040 ati2mtaa.sys
08/04/2004 01:29 AM 701,440 ati2mtag.sys
08/04/2004 01:29 AM 57,856 atinbtxx.sys
08/04/2004 01:29 AM 13,824 atinmdxx.sys
08/04/2004 01:29 AM 14,336 atinpdxx.sys
08/04/2004 01:29 AM 52,224 atinraxx.sys
08/04/2004 01:29 AM 104,960 atinrvxx.sys
08/04/2004 01:29 AM 28,672 atinsnxx.sys
08/04/2004 01:29 AM 13,824 atinttxx.sys
08/04/2004 01:29 AM 73,216 atintuxx.sys
08/04/2004 01:29 AM 31,744 atinxbxx.sys
08/04/2004 01:29 AM 63,488 atinxsxx.sys
07/17/2004 02:36 PM 64,352 ativmc20.cod
04/13/2008 02:51 PM 59,904 atmarpc.sys
08/29/2002 08:00 AM 31,360 atmepvc.sys
04/13/2008 02:51 PM 55,808 atmlane.sys
08/29/2002 08:00 AM 352,256 atmuni.sys
04/13/2008 08:11 PM 21,183 atv01nt5.dll
04/13/2008 08:11 PM 11,359 atv02nt5.dll
04/13/2008 08:11 PM 25,471 atv04nt5.dll
04/13/2008 08:11 PM 14,143 atv06nt5.dll
04/13/2008 08:11 PM 17,279 atv10nt5.dll
08/17/2001 09:59 AM 3,072 audstub.sys
04/13/2008 02:46 PM 38,912 avc.sys
05/11/2009 11:49 AM 45,416 avgntdd.sys
02/16/2010 01:24 PM 60,936 avgntflt.sys
05/11/2009 11:49 AM 22,360 avgntmgr.sys
03/01/2010 09:05 AM 124,784 avipbb.sys
08/29/2002 08:00 AM 4,224 beep.sys
04/13/2008 02:53 PM 71,552 bridge.sys
04/13/2008 02:46 PM 17,024 bthenum.sys
04/13/2008 02:46 PM 37,888 bthmodem.sys
04/13/2008 02:51 PM 101,120 bthpan.sys
06/13/2008 07:05 AM 272,128 bthport.sys
04/13/2008 02:46 PM 36,480 bthprint.sys
04/13/2008 02:46 PM 18,944 bthusb.sys
08/29/2002 08:00 AM 13,952 cbidf2k.sys
04/13/2008 02:46 PM 17,024 CCDECODE.sys
08/29/2002 08:00 AM 18,688 cdaudio.sys
04/13/2008 03:14 PM 63,744 cdfs.sys
04/13/2008 02:40 PM 62,976 cdrom.sys
04/13/2008 08:11 PM 15,423 ch7xxnt5.dll
08/29/2002 08:00 AM 262,528 cinemst2.sys
04/13/2008 03:16 PM 49,536 classpnp.sys
08/29/2002 08:00 AM 11,776 cpqdap01.sys
04/13/2008 02:31 PM 36,736 crusoe.sys
06/08/2005 02:08 PM 1,359,744 CT0531FL.SYS
08/11/2006 03:45 PM 502,272 ctac32k.sys
08/11/2006 03:45 PM 499,584 ctaud2k.sys
11/10/2005 06:06 PM 340,704 ctdvda2k.sys
12/30/2002 11:53 AM 12,160 CTGAME.SYS
09/06/2005 03:02 PM 1,365,888 CTMMFILT.SYS
08/11/2006 03:45 PM 116,224 ctoss2k.sys
08/11/2006 03:45 PM 7,168 ctprxy2k.sys
08/11/2006 03:45 PM 143,872 ctsfm2k.sys
01/18/2007 04:28 PM 5,275 CVirtA.sys
10/26/2007 02:27 PM 306,300 CVPNDRVA.sys
07/18/2004 01:55 AM 129,045 cxthsfs2.cty
01/12/2004 10:20 AM 9,600 CygF32x.sys
01/12/2004 10:20 AM 16,000 CygLib.sys
01/12/2008 09:58 AM disdn
04/13/2008 02:40 PM 36,352 disk.sys
04/13/2008 02:40 PM 14,208 diskdump.sys
04/13/2008 02:44 PM 799,744 dmboot.sys
04/13/2008 02:44 PM 153,344 dmio.sys
08/29/2002 08:00 AM 5,888 dmload.sys
04/13/2008 02:45 PM 52,864 dmusic.sys
01/31/2007 01:45 PM 127,376 dne2000.sys
04/13/2008 03:45 PM 60,160 drmk.sys
04/13/2008 02:45 PM 2,944 drmkaud.sys
08/29/2002 08:00 AM 10,496 dxapi.sys
04/13/2008 02:38 PM 71,168 dxg.sys
08/29/2002 08:00 AM 3,328 dxgthk.sys
08/11/2006 03:45 PM 78,336 emupia2k.sys
08/17/2001 09:46 AM 6,400 enum1394.sys
10/11/2007 12:10 PM 30,008 ET5Drv.sys
04/28/2010 02:47 PM etc
04/13/2008 03:14 PM 143,744 fastfat.sys
04/13/2008 02:40 PM 27,392 fdc.sys
04/13/2008 02:33 PM 44,544 fips.sys
04/13/2008 02:40 PM 20,480 flpydisk.sys
04/13/2008 02:32 PM 129,792 fltmgr.sys
08/29/2002 08:00 AM 12,160 fsvga.sys
08/29/2002 08:00 AM 7,936 fs_rec.sys
08/29/2002 08:00 AM 125,056 ftdisk.sys
04/13/2008 02:36 PM 46,464 gagp30kx.sys
04/13/2008 02:45 PM 10,624 gameenum.sys
04/17/2008 01:12 PM 15,464 GEARAspiWDM.sys
08/29/2002 08:00 AM 3,440,660 gm.dls
08/29/2002 08:00 AM 646 gmreadme.txt
01/23/2009 02:41 AM 24,944 GVTDrv.sys
08/11/2006 03:45 PM 766,976 ha10kx2k.sys
08/11/2006 03:45 PM 1,110,016 ha20x2k.sys
08/11/2006 03:45 PM 154,112 haP16v2k.sys
08/11/2006 03:45 PM 180,224 haP17v2k.sys
11/22/2006 11:01 AM 693,760 hardlock.sys
04/13/2008 12:36 PM 144,384 hdaudbus.sys
04/13/2008 02:46 PM 25,600 hidbth.sys
04/13/2008 02:45 PM 36,864 hidclass.sys
04/13/2008 02:45 PM 19,200 hidir.sys
04/13/2008 02:45 PM 24,960 hidparse.sys
04/13/2008 09:11 PM 21,504 hidserv.dll
04/13/2008 02:45 PM 10,368 hidusb.sys
10/30/2008 05:08 PM 49,920 HPZid412.sys
10/30/2008 05:08 PM 16,496 HPZipr12.sys
10/30/2008 05:08 PM 21,568 HPZius12.sys
08/04/2004 01:41 AM 220,032 hsfbs2s2.sys
08/04/2004 01:41 AM 685,056 hsfcxts2.sys
08/04/2004 01:41 AM 1,041,536 hsfdpsp2.sys
10/20/2009 12:20 PM 265,728 http.sys
04/13/2008 04:18 PM 52,480 i8042prt.sys
04/13/2008 02:40 PM 42,112 imapi.sys
11/26/2004 01:36 PM 98,176 InCDfs.sys
11/26/2004 01:36 PM 28,928 InCDpass.sys
11/26/2004 01:36 PM 7,808 InCDrec.sys
11/26/2004 08:36 AM 27,648 InCDrm.sys
04/13/2008 02:31 PM 36,352 intelppm.sys
04/13/2008 02:53 PM 36,608 ip6fw.sys
08/29/2002 08:00 AM 32,896 ipfltdrv.sys
04/13/2008 02:57 PM 20,864 ipinip.sys
04/13/2008 02:57 PM 152,832 ipnat.sys
04/13/2008 03:19 PM 75,264 ipsec.sys
04/13/2008 02:45 PM 46,592 irbus.sys
04/13/2008 02:54 PM 11,264 irenum.sys
04/13/2008 02:36 PM 37,248 isapnp.sys
10/28/2005 05:11 PM 27,648 iteatapi.sys
04/13/2008 02:39 PM 24,576 kbdclass.sys
04/13/2008 02:39 PM 14,592 kbdhid.sys
02/23/2010 01:10 PM 1,752 kgpcpy.cfg
09/14/2009 03:42 PM 32,272 klim5.sys
04/13/2008 02:45 PM 172,416 kmixer.sys
04/13/2008 04:16 PM 141,056 ks.sys
06/24/2009 07:18 AM 92,928 ksecdd.sys
03/30/2010 12:45 AM 20,824 mbam.sys
03/30/2010 12:46 AM 38,224 mbamswissarmy.sys
08/29/2002 08:00 AM 7,680 mcd.sys
08/04/2004 01:41 AM 11,868 mdmxsdk.sys
04/13/2008 02:36 PM 63,744 mf.sys
08/29/2002 08:00 AM 4,224 mnmdd.sys
04/13/2008 03:00 PM 30,080 modem.sys
04/13/2008 03:39 PM 23,040 mouclass.sys
08/29/2002 08:00 AM 12,160 mouhid.sys
04/13/2008 02:39 PM 42,368 mountmgr.sys
04/13/2008 02:39 PM 92,544 mqac.sys
04/13/2008 02:32 PM 180,608 mrxdav.sys
02/24/2010 09:11 AM 455,680 mrxsmb.sys
04/13/2008 02:46 PM 51,200 msdv.sys
04/13/2008 02:32 PM 19,072 msfs.sys
04/13/2008 02:56 PM 35,072 msgpc.sys
04/13/2008 02:39 PM 7,552 mskssrv.sys
08/17/2001 03:00 PM 2,944 msmpu401.sys
04/13/2008 02:39 PM 5,376 mspclock.sys
04/13/2008 02:39 PM 4,992 mspqm.sys
04/13/2008 02:36 PM 15,488 mssmbios.sys
04/13/2008 02:39 PM 5,504 MSTEE.sys
08/28/2006 06:12 PM 13,312 MTictwl.sys
08/04/2004 01:41 AM 126,686 mtlmnt5.sys
08/04/2004 01:41 AM 1,309,184 mtlstrm.sys
08/04/2004 01:29 AM 452,736 mtxparhm.sys
04/13/2008 03:17 PM 105,344 mup.sys
04/13/2008 02:43 PM 12,672 mutohpen.sys
05/03/2007 01:37 PM 22,152 mxopswd.sys
04/13/2008 02:46 PM 85,248 NABTSFEC.sys
04/13/2008 03:20 PM 182,656 ndis.sys
04/13/2008 02:46 PM 10,880 NdisIP.sys
04/13/2008 02:57 PM 10,112 ndistapi.sys
04/13/2008 02:55 PM 14,592 ndisuio.sys
04/13/2008 03:20 PM 91,520 ndiswan.sys
04/13/2008 02:57 PM 40,576 ndproxy.sys
04/13/2008 02:56 PM 34,688 netbios.sys
04/13/2008 03:21 PM 162,816 netbt.sys
09/09/2009 10:29 AM 199,432 neti1639.sys
04/15/2002 10:11 PM 67,866 netwlan5.img
04/13/2008 02:51 PM 61,824 nic1394.sys
08/29/2002 08:00 AM 12,032 nikedrv.sys
04/13/2008 02:53 PM 40,320 nmnt.sys
01/25/2007 01:31 PM 42,000 npf.sys
04/13/2008 02:32 PM 30,848 npfs.sys
04/13/2008 03:15 PM 574,976 ntfs.sys
08/04/2004 01:41 AM 180,360 ntmtlfax.sys
05/09/2009 02:14 AM 14,736 nuidfltr.sys
08/29/2002 08:00 AM 2,944 null.sys
12/05/2007 02:41 AM 7,435,392 nv4_mini.sys
05/25/2004 04:58 PM 396,032 nvapu.sys
05/25/2004 04:58 PM 66,688 nvarm.sys
04/21/2003 03:18 PM 52,608 nvatabus.sys
04/21/2003 03:18 PM 52,608 nvatabus_2.sys
05/25/2004 04:58 PM 48,640 nvax.sys
05/25/2004 04:58 PM 962,560 nvmcp.sys
03/19/2003 04:51 PM 18,688 nv_agp.SYS
08/29/2002 08:00 AM 12,416 nwlnkflt.sys
08/29/2002 08:00 AM 32,512 nwlnkfwd.sys
04/13/2008 02:56 PM 88,320 nwlnkipx.sys
08/29/2002 08:00 AM 63,232 nwlnknb.sys
08/29/2002 08:00 AM 55,936 nwlnkspx.sys
04/13/2008 02:34 PM 163,584 nwrdr.sys
04/13/2008 02:46 PM 61,696 ohci1394.sys
08/29/2002 08:00 AM 3,456 oprghdlr.sys
04/13/2008 02:31 PM 42,752 p3.sys
04/13/2008 02:40 PM 80,128 parport.sys
04/13/2008 02:40 PM 19,712 partmgr.sys
08/29/2002 08:00 AM 6,784 parvdm.sys
04/13/2008 02:36 PM 68,224 pci.sys
08/17/2001 02:51 PM 3,328 pciide.sys
04/13/2008 02:40 PM 24,960 pciidex.sys
04/13/2008 02:36 PM 120,192 pcmcia.sys
08/11/2006 03:56 PM 8,192 pfmodnt.sys
06/01/2009 02:51 PM 27,792 point32.sys
04/13/2008 04:19 PM 146,048 portcls.sys
04/13/2008 02:31 PM 35,840 processr.sys
04/13/2008 02:56 PM 69,120 psched.sys
08/29/2002 08:00 AM 17,792 ptilink.sys
08/29/2002 08:00 AM 8,832 rasacd.sys
04/13/2008 03:19 PM 51,328 rasl2tp.sys
04/13/2008 02:57 PM 41,472 raspppoe.sys
04/13/2008 03:19 PM 48,384 raspptp.sys
08/29/2002 08:00 AM 16,512 raspti.sys
08/29/2002 08:00 AM 34,432 rawwan.sys
04/13/2008 03:28 PM 175,744 rdbss.sys
08/29/2002 08:00 AM 4,224 rdpcdd.sys
04/13/2008 02:32 PM 196,224 rdpdr.sys
04/13/2008 08:13 PM 139,656 rdpwd.sys
08/04/2004 01:41 AM 13,776 recagent.sys
04/13/2008 02:40 PM 57,600 redbook.sys
04/13/2008 02:46 PM 59,136 rfcomm.sys
08/29/2002 08:00 AM 12,032 rio8drv.sys
08/29/2002 08:00 AM 12,032 riodrv.sys
05/08/2008 10:02 AM 203,136 rmcast.sys
04/13/2008 02:56 PM 30,592 rndismp.sys
04/13/2008 02:56 PM 30,592 rndismpx.sys
08/29/2002 08:00 AM 5,888 rootmdm.sys
07/16/2004 03:19 PM 70,400 Rtlnicxp.sys
11/20/2007 12:09 PM 104,320 Rtnicxp.sys
08/04/2004 01:29 AM 166,912 s3gnbm.sys
03/09/2010 11:13 PM 95,024 SBREDrv.sys
04/13/2008 02:40 PM 96,384 scsiport.sys
04/13/2008 02:36 PM 79,232 sdbus.sys
11/13/2007 06:25 AM 20,480 secdrv.sys
04/13/2008 02:40 PM 15,744 serenum.sys
04/13/2008 03:15 PM 64,512 serial.sys
04/13/2008 02:40 PM 11,904 sffdisk.sys
04/13/2008 02:40 PM 10,240 sffp_mmc.sys
04/13/2008 02:40 PM 11,008 sffp_sd.sys
04/13/2008 02:40 PM 11,392 sfloppy.sys
09/04/2003 08:45 AM 55,144 si3112.svs
09/04/2003 08:45 AM 55,144 si3112.sys
08/29/2007 04:04 AM 116,264 SI3112r.sys
04/13/2008 08:12 PM 3,901 siint5.dll
04/13/2008 02:36 PM 40,960 sisagp.sys
08/29/2007 04:04 AM 19,240 SiWinAcc.sys
04/13/2008 02:46 PM 11,136 SLIP.sys
08/04/2004 01:41 AM 129,535 slnt7554.sys
08/04/2004 01:41 AM 404,990 slntamr.sys
08/04/2004 01:41 AM 95,424 slnthal.sys
08/04/2004 01:41 AM 13,240 slwdmsup.sys
04/13/2008 02:36 PM 5,888 smbali.sys
08/29/2002 08:00 AM 14,592 smclib.sys
04/13/2008 02:46 PM 25,344 sonydcam.sys
04/13/2008 02:45 PM 6,272 splitter.sys
04/13/2008 02:36 PM 73,472 sr.sys
12/31/2009 12:50 PM 353,792 srv.sys
05/11/2009 09:12 AM 28,520 ssmdrv.sys
04/13/2008 03:45 PM 49,408 stream.sys
04/13/2008 02:46 PM 15,232 StreamIP.sys
04/13/2008 02:39 PM 4,352 swenum.sys
04/13/2008 02:45 PM 56,576 swmidi.sys
04/13/2008 03:15 PM 60,800 sysaudio.sys
04/13/2008 02:40 PM 14,976 tape.sys
06/20/2008 07:51 AM 361,600 tcpip.sys
02/11/2010 08:02 AM 226,880 tcpip6.sys
04/13/2008 03:00 PM 19,072 tdi.sys
04/13/2008 08:13 PM 12,040 tdpipe.sys
04/13/2008 08:13 PM 21,896 tdtcp.sys
04/13/2008 08:13 PM 40,840 termdd.sys
05/07/2009 03:04 AM 157,712 tmcomm.sys
08/29/2002 08:00 AM 51,712 tosdvd.sys
08/29/2002 08:00 AM 21,376 tsbvcap.sys
04/13/2008 02:56 PM 12,288 tunmp.sys
04/13/2008 02:36 PM 44,672 uagp35.sys
04/13/2008 02:32 PM 66,048 udfs.sys
11/23/2008 01:22 PM UMDF
04/13/2008 02:39 PM 384,768 update.sys
04/13/2008 02:56 PM 12,800 usb8023.sys
04/13/2008 02:56 PM 12,800 usb8023x.sys
04/13/2008 03:45 PM 60,032 USBAUDIO.sys
04/13/2008 02:45 PM 25,600 usbcamd.sys
04/13/2008 02:45 PM 25,728 usbcamd2.sys
04/13/2008 02:45 PM 32,128 usbccgp.sys
08/29/2002 08:00 AM 4,736 usbd.sys
04/13/2008 02:45 PM 30,208 usbehci.sys
04/13/2008 02:45 PM 59,520 usbhub.sys
04/13/2008 02:45 PM 15,872 usbintel.sys
04/13/2008 02:45 PM 17,152 usbohci.sys
04/13/2008 02:45 PM 143,872 usbport.sys
04/13/2008 02:47 PM 25,856 usbprint.sys
04/13/2008 03:45 PM 15,104 usbscan.sys
04/13/2008 02:45 PM 26,368 usbstor.sys
04/13/2008 02:46 PM 121,984 usbvideo.sys
04/13/2008 08:12 PM 11,325 vchnt5.dll
08/29/2002 08:00 AM 58,112 vdmindvd.sys
04/13/2008 02:44 PM 20,992 vga.sys
04/13/2008 02:36 PM 42,240 viaagp.sys
04/13/2008 02:44 PM 81,664 videoprt.sys
04/13/2008 02:41 PM 52,352 volsnap.sys
04/13/2008 02:43 PM 14,208 wacompen.sys
08/04/2004 01:29 AM 11,807 wadv07nt.sys
08/04/2004 01:29 AM 11,295 wadv08nt.sys
08/04/2004 01:29 AM 11,871 wadv09nt.sys
08/04/2004 01:29 AM 11,935 wadv11nt.sys
04/13/2008 02:57 PM 34,560 wanarp.sys
08/04/2004 01:29 AM 22,271 watv06nt.sys
08/04/2004 01:29 AM 25,471 watv10nt.sys
11/02/2006 08:22 AM 492,000 wdf01000.sys
11/02/2006 08:22 AM 32,224 wdfldr.sys
04/13/2008 03:17 PM 83,072 wdmaud.sys
08/29/2002 08:00 AM 4,352 wmilib.sys
10/18/2006 08:00 PM 38,528 wpdusb.sys
08/29/2002 08:00 AM 12,032 ws2ifsl.sys
04/13/2008 02:46 PM 19,200 WSTCODEC.SYS
09/28/2006 06:55 PM 77,568 WudfPf.sys
09/28/2006 07:00 PM 82,944 WudfRd.sys
352 File(s) 44,020,948 bytes

Directory of C:\Windows\System32\Drivers\disdn

01/12/2008 09:58 AM .
01/12/2008 09:58 AM ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\Drivers\etc

04/28/2010 02:47 PM .
04/28/2010 02:47 PM ..
04/28/2010 02:47 PM 789 hosts
08/29/2002 08:00 AM 734 hosts.20100309-193033.backup
08/29/2002 08:00 AM 3,683 lmhosts.sam
08/29/2002 08:00 AM 407 networks
08/29/2002 08:00 AM 799 protocol
08/29/2002 08:00 AM 7,116 services
6 File(s) 13,528 bytes

Directory of C:\Windows\System32\Drivers\UMDF

11/23/2008 01:22 PM .
11/23/2008 01:22 PM ..
10/18/2006 09:47 PM 671,232 wpdmtpdr.dll
1 File(s) 671,232 bytes

Total Files Listed:
359 File(s) 44,705,708 bytes
11 Dir(s) 58,256,916,480 bytes free

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 2nd May 2010, 1:15 am

***********************Hidden Drivers********************
Volume in drive C has no label.
Volume Serial Number is 8C30-4B1B

Directory of C:\Windows\System32\Drivers

01/13/2008 12:07 AM 0 MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
01/13/2008 12:07 AM 0 Msft_Kernel_NuidFltr_01005.Wdf
2 File(s) 0 bytes
0 Dir(s) 58,256,928,768 bytes free


*********************Processes*******************


PROCESS PID PRIO PATH
smss.exe 1080 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 1132 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 1160 High C:\WINDOWS\system32\winlogon.exe
services.exe 1204 Normal C:\WINDOWS\system32\services.exe
lsass.exe 1216 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 1388 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1488 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1612 Normal C:\WINDOWS\System32\svchost.exe
InCDsrv.exe 1632 Normal C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe 1776 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1892 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 276 Normal C:\WINDOWS\system32\svchost.exe
Explorer.EXE 452 Normal C:\WINDOWS\Explorer.EXE
spoolsv.exe 584 Normal C:\WINDOWS\system32\spoolsv.exe
sched.exe 644 Normal C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe 756 Normal C:\WINDOWS\System32\svchost.exe
CTHELPER.EXE 1596 Normal C:\WINDOWS\CTHELPER.EXE
ipoint.exe 1640 Normal C:\Program Files\Microsoft IntelliPoint\ipoint.exe
itype.exe 1840 Normal C:\Program Files\Microsoft IntelliType Pro\itype.exe
avgnt.exe 1872 Normal C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
jusched.exe 1860 Normal C:\Program Files\Common Files\Java\Java Update\jusched.exe
ctfmon.exe 1904 Normal C:\WINDOWS\system32\ctfmon.exe
dpupdchk.exe 268 Normal C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
ACService.exe 340 Normal C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
avguard.exe 364 Normal C:\Program Files\Avira\AntiVir Desktop\avguard.exe
DkService.exe 344 Below Normal C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
avshadow.exe 1000 Normal C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
svchost.exe 1416 Normal C:\WINDOWS\system32\svchost.exe
SyncServices.exe 936 Normal C:\Program Files\Maxtor\Sync\SyncServices.exe
svchost.exe 2128 Normal C:\WINDOWS\System32\svchost.exe
nTuneService.exe 2164 Normal C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
nvsvc32.exe 2196 Normal C:\WINDOWS\system32\nvsvc32.exe
svchost.exe 2216 Normal C:\WINDOWS\System32\svchost.exe
snmp.exe 2300 Normal C:\WINDOWS\System32\snmp.exe
svchost.exe 2472 Normal C:\WINDOWS\System32\svchost.exe
SearchIndexer.exe 2688 Normal C:\WINDOWS\system32\SearchIndexer.exe
YahooAUService.exe 2876 Normal C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
alg.exe 3216 Normal C:\WINDOWS\System32\alg.exe
OUTLOOK.EXE 3520 Normal C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PokerStars.exe 2448 Normal C:\Program Files\PokerStars\PokerStars.exe
IEXPLORE.EXE 2796 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
IEXPLORE.EXE 2504 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
hpswp_clipbook.exe 4072 Normal C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
SearchProtocolHost.exe 1032 Below Normal C:\WINDOWS\system32\SearchProtocolHost.exe
SearchFilterHost.exe 3588 Below Normal C:\WINDOWS\system32\SearchFilterHost.exe
cmd.exe 876 Normal C:\WINDOWS\system32\cmd.exe
wscntfy.exe 2544 Normal C:\WINDOWS\system32\wscntfy.exe
processes.exe 4000 Normal C:\Documents and Settings\yo\Desktop\SpiderKill\SpiderKill\processes.exe


*********************Modules of explorer.exe and svchost.exe*******************
Module information for 'Explorer.EXE'(452)
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
GrooveShellExtensions.dll 661d0000 2224128 C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll 12.0.6421.1000 GrooveShellExtensions Module
GrooveUtil.DLL 68ef0000 991232 C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL 12.0.6423.1000 GrooveUtil Module
MSVCR80.dll e40000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft® C Runtime Library
GrooveNew.DLL 68ff0000 28672 C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL 12.0.6413.1000 GrooveNew Module
ATL80.DLL 7c630000 110592 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.DLL 8.00.50727.4053 ATL Module for Windows (Unicode)
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
MSImg32.dll 76380000 20480 C:\WINDOWS\system32\MSImg32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Theme API
xpsp2res.dll 1100000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
ieframe.dll 3e1c0000 11087872 C:\WINDOWS\system32\ieframe.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Explorer
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
GrooveSystemServices.dll 65e50000 184320 C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll 12.0.6421.1000 GrooveSystemServices Module
msxml3.dll 74980000 1191936 C:\WINDOWS\system32\msxml3.dll 8.100.1051.0 MSXML 3.0 SP10
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.5512 (xpsp.080413-2105) Multi Language Support DLL
NETSHELL.dll 76400000 1724416 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
dot3api.dll 478c0000 40960 C:\WINDOWS\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
dot3dlg.dll 736d0000 24576 C:\WINDOWS\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
OneX.DLL 5dca0000 163840 C:\WINDOWS\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
eappcfg.dll 745b0000 139264 C:\WINDOWS\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
eappprxy.dll 5dcd0000 57344 C:\WINDOWS\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
MSCTF.dll 74720000 311296 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.5512 (xpsp.080413-2105) MSCTF Server DLL
webcheck.dll 20f0000 249856 C:\WINDOWS\system32\webcheck.dll 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) Web Site Monitor
stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.5512 (xpsp.080413-2105) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.5512 (xpsp.080413-2105) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5868 (xpsp_sp3_gdr.090824-1328) Windows HTTP Services
mydocs.dll 72410000 106496 C:\WINDOWS\System32\mydocs.dll 6.00.2900.5512 (xpsp.080413-2105) My Documents Folder UI
PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.5512 (xpsp.080413-2108) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft MIDI Mapper
ctagent.dll 3b90000 24576 C:\WINDOWS\system32\ctagent.dll 1, 0, 0, 12 ctagent
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.5512 (xpsp.080413-2113) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 40960 C:\WINDOWS\System32\davclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Client DLL
GrooveMisc.dll 66b50000 1568768 C:\Program Files\Microsoft Office\Office12\GrooveMisc.dll 12.0.6421.1000 GrooveMisc Module
MSNLNamespaceMgr.dll 45a0000 315392 C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll 7.00.6001.18260 (vistasp1_gdr_oobsvc.090524-1500) Windows Search Namespace Manager
SASSEH.DLL 10000000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1012 ShellExecuteHook
SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
AcroIEHelper.dll 1f60000 65536 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll 9.3.2.163 Adobe PDF Helper for Internet Explorer
gdiplus.dll 4ec50000 1748992 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll 5.2.6001.22319 (vistasp1_ldr.081126-1506) Microsoft GDI+
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
PDFShell.dll 4e30000 372736 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll 9.3.2.163 PDF Shell Extension
msohevi.dll 6bd10000 65536 C:\Program Files\Microsoft Office\Office12\msohevi.dll 12.0.6413.1000 2007 Microsoft Office component
wuapi.dll 506a0000 581632 C:\WINDOWS\system32\wuapi.dll 7.4.7600.226 (winmain_wtr_wsus3sp2(wmbla).090806-1834) Windows Update Client API
Cabinet.dll 75150000 77824 C:\WINDOWS\system32\Cabinet.dll 5.1.2600.5512 (xpsp.080413-2105) Microsoft® Cabinet File API

Module information for 'svchost.exe'(1388)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
rpcss.dll 76a80000 409600 c:\windows\system32\rpcss.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Distributed COM Services
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
xpsp2res.dll 670000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll c10000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
termsrv32.dll 760f0000 339968 c:\windows\system32\termsrv32.dll 5.1.2600.5512 (xpsp.080413-2111) Terminal Server Service
ICAAPI.dll 74f70000 24576 c:\windows\system32\ICAAPI.dll 5.1.2600.5512 (xpsp.080413-2111) DLL Interface to TermDD Device Driver
SETUPAPI.dll 77920000 995328 c:\windows\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
WINTRUST.dll 76c30000 188416 c:\windows\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
CRYPT32.dll 77a80000 610304 c:\windows\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 c:\windows\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
AUTHZ.dll 776c0000 73728 c:\windows\system32\AUTHZ.dll 5.1.2600.5512 (xpsp.080413-2113) Authorization Framework
mstlsapi.dll 75110000 126976 c:\windows\system32\mstlsapi.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft® Terminal Server Licensing
ACTIVEDS.dll 77cc0000 204800 c:\windows\system32\ACTIVEDS.dll 5.1.2600.5512 (xpsp.080413-2113) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 c:\windows\system32\adsldpc.dll 5.1.2600.5512 (xpsp.080413-2113) ADs LDAP Provider C DLL
NETAPI32.dll 5b860000 348160 c:\windows\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
ATL.DLL 76b20000 69632 c:\windows\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
REGAPI.dll 76bc0000 61440 C:\WINDOWS\system32\REGAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Registry Configuration APIs
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
rdpwsx.dll 72460000 98304 C:\WINDOWS\system32\rdpwsx.dll 5.1.2600.5512 (xpsp.080413-2111) RDP Extension DLL
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
Apphelp.dll 77b40000 139264 C:\WINDOWS\system32\Apphelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
Module information for 'svchost.exe'(1488)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
rpcss.dll 76a80000 409600 c:\windows\system32\rpcss.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Distributed COM Services
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
xpsp2res.dll 670000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Sockets Helper DLL
DNSAPI.dll 76f20000 159744 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) DNS Client API DLL
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
winrnr.dll 76fb0000 32768 C:\WINDOWS\System32\winrnr.dll 5.1.2600.5512 (xpsp.080413-2113) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
mdnsNSP.dll 16080000 151552 C:\Program Files\Bonjour\mdnsNSP.dll 1,0,6,2 Bonjour Namespace Provider
rasadhlp.dll 76fc0000 24576 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access AutoDial Helper
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll d00000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
Module information for 'svchost.exe'(1612)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
NTMARTA.DLL 77690000 135168 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
xpsp2res.dll 630000 2904064 C:\WINDOWS\System32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
shsvcs.dll 776e0000 143360 c:\windows\system32\shsvcs.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Shell Services Dll
WINSTA.dll 76360000 65536 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
NETAPI32.dll 5b860000 348160 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
rsaenh.dll 68000000 221184 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
dhcpcsvc.dll 7d4b0000 139264 c:\windows\system32\dhcpcsvc.dll 5.1.2600.5512 (xpsp.080413-0852) DHCP Client Service
DNSAPI.dll 76f20000 159744 c:\windows\system32\DNSAPI.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) DNS Client API DLL
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 c:\windows\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINDOWS\System32\hnetcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Sockets Helper DLL
wzcsvc.dll 7db10000 573440 c:\windows\system32\wzcsvc.dll 5.1.2600.5512 (xpsp.080413-0852) Wireless Zero Configuration Service
rtutils.dll 76e80000 57344 c:\windows\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
WMI.dll 76d30000 16384 c:\windows\system32\WMI.dll 5.1.2600.5512 (xpsp.080413-2113) WMI DC and DP functionality
CRYPT32.dll 77a80000 610304 c:\windows\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 c:\windows\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
EapolQec.dll 72810000 45056 c:\windows\system32\EapolQec.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPOL NAP Enforcement Client
ATL.DLL 76b20000 69632 c:\windows\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
QUtil.dll 726c0000 90112 c:\windows\system32\QUtil.dll 5.1.2600.5512 (xpsp.080413-0852) Quarantine Utilities
MSVCP60.dll 76080000 413696 c:\windows\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
dot3api.dll 478c0000 40960 c:\windows\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
WTSAPI32.dll 76f50000 32768 c:\windows\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
ESENT.dll 606b0000 1101824 c:\windows\system32\ESENT.dll 5.1.2600.5512 (xpsp.080413-2113) Server Database Storage Engine
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
rastls.dll 76b70000 159744 C:\WINDOWS\System32\rastls.dll 5.1.2600.5886 (xpsp_sp3_gdr.091012-1253) Remote Access PPP EAP-TLS
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\System32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll 1510000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WINTRUST.dll 76c30000 188416 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
MPRAPI.dll 76d40000 98304 C:\WINDOWS\System32\MPRAPI.dll 5.1.2600.5512 (xpsp.080413-0852) Windows NT MP Router Administration DLL
ACTIVEDS.dll 77cc0000 204800 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.5512 (xpsp.080413-2113) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.5512 (xpsp.080413-2113) ADs LDAP Provider C DLL
SETUPAPI.dll 77920000 995328 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
RASAPI32.dll 76ee0000 245760 C:\WINDOWS\System32\RASAPI32.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access API
rasman.dll 76e90000 73728 C:\WINDOWS\System32\rasman.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft® Windows(TM) Telephony API Client DLL
SCHANNEL.dll 767f0000 163840 C:\WINDOWS\System32\SCHANNEL.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) TLS / SSL Security Provider
WinSCard.dll 723d0000 114688 C:\WINDOWS\System32\WinSCard.dll 5.1.2600.5512 (xpsp.080413-2113) Microsoft Smart Card API
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\System32\PSAPI.DLL 5.1.2600.5512 (xpsp.080413-2105) Process Status Helper
raschap.dll 76bd0000 90112 C:\WINDOWS\System32\raschap.dll 5.1.2600.5886 (xpsp_sp3_gdr.091012-1253) Remote Access PPP CHAP
msv1_0.dll 77c70000 151552 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.5876 (xpsp_sp3_gdr.090909-1234) Microsoft Authentication Package v1.0
cryptdll.dll 76790000 49152 C:\WINDOWS\System32\cryptdll.dll 5.1.2600.5512 (xpsp.080413-2113) Cryptography Manager
schedsvc.dll 77300000 208896 c:\windows\system32\schedsvc.dll 5.1.2600.5512 (xpsp.080413-2108) Task Scheduler Engine
NTDSAPI.dll 767a0000 77824 c:\windows\system32\NTDSAPI.dll 5.1.2600.5512 (xpsp.080413-2113) NT5DS
MSIDLE.DLL 74f50000 20480 C:\WINDOWS\System32\MSIDLE.DLL 6.00.2900.5512 (xpsp.080413-2105) User Idle Monitor
audiosrv.dll 708b0000 53248 c:\windows\system32\audiosrv.dll 5.1.2600.5512 (xpsp.080413-0845) Windows Audio Service
wkssvc.dll 76e40000 143360 c:\windows\system32\wkssvc.dll 5.1.2600.5826 (xpsp_sp3_gdr.090609-1434) Workstation Service DLL
cryptsvc.dll 76ce0000 73728 c:\windows\system32\cryptsvc.dll 5.1.2600.5512 (xpsp.080413-2113) Cryptographic Services
certcli.dll 77b90000 204800 c:\windows\system32\certcli.dll 5.1.2600.5512 (xpsp.080413-2113) Microsoft® Certificate Services Client
dmserver.dll 74f90000 36864 c:\windows\system32\dmserver.dll 2600.5512.503.0 Logical Disk Manager service dll
ersvc.dll 74f80000 36864 c:\windows\system32\ersvc.dll 5.1.2600.5512 (xpsp.080413-2108) Windows Error Reporting Service
es.dll 77710000 278528 c:\windows\system32\es.dll 2001.12.4414.706 2001.12.4414.706
pchsvc.dll 74f40000 49152 c:\windows\pchealth\helpctr\binaries\pchsvc.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft PCHealth Service Holder
hidserv.dll 688e0000 36864 c:\windows\system32\hidserv.dll 5.1.2600.5512 (xpsp.080413-2108) HID Audio Service
HID.DLL 688f0000 36864 c:\windows\system32\HID.DLL 5.1.2600.5512 (xpsp.080413-2108) Hid User Library
srvsvc.dll 75090000 106496 c:\windows\system32\srvsvc.dll 5.1.2600.5512 (xpsp.080413-2113) Server Service DLL
winspool.drv 73000000 155648 C:\WINDOWS\System32\winspool.drv 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
netman.dll 77d00000 208896 c:\windows\system32\netman.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Manager
netshell.dll 76400000 1724416 c:\windows\system32\netshell.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
credui.dll 76c00000 188416 c:\windows\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
dot3dlg.dll 736d0000 24576 c:\windows\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
OneX.DLL 5dca0000 163840 c:\windows\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
eappcfg.dll 745b0000 139264 c:\windows\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
eappprxy.dll 5dcd0000 57344 c:\windows\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
WZCSAPI.DLL 73030000 65536 c:\windows\system32\WZCSAPI.DLL 5.1.2600.5512 (xpsp.080413-0852) Wireless Zero Configuration service API
seclogon.dll 73d20000 32768 c:\windows\system32\seclogon.dll 5.1.2600.5512 (xpsp.080413-2113) Secondary Logon Service DLL
sens.dll 722d0000 53248 c:\windows\system32\sens.dll 5.1.2600.5512 (xpsp.080413-2108) System Event Notification Service (SENS)
srsvc.dll 751a0000 188416 c:\windows\system32\srsvc.dll 5.1.2600.5512 (xpsp.080413-2108) System Restore Service
POWRPROF.dll 74ad0000 32768 c:\windows\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
SXS.DLL 7e720000 720896 C:\WINDOWS\System32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
trkwks.dll 75070000 102400 c:\windows\system32\trkwks.dll 5.1.2600.5512 (xpsp.080413-2108) Distributed Link Tracking Client
w32time.dll 767c0000 180224 c:\windows\system32\w32time.dll 5.1.2600.5512 (xpsp.080413-2113) Windows Time Service
wmisvc.dll 59490000 163840 c:\windows\system32\wbem\wmisvc.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
VSSAPI.DLL 753e0000 446464 C:\WINDOWS\system32\VSSAPI.DLL 5.1.2600.5512 (xpsp.080413-2108) Microsoft® Volume Shadow Copy Requestor/Writer Services API DLL
comsvcs.dll 76620000 1294336 C:\WINDOWS\system32\comsvcs.dll 2001.12.4414.702 2001.12.4414.702
colbact.DLL 75130000 81920 C:\WINDOWS\system32\colbact.DLL 2001.12.4414.700 2001.12.4414.700
MTXCLU.DLL 750f0000 77824 C:\WINDOWS\system32\MTXCLU.DLL 2001.12.4414.706 MS DTC amd MTS clustering support DLL
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\system32\WSOCK32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 32-Bit DLL
CLUSAPI.DLL 76d10000 73728 C:\WINDOWS\System32\CLUSAPI.DLL 5.1.2600.5512 (xpsp.080413-2111) Cluster API Library
RESUTILS.DLL 750b0000 73728 C:\WINDOWS\System32\RESUTILS.DLL 5.1.2600.5512 (xpsp.080413-2111) Microsoft Cluster Resource Utility DLL
wuauserv.dll 50000000 20480 c:\windows\system32\wuauserv.dll 5.4.3790.5512 (xpsp.080413-0852) Windows Update AutoUpdate Service
wuaueng.dll 50040000 1937408 C:\WINDOWS\system32\wuaueng.dll 7.4.7600.226 (winmain_wtr_wsus3sp2(wmbla).090806-1834) Windows Update Agent

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 2nd May 2010, 1:16 am

WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\System32\WINHTTP.dll 5.1.2600.5868 (xpsp_sp3_gdr.090824-1328) Windows HTTP Services
Cabinet.dll 75150000 77824 C:\WINDOWS\System32\Cabinet.dll 5.1.2600.5512 (xpsp.080413-2105) Microsoft® Cabinet File API
mspatcha.dll 600a0000 45056 C:\WINDOWS\System32\mspatcha.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft(R) Patch Engine
sfc.dll 76bb0000 20480 C:\WINDOWS\System32\sfc.dll 5.1.2600.5512 (xpsp.080413-2111) Windows File Protection
sfc_os.dll 76c60000 172032 C:\WINDOWS\System32\sfc_os.dll 5.1.2600.5512 (xpsp.080413-2111) Windows File Protection
ipnathlp.dll 66460000 348160 c:\windows\system32\ipnathlp.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft NAT Helper Components
AUTHZ.dll 776c0000 73728 c:\windows\system32\AUTHZ.dll 5.1.2600.5512 (xpsp.080413-2113) Authorization Framework
browser.dll 76da0000 90112 c:\windows\system32\browser.dll 5.1.2600.5512 (xpsp.080413-2113) Computer Browser Service DLL
wscsvc.dll 4c0a0000 94208 c:\windows\system32\wscsvc.dll 5.1.2600.5512 (xpsp.080413-2108) Windows Security Center Service
msi.dll 7d1e0000 2867200 c:\windows\system32\msi.dll 3.1.4001.5512 Windows Installer
wbemcomn.dll 75290000 225280 C:\WINDOWS\System32\wbem\wbemcomn.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
wbemcore.dll 762c0000 544768 C:\WINDOWS\system32\wbem\wbemcore.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
esscli.dll 75310000 258048 C:\WINDOWS\system32\wbem\esscli.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
FastProx.dll 75690000 483328 C:\WINDOWS\system32\wbem\FastProx.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) WMI
wbemsvc.dll 74ed0000 57344 C:\WINDOWS\System32\wbem\wbemsvc.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
upnp.dll 76de0000 147456 C:\WINDOWS\System32\upnp.dll 5.1.2600.5512 (xpsp.080413-0852) Universal Plug and Play API
SSDPAPI.dll 74f00000 49152 C:\WINDOWS\System32\SSDPAPI.dll 5.1.2600.5512 (xpsp.080413-0852) SSDP Client API DLL
wmiutils.dll 75020000 110592 C:\WINDOWS\System32\wbem\wmiutils.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
Apphelp.dll 77b40000 139264 C:\WINDOWS\system32\Apphelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
repdrvfs.dll 75200000 192512 C:\WINDOWS\system32\wbem\repdrvfs.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
wmiprvsd.dll 3f1e0000 466944 C:\WINDOWS\System32\wbem\wmiprvsd.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) WMI
NCObjAPI.DLL 5f770000 49152 C:\WINDOWS\system32\NCObjAPI.DLL 5.1.2600.5512 (xpsp.080413-2108)
wbemess.dll 75390000 286720 C:\WINDOWS\System32\wbem\wbemess.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
netcfgx.dll 755f0000 630784 C:\WINDOWS\System32\netcfgx.dll 5.1.2600.5512 (xpsp.080413-0852) Network Configuration Objects
ncprov.dll 5f740000 57344 C:\WINDOWS\System32\wbem\ncprov.dll 5.1.2600.5512 (xpsp.080413-2108) Non-COM WMI Event Provision APIs
rasmans.dll 7df30000 204800 C:\WINDOWS\System32\rasmans.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access Connection Manager
WINIPSEC.DLL 74370000 45056 C:\WINDOWS\System32\WINIPSEC.DLL 5.1.2600.5512 (xpsp.080413-0852) Windows IPSec SPD Client DLL
wups2.dll 50f00000 53248 C:\WINDOWS\system32\wups2.dll 7.4.7600.226 (winmain_wtr_wsus3sp2(wmbla).090806-1834) Windows Update client proxy stub 2
qmgr.dll 5b9f0000 438272 c:\windows\system32\qmgr.dll 6.7.2600.5512 (xpsp.080413-2108) Background Intelligent Transfer Service
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
SHFOLDER.dll 76780000 36864 c:\windows\system32\SHFOLDER.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Folder Service
tapisrv.dll 733e0000 262144 c:\windows\system32\tapisrv.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft® Windows(TM) Telephony Server
rastapi.dll 75880000 69632 C:\WINDOWS\System32\rastapi.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access TAPI Compliance Layer
rasadhlp.dll 76fc0000 24576 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access AutoDial Helper
unimdm.tsp 57cc0000 221184 C:\WINDOWS\System32\unimdm.tsp 5.1.2600.5512 (xpsp.080413-0852) Unimodem 5 Service Provider
uniplat.dll 72000000 28672 C:\WINDOWS\System32\uniplat.dll 5.1.2600.5512 (xpsp.080413-0852) Unimodem AT Mini Driver Platform Driver for Windows NT
kmddsp.tsp 57d40000 45056 C:\WINDOWS\System32\kmddsp.tsp 5.1.2600.5512 (xpsp.080413-0852) TAPI Kernel-Mode Service Provider
ndptsp.tsp 57d20000 65536 C:\WINDOWS\System32\ndptsp.tsp 5.1.2600.5512 (xpsp.080413-0852) NDIS Proxy TAPI Service Provider
ipconf.tsp 57d50000 32768 C:\WINDOWS\System32\ipconf.tsp 5.1.2600.5512 (xpsp.080413-0852) Microsoft Multicast Conference TAPI Service Provider
h323.tsp 57d70000 286720 C:\WINDOWS\System32\h323.tsp 5.1.2600.5512 (xpsp.080413-0852) Microsoft H.323 Telephony Service Provider
hidphone.tsp 57d60000 40960 C:\WINDOWS\System32\hidphone.tsp 5.1.2600.5512 (xpsp.080413-0852) Microsoft HID Phone TSP
rasppp.dll 72240000 225280 C:\WINDOWS\System32\rasppp.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access PPP
ntlsapi.dll 724b0000 24576 C:\WINDOWS\System32\ntlsapi.dll 5.1.2600.5512 (xpsp.080413-2113) Microsoft® License Server Interface DLL
kerberos.dll 71cf0000 311296 C:\WINDOWS\system32\kerberos.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Kerberos Security Package
RASQEC.DLL 72ae0000 77824 C:\WINDOWS\System32\RASQEC.DLL 5.1.2600.5512 (xpsp.080413-0852) RAS Quarantine Enforcement Client
RASDLG.dll 768d0000 671744 C:\WINDOWS\System32\RASDLG.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access Common Dialog API
msxml3.dll 74980000 1191936 C:\WINDOWS\system32\msxml3.dll 8.100.1051.0 MSXML 3.0 SP10
Module information for 'svchost.exe'(1776)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
wudfsvc.dll 670000 65536 c:\windows\system32\wudfsvc.dll 6.0.5716.32 (winmain(wmbla).060928-1756) Windows Driver Foundation - User-mode Driver Framework Service
SETUPAPI.dll 77920000 995328 c:\windows\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
WUDFPlatform.dll 680000 180224 c:\windows\system32\WUDFPlatform.dll 6.0.5716.32 (winmain(wmbla).060928-1756) Windows Driver Foundation - User-mode Platform Library
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll b70000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
Module information for 'svchost.exe'(1892)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
dnsrslvr.dll 76770000 53248 c:\windows\system32\dnsrslvr.dll 5.1.2600.5512 (xpsp.080413-2113) DNS Caching Resolver Service
DNSAPI.dll 76f20000 159744 c:\windows\system32\DNSAPI.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) DNS Client API DLL
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 c:\windows\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
rsaenh.dll 68000000 221184 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINDOWS\System32\hnetcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Sockets Helper DLL
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll a80000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
Module information for 'svchost.exe'(276)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
xpsp2res.dll 630000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
lmhsvc.dll 74c40000 24576 c:\windows\system32\lmhsvc.dll 5.1.2600.5512 (xpsp.080413-0852) TCPIP NetBios Transport Services DLL
iphlpapi.dll 76d60000 102400 c:\windows\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
regsvc.dll 76af0000 73728 c:\windows\system32\regsvc.dll 5.1.2600.5512 (xpsp.080413-2111) Remote Registry Service
ssdpsrv.dll 765e0000 81920 c:\windows\system32\ssdpsrv.dll 5.1.2600.5512 (xpsp.080413-0852) SSDP Service DLL
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Home Networking Configuration Manager
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Sockets Helper DLL
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll d50000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
Module information for 'svchost.exe'(756)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
NTMARTA.DLL 77690000 135168 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
xpsp2res.dll 630000 2904064 C:\WINDOWS\System32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
webclnt.dll 5a6e0000 86016 c:\windows\system32\webclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Service DLL
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll 940000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
Module information for 'svchost.exe'(1416)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
hpqddsvc.dll 10000000 139264 c:\program files\hp\digital imaging\bin\hpqddsvc.dll 120.0.194.000 HP CUE DeviceDiscovery Service
hpqddcmn.dll 3af00000 192512 c:\program files\hp\digital imaging\bin\hpqddcmn.dll 120.0.194.000 HP CUE DeviceDiscovery Common Library
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
MSVCP80.dll 7c420000 552960 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll 8.00.50727.4053 Microsoft® C++ Runtime Library
MSVCR80.dll 78130000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft® C Runtime Library
xpsp2res.dll 6b0000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
hpqcxs08.dll 14a00000 221184 c:\program files\hp\digital imaging\bin\hpqcxs08.dll 120.0.194.000 HP CUE Context Manager Objects
SHFOLDER.dll 76780000 36864 C:\WINDOWS\system32\SHFOLDER.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Folder Service
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll b60000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 1010000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
Module information for 'svchost.exe'(2128)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
hpzinw12.dll 670000 57344 c:\windows\system32\hpzinw12.dll 12,1,2,54 Dot4Net Module
WSOCK32.dll 71ad0000 36864 c:\windows\system32\WSOCK32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
NTMARTA.DLL 77690000 135168 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
Module information for 'svchost.exe'(2216)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
hpzipm12.dll 670000 65536 c:\windows\system32\hpzipm12.dll 12,1,2,54 PmlDrv Module
WSOCK32.dll 71ad0000 36864 c:\windows\system32\WSOCK32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
NTMARTA.DLL 77690000 135168 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
Module information for 'svchost.exe'(2472)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
wiaservc.dll 75aa0000 348160 c:\windows\system32\wiaservc.dll 5.1.2600.5512 (xpsp.080413-0852) Still Image Devices Service
CFGMGR32.dll 74ae0000 28672 c:\windows\system32\CFGMGR32.dll 5.1.2600.5512 (xpsp.080413-2111) Configuration Manager Forwarder DLL
setupapi.DLL 77920000 995328 c:\windows\system32\setupapi.DLL 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
mscms.dll 73b30000 86016 c:\windows\system32\mscms.dll 5.1.2600.5627 (xpsp_sp3_gdr.080624-1245) Microsoft Color Matching System DLL
WINSPOOL.DRV 73000000 155648 c:\windows\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
WINSTA.dll 76360000 65536 c:\windows\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
NETAPI32.dll 5b860000 348160 c:\windows\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
xpsp2res.dll 680000 2904064 C:\WINDOWS\System32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
WINTRUST.dll 76c30000 188416 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
CRYPT32.dll 77a80000 610304 C:\WINDOWS\System32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\System32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
actxprxy.dll 71d40000 110592 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.5512 (xpsp.080413-2113) ActiveX Interface Marshaling Library
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll d10000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WS2_32.dll 71ab0000 94208 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT



******************************************
EOF

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 2nd May 2010, 1:52 am

Let's try and slaughter it. Big Grin

Please open Notepad and enter in the following:
@echo off
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ^%systemroot^%\System32\termsrv.dll /f
pause
del c:\windows\system32\termsrv32.dll
mbr -t > log.txt
start log.txt
exit
Then, click File > Save as...
Save as file.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on file.bat, and it will finish quickly and launch a log (log.txt).

Please post that in your next reply.

===================================

Then run the HelpAsst_mebroot_fix again, three times. At the end of the third run, please post the log from it along with the log from above.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 2nd May 2010, 3:42 am

The first time I ran the HelpAsst_mebroot_fix it said Please wait, and sat for about 10 minutes, then blue screen of death.

I rebooted & ran it again 3 times and below is the log.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8880BF28]<<
kernel: MBR read successfully
user & kernel MBR OK


C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Sat 05/01/2010 at 23:32:50.67

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS.000 ~ attempting to remove

~ Not all HelpAssistant files sucessfully removed ~
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWSPLI~2.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWSTYL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTABL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTEXT~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTIME~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\FILEPA~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\SITEPA~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus\DWANCH~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus\DWAPPL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1
Remove on reboot: C:\Documents and Settings\HelpAssistant.LINDAS.000


~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:37:55.29

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:38:48.73

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:39:13.32

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 2nd May 2010, 9:55 am

Good progress.

Please open Notepad and enter in the following:
@echo off
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
pause
net user HelpAssistant > log.txt
mbr -t >> log.txt
pause
start log.txt
exit
Then, click File > Save as...
Save as check.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on check.bat, and it will finish quickly and launch a log (log.txt).

Please post that in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 2nd May 2010, 4:04 pm

Ok... here you go...

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/1/2010 11:32 PM
Password expires Never
Password changeable 5/1/2010 11:32 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/1/2010 11:32 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK
Right On!

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 2nd May 2010, 6:20 pm

Now, let's see if it is gone, before we try to delete the HelpAssistant account.

Please download [You must be registered and logged in to see this link.] and save it to your desktop.

  • Double-click on HAMeb_check.exe to run the utility and it will create a log.
  • Copy and paste the contents of that log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 2nd May 2010, 10:32 pm

ok... here is the log...

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Sun 05/02/2010 at 18:31:57.81

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 3rd May 2010, 4:16 am

Need more info to execute a total disinfection.

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    *helpassistant*
    disk.sys
    atapi.sys
    mbr.sys
    ntoskrnl.exe
    mat*.dll
    termsrv*

    :folderfind
    *helpassistant*

    :regfind
    PhysicalDrive
    helpassistant
    termservice

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 3rd May 2010, 6:10 am

ok... here is the log...

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 01:59 on 03/05/2010 by yo (Administrator - Elevation successful)

========== filefind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F

Searching for "disk.sys"
C:\WINDOWS\$NtServicePackUninstall$\disk.sys -----c 36352 bytes [02:10 25/09/2008] [05:59 04/08/2004] 00CA44E4534865F8A3B64F7C0984BFF0
C:\WINDOWS\ServicePackFiles\i386\disk.sys ------ 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\system32\drivers\disk.sys --a--- 36352 bytes [12:00 29/08/2002] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [02:10 25/09/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [13:16 19/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [19:59 12/01/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "mbr.sys"
No files found.

Searching for "ntoskrnl.exe"
C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe --a--- 2179328 bytes [00:59 02/03/2005] [00:59 02/03/2005] 4D4CF2C14550A4B7718E94A6E581856E
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe --a--- 2179456 bytes [01:04 02/03/2005] [01:04 02/03/2005] 28187802B7C368C0D3AEF7D4C382AABB
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe --a--- 2182144 bytes [09:55 28/02/2007] [09:55 28/02/2007] 5A5C8DB4AA962C714C8371FBDF189FC9
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe --a--- 2189184 bytes [23:35 07/02/2009] [23:35 07/02/2009] EFE8EACE83EAAD5849A7A548FB75B584
C:\WINDOWS\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe --a--- 2189184 bytes [20:11 14/08/2008] [20:11 14/08/2008] 31914172342BFF330063F343AC6958FE
C:\WINDOWS\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe --a--- 2189312 bytes [18:18 15/10/2009] [13:56 04/08/2009] FDE779EA1A564EBFE16F4E0F82B61BAD
C:\WINDOWS\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe --a--- 2189312 bytes [04:52 09/12/2009] [04:52 09/12/2009] 05BE3D9A71972223AFF6A3C823BA51B1
C:\WINDOWS\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe --a--- 2190080 bytes [13:48 14/04/2010] [12:52 16/02/2010] E1F653A542449D54FA2D27463D99B6B6
C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe -----c 2180352 bytes [02:10 25/09/2008] [09:10 28/02/2007] 582A8DBAA58C3B1F176EB2817DAEE77C
C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe -----c 2042240 bytes [02:01 13/01/2008] [12:00 29/08/2002] B9080D97DBD631AADF9128F7316958D2
C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe -----c 2180992 bytes [02:43 13/01/2008] [06:19 04/08/2004] CE218BC7088681FAA06633E218596CA7
C:\WINDOWS\$NtUninstallKB890859_0$\ntoskrnl.exe -----c 2088448 bytes [02:01 13/01/2008] [08:33 22/10/2004] 5A7EB0C9F96917B7ECF5ADF70C4B1BAE
C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe -----c 2179328 bytes [03:17 13/01/2008] [00:59 02/03/2005] 4D4CF2C14550A4B7718E94A6E581856E
C:\WINDOWS\$NtUninstallKB956572$\ntoskrnl.exe -----c 2189184 bytes [07:06 17/04/2009] [10:11 14/08/2008] EEAF32F8E15A24F62BECB1BD403BB5C5
C:\WINDOWS\$NtUninstallKB956841$\ntoskrnl.exe -----c 2188928 bytes [07:01 15/10/2008] [19:27 13/04/2008] 0C89243C7C3EE199B96FCC16990E0679
C:\WINDOWS\$NtUninstallKB971486$\ntoskrnl.exe -----c 2189056 bytes [07:08 16/10/2009] [11:08 06/02/2009] 7A95B10A73737EBF24139AAA63F5212B
C:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe -----c 2189184 bytes [08:01 11/02/2010] [00:44 05/08/2009] 8415D9C7C050E7022AED8ABF281BE4A6
C:\WINDOWS\$NtUninstallKB979683$\ntoskrnl.exe -----c 2189184 bytes [07:07 16/04/2010] [19:27 08/12/2009] 78EC47F9B9A3A1D539262D8834C896CE
C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe ------ 2189952 bytes [22:23 14/10/2008] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\ERDNT\cache\ntoskrnl.exe --a--- 2189952 bytes [13:16 19/04/2010] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe ------ 2188928 bytes [06:19 04/08/2004] [19:27 13/04/2008] 0C89243C7C3EE199B96FCC16990E0679
C:\WINDOWS\system32\dllcache\ntoskrnl.exe -----c 2189952 bytes [22:23 14/10/2008] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\system32\ntoskrnl.exe --a--- 2189952 bytes [12:00 29/08/2002] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA

Searching for "mat*.dll"
No files found.

Searching for "termsrv*"
C:\Documents and Settings\HelpAssistant.LINDAS.000\Local Settings\temp\RarSFX5\termsrv.dat --a--- 15 bytes [03:43 02/05/2010] [03:18 02/05/2010] BBFCC0810FB0FD869118C1053DDF0EAC
C:\Documents and Settings\yo\Local Settings\temp\RarSFX5\termsrv.dat --a--- 15 bytes [03:18 02/05/2010] [03:18 02/05/2010] BBFCC0810FB0FD869118C1053DDF0EAC
C:\HelpAsst_backup\termsrv32.dll --a--- 295424 bytes [03:18 02/05/2010] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 295424 bytes [02:10 25/09/2008] [07:56 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6
C:\WINDOWS\ERDNT\cache\termsrv.dll --a--- 295424 bytes [13:16 19/04/2010] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [07:56 04/08/2004] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [19:11 12/01/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv32.dll --a--- 295424 bytes [19:11 12/01/2008] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82

========== folderfind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]
C:\Documents and Settings\HelpAssistant.LINDAS.000 d----- [03:32 02/05/2010]

========== regfind ==========

Searching for "PhysicalDrive"
No data found.

Searching for "helpassistant"
[HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"

Searching for "termservice"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000\Control]
"ActiveService"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TermService\Enum]
"0"="Root\LEGACY_TERMSERVICE\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000\Control]
"ActiveService"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Enum]
"0"="Root\LEGACY_TERMSERVICE\0000"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"

-=End Of File=-

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 4th May 2010, 3:43 am

Ok.

Please download and run this: [You must be registered and logged in to see this link.]

Let me know if it launches or saves a log.

===========

Once done, please re-run HaMeb_Check.exe and post a log.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 4th May 2010, 5:12 am

Emebremover did not produce a log... but it did display 2 messages as it ran. First was that MBR rootkit (Win32/Mebroot) was found on my system and asked if I wanted it to clean/remove it. I clicked yes. Then it said it was cleaned sucessfully.

And here is the log for HaMeb_Check.exe


C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 1:07:05.06

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 4th May 2010, 7:36 am

Whew. This is going to be a little complicated. It is obviously reinstalling itself after every removal.

============================

In order to do this, every step should be taken correctly.

1. Download all that is needed in the below instructions, and then save all of these instructions to Notepad or print them for easy access.

2. Disconnect from the Internet. Very important to do, until after the last reboot.

3. Open Notepad and copy/paste the code box below into a new text file.
Code:
@echo off
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
del /s/q C:\documents and settings\HelpAssistant.LINDAS
del /s/q C:\documents and settings\HelpAssistant.LINDAS.000
  • Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).


4. Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    registry::


    file::
    c:\windows\system32\termsrv32.dll

    snapshot::
    mbr::
    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


5. Run Help_Asst_Mebroot_Fix and make sure that log gets posted in your next reply.

6. Reboot your computer three times!

7. Run HaMeb_Check once more and post a log.

Make sure to post the ComboFix log, HelpAsstMebrootFix log, and HaMeb_Check log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 4th May 2010, 3:56 pm

Ok... all instructions followed precisely.... here are the logs:

ComboFix 10-05-03.06 - yo 05/04/2010 10:05:19.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.969 [GMT -4:00]
Running from: c:\documents and settings\yo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\yo\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\termsrv32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\yo\Recent\Thumbs.db
c:\program files\WindowsUpdate
c:\windows\system32\termsrv32.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-02 04:07 . 2010-05-02 04:07 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\UserData
2010-05-02 04:06 . 2010-05-02 04:06 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\PrivacIE
2010-05-02 04:06 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS.000\PNPrint3.exe
2010-05-02 03:52 . 2010-05-02 03:52 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\log
2010-05-02 03:39 . 2010-05-02 03:39 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\IETldCache
2010-05-02 03:39 . 2010-05-02 03:39 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\IECompatCache
2010-05-02 03:32 . 2010-05-02 04:07 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000
2010-05-02 03:18 . 2010-05-02 03:18 -------- d-----w- C:\HelpAsst_backup
2010-04-28 23:47 . 2010-04-28 23:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
2010-04-23 04:01 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
2010-04-23 03:49 . 2010-04-23 03:49 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
2010-04-23 03:31 . 2010-03-10 08:05 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IETldCache
2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
2010-04-05 21:46 . 2010-05-04 09:44 -------- d-----w- c:\windows\system32\NtmsData
2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
2010-04-05 01:04 . 2010-05-04 13:59 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
2010-04-04 19:57 . 2010-04-29 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 04:00 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
2010-05-01 19:24 . 2008-01-13 03:02 207024 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 04:46 . 2010-04-04 07:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-04 07:36 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^yo^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\yo\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-14 15:29 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"MagicTuneEngine"=2 (0x2)
"CVPND"=2 (0x2)
"cisvc"=3 (0x3)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe Version Cue CS2"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:Remote Desktop

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-04 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\63.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
"D-Code"="9943096400"
"U-Code"="Demo"
"S-Code"="4973197477"
"C-Code"="2108728324272124"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1152)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2184)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\snmp.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2010-05-04 11:38:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 15:38

Pre-Run: 57,514,393,600 bytes free
Post-Run: 58,265,882,624 bytes free

- - End Of File - - C772DC53CDE8935104EAF894955A4315

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 4th May 2010, 3:58 pm

C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 11:40:51.81

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

------------------------------------------------------------------------------------------------


C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 11:50:32.84

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 4th May 2010, 4:20 pm

I think we might have killed most of the infection. Run Help_Asst_Mebroot_Fix once more and post a log, please.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 4th May 2010, 7:10 pm

C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 15:07:36.48

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 4th May 2010, 7:12 pm

Go to Start > Run

type in CMD and hit OK.

In command prompt, type this in exactly:

net localgroup Administrators HelpAssistant /delete

Let me know if a message pops up.

===============

Reboot your computer, then run HaMeb_Check once more and post a log, please. Smile

I think it is almost gone.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 4th May 2010, 7:34 pm

Ok... No message popped up, but in the command window it said

System error 1377 has occurred.
The specified account name is not a member of the local group.

And here is the log for HaMeb_Check... Thank you

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 15:28:44.34

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
Suspect

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 4th May 2010, 7:57 pm

Enter the Recovery Console again,

place in fixmbr

then reboot, and run HelpAsst_Mebroot_Fix and post a log, please.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 5th May 2010, 2:46 am

Hi there...

I loaded Recovery Console from my computer (from ComboFix install). As it was loaded... blue screen of death.

I then loaded it from the XP disk. When I selected R for repair, a black screen came up that said Recovery Console with a C prompt. I typed fixmbr, and immediatly got another C prompt. No messages saying does not compute, or okay, etc. I typed exit & it rebooted.

Windows started up, but once loaded I could not click on anything. I could move the mouse, but nothing would happen if I clicked anything. I triec ctrl-alt-del and that did not respond either, so I hit the button & rebooted. I tried this 3-4 times, then rebooted into safe mode. Everything worked ok in safe mode, so I tried rebooting in regular mode again and again could not click on anything... windows key on keyboard & ctl-alt-del did nothing. I rebooted into safe mode with networking. Everything seems to be working ok again in safe mode, so I logged on to here and am now typing this message to you...

This bug is evil and must be eradicated from the planet.

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 5th May 2010, 2:59 am

Reboot, and at the options menu for Safe Mode and the rest of the options, choose "Last known good configuration."

Let me know if that helps you boot the Normal Mode again.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 5th May 2010, 3:38 am

Unfortunatly, that didn't fix it. Let me think

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 5th May 2010, 2:13 pm

Ok... hopefully I didn't mess anything up with this, but I had to get my computer working again (I use it for work and had work I had to do on it)....

Since Last Known Good didn't work, I went to Safe Mode and to system restore & restored it to the setting point it made at 9am yesterday. That helped, I was able to click on stuff, but they were taking forever to respond.... like 4 minutes for my documents to open, over 5 minutes when I tried IE, and then it came up and said it could not connect. I rebooted to safe mode with networking & again, everything was fine, so I knew the problem was something loading in regular windows mode. I have very little that loads on start up, mainly just Avira, so I rebooted into regular mode again and tried to open Avira. It just sat & sat, so I thought something must be hosed with that. I rebooted to safe mode, and uninstalled Avira. Rebooted again and now everything, including IE is opening correctly.

So now, should I reinstall Avira, or do you have a suggestion for a different anti-virus program? I've tried a bunch of them, & was running Kapersky when I got this bug & before coming on this board had tried most of the Anti-virus products to try to get rid of this thing. (Download free trial, try to kill the bug, didn't work (or worked but it came back), uninstalled and tried the next one...) It doesn't necessarily have to be a free one, I was just using Avira because it was the last one I had tried.

Don't worry, I won't be surfing looking for a new bug with no anti-virus on my computer... just working until I get my next move from you.

Thank you.

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 5th May 2010, 4:50 pm

Go ahead and leave the antivirus uninstalled.

I do recommend Kaspersky products. What version was it?

Please go to Start > Run

type in mbr.exe -t and press OK.

It will run. Post the log when it finishes.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 5th May 2010, 4:56 pm

ok, here you go sir...

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 6th May 2010, 1:30 am

Now, let me see a HaMeb_Check log, please. Smile


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 6th May 2010, 4:28 am

ok...here you go...

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Thu 05/06/2010 at 0:28:11.25

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 6th May 2010, 4:32 am

Let's try a different method here.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Do NOT perform a scan yet

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 6th May 2010, 6:07 pm

Hi Dragonmaster Jay,

I downloaded DrWeb-CureIt as instructed... the express scan ran for about 12 hours, then I finally stopped it. I think it kept getting hung up or timed out on something & would restart because when I would come check on it, I would recognize the files as ones it already scanned, and then it would get to itype.exe and just sit. Then I'd walk away for a while & when I'd come back it would still be scanning and then sit again on that same file.

When I stopped it, it did show a warning and said it detected viruses, but it did not give me the option to quarantine. It said I should run the full (or maybe the word it used was premium) version of DrWeb-CureIt to detect and remove the viruses.

I will try running DrWeb-CureIt again shortly, but wanted to update you on the situation & ask you if I should run it in safe mode so the minimum is loaded in memory for the express scan?

The log it created is pretty huge (2 MB), so rather than upload it to 10 posts, I'm uploading it to one of my websites.... here is the link:
[You must be registered and logged in to see this link.]

Thank you

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 6th May 2010, 11:44 pm

Try this new version of CureIt:

Please download this file:
Code:

http://beta.drweb.com/files/?p=cureit%2FCureIt!.exe&lng=en&t=f

and run a scan with it. Post the log it generates.

It will be a *.cvs file, so double-click on it, and open it in Notepad.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 10th May 2010, 3:12 am

Did it work? What happened?


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 10th May 2010, 3:27 am

New version of CureIt did not work. I tried it a couple of times and as it loaded, blue screen flashed up and computer rebooted.

I did try the first version again and it was scanning for about 20 hours, when someone was reaching under my desk for something that fell and accidentally hit the reboot button on my computer. So I'm running the scan again, and will post the log... it will probably be sometime monday since this scan seems to take so long. I'm having it just do the C drive first though, not the D drive (the second hard drive).... so hopefully it won't take quite so long.

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 10th May 2010, 1:39 pm

ok... DrWeb CureIt ran without complications... it rebooted the machine when it was done. The log file is enormous, so I uploaded it to the web. Here is the link [You must be registered and logged in to see this link.]

Thank you

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 10th May 2010, 3:20 pm

It did not detect anything.

Even the Master Boot Record showed up fine.

Now the key is, is to get rid of that HelpAssistant account.


Please open OTL, click Run Scan, and post a log when it is finished.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 10th May 2010, 3:51 pm

Sounds good to me!

Here is the log:

OTL logfile created on: 5/10/2010 11:47:18 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\yo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 62.00% Paging File free
Paging file location(s): D:\pagefile.sys 2956 2956 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 52.41 Gb Free Space | 45.78% Space Free | Partition Type: NTFS
Drive D: | 114.49 Gb Total Space | 31.72 Gb Free Space | 27.71% Space Free | Partition Type: NTFS
Drive E: | 539.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LINDAS
Current User Name: yo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/10 11:44:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/11/11 19:04:14 | 001,505,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2009/06/01 14:51:52 | 000,448,392 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
PRC - [2009/05/26 21:06:32 | 004,351,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/07/21 17:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2008/04/13 20:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/04 19:25:44 | 000,131,072 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
PRC - [2007/05/21 10:48:36 | 000,932,944 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2006/08/11 15:56:02 | 000,017,920 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\CTHELPER.EXE
PRC - [2004/11/26 13:42:10 | 000,812,032 | ---- | M] (Ahead Software AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe


========== Modules (SafeList) ==========

MOD - [2010/05/10 11:44:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2006/08/11 15:56:02 | 000,007,168 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTAGENT.DLL


========== Win32 Services (SafeList) ==========

SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/07/21 17:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2008/04/13 20:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2008/01/13 16:35:23 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Disabled | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/09/04 19:25:44 | 000,131,072 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)
SRV - [2007/08/23 16:05:00 | 000,045,056 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe -- (MagicTuneEngine)
SRV - [2007/05/21 10:48:36 | 000,932,944 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2007/03/20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2007/01/25 13:31:34 | 000,093,048 | ---- | M] (CACE Technologies) [Disabled | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2005/04/04 19:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)
SRV - [2004/11/26 13:42:10 | 000,812,032 | ---- | M] (Ahead Software AG) [Auto | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)
SRV - [2004/11/26 13:42:10 | 000,812,032 | ---- | M] (Ahead Software AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2002/08/29 08:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)


========== Driver Services (SafeList) ==========

DRV - [2010/03/09 23:13:40 | 000,095,024 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 11:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/01/23 02:41:20 | 000,024,944 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GVTDrv.sys -- (GVTDrv)
DRV - [2008/07/09 09:05:22 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/04/13 15:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 14:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 14:46:20 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2008/04/13 14:46:20 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2008/04/13 14:46:10 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/12/05 02:41:00 | 007,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/11/20 12:09:22 | 000,104,320 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2007/10/26 14:27:00 | 000,306,300 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/10/11 12:10:52 | 000,030,008 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ET5Drv.sys -- (ET5Drv)
DRV - [2007/09/04 19:26:32 | 000,029,696 | ---- | M] (NVidia Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\nvoclock.sys -- (NVR0Dev)
DRV - [2007/08/29 04:04:04 | 000,116,264 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SI3112r.sys -- (SI3112r)
DRV - [2007/08/29 04:04:04 | 000,019,240 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SiWinAcc.sys -- (SiWinAcc)
DRV - [2007/08/29 04:04:04 | 000,019,240 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)
DRV - [2007/05/03 13:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2007/01/31 13:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/25 13:31:34 | 000,042,000 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/11/22 11:01:48 | 000,693,760 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2006/08/28 18:12:04 | 000,013,312 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\MTictwl.sys -- (NCPro)
DRV - [2006/08/28 18:12:04 | 000,013,312 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MTictwl.sys -- (MagicTune)
DRV - [2006/08/11 15:48:52 | 000,061,952 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2006/08/11 15:48:50 | 000,158,720 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2006/08/11 15:48:42 | 001,170,432 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEXFIFX.dll -- (CTEXFIFX.DLL)
DRV - [2006/08/11 15:48:32 | 000,548,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ctsblfx.dll -- (CTSBLFX.DLL)
DRV - [2006/08/11 15:48:28 | 000,160,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\cteapsfx.dll -- (CTEAPSFX.DLL)
DRV - [2006/08/11 15:48:12 | 000,536,576 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ctaudfx.dll -- (CTAUDFX.DLL)
DRV - [2006/08/11 15:48:08 | 000,087,552 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\commonfx.dll -- (COMMONFX.DLL)
DRV - [2006/08/11 15:48:06 | 000,317,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2006/08/11 15:45:50 | 000,115,200 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2006/08/11 15:45:40 | 000,269,824 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2006/08/11 15:45:40 | 000,007,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2006/08/11 15:45:38 | 000,499,584 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2006/08/11 15:45:28 | 000,180,224 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2006/08/11 15:45:26 | 000,766,976 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2006/08/11 15:45:26 | 000,154,112 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2006/08/11 15:45:24 | 000,116,224 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2006/08/11 15:45:18 | 000,143,872 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2006/08/11 15:45:18 | 000,078,336 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2006/08/11 15:45:14 | 000,502,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2005/11/10 18:06:04 | 000,340,704 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2005/10/28 17:11:00 | 000,027,648 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iteatapi.sys -- (iteatapi)
DRV - [2004/11/26 13:36:24 | 000,098,176 | ---- | M] (Ahead Software AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2004/11/26 13:36:06 | 000,028,928 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2004/11/26 08:36:02 | 000,027,648 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDrm.sys -- (incdrm)
DRV - [2004/05/25 16:58:04 | 000,396,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA(R) nForce(TM)
DRV - [2004/05/25 16:58:02 | 000,048,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA(R) nForce(TM)
DRV - [2004/01/12 10:20:00 | 000,009,600 | ---- | M] (Cygnal Integrated Products) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CygF32x.sys -- (CYGF32X)
DRV - [2003/09/04 08:45:44 | 000,055,144 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\si3112.sys -- (si3112)
DRV - [2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2003/03/19 16:51:00 | 000,018,688 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2001/08/17 15:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/04/04 20:34:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/28 15:49:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/29 12:10:31 | 000,000,000 | ---D | M]

[2009/10/15 11:28:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions
[2009/08/12 21:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/07 20:20:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions
[2009/10/15 11:31:42 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/07 20:20:12 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/17 11:26:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/05/04 11:25:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\yo\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} [You must be registered and logged in to see this link.] (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [You must be registered and logged in to see this link.] (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} [You must be registered and logged in to see this link.] (PogoWebLauncher Control)
O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} [You must be registered and logged in to see this link.] (SentinelProxy Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} [You must be registered and logged in to see this link.] (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} [You must be registered and logged in to see this link.] (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/08/29 08:00:00 | 000,000,110 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{2bfa3ffa-c16e-11dc-9085-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{2bfa3ffa-c16e-11dc-9085-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2bfa3ffa-c16e-11dc-9085-806d6172696f}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2002/08/29 08:00:00 | 001,310,720 | R--- | M] (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/10 11:44:49 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
[2010/05/10 11:35:11 | 000,201,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTC.exe
[2010/05/07 04:06:34 | 000,110,456 | ---- | C] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2010/05/06 01:30:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\DoctorWeb
[2010/05/05 01:30:06 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/04 15:06:19 | 000,000,000 | ---D | C] -- C:\RECYCLER(2)
[2010/05/04 10:04:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/04 00:59:03 | 000,117,912 | ---- | C] (ESET spol. s r.o.) -- C:\Documents and Settings\yo\Desktop\EMebRemover.exe
[2010/05/01 23:18:22 | 000,278,016 | ---- | C] (SteelWerX) -- C:\WINDOWS\swreg.exe
[2010/05/01 23:18:22 | 000,000,000 | ---D | C] -- C:\HelpAsst_backup
[2010/05/01 21:09:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Desktop\SpiderKill
[2010/05/01 13:20:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Desktop\gmer
[2010/04/28 19:47:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/17 11:26:31 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/17 11:26:30 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/17 11:26:30 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/17 11:26:30 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/15 08:56:12 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/04/13 17:37:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/13 17:35:41 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/13 17:35:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\SUPERAntiSpyware.com
[2010/04/12 16:14:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/12 16:13:17 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/12 16:03:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\.SunDownloadManager
[2007/04/09 13:32:58 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2 C:\Documents and Settings\yo\My Documents\*.tmp files -> C:\Documents and Settings\yo\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\yo\*.tmp files -> C:\Documents and Settings\yo\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/10 11:44:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
[2010/05/10 11:37:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/10 11:35:18 | 000,201,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTC.exe
[2010/05/10 10:58:39 | 013,893,632 | ---- | M] () -- C:\Documents and Settings\yo\ntuser.dat
[2010/05/10 04:37:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/10 01:07:05 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/10 01:02:04 | 001,851,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/10 01:01:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/10 01:01:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/09 02:24:39 | 000,208,216 | ---- | M] () -- C:\Documents and Settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/07 10:20:23 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/05/07 10:20:23 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/05/07 10:20:23 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/05/07 10:19:55 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\yo\ntuser.ini
[2010/05/07 10:18:04 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.CDF
[2010/05/07 10:18:04 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.BAK
[2010/05/07 04:16:21 | 000,110,456 | ---- | M] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2010/05/07 00:30:59 | 039,112,800 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\CureIt!.exe
[2010/05/06 01:23:38 | 039,267,408 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\drweb-cureit.exe
[2010/05/04 11:26:18 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/04 11:25:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/04 00:59:07 | 000,117,912 | ---- | M] (ESET spol. s r.o.) -- C:\Documents and Settings\yo\Desktop\EMebRemover.exe
[2010/05/03 00:19:35 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\SystemLook.exe
[2010/05/02 18:31:55 | 000,485,896 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
[2010/05/02 12:03:17 | 000,000,457 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\check.bat
[2010/05/01 23:17:12 | 000,489,984 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
[2010/05/01 23:12:31 | 000,000,598 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\file.bat
[2010/05/01 21:09:34 | 000,113,664 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\SpiderKill.zip
[2010/05/01 13:19:55 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\gmer.zip
[2010/04/30 11:33:28 | 002,145,538 | -H-- | M] () -- C:\Documents and Settings\yo\Local Settings\Application Data\IconCache.db
[2010/04/30 04:20:37 | 000,000,691 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/30 04:20:37 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/16 03:06:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/12 17:29:27 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/12 17:29:26 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/12 17:29:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/12 15:19:02 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2 C:\Documents and Settings\yo\My Documents\*.tmp files -> C:\Documents and Settings\yo\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\yo\*.tmp files -> C:\Documents and Settings\yo\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/10 01:07:41 | 004,958,588 | ---- | C] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.CDF
[2010/05/07 00:30:55 | 039,112,800 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\CureIt!.exe
[2010/05/06 01:23:37 | 039,267,408 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\drweb-cureit.exe
[2010/05/05 12:56:08 | 000,000,409 | ---- | C] () -- C:\Documents and Settings\yo\mbr.log
[2010/05/04 09:08:05 | 013,893,632 | ---- | C] () -- C:\Documents and Settings\yo\ntuser.dat
[2010/05/03 00:19:29 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\SystemLook.exe
[2010/05/02 18:31:35 | 000,485,896 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
[2010/05/02 12:03:17 | 000,000,457 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\check.bat
[2010/05/01 23:18:22 | 000,082,944 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/01 23:17:10 | 000,489,984 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
[2010/05/01 23:12:31 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\file.bat
[2010/05/01 21:09:32 | 000,113,664 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\SpiderKill.zip
[2010/05/01 13:19:53 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\gmer.zip
[2010/04/14 17:59:44 | 000,384,872 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/09/28 21:44:10 | 000,000,038 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/02/13 23:28:05 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\drivers\MTictwl.sys
[2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/07/01 14:46:07 | 000,000,899 | ---- | C] () -- C:\WINDOWS\CadraViewExp.ini
[2008/06/29 09:39:31 | 001,936,528 | ---- | C] () -- C:\WINDOWS\System32\ltmm15.dll
[2008/05/09 16:42:24 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/04/24 00:20:00 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/02/01 21:03:21 | 000,025,339 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/01/14 13:56:19 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS61.DLL
[2008/01/14 12:32:14 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/01/13 19:29:15 | 000,086,446 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/01/13 19:29:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/01/13 19:29:15 | 000,000,191 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/01/13 13:33:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/12 22:24:48 | 000,024,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\GVTDrv.sys
[2008/01/12 20:24:20 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\idecoi.dll
[2008/01/12 15:58:54 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/12/05 02:41:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 02:41:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 02:41:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 02:41:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 02:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/10/26 14:28:18 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/10/26 14:28:04 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/03/12 12:01:30 | 000,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2007/03/09 03:12:32 | 000,027,648 | -HS- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2007/03/06 05:14:48 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/03/06 05:14:48 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/01/25 13:31:36 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2006/08/11 15:57:18 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/07/25 14:57:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[2006/05/23 13:40:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2005/06/16 19:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
< End of report >

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 10th May 2010, 5:33 pm

Good. Almost done.

Run HaMeb_Check so I can see our progress. Smile


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 10th May 2010, 8:18 pm

Great! Big Grin Here it is...

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Mon 05/10/2010 at 16:17:43.18

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 11th May 2010, 1:42 am

What has happened here, is that the infection has been removed. However, the account wants to stay continually active.

The account HelpAssistant has attached itself to your account, so at System log-on, that account runs at the same time you are. So, when you try to delete it, it will just re-appear, because it cannot be deleted while it is still active.

So, the idea is going to be, is to delete it while it is inactive.


Need some more info.

Go to Start > Run
type in cmd and hit OK.

Type this in exactly:

net user helpassistant > log.txt && log.txt


It will launch a log. Please post it, if there is text in the log.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 11th May 2010, 3:11 am

Sounds great....

Ok... here is the log:

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/5/2010 1:32 AM
Password expires Never
Password changeable 5/5/2010 1:32 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/1/2010 11:32 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 11th May 2010, 3:21 am

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Open Notepad and copy/paste the code box below into a new text file.
Code:
@echo off
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\documents and settings\HelpAssistant\* /s /d
del /s/q C:\documents and settings\HelpAssistant\*.*
rmdir /s/q C:\documents and settings\HelpAssistant
attrib -s -h -r C:\documents and settings\HelpAssistant.LINDAS\* /s /d
del /s/q C:\documents and settings\HelpAssistant.LINDAS\*.*
rmdir /s/q C:\documents and settings\HelpAssistant.LINDAS
attrib -s -h -r C:\documents and settings\HelpAssistant.LINDAS.000\* /s /d
del /s/q C:\documents and settings\HelpAssistant.LINDAS.000\*.*
rmdir /s/q C:\documents and settings\HelpAssistant.LINDAS.000
  • Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
  • It will open a text file, please copy the content in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 11th May 2010, 4:07 am

I ran it, but no text file opened...

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 11th May 2010, 5:12 am

Ok.

do this once more and post a log, please:

net user helpassistant > log.txt && log.txt


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 11th May 2010, 2:49 pm

Alrighty... here it is...


User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/5/2010 1:32 AM
Password expires Never
Password changeable 5/5/2010 1:32 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/1/2010 11:32 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 11th May 2010, 6:01 pm

Good. Now, please reboot your computer twice, and run the Profiles program once more.

I think it is gone now. Smile


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by yolinda on 11th May 2010, 6:25 pm

Sorry... we've run so much stuff... which one is the Profiles program?

yolinda
Intermediate
Intermediate

Posts Posts : 72
Joined Joined : 2010-04-04
Gender Gender : Female
OS OS : Windows XP
Protection Protection : Currently using Avira.
Points Points : 25478
# Likes # Likes : 0

View user profile

Back to top Go down

Re: ebay paypal redirect/hijack

Post by Dr Jay on 11th May 2010, 6:39 pm

Here. You can probably re-download it.

Download [You must be registered and logged in to see this link.]
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down

Page 2 of 3 Previous  1, 2, 3  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum