ebay paypal redirect/hijack

Re: ebay paypal redirect/hijack22nd April 2010, 4:11 am

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

kapersky scan22nd April 2010, 2:17 pm

Hi Dragonmaster_Jay,

Here are the results of the Kapersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, April 22, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 21, 2010 20:27:33
Records in database: 3962586
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Objects scanned: 273092
Threats found: 1
Infected objects found: 0
Suspicious objects found: 1
Scan duration: 06:38:06

File name / Threat / Threats count
C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

Selected area has been scanned.

Re: ebay paypal redirect/hijack22nd April 2010, 4:26 pm

Good.

I think this will be the final check.

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.
ebay paypal redirect/hijack - Page 2 Icon13

Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button. ebay paypal redirect/hijack - Page 2 2hd457o

ebay paypal redirect/hijack - Page 2 2hd457o

ebay paypal redirect/hijack - Page 2 34gul1w

Set it to Maximum

ebay paypal redirect/hijack - Page 2 2n9gldh

IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.

Click Create Report to run it. ebay paypal redirect/hijack - Page 2 2ekm73m

ebay paypal redirect/hijack - Page 2 2ekm73m

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

Re: ebay paypal redirect/hijack22nd April 2010, 4:58 pm

ok...here is the link:

http://www.getsysteminfo.com/read.php?file=400e227e867fa84d76bbdb441b1bd205

Re: ebay paypal redirect/hijack23rd April 2010, 12:12 am

We need to do some diagnostics.

1. Please download Profiles by noahdfear.

Save it to your desktop.
Double-click profiles.exe and post its log when you reply

2. Download Win32kDiag by ad13 and save it to your Desktop.

Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

3. In your next reply, please post the following logs for my review:

Profiles log (1)
Win32kDiag log (2)

Thanks! Smile...

Re: ebay paypal redirect/hijack23rd April 2010, 12:31 am

Unfortunatly, redirect is still alive and well. I just took a screen shot of what I get when I try to log on to ebay or paypal (except if paypal it has that logo of course...) If I log on with a different computer, I can log on without any problems.

Re: ebay paypal redirect/hijack23rd April 2010, 12:33 am

Ok. Try Profiles and Win32kDiag and let me see the logs, please.

Re: ebay paypal redirect/hijack23rd April 2010, 12:41 am

Hi Dragonmaster_Jay,

Thank you very much for your patience and continued help in trying to track down this problem!

Here is the log for Profiles:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\yo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS

And here is the log for Win32Kdialog:

Running from: C:\Documents and Settings\yo\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\yo\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Re: ebay paypal redirect/hijack23rd April 2010, 12:55 am

Go here, and download SWReg:

http://www.xs4all.nl/~fstaal01/downloads/swreg.exe

When installed, go to Start | Run and type the following. You may want to copy/paste, just to make sure:

swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f

============

Then, do the HelpAsst fix there again.

Re: ebay paypal redirect/hijack23rd April 2010, 3:50 am

Hi Dragonmaster_Jay,

This did not find a mbr infection on the scan, so I followed the directions for that situation. Here is the helpasst log:

C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Thu 04/22/2010 at 21:48:18.12

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5823:TCP"=-
"5824:TCP"=-
"3389:TCP"=-
"4603:TCP"=-
"7706:TCP"=-
"6698:TCP"=-
"6699:TCP"=-
"7478:TCP"=-
"7479:TCP"=-
"7590:TCP"=-
"7589:TCP"=-
"9885:TCP"=-
"9886:TCP"=-
"8540:TCP"=-
"8541:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5823:TCP"=-
"5824:TCP"=-
"3389:TCP"=-
"4603:TCP"=-
"7706:TCP"=-
"6699:TCP"=-
"6698:TCP"=-
"7478:TCP"=-
"7479:TCP"=-
"7589:TCP"=-
"7590:TCP"=-
"9886:TCP"=-
"9885:TCP"=-
"8540:TCP"=-
"8541:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant.LINDAS files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 04/22/2010 at 23:41:28.57

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A337C78]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1844237615-1409082233-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=8541:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=8541:TCP:*:Enabled:Services

~~ EOF ~~

Re: ebay paypal redirect/hijack23rd April 2010, 3:53 am

Delete the current copy of HelpAsst_mebroot_fix.exe and download a fresh one from here. Please save it to your desktop, else the following command will not work.
Click Start>Run then copy and paste in the following bolded command, then hit Enter.

"%userprofile%\desktop\helpasst_mebroot_fix.exe" -mbrt

A log will open when it completes. Please post it's contents here.

Re: ebay paypal redirect/hijack23rd April 2010, 2:57 pm

ok, here it is:

C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Thu 04/22/2010 at 21:48:18.12

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5823:TCP"=-
"5824:TCP"=-
"3389:TCP"=-
"4603:TCP"=-
"7706:TCP"=-
"6698:TCP"=-
"6699:TCP"=-
"7478:TCP"=-
"7479:TCP"=-
"7590:TCP"=-
"7589:TCP"=-
"9885:TCP"=-
"9886:TCP"=-
"8540:TCP"=-
"8541:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5823:TCP"=-
"5824:TCP"=-
"3389:TCP"=-
"4603:TCP"=-
"7706:TCP"=-
"6699:TCP"=-
"6698:TCP"=-
"7478:TCP"=-
"7479:TCP"=-
"7589:TCP"=-
"7590:TCP"=-
"9886:TCP"=-
"9885:TCP"=-
"8540:TCP"=-
"8541:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant.LINDAS files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 04/22/2010 at 23:41:28.57

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A337C78]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1844237615-1409082233-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=8541:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=8541:TCP:*:Enabled:Services

~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Fri 04/23/2010 at 10:55:51.35

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D2E5A8]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-1844237615-1409082233-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=8541:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=8541:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

~~ EOF ~~

Re: ebay paypal redirect/hijack23rd April 2010, 8:08 pm

We beat up part of it now. Let's search and destroy.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
:filefind *helpassistant* *helpasst* *assistant* :folderfind *helpassistant* *helpasst* *assistant* :regfind helpassistant helpasst
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: ebay paypal redirect/hijack23rd April 2010, 9:14 pm

Sounds Great... I'm ready to squash this bug for good!

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:56 on 23/04/2010 by yo (Administrator - Elevation successful)

========== filefind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
C:\Documents and Settings\yo\Recent\HelpAssistant.lnk --a--- 517 bytes [10:57 13/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.LINDAS.lnk --a--- 556 bytes [02:06 23/04/2010] [13:06 13/04/2010] C750B857F6A8620410F6ED1F4D31CEEF
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.lnk --a--- 517 bytes [02:06 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F

Searching for "*helpasst*"
C:\Documents and Settings\HelpAssistant.LINDAS\Desktop\HelpAsst_mebroot_fix.exe --a--- 490232 bytes [03:36 23/04/2010] [01:29 23/04/2010] 1F400D155A8F31DD57BC2A9CE5B8D6F5
C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAsst.log.lnk --a--- 415 bytes [04:01 23/04/2010] [15:17 19/04/2010] E56FDA3CBEB0BFB4B6484CDD4FD8F79E
C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe --a--- 489984 bytes [14:55 23/04/2010] [14:55 23/04/2010] 3516C911A1B9264D5E6B26F27D114FB6
C:\Documents and Settings\yo\Recent\HelpAsst.log.lnk --a--- 415 bytes [15:17 19/04/2010] [15:17 19/04/2010] E56FDA3CBEB0BFB4B6484CDD4FD8F79E
C:\HelpAsst.log --a--- 4856 bytes [22:23 11/04/2010] [14:55 23/04/2010] C9356F32033DB9C16EA6E62EB04047DA
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Desktop\HelpAsst_mebroot_fix.exe --a--- 490008 bytes [01:52 23/04/2010] [22:20 11/04/2010] 58B59A8C44CB661F3E4A952E88B0F8F3
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAsst.log.lnk --a--- 415 bytes [02:06 23/04/2010] [15:17 19/04/2010] E56FDA3CBEB0BFB4B6484CDD4FD8F79E
C:\WINDOWS\Prefetch\HELPASST_MEBROOT_FIX.EXE-23271C94.pf --a--- 59716 bytes [01:48 23/04/2010] [14:55 23/04/2010] 04DD050E52A2FA069BEB963B364537DD

Searching for "*assistant*"
C:\Documents and Settings\All Users\Application Data\HP Product Assistant\HPProductAssistant.ini --a--- 9024 bytes [23:23 16/10/2008] [05:28 23/04/2010] 612BA8FFDD872F33F164BE751B6B7471
C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\ShippingAssistant\Database\ShippingAssistant.sdf --a--- 282624 bytes [03:38 23/04/2010] [04:46 15/05/2008] DC4CBE48E58A09DDCCDE388087F749C9
C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\ShippingAssistant\Logs\ShippingAssistant.log --a--- 740 bytes [03:38 23/04/2010] [04:45 15/05/2008] E03399893DC6F022AE2AB573E8AB956F
C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
C:\Documents and Settings\yo\Local Settings\Application Data\ShippingAssistant\Database\ShippingAssistant.sdf --a--- 282624 bytes [04:01 15/05/2008] [04:46 15/05/2008] DC4CBE48E58A09DDCCDE388087F749C9
C:\Documents and Settings\yo\Local Settings\Application Data\ShippingAssistant\Logs\ShippingAssistant.log --a--- 740 bytes [04:02 15/05/2008] [04:45 15/05/2008] E03399893DC6F022AE2AB573E8AB956F
C:\Documents and Settings\yo\Recent\HelpAssistant.lnk --a--- 517 bytes [10:57 13/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\ShippingAssistant\Database\ShippingAssistant.sdf --a--- 282624 bytes [01:53 23/04/2010] [04:46 15/05/2008] DC4CBE48E58A09DDCCDE388087F749C9
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\ShippingAssistant\Logs\ShippingAssistant.log --a--- 740 bytes [01:53 23/04/2010] [04:45 15/05/2008] E03399893DC6F022AE2AB573E8AB956F
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.LINDAS.lnk --a--- 556 bytes [02:06 23/04/2010] [13:06 13/04/2010] C750B857F6A8620410F6ED1F4D31CEEF
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.lnk --a--- 517 bytes [02:06 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\MicrosoftDotNetFrameworkAssistant.xpi --a--- 19153 bytes [18:40 18/03/2009] [18:40 18/03/2009] 142AA9EC7D07C3F7B26E20E5EA399C80

========== folderfind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]

Searching for "*helpasst*"
C:\HelpAsst_backup d----- [22:23 11/04/2010]

Searching for "*assistant*"
C:\Documents and Settings\All Users\Application Data\HP Product Assistant d----- [00:33 05/04/2010]
C:\Documents and Settings\All Users\Application Data\HP\ProductAssistant d----- [00:33 05/04/2010]
C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]
C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\ShippingAssistant d----- [03:38 23/04/2010]
C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\USPS\ShippingAssistant.exe_StrongName_1530igqym0lgi3fwh2vbxinwnit5pbs3 d----- [03:38 23/04/2010]
C:\Documents and Settings\yo\Local Settings\Application Data\ShippingAssistant d----- [04:01 15/05/2008]
C:\Documents and Settings\yo\Local Settings\Application Data\USPS\ShippingAssistant.exe_StrongName_1530igqym0lgi3fwh2vbxinwnit5pbs3 d----- [04:02 15/05/2008]
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\ShippingAssistant d-a--- [01:53 23/04/2010]
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\USPS\ShippingAssistant.exe_StrongName_1530igqym0lgi3fwh2vbxinwnit5pbs3 d-a--- [01:53 23/04/2010]
C:\Program Files\HP\Digital Imaging\Product Assistant d----- [00:33 05/04/2010]
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\ExceptionAssistantContent d----- [05:31 28/11/2008]
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension d----- [07:09 15/08/2009]

========== regfind ==========

Searching for "helpassistant"
[HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000]
"ProfileImagePath"="%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000]
"ProfileImagePath"="%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"

Searching for "helpasst"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HelpAsst.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HelpAsst.exe]
@="C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe"

-=End Of File=-

Re: ebay paypal redirect/hijack24th April 2010, 3:50 am

Do you have an XP cd?

Re: ebay paypal redirect/hijack24th April 2010, 3:23 pm

Yes, I do.

Re: ebay paypal redirect/hijack24th April 2010, 5:12 pm

Reboot your computer.

Boot from the windows XP CD, press the "R" key in the setup in order to start the Recovery Console.

Select your windows XP installation from the list (usually 1). It will prompt for an administrator password. The password is probably blank, so just hit enter.

Enter the command: fixmbr at the input prompt and confirm the next question with a Y.

It should then reboot the computer. If it does not, then type exit.

Boot back in to the Normal XP.

=================

After that, please do the following:

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.

Double-click mbr.exe to start the program.
When done scanning, it will save a log on the Desktop called mbr.log.
Please post the contents of that log in your next reply.

Re: ebay paypal redirect/hijack28th April 2010, 6:21 pm

Hi Dragonmaster Jay,

I followed the directions, booted from windows xp cd. When I typed R to go to recovery consol, it went to the black screen with the c prompt. (I did not have to select anything). When I typed fixmbr, it just popped up another c prompt. No response, just the c prompt. So I typed exit.

Upon restarting, I tried going into windows recovery consol (installed on one of the earlier steps, it shows now whenever I boot). It started loading, then BAM.... blue screen of death...

So I am going to go ahead and do the Stealth MBR Rootkit Detector & post log... but wanted to update you on what was happening.

Thanks
yolinda

Re: ebay paypal redirect/hijack28th April 2010, 6:24 pm

Here is the log from Stealth MBR Rootkit Detector:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Re: ebay paypal redirect/hijack28th April 2010, 9:10 pm

Having anymore redirects?

Re: ebay paypal redirect/hijack29th April 2010, 8:11 pm

Man, I was really hoping we killed this thing!

I did not have the redirect last night, but now it is back again.

This thing is worse than a bad horror movie where they "kill" the bad guy, then he pops back up and attacks again...

Re: ebay paypal redirect/hijack29th April 2010, 8:29 pm

Whenever rootkit scanners, and antivirus software scan for the rootkit, it gets as close to the system kernel as possible. If the rootkit is beyond that point, it will not be detected.

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.

Double-click mbr.exe to start the program.
When done scanning, it will save a log on the Desktop called mbr.log.
Please post the contents of that log in your next reply.

Re: ebay paypal redirect/hijack29th April 2010, 9:41 pm

Ok, here is the scan:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2

Re: ebay paypal redirect/hijack30th April 2010, 2:58 am

Please download Profiles by noahdfear.

Save it to your desktop.
Double-click profiles.exe and post its log when you reply

Re: ebay paypal redirect/hijack30th April 2010, 3:32 am

Below is the log for Profiles... by the way, can I delete the help assistant folders under documents and settings? Or do I need to leave those there?
Thank you-- Linda

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\yo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS

Re: ebay paypal redirect/hijack30th April 2010, 3:57 am

Please download HAMeb_check.exe and save it to your desktop.

Double-click on HAMeb_check.exe to run the utility and it will create a log.
Copy and paste the contents of that log in your next reply.

===============================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
:filefind termsrv.dll termsrv32.dll :reg HKLM\SYSTEM\CurrentControlSet\Services\TermService /s
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

=============================================

Open Notepad and copy/paste the code box below into a new text file.

Code:

@echo off
net user HelpAssistant 
/active:no >nul 2>&1
net localgroup Administrators 
HelpAssistant /delete >nul 2>&1
attrib -s -h -r 
C:\docume~\HelpAssistant\* /s /d
del /s/q 
C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant

Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
It will open a text file, please copy the content in your next reply.

Please make sure to post the log from HAMeb_Check, SystemLook, and the regquery in your next reply.

Re: ebay paypal redirect/hijack30th April 2010, 5:04 am

ok... first two ran fine... but regquery did not give me a txt file. It popped open a black window and I saw a bunch of text for about 1/2 second, then it closed and no log file opened... here are the logs for HAMeb_check and SystemLook:

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Fri 04/30/2010 at 0:47:11.73

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-1844237615-1409082233-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A439BC0]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=8541:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=8541:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

~~ EOF ~~

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 00:48 on 30/04/2010 by yo (Administrator - Elevation successful)

========== filefind ==========

Searching for "termsrv.dll"
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 295424 bytes [02:10 25/09/2008] [07:56 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6
C:\WINDOWS\ERDNT\cache\termsrv.dll --a--- 295424 bytes [13:16 19/04/2010] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [07:56 04/08/2004] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [19:11 12/01/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F

Searching for "termsrv32.dll"
C:\HelpAsst_backup\termsrv32.dll --a--- 295424 bytes [22:23 11/04/2010] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82
C:\WINDOWS\system32\termsrv32.dll --a--- 295424 bytes [19:11 12/01/2008] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"DependOnService"="RPCSS"
"Description"="Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server."
"DisplayName"="Terminal Services"
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="%SystemRoot%\System32\svchost -k DComLaunch"
"ObjectName"="LocalSystem"
"Start"= 0x0000000002 (2)
"Type"= 0x0000000020 (32)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Enum]
"0"="Root\LEGACY_TERMSERVICE\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters]
"Certificate"=01 00 00 00 01 00 00 00 01 00 00 00 06 00 5c 00 52 53 41 31 48 00 00 00 00 02 00 00 3f 00 00 00 01 00 01 00 7f d2 2e a9 8b cc 63 eb 41 8a 8e b2 13 3c 20 ef 92 f2 76 8b 92 2d 8b c6 4b 76 f8 03 f6 6f 47 80 68 0d a1 19 2e ce 3c f5 93 30 be 01 61 c7 c1 65 73 b9 a5 39 51 78 65 f2 25 e0 3d dd 84 0c 47 b6 00 00 00 00 00 00 00 00 08 00 48 00 42 37 0d ab 7b 6e 5a 4b f5 a7 d9 16 ff 4e 49 62 99 d5 0a 33 d4 56 63 ac 42 28 c9 f5 b3 a5 e8 42 88 7e 56 4c dd 5e 03 e7 78 80 08 fc 40 bb 44 36 ae 44 f9 10 7a 21 26 c5 fd 39 26 22 4a 21 49 4b 00 00 00 00 00 00 00 00 (REG_BINARY)
"ServiceDll"="%SystemRoot%\System32\termsrv32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Performance]
"Close"="CloseTSObject"
"Collect Timeout"= 0x00000003e8 (1000)
"Collect"="CollectTSObjectData"
"First Counter"= 0x0000000806 (2054)
"First Help"= 0x0000000807 (2055)
"Last Counter"= 0x0000000886 (2182)
"Last Help"= 0x0000000887 (2183)
"Library Validation Code"=00 60 bd 99 53 4f c2 01 00 30 00 00 00 00 00 00 (REG_BINARY)
"Library"="perfts.dll"
"Object List"="2054 2176"
"Open Timeout"= 0x00000003e8 (1000)
"Open"="OpenTSObject"
"WbemAdapFileSignature"=7e fd 21 14 ea d1 ac 72 34 26 10 d7 19 2b fb 32 (REG_BINARY)
"WbemAdapFileSize"= 0x0000003000 (12288)
"WbemAdapFileTime"=00 60 bd 99 53 4f c2 01 (REG_BINARY)
"WbemAdapStatus"= 0000000000 (0)

-=End Of File=-

Re: ebay paypal redirect/hijack30th April 2010, 7:57 pm

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Please open Command Prompt (Start > Run and type CMD and press OK)
Enter the following in to the black box, pressing enter after each line:

Code:

mbr.exe -f

exit

Post a log (MBR.log).

Re: ebay paypal redirect/hijack30th April 2010, 9:07 pm

ok... here is the log...

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

Re: ebay paypal redirect/hijack1st May 2010, 3:40 am

Ok. We are going to start over here. Right On!

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

============

Then, please do the following:

GMER

Note about this tool:

This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
No matter what is in the log, please post all the information/contents of the log.

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Re: ebay paypal redirect/hijack1st May 2010, 7:21 pm

Ok... starting fresh! Big Grin

Ran the OTR thing... deleted all the other stuff it didn't delete... Downloaded GMER & ran it as instructed.... left it for several hours, when I came back, it said the scan was stopped (but no one touched my computer during the scan.) The log is below... Thank You!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-01 15:04:30
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\yo\LOCALS~1\Temp\uwtdapob.sys

---- System - GMER 1.0.15 ----

SSDT B15DFAF6 ZwCreateKey
SSDT B15DFAEC ZwCreateThread
SSDT B15DFAFB ZwDeleteKey
SSDT B15DFB05 ZwDeleteValueKey
SSDT B15DFB0A ZwLoadKey
SSDT B15DFAD8 ZwOpenProcess
SSDT B15DFADD ZwOpenThread
SSDT B15DFB14 ZwReplaceKey
SSDT B15DFB0F ZwRestoreKey
SSDT B15DFB00 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB8EF2380, 0x346307, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA90E4400, 0x87EE2, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA9188620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA9188620]
.protectÿÿÿÿhardlockunknown last code section [0xA9188400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA9188400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 019C2862
.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019C26EE
.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019C27E0
.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 019C2726
.text C:\WINDOWS\Explorer.EXE[436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 019C275E
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01992862
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019926EE
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019927E0
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01992726
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[656] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0199275E
.text C:\WINDOWS\system32\SearchIndexer.exe[2800] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

Device \Driver\si3112 \Device\Scsi\si31122Port1Path0Target0Lun0 889C7AF8
Device \Driver\si3112 \Device\Scsi\si31122 889C7AF8
Device \Driver\si3112 \Device\Scsi\si31122Port1Path1Target0Lun0 889C7AF8

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Photosmart B8500 series (Copy 1)@ChangeID 2284296

---- EOF - GMER 1.0.15 ----

Re: ebay paypal redirect/hijack1st May 2010, 11:20 pm

Let's scan with this to get more info.

Please download SpiderKill by me and save it to your Desktop.

Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.

Re: ebay paypal redirect/hijack2nd May 2010, 1:13 am

Here you go... thanks!

SpiderKill by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]

********************Drivers list********************

Volume in drive C has no label.
Volume Serial Number is 8C30-4B1B

Directory of C:\Windows\System32\Drivers

04/19/2010 09:42 AM .
04/19/2010 09:42 AM ..
04/13/2008 02:46 PM 53,376 1394bus.sys
04/13/2008 02:46 PM 48,128 61883.sys
04/13/2008 02:36 PM 187,776 acpi.sys
08/29/2002 08:00 AM 11,648 acpiec.sys
04/13/2008 08:11 PM 4,255 adv01nt5.dll
04/13/2008 08:11 PM 3,967 adv02nt5.dll
04/13/2008 08:11 PM 3,615 adv05nt5.dll
04/13/2008 08:11 PM 3,647 adv07nt5.dll
04/13/2008 08:11 PM 3,135 adv08nt5.dll
04/13/2008 08:11 PM 3,711 adv09nt5.dll
04/13/2008 08:11 PM 3,775 adv11nt5.dll
04/13/2008 12:39 PM 142,592 aec.sys
08/14/2008 06:04 AM 138,496 afd.sys
04/13/2008 02:36 PM 42,368 agp440.sys
04/13/2008 02:36 PM 44,928 agpcpq.sys
04/13/2008 02:36 PM 42,752 alim1541.sys
04/13/2008 02:36 PM 43,008 amdagp.sys
04/13/2008 02:31 PM 37,376 amdk6.sys
04/13/2008 02:31 PM 37,760 amdk7.sys
11/29/2006 01:46 AM 28,224 APLMp50.sys
04/13/2008 02:51 PM 60,800 arp1394.sys
03/29/2000 10:17 AM 5,824 ASUSHWIO.SYS
04/13/2008 02:57 PM 14,336 asyncmac.sys
04/13/2008 02:40 PM 96,512 atapi.sys
08/04/2004 01:29 AM 56,623 ati1btxx.sys
08/04/2004 01:29 AM 11,615 ati1mdxx.sys
08/04/2004 01:29 AM 12,047 ati1pdxx.sys
08/04/2004 01:29 AM 30,671 ati1raxx.sys
08/04/2004 01:29 AM 63,663 ati1rvxx.sys
08/04/2004 01:29 AM 26,367 ati1snxx.sys
08/04/2004 01:29 AM 21,343 ati1ttxx.sys
08/04/2004 01:29 AM 36,463 ati1tuxx.sys
08/04/2004 01:29 AM 29,455 ati1xbxx.sys
08/04/2004 01:29 AM 34,735 ati1xsxx.sys
08/04/2004 01:29 AM 327,040 ati2mtaa.sys
08/04/2004 01:29 AM 701,440 ati2mtag.sys
08/04/2004 01:29 AM 57,856 atinbtxx.sys
08/04/2004 01:29 AM 13,824 atinmdxx.sys
08/04/2004 01:29 AM 14,336 atinpdxx.sys
08/04/2004 01:29 AM 52,224 atinraxx.sys
08/04/2004 01:29 AM 104,960 atinrvxx.sys
08/04/2004 01:29 AM 28,672 atinsnxx.sys
08/04/2004 01:29 AM 13,824 atinttxx.sys
08/04/2004 01:29 AM 73,216 atintuxx.sys
08/04/2004 01:29 AM 31,744 atinxbxx.sys
08/04/2004 01:29 AM 63,488 atinxsxx.sys
07/17/2004 02:36 PM 64,352 ativmc20.cod
04/13/2008 02:51 PM 59,904 atmarpc.sys
08/29/2002 08:00 AM 31,360 atmepvc.sys
04/13/2008 02:51 PM 55,808 atmlane.sys
08/29/2002 08:00 AM 352,256 atmuni.sys
04/13/2008 08:11 PM 21,183 atv01nt5.dll
04/13/2008 08:11 PM 11,359 atv02nt5.dll
04/13/2008 08:11 PM 25,471 atv04nt5.dll
04/13/2008 08:11 PM 14,143 atv06nt5.dll
04/13/2008 08:11 PM 17,279 atv10nt5.dll
08/17/2001 09:59 AM 3,072 audstub.sys
04/13/2008 02:46 PM 38,912 avc.sys
05/11/2009 11:49 AM 45,416 avgntdd.sys
02/16/2010 01:24 PM 60,936 avgntflt.sys
05/11/2009 11:49 AM 22,360 avgntmgr.sys
03/01/2010 09:05 AM 124,784 avipbb.sys
08/29/2002 08:00 AM 4,224 beep.sys
04/13/2008 02:53 PM 71,552 bridge.sys
04/13/2008 02:46 PM 17,024 bthenum.sys
04/13/2008 02:46 PM 37,888 bthmodem.sys
04/13/2008 02:51 PM 101,120 bthpan.sys
06/13/2008 07:05 AM 272,128 bthport.sys
04/13/2008 02:46 PM 36,480 bthprint.sys
04/13/2008 02:46 PM 18,944 bthusb.sys
08/29/2002 08:00 AM 13,952 cbidf2k.sys
04/13/2008 02:46 PM 17,024 CCDECODE.sys
08/29/2002 08:00 AM 18,688 cdaudio.sys
04/13/2008 03:14 PM 63,744 cdfs.sys
04/13/2008 02:40 PM 62,976 cdrom.sys
04/13/2008 08:11 PM 15,423 ch7xxnt5.dll
08/29/2002 08:00 AM 262,528 cinemst2.sys
04/13/2008 03:16 PM 49,536 classpnp.sys
08/29/2002 08:00 AM 11,776 cpqdap01.sys
04/13/2008 02:31 PM 36,736 crusoe.sys
06/08/2005 02:08 PM 1,359,744 CT0531FL.SYS
08/11/2006 03:45 PM 502,272 ctac32k.sys
08/11/2006 03:45 PM 499,584 ctaud2k.sys
11/10/2005 06:06 PM 340,704 ctdvda2k.sys
12/30/2002 11:53 AM 12,160 CTGAME.SYS
09/06/2005 03:02 PM 1,365,888 CTMMFILT.SYS
08/11/2006 03:45 PM 116,224 ctoss2k.sys
08/11/2006 03:45 PM 7,168 ctprxy2k.sys
08/11/2006 03:45 PM 143,872 ctsfm2k.sys
01/18/2007 04:28 PM 5,275 CVirtA.sys
10/26/2007 02:27 PM 306,300 CVPNDRVA.sys
07/18/2004 01:55 AM 129,045 cxthsfs2.cty
01/12/2004 10:20 AM 9,600 CygF32x.sys
01/12/2004 10:20 AM 16,000 CygLib.sys
01/12/2008 09:58 AM disdn
04/13/2008 02:40 PM 36,352 disk.sys
04/13/2008 02:40 PM 14,208 diskdump.sys
04/13/2008 02:44 PM 799,744 dmboot.sys
04/13/2008 02:44 PM 153,344 dmio.sys
08/29/2002 08:00 AM 5,888 dmload.sys
04/13/2008 02:45 PM 52,864 dmusic.sys
01/31/2007 01:45 PM 127,376 dne2000.sys
04/13/2008 03:45 PM 60,160 drmk.sys
04/13/2008 02:45 PM 2,944 drmkaud.sys
08/29/2002 08:00 AM 10,496 dxapi.sys
04/13/2008 02:38 PM 71,168 dxg.sys
08/29/2002 08:00 AM 3,328 dxgthk.sys
08/11/2006 03:45 PM 78,336 emupia2k.sys
08/17/2001 09:46 AM 6,400 enum1394.sys
10/11/2007 12:10 PM 30,008 ET5Drv.sys
04/28/2010 02:47 PM etc
04/13/2008 03:14 PM 143,744 fastfat.sys
04/13/2008 02:40 PM 27,392 fdc.sys
04/13/2008 02:33 PM 44,544 fips.sys
04/13/2008 02:40 PM 20,480 flpydisk.sys
04/13/2008 02:32 PM 129,792 fltmgr.sys
08/29/2002 08:00 AM 12,160 fsvga.sys
08/29/2002 08:00 AM 7,936 fs_rec.sys
08/29/2002 08:00 AM 125,056 ftdisk.sys
04/13/2008 02:36 PM 46,464 gagp30kx.sys
04/13/2008 02:45 PM 10,624 gameenum.sys
04/17/2008 01:12 PM 15,464 GEARAspiWDM.sys
08/29/2002 08:00 AM 3,440,660 gm.dls
08/29/2002 08:00 AM 646 gmreadme.txt
01/23/2009 02:41 AM 24,944 GVTDrv.sys
08/11/2006 03:45 PM 766,976 ha10kx2k.sys
08/11/2006 03:45 PM 1,110,016 ha20x2k.sys
08/11/2006 03:45 PM 154,112 haP16v2k.sys
08/11/2006 03:45 PM 180,224 haP17v2k.sys
11/22/2006 11:01 AM 693,760 hardlock.sys
04/13/2008 12:36 PM 144,384 hdaudbus.sys
04/13/2008 02:46 PM 25,600 hidbth.sys
04/13/2008 02:45 PM 36,864 hidclass.sys
04/13/2008 02:45 PM 19,200 hidir.sys
04/13/2008 02:45 PM 24,960 hidparse.sys
04/13/2008 09:11 PM 21,504 hidserv.dll
04/13/2008 02:45 PM 10,368 hidusb.sys
10/30/2008 05:08 PM 49,920 HPZid412.sys
10/30/2008 05:08 PM 16,496 HPZipr12.sys
10/30/2008 05:08 PM 21,568 HPZius12.sys
08/04/2004 01:41 AM 220,032 hsfbs2s2.sys
08/04/2004 01:41 AM 685,056 hsfcxts2.sys
08/04/2004 01:41 AM 1,041,536 hsfdpsp2.sys
10/20/2009 12:20 PM 265,728 http.sys
04/13/2008 04:18 PM 52,480 i8042prt.sys
04/13/2008 02:40 PM 42,112 imapi.sys
11/26/2004 01:36 PM 98,176 InCDfs.sys
11/26/2004 01:36 PM 28,928 InCDpass.sys
11/26/2004 01:36 PM 7,808 InCDrec.sys
11/26/2004 08:36 AM 27,648 InCDrm.sys
04/13/2008 02:31 PM 36,352 intelppm.sys
04/13/2008 02:53 PM 36,608 ip6fw.sys
08/29/2002 08:00 AM 32,896 ipfltdrv.sys
04/13/2008 02:57 PM 20,864 ipinip.sys
04/13/2008 02:57 PM 152,832 ipnat.sys
04/13/2008 03:19 PM 75,264 ipsec.sys
04/13/2008 02:45 PM 46,592 irbus.sys
04/13/2008 02:54 PM 11,264 irenum.sys
04/13/2008 02:36 PM 37,248 isapnp.sys
10/28/2005 05:11 PM 27,648 iteatapi.sys
04/13/2008 02:39 PM 24,576 kbdclass.sys
04/13/2008 02:39 PM 14,592 kbdhid.sys
02/23/2010 01:10 PM 1,752 kgpcpy.cfg
09/14/2009 03:42 PM 32,272 klim5.sys
04/13/2008 02:45 PM 172,416 kmixer.sys
04/13/2008 04:16 PM 141,056 ks.sys
06/24/2009 07:18 AM 92,928 ksecdd.sys
03/30/2010 12:45 AM 20,824 mbam.sys
03/30/2010 12:46 AM 38,224 mbamswissarmy.sys
08/29/2002 08:00 AM 7,680 mcd.sys
08/04/2004 01:41 AM 11,868 mdmxsdk.sys
04/13/2008 02:36 PM 63,744 mf.sys
08/29/2002 08:00 AM 4,224 mnmdd.sys
04/13/2008 03:00 PM 30,080 modem.sys
04/13/2008 03:39 PM 23,040 mouclass.sys
08/29/2002 08:00 AM 12,160 mouhid.sys
04/13/2008 02:39 PM 42,368 mountmgr.sys
04/13/2008 02:39 PM 92,544 mqac.sys
04/13/2008 02:32 PM 180,608 mrxdav.sys
02/24/2010 09:11 AM 455,680 mrxsmb.sys
04/13/2008 02:46 PM 51,200 msdv.sys
04/13/2008 02:32 PM 19,072 msfs.sys
04/13/2008 02:56 PM 35,072 msgpc.sys
04/13/2008 02:39 PM 7,552 mskssrv.sys
08/17/2001 03:00 PM 2,944 msmpu401.sys
04/13/2008 02:39 PM 5,376 mspclock.sys
04/13/2008 02:39 PM 4,992 mspqm.sys
04/13/2008 02:36 PM 15,488 mssmbios.sys
04/13/2008 02:39 PM 5,504 MSTEE.sys
08/28/2006 06:12 PM 13,312 MTictwl.sys
08/04/2004 01:41 AM 126,686 mtlmnt5.sys
08/04/2004 01:41 AM 1,309,184 mtlstrm.sys
08/04/2004 01:29 AM 452,736 mtxparhm.sys
04/13/2008 03:17 PM 105,344 mup.sys
04/13/2008 02:43 PM 12,672 mutohpen.sys
05/03/2007 01:37 PM 22,152 mxopswd.sys
04/13/2008 02:46 PM 85,248 NABTSFEC.sys
04/13/2008 03:20 PM 182,656 ndis.sys
04/13/2008 02:46 PM 10,880 NdisIP.sys
04/13/2008 02:57 PM 10,112 ndistapi.sys
04/13/2008 02:55 PM 14,592 ndisuio.sys
04/13/2008 03:20 PM 91,520 ndiswan.sys
04/13/2008 02:57 PM 40,576 ndproxy.sys
04/13/2008 02:56 PM 34,688 netbios.sys
04/13/2008 03:21 PM 162,816 netbt.sys
09/09/2009 10:29 AM 199,432 neti1639.sys
04/15/2002 10:11 PM 67,866 netwlan5.img
04/13/2008 02:51 PM 61,824 nic1394.sys
08/29/2002 08:00 AM 12,032 nikedrv.sys
04/13/2008 02:53 PM 40,320 nmnt.sys
01/25/2007 01:31 PM 42,000 npf.sys
04/13/2008 02:32 PM 30,848 npfs.sys
04/13/2008 03:15 PM 574,976 ntfs.sys
08/04/2004 01:41 AM 180,360 ntmtlfax.sys
05/09/2009 02:14 AM 14,736 nuidfltr.sys
08/29/2002 08:00 AM 2,944 null.sys
12/05/2007 02:41 AM 7,435,392 nv4_mini.sys
05/25/2004 04:58 PM 396,032 nvapu.sys
05/25/2004 04:58 PM 66,688 nvarm.sys
04/21/2003 03:18 PM 52,608 nvatabus.sys
04/21/2003 03:18 PM 52,608 nvatabus_2.sys
05/25/2004 04:58 PM 48,640 nvax.sys
05/25/2004 04:58 PM 962,560 nvmcp.sys
03/19/2003 04:51 PM 18,688 nv_agp.SYS
08/29/2002 08:00 AM 12,416 nwlnkflt.sys
08/29/2002 08:00 AM 32,512 nwlnkfwd.sys
04/13/2008 02:56 PM 88,320 nwlnkipx.sys
08/29/2002 08:00 AM 63,232 nwlnknb.sys
08/29/2002 08:00 AM 55,936 nwlnkspx.sys
04/13/2008 02:34 PM 163,584 nwrdr.sys
04/13/2008 02:46 PM 61,696 ohci1394.sys
08/29/2002 08:00 AM 3,456 oprghdlr.sys
04/13/2008 02:31 PM 42,752 p3.sys
04/13/2008 02:40 PM 80,128 parport.sys
04/13/2008 02:40 PM 19,712 partmgr.sys
08/29/2002 08:00 AM 6,784 parvdm.sys
04/13/2008 02:36 PM 68,224 pci.sys
08/17/2001 02:51 PM 3,328 pciide.sys
04/13/2008 02:40 PM 24,960 pciidex.sys
04/13/2008 02:36 PM 120,192 pcmcia.sys
08/11/2006 03:56 PM 8,192 pfmodnt.sys
06/01/2009 02:51 PM 27,792 point32.sys
04/13/2008 04:19 PM 146,048 portcls.sys
04/13/2008 02:31 PM 35,840 processr.sys
04/13/2008 02:56 PM 69,120 psched.sys
08/29/2002 08:00 AM 17,792 ptilink.sys
08/29/2002 08:00 AM 8,832 rasacd.sys
04/13/2008 03:19 PM 51,328 rasl2tp.sys
04/13/2008 02:57 PM 41,472 raspppoe.sys
04/13/2008 03:19 PM 48,384 raspptp.sys
08/29/2002 08:00 AM 16,512 raspti.sys
08/29/2002 08:00 AM 34,432 rawwan.sys
04/13/2008 03:28 PM 175,744 rdbss.sys
08/29/2002 08:00 AM 4,224 rdpcdd.sys
04/13/2008 02:32 PM 196,224 rdpdr.sys
04/13/2008 08:13 PM 139,656 rdpwd.sys
08/04/2004 01:41 AM 13,776 recagent.sys
04/13/2008 02:40 PM 57,600 redbook.sys
04/13/2008 02:46 PM 59,136 rfcomm.sys
08/29/2002 08:00 AM 12,032 rio8drv.sys
08/29/2002 08:00 AM 12,032 riodrv.sys
05/08/2008 10:02 AM 203,136 rmcast.sys
04/13/2008 02:56 PM 30,592 rndismp.sys
04/13/2008 02:56 PM 30,592 rndismpx.sys
08/29/2002 08:00 AM 5,888 rootmdm.sys
07/16/2004 03:19 PM 70,400 Rtlnicxp.sys
11/20/2007 12:09 PM 104,320 Rtnicxp.sys
08/04/2004 01:29 AM 166,912 s3gnbm.sys
03/09/2010 11:13 PM 95,024 SBREDrv.sys
04/13/2008 02:40 PM 96,384 scsiport.sys
04/13/2008 02:36 PM 79,232 sdbus.sys
11/13/2007 06:25 AM 20,480 secdrv.sys
04/13/2008 02:40 PM 15,744 serenum.sys
04/13/2008 03:15 PM 64,512 serial.sys
04/13/2008 02:40 PM 11,904 sffdisk.sys
04/13/2008 02:40 PM 10,240 sffp_mmc.sys
04/13/2008 02:40 PM 11,008 sffp_sd.sys
04/13/2008 02:40 PM 11,392 sfloppy.sys
09/04/2003 08:45 AM 55,144 si3112.svs
09/04/2003 08:45 AM 55,144 si3112.sys
08/29/2007 04:04 AM 116,264 SI3112r.sys
04/13/2008 08:12 PM 3,901 siint5.dll
04/13/2008 02:36 PM 40,960 sisagp.sys
08/29/2007 04:04 AM 19,240 SiWinAcc.sys
04/13/2008 02:46 PM 11,136 SLIP.sys
08/04/2004 01:41 AM 129,535 slnt7554.sys
08/04/2004 01:41 AM 404,990 slntamr.sys
08/04/2004 01:41 AM 95,424 slnthal.sys
08/04/2004 01:41 AM 13,240 slwdmsup.sys
04/13/2008 02:36 PM 5,888 smbali.sys
08/29/2002 08:00 AM 14,592 smclib.sys
04/13/2008 02:46 PM 25,344 sonydcam.sys
04/13/2008 02:45 PM 6,272 splitter.sys
04/13/2008 02:36 PM 73,472 sr.sys
12/31/2009 12:50 PM 353,792 srv.sys
05/11/2009 09:12 AM 28,520 ssmdrv.sys
04/13/2008 03:45 PM 49,408 stream.sys
04/13/2008 02:46 PM 15,232 StreamIP.sys
04/13/2008 02:39 PM 4,352 swenum.sys
04/13/2008 02:45 PM 56,576 swmidi.sys
04/13/2008 03:15 PM 60,800 sysaudio.sys
04/13/2008 02:40 PM 14,976 tape.sys
06/20/2008 07:51 AM 361,600 tcpip.sys
02/11/2010 08:02 AM 226,880 tcpip6.sys
04/13/2008 03:00 PM 19,072 tdi.sys
04/13/2008 08:13 PM 12,040 tdpipe.sys
04/13/2008 08:13 PM 21,896 tdtcp.sys
04/13/2008 08:13 PM 40,840 termdd.sys
05/07/2009 03:04 AM 157,712 tmcomm.sys
08/29/2002 08:00 AM 51,712 tosdvd.sys
08/29/2002 08:00 AM 21,376 tsbvcap.sys
04/13/2008 02:56 PM 12,288 tunmp.sys
04/13/2008 02:36 PM 44,672 uagp35.sys
04/13/2008 02:32 PM 66,048 udfs.sys
11/23/2008 01:22 PM UMDF
04/13/2008 02:39 PM 384,768 update.sys
04/13/2008 02:56 PM 12,800 usb8023.sys
04/13/2008 02:56 PM 12,800 usb8023x.sys
04/13/2008 03:45 PM 60,032 USBAUDIO.sys
04/13/2008 02:45 PM 25,600 usbcamd.sys
04/13/2008 02:45 PM 25,728 usbcamd2.sys
04/13/2008 02:45 PM 32,128 usbccgp.sys
08/29/2002 08:00 AM 4,736 usbd.sys
04/13/2008 02:45 PM 30,208 usbehci.sys
04/13/2008 02:45 PM 59,520 usbhub.sys
04/13/2008 02:45 PM 15,872 usbintel.sys
04/13/2008 02:45 PM 17,152 usbohci.sys
04/13/2008 02:45 PM 143,872 usbport.sys
04/13/2008 02:47 PM 25,856 usbprint.sys
04/13/2008 03:45 PM 15,104 usbscan.sys
04/13/2008 02:45 PM 26,368 usbstor.sys
04/13/2008 02:46 PM 121,984 usbvideo.sys
04/13/2008 08:12 PM 11,325 vchnt5.dll
08/29/2002 08:00 AM 58,112 vdmindvd.sys
04/13/2008 02:44 PM 20,992 vga.sys
04/13/2008 02:36 PM 42,240 viaagp.sys
04/13/2008 02:44 PM 81,664 videoprt.sys
04/13/2008 02:41 PM 52,352 volsnap.sys
04/13/2008 02:43 PM 14,208 wacompen.sys
08/04/2004 01:29 AM 11,807 wadv07nt.sys
08/04/2004 01:29 AM 11,295 wadv08nt.sys
08/04/2004 01:29 AM 11,871 wadv09nt.sys
08/04/2004 01:29 AM 11,935 wadv11nt.sys
04/13/2008 02:57 PM 34,560 wanarp.sys
08/04/2004 01:29 AM 22,271 watv06nt.sys
08/04/2004 01:29 AM 25,471 watv10nt.sys
11/02/2006 08:22 AM 492,000 wdf01000.sys
11/02/2006 08:22 AM 32,224 wdfldr.sys
04/13/2008 03:17 PM 83,072 wdmaud.sys
08/29/2002 08:00 AM 4,352 wmilib.sys
10/18/2006 08:00 PM 38,528 wpdusb.sys
08/29/2002 08:00 AM 12,032 ws2ifsl.sys
04/13/2008 02:46 PM 19,200 WSTCODEC.SYS
09/28/2006 06:55 PM 77,568 WudfPf.sys
09/28/2006 07:00 PM 82,944 WudfRd.sys
352 File(s) 44,020,948 bytes

Directory of C:\Windows\System32\Drivers\disdn

01/12/2008 09:58 AM .
01/12/2008 09:58 AM ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\Drivers\etc

04/28/2010 02:47 PM .
04/28/2010 02:47 PM ..
04/28/2010 02:47 PM 789 hosts
08/29/2002 08:00 AM 734 hosts.20100309-193033.backup
08/29/2002 08:00 AM 3,683 lmhosts.sam
08/29/2002 08:00 AM 407 networks
08/29/2002 08:00 AM 799 protocol
08/29/2002 08:00 AM 7,116 services
6 File(s) 13,528 bytes

Directory of C:\Windows\System32\Drivers\UMDF

11/23/2008 01:22 PM .
11/23/2008 01:22 PM ..
10/18/2006 09:47 PM 671,232 wpdmtpdr.dll
1 File(s) 671,232 bytes

Total Files Listed:
359 File(s) 44,705,708 bytes
11 Dir(s) 58,256,916,480 bytes free

Re: ebay paypal redirect/hijack2nd May 2010, 1:15 am

***********************Hidden Drivers********************
Volume in drive C has no label.
Volume Serial Number is 8C30-4B1B

Directory of C:\Windows\System32\Drivers

01/13/2008 12:07 AM 0 MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
01/13/2008 12:07 AM 0 Msft_Kernel_NuidFltr_01005.Wdf
2 File(s) 0 bytes
0 Dir(s) 58,256,928,768 bytes free

*********************Processes*******************

PROCESS PID PRIO PATH
smss.exe 1080 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 1132 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 1160 High C:\WINDOWS\system32\winlogon.exe
services.exe 1204 Normal C:\WINDOWS\system32\services.exe
lsass.exe 1216 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 1388 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1488 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1612 Normal C:\WINDOWS\System32\svchost.exe
InCDsrv.exe 1632 Normal C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe 1776 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1892 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 276 Normal C:\WINDOWS\system32\svchost.exe
Explorer.EXE 452 Normal C:\WINDOWS\Explorer.EXE
spoolsv.exe 584 Normal C:\WINDOWS\system32\spoolsv.exe
sched.exe 644 Normal C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe 756 Normal C:\WINDOWS\System32\svchost.exe
CTHELPER.EXE 1596 Normal C:\WINDOWS\CTHELPER.EXE
ipoint.exe 1640 Normal C:\Program Files\Microsoft IntelliPoint\ipoint.exe
itype.exe 1840 Normal C:\Program Files\Microsoft IntelliType Pro\itype.exe
avgnt.exe 1872 Normal C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
jusched.exe 1860 Normal C:\Program Files\Common Files\Java\Java Update\jusched.exe
ctfmon.exe 1904 Normal C:\WINDOWS\system32\ctfmon.exe
dpupdchk.exe 268 Normal C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
ACService.exe 340 Normal C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
avguard.exe 364 Normal C:\Program Files\Avira\AntiVir Desktop\avguard.exe
DkService.exe 344 Below Normal C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
avshadow.exe 1000 Normal C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
svchost.exe 1416 Normal C:\WINDOWS\system32\svchost.exe
SyncServices.exe 936 Normal C:\Program Files\Maxtor\Sync\SyncServices.exe
svchost.exe 2128 Normal C:\WINDOWS\System32\svchost.exe
nTuneService.exe 2164 Normal C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
nvsvc32.exe 2196 Normal C:\WINDOWS\system32\nvsvc32.exe
svchost.exe 2216 Normal C:\WINDOWS\System32\svchost.exe
snmp.exe 2300 Normal C:\WINDOWS\System32\snmp.exe
svchost.exe 2472 Normal C:\WINDOWS\System32\svchost.exe
SearchIndexer.exe 2688 Normal C:\WINDOWS\system32\SearchIndexer.exe
YahooAUService.exe 2876 Normal C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
alg.exe 3216 Normal C:\WINDOWS\System32\alg.exe
OUTLOOK.EXE 3520 Normal C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PokerStars.exe 2448 Normal C:\Program Files\PokerStars\PokerStars.exe
IEXPLORE.EXE 2796 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
IEXPLORE.EXE 2504 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
hpswp_clipbook.exe 4072 Normal C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
SearchProtocolHost.exe 1032 Below Normal C:\WINDOWS\system32\SearchProtocolHost.exe
SearchFilterHost.exe 3588 Below Normal C:\WINDOWS\system32\SearchFilterHost.exe
cmd.exe 876 Normal C:\WINDOWS\system32\cmd.exe
wscntfy.exe 2544 Normal C:\WINDOWS\system32\wscntfy.exe
processes.exe 4000 Normal C:\Documents and Settings\yo\Desktop\SpiderKill\SpiderKill\processes.exe

*********************Modules of explorer.exe and svchost.exe*******************
Module information for 'Explorer.EXE'(452)
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
GrooveShellExtensions.dll 661d0000 2224128 C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll 12.0.6421.1000 GrooveShellExtensions Module
GrooveUtil.DLL 68ef0000 991232 C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL 12.0.6423.1000 GrooveUtil Module
MSVCR80.dll e40000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft

C Runtime Library
GrooveNew.DLL 68ff0000 28672 C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL 12.0.6413.1000 GrooveNew Module
ATL80.DLL 7c630000 110592 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.DLL 8.00.50727.4053 ATL Module for Windows (Unicode)
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
MSImg32.dll 76380000 20480 C:\WINDOWS\system32\MSImg32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Theme API
xpsp2res.dll 1100000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
ieframe.dll 3e1c0000 11087872 C:\WINDOWS\system32\ieframe.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Explorer
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
GrooveSystemServices.dll 65e50000 184320 C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll 12.0.6421.1000 GrooveSystemServices Module
msxml3.dll 74980000 1191936 C:\WINDOWS\system32\msxml3.dll 8.100.1051.0 MSXML 3.0 SP10
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.5512 (xpsp.080413-2105) Multi Language Support DLL
NETSHELL.dll 76400000 1724416 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
dot3api.dll 478c0000 40960 C:\WINDOWS\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
dot3dlg.dll 736d0000 24576 C:\WINDOWS\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
OneX.DLL 5dca0000 163840 C:\WINDOWS\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
eappcfg.dll 745b0000 139264 C:\WINDOWS\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
eappprxy.dll 5dcd0000 57344 C:\WINDOWS\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
MSCTF.dll 74720000 311296 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.5512 (xpsp.080413-2105) MSCTF Server DLL
webcheck.dll 20f0000 249856 C:\WINDOWS\system32\webcheck.dll 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) Web Site Monitor
stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.5512 (xpsp.080413-2105) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.5512 (xpsp.080413-2105) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5868 (xpsp_sp3_gdr.090824-1328) Windows HTTP Services
mydocs.dll 72410000 106496 C:\WINDOWS\System32\mydocs.dll 6.00.2900.5512 (xpsp.080413-2105) My Documents Folder UI
PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.5512 (xpsp.080413-2108) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft MIDI Mapper
ctagent.dll 3b90000 24576 C:\WINDOWS\system32\ctagent.dll 1, 0, 0, 12 ctagent
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft

Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.5512 (xpsp.080413-2113) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 40960 C:\WINDOWS\System32\davclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Client DLL
GrooveMisc.dll 66b50000 1568768 C:\Program Files\Microsoft Office\Office12\GrooveMisc.dll 12.0.6421.1000 GrooveMisc Module
MSNLNamespaceMgr.dll 45a0000 315392 C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll 7.00.6001.18260 (vistasp1_gdr_oobsvc.090524-1500) Windows Search Namespace Manager
SASSEH.DLL 10000000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1012 ShellExecuteHook
SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
AcroIEHelper.dll 1f60000 65536 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll 9.3.2.163 Adobe PDF Helper for Internet Explorer
gdiplus.dll 4ec50000 1748992 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll 5.2.6001.22319 (vistasp1_ldr.081126-1506) Microsoft GDI+
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
PDFShell.dll 4e30000 372736 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll 9.3.2.163 PDF Shell Extension
msohevi.dll 6bd10000 65536 C:\Program Files\Microsoft Office\Office12\msohevi.dll 12.0.6413.1000 2007 Microsoft Office component
wuapi.dll 506a0000 581632 C:\WINDOWS\system32\wuapi.dll 7.4.7600.226 (winmain_wtr_wsus3sp2(wmbla).090806-1834) Windows Update Client API
Cabinet.dll 75150000 77824 C:\WINDOWS\system32\Cabinet.dll 5.1.2600.5512 (xpsp.080413-2105) Microsoft

Cabinet File API

Module information for 'svchost.exe'(1388)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
rpcss.dll 76a80000 409600 c:\windows\system32\rpcss.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Distributed COM Services
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
xpsp2res.dll 670000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll c10000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
termsrv32.dll 760f0000 339968 c:\windows\system32\termsrv32.dll 5.1.2600.5512 (xpsp.080413-2111) Terminal Server Service
ICAAPI.dll 74f70000 24576 c:\windows\system32\ICAAPI.dll 5.1.2600.5512 (xpsp.080413-2111) DLL Interface to TermDD Device Driver
SETUPAPI.dll 77920000 995328 c:\windows\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
WINTRUST.dll 76c30000 188416 c:\windows\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
CRYPT32.dll 77a80000 610304 c:\windows\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 c:\windows\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
AUTHZ.dll 776c0000 73728 c:\windows\system32\AUTHZ.dll 5.1.2600.5512 (xpsp.080413-2113) Authorization Framework
mstlsapi.dll 75110000 126976 c:\windows\system32\mstlsapi.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft

Terminal Server Licensing
ACTIVEDS.dll 77cc0000 204800 c:\windows\system32\ACTIVEDS.dll 5.1.2600.5512 (xpsp.080413-2113) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 c:\windows\system32\adsldpc.dll 5.1.2600.5512 (xpsp.080413-2113) ADs LDAP Provider C DLL
NETAPI32.dll 5b860000 348160 c:\windows\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
ATL.DLL 76b20000 69632 c:\windows\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
REGAPI.dll 76bc0000 61440 C:\WINDOWS\system32\REGAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Registry Configuration APIs
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
rdpwsx.dll 72460000 98304 C:\WINDOWS\system32\rdpwsx.dll 5.1.2600.5512 (xpsp.080413-2111) RDP Extension DLL
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
Apphelp.dll 77b40000 139264 C:\WINDOWS\system32\Apphelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
Module information for 'svchost.exe'(1488)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
rpcss.dll 76a80000 409600 c:\windows\system32\rpcss.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Distributed COM Services
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
xpsp2res.dll 670000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Sockets Helper DLL
DNSAPI.dll 76f20000 159744 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) DNS Client API DLL
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
winrnr.dll 76fb0000 32768 C:\WINDOWS\System32\winrnr.dll 5.1.2600.5512 (xpsp.080413-2113) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
mdnsNSP.dll 16080000 151552 C:\Program Files\Bonjour\mdnsNSP.dll 1,0,6,2 Bonjour Namespace Provider
rasadhlp.dll 76fc0000 24576 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access AutoDial Helper
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll d00000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
Module information for 'svchost.exe'(1612)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
NTMARTA.DLL 77690000 135168 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
xpsp2res.dll 630000 2904064 C:\WINDOWS\System32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
shsvcs.dll 776e0000 143360 c:\windows\system32\shsvcs.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Shell Services Dll
WINSTA.dll 76360000 65536 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
NETAPI32.dll 5b860000 348160 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
rsaenh.dll 68000000 221184 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
dhcpcsvc.dll 7d4b0000 139264 c:\windows\system32\dhcpcsvc.dll 5.1.2600.5512 (xpsp.080413-0852) DHCP Client Service
DNSAPI.dll 76f20000 159744 c:\windows\system32\DNSAPI.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) DNS Client API DLL
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 c:\windows\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINDOWS\System32\hnetcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Sockets Helper DLL
wzcsvc.dll 7db10000 573440 c:\windows\system32\wzcsvc.dll 5.1.2600.5512 (xpsp.080413-0852) Wireless Zero Configuration Service
rtutils.dll 76e80000 57344 c:\windows\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
WMI.dll 76d30000 16384 c:\windows\system32\WMI.dll 5.1.2600.5512 (xpsp.080413-2113) WMI DC and DP functionality
CRYPT32.dll 77a80000 610304 c:\windows\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 c:\windows\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
EapolQec.dll 72810000 45056 c:\windows\system32\EapolQec.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPOL NAP Enforcement Client
ATL.DLL 76b20000 69632 c:\windows\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
QUtil.dll 726c0000 90112 c:\windows\system32\QUtil.dll 5.1.2600.5512 (xpsp.080413-0852) Quarantine Utilities
MSVCP60.dll 76080000 413696 c:\windows\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
dot3api.dll 478c0000 40960 c:\windows\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
WTSAPI32.dll 76f50000 32768 c:\windows\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
ESENT.dll 606b0000 1101824 c:\windows\system32\ESENT.dll 5.1.2600.5512 (xpsp.080413-2113) Server Database Storage Engine
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
rastls.dll 76b70000 159744 C:\WINDOWS\System32\rastls.dll 5.1.2600.5886 (xpsp_sp3_gdr.091012-1253) Remote Access PPP EAP-TLS
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\System32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll 1510000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WINTRUST.dll 76c30000 188416 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
MPRAPI.dll 76d40000 98304 C:\WINDOWS\System32\MPRAPI.dll 5.1.2600.5512 (xpsp.080413-0852) Windows NT MP Router Administration DLL
ACTIVEDS.dll 77cc0000 204800 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.5512 (xpsp.080413-2113) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.5512 (xpsp.080413-2113) ADs LDAP Provider C DLL
SETUPAPI.dll 77920000 995328 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
RASAPI32.dll 76ee0000 245760 C:\WINDOWS\System32\RASAPI32.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access API
rasman.dll 76e90000 73728 C:\WINDOWS\System32\rasman.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft

Windows(TM) Telephony API Client DLL
SCHANNEL.dll 767f0000 163840 C:\WINDOWS\System32\SCHANNEL.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) TLS / SSL Security Provider
WinSCard.dll 723d0000 114688 C:\WINDOWS\System32\WinSCard.dll 5.1.2600.5512 (xpsp.080413-2113) Microsoft Smart Card API
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\System32\PSAPI.DLL 5.1.2600.5512 (xpsp.080413-2105) Process Status Helper
raschap.dll 76bd0000 90112 C:\WINDOWS\System32\raschap.dll 5.1.2600.5886 (xpsp_sp3_gdr.091012-1253) Remote Access PPP CHAP
msv1_0.dll 77c70000 151552 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.5876 (xpsp_sp3_gdr.090909-1234) Microsoft Authentication Package v1.0
cryptdll.dll 76790000 49152 C:\WINDOWS\System32\cryptdll.dll 5.1.2600.5512 (xpsp.080413-2113) Cryptography Manager
schedsvc.dll 77300000 208896 c:\windows\system32\schedsvc.dll 5.1.2600.5512 (xpsp.080413-2108) Task Scheduler Engine
NTDSAPI.dll 767a0000 77824 c:\windows\system32\NTDSAPI.dll 5.1.2600.5512 (xpsp.080413-2113) NT5DS
MSIDLE.DLL 74f50000 20480 C:\WINDOWS\System32\MSIDLE.DLL 6.00.2900.5512 (xpsp.080413-2105) User Idle Monitor
audiosrv.dll 708b0000 53248 c:\windows\system32\audiosrv.dll 5.1.2600.5512 (xpsp.080413-0845) Windows Audio Service
wkssvc.dll 76e40000 143360 c:\windows\system32\wkssvc.dll 5.1.2600.5826 (xpsp_sp3_gdr.090609-1434) Workstation Service DLL
cryptsvc.dll 76ce0000 73728 c:\windows\system32\cryptsvc.dll 5.1.2600.5512 (xpsp.080413-2113) Cryptographic Services
certcli.dll 77b90000 204800 c:\windows\system32\certcli.dll 5.1.2600.5512 (xpsp.080413-2113) Microsoft

Certificate Services Client
dmserver.dll 74f90000 36864 c:\windows\system32\dmserver.dll 2600.5512.503.0 Logical Disk Manager service dll
ersvc.dll 74f80000 36864 c:\windows\system32\ersvc.dll 5.1.2600.5512 (xpsp.080413-2108) Windows Error Reporting Service
es.dll 77710000 278528 c:\windows\system32\es.dll 2001.12.4414.706 2001.12.4414.706
pchsvc.dll 74f40000 49152 c:\windows\pchealth\helpctr\binaries\pchsvc.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft PCHealth Service Holder
hidserv.dll 688e0000 36864 c:\windows\system32\hidserv.dll 5.1.2600.5512 (xpsp.080413-2108) HID Audio Service
HID.DLL 688f0000 36864 c:\windows\system32\HID.DLL 5.1.2600.5512 (xpsp.080413-2108) Hid User Library
srvsvc.dll 75090000 106496 c:\windows\system32\srvsvc.dll 5.1.2600.5512 (xpsp.080413-2113) Server Service DLL
winspool.drv 73000000 155648 C:\WINDOWS\System32\winspool.drv 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
netman.dll 77d00000 208896 c:\windows\system32\netman.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Manager
netshell.dll 76400000 1724416 c:\windows\system32\netshell.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
credui.dll 76c00000 188416 c:\windows\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
dot3dlg.dll 736d0000 24576 c:\windows\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
OneX.DLL 5dca0000 163840 c:\windows\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
eappcfg.dll 745b0000 139264 c:\windows\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
eappprxy.dll 5dcd0000 57344 c:\windows\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
WZCSAPI.DLL 73030000 65536 c:\windows\system32\WZCSAPI.DLL 5.1.2600.5512 (xpsp.080413-0852) Wireless Zero Configuration service API
seclogon.dll 73d20000 32768 c:\windows\system32\seclogon.dll 5.1.2600.5512 (xpsp.080413-2113) Secondary Logon Service DLL
sens.dll 722d0000 53248 c:\windows\system32\sens.dll 5.1.2600.5512 (xpsp.080413-2108) System Event Notification Service (SENS)
srsvc.dll 751a0000 188416 c:\windows\system32\srsvc.dll 5.1.2600.5512 (xpsp.080413-2108) System Restore Service
POWRPROF.dll 74ad0000 32768 c:\windows\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
SXS.DLL 7e720000 720896 C:\WINDOWS\System32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
trkwks.dll 75070000 102400 c:\windows\system32\trkwks.dll 5.1.2600.5512 (xpsp.080413-2108) Distributed Link Tracking Client
w32time.dll 767c0000 180224 c:\windows\system32\w32time.dll 5.1.2600.5512 (xpsp.080413-2113) Windows Time Service
wmisvc.dll 59490000 163840 c:\windows\system32\wbem\wmisvc.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
VSSAPI.DLL 753e0000 446464 C:\WINDOWS\system32\VSSAPI.DLL 5.1.2600.5512 (xpsp.080413-2108) Microsoft

Volume Shadow Copy Requestor/Writer Services API DLL
comsvcs.dll 76620000 1294336 C:\WINDOWS\system32\comsvcs.dll 2001.12.4414.702 2001.12.4414.702
colbact.DLL 75130000 81920 C:\WINDOWS\system32\colbact.DLL 2001.12.4414.700 2001.12.4414.700
MTXCLU.DLL 750f0000 77824 C:\WINDOWS\system32\MTXCLU.DLL 2001.12.4414.706 MS DTC amd MTS clustering support DLL
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\system32\WSOCK32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 32-Bit DLL
CLUSAPI.DLL 76d10000 73728 C:\WINDOWS\System32\CLUSAPI.DLL 5.1.2600.5512 (xpsp.080413-2111) Cluster API Library
RESUTILS.DLL 750b0000 73728 C:\WINDOWS\System32\RESUTILS.DLL 5.1.2600.5512 (xpsp.080413-2111) Microsoft Cluster Resource Utility DLL
wuauserv.dll 50000000 20480 c:\windows\system32\wuauserv.dll 5.4.3790.5512 (xpsp.080413-0852) Windows Update AutoUpdate Service
wuaueng.dll 50040000 1937408 C:\WINDOWS\system32\wuaueng.dll 7.4.7600.226 (winmain_wtr_wsus3sp2(wmbla).090806-1834) Windows Update Agent

Re: ebay paypal redirect/hijack2nd May 2010, 1:16 am

WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\System32\WINHTTP.dll 5.1.2600.5868 (xpsp_sp3_gdr.090824-1328) Windows HTTP Services
Cabinet.dll 75150000 77824 C:\WINDOWS\System32\Cabinet.dll 5.1.2600.5512 (xpsp.080413-2105) Microsoft

Cabinet File API
mspatcha.dll 600a0000 45056 C:\WINDOWS\System32\mspatcha.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft(R) Patch Engine
sfc.dll 76bb0000 20480 C:\WINDOWS\System32\sfc.dll 5.1.2600.5512 (xpsp.080413-2111) Windows File Protection
sfc_os.dll 76c60000 172032 C:\WINDOWS\System32\sfc_os.dll 5.1.2600.5512 (xpsp.080413-2111) Windows File Protection
ipnathlp.dll 66460000 348160 c:\windows\system32\ipnathlp.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft NAT Helper Components
AUTHZ.dll 776c0000 73728 c:\windows\system32\AUTHZ.dll 5.1.2600.5512 (xpsp.080413-2113) Authorization Framework
browser.dll 76da0000 90112 c:\windows\system32\browser.dll 5.1.2600.5512 (xpsp.080413-2113) Computer Browser Service DLL
wscsvc.dll 4c0a0000 94208 c:\windows\system32\wscsvc.dll 5.1.2600.5512 (xpsp.080413-2108) Windows Security Center Service
msi.dll 7d1e0000 2867200 c:\windows\system32\msi.dll 3.1.4001.5512 Windows Installer
wbemcomn.dll 75290000 225280 C:\WINDOWS\System32\wbem\wbemcomn.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
wbemcore.dll 762c0000 544768 C:\WINDOWS\system32\wbem\wbemcore.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
esscli.dll 75310000 258048 C:\WINDOWS\system32\wbem\esscli.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
FastProx.dll 75690000 483328 C:\WINDOWS\system32\wbem\FastProx.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) WMI
wbemsvc.dll 74ed0000 57344 C:\WINDOWS\System32\wbem\wbemsvc.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
upnp.dll 76de0000 147456 C:\WINDOWS\System32\upnp.dll 5.1.2600.5512 (xpsp.080413-0852) Universal Plug and Play API
SSDPAPI.dll 74f00000 49152 C:\WINDOWS\System32\SSDPAPI.dll 5.1.2600.5512 (xpsp.080413-0852) SSDP Client API DLL
wmiutils.dll 75020000 110592 C:\WINDOWS\System32\wbem\wmiutils.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
Apphelp.dll 77b40000 139264 C:\WINDOWS\system32\Apphelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
repdrvfs.dll 75200000 192512 C:\WINDOWS\system32\wbem\repdrvfs.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
wmiprvsd.dll 3f1e0000 466944 C:\WINDOWS\System32\wbem\wmiprvsd.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) WMI
NCObjAPI.DLL 5f770000 49152 C:\WINDOWS\system32\NCObjAPI.DLL 5.1.2600.5512 (xpsp.080413-2108)
wbemess.dll 75390000 286720 C:\WINDOWS\System32\wbem\wbemess.dll 5.1.2600.5512 (xpsp.080413-2108) WMI
netcfgx.dll 755f0000 630784 C:\WINDOWS\System32\netcfgx.dll 5.1.2600.5512 (xpsp.080413-0852) Network Configuration Objects
ncprov.dll 5f740000 57344 C:\WINDOWS\System32\wbem\ncprov.dll 5.1.2600.5512 (xpsp.080413-2108) Non-COM WMI Event Provision APIs
rasmans.dll 7df30000 204800 C:\WINDOWS\System32\rasmans.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access Connection Manager
WINIPSEC.DLL 74370000 45056 C:\WINDOWS\System32\WINIPSEC.DLL 5.1.2600.5512 (xpsp.080413-0852) Windows IPSec SPD Client DLL
wups2.dll 50f00000 53248 C:\WINDOWS\system32\wups2.dll 7.4.7600.226 (winmain_wtr_wsus3sp2(wmbla).090806-1834) Windows Update client proxy stub 2
qmgr.dll 5b9f0000 438272 c:\windows\system32\qmgr.dll 6.7.2600.5512 (xpsp.080413-2108) Background Intelligent Transfer Service
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
SHFOLDER.dll 76780000 36864 c:\windows\system32\SHFOLDER.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Folder Service
tapisrv.dll 733e0000 262144 c:\windows\system32\tapisrv.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft

Windows(TM) Telephony Server
rastapi.dll 75880000 69632 C:\WINDOWS\System32\rastapi.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access TAPI Compliance Layer
rasadhlp.dll 76fc0000 24576 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access AutoDial Helper
unimdm.tsp 57cc0000 221184 C:\WINDOWS\System32\unimdm.tsp 5.1.2600.5512 (xpsp.080413-0852) Unimodem 5 Service Provider
uniplat.dll 72000000 28672 C:\WINDOWS\System32\uniplat.dll 5.1.2600.5512 (xpsp.080413-0852) Unimodem AT Mini Driver Platform Driver for Windows NT
kmddsp.tsp 57d40000 45056 C:\WINDOWS\System32\kmddsp.tsp 5.1.2600.5512 (xpsp.080413-0852) TAPI Kernel-Mode Service Provider
ndptsp.tsp 57d20000 65536 C:\WINDOWS\System32\ndptsp.tsp 5.1.2600.5512 (xpsp.080413-0852) NDIS Proxy TAPI Service Provider
ipconf.tsp 57d50000 32768 C:\WINDOWS\System32\ipconf.tsp 5.1.2600.5512 (xpsp.080413-0852) Microsoft Multicast Conference TAPI Service Provider
h323.tsp 57d70000 286720 C:\WINDOWS\System32\h323.tsp 5.1.2600.5512 (xpsp.080413-0852) Microsoft H.323 Telephony Service Provider
hidphone.tsp 57d60000 40960 C:\WINDOWS\System32\hidphone.tsp 5.1.2600.5512 (xpsp.080413-0852) Microsoft HID Phone TSP
rasppp.dll 72240000 225280 C:\WINDOWS\System32\rasppp.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access PPP
ntlsapi.dll 724b0000 24576 C:\WINDOWS\System32\ntlsapi.dll 5.1.2600.5512 (xpsp.080413-2113) Microsoft

License Server Interface DLL
kerberos.dll 71cf0000 311296 C:\WINDOWS\system32\kerberos.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Kerberos Security Package
RASQEC.DLL 72ae0000 77824 C:\WINDOWS\System32\RASQEC.DLL 5.1.2600.5512 (xpsp.080413-0852) RAS Quarantine Enforcement Client
RASDLG.dll 768d0000 671744 C:\WINDOWS\System32\RASDLG.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access Common Dialog API
msxml3.dll 74980000 1191936 C:\WINDOWS\system32\msxml3.dll 8.100.1051.0 MSXML 3.0 SP10
Module information for 'svchost.exe'(1776)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
wudfsvc.dll 670000 65536 c:\windows\system32\wudfsvc.dll 6.0.5716.32 (winmain(wmbla).060928-1756) Windows Driver Foundation - User-mode Driver Framework Service
SETUPAPI.dll 77920000 995328 c:\windows\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
WUDFPlatform.dll 680000 180224 c:\windows\system32\WUDFPlatform.dll 6.0.5716.32 (winmain(wmbla).060928-1756) Windows Driver Foundation - User-mode Platform Library
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll b70000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
Module information for 'svchost.exe'(1892)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
dnsrslvr.dll 76770000 53248 c:\windows\system32\dnsrslvr.dll 5.1.2600.5512 (xpsp.080413-2113) DNS Caching Resolver Service
DNSAPI.dll 76f20000 159744 c:\windows\system32\DNSAPI.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) DNS Client API DLL
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 c:\windows\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
rsaenh.dll 68000000 221184 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) Microsoft Windows Sockets 2.0 Service Provider
hnetcfg.dll 662b0000 360448 C:\WINDOWS\System32\hnetcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Home Networking Configuration Manager
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Sockets Helper DLL
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll a80000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
Module information for 'svchost.exe'(276)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
xpsp2res.dll 630000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
lmhsvc.dll 74c40000 24576 c:\windows\system32\lmhsvc.dll 5.1.2600.5512 (xpsp.080413-0852) TCPIP NetBios Transport Services DLL
iphlpapi.dll 76d60000 102400 c:\windows\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
regsvc.dll 76af0000 73728 c:\windows\system32\regsvc.dll 5.1.2600.5512 (xpsp.080413-2111) Remote Registry Service
ssdpsrv.dll 765e0000 81920 c:\windows\system32\ssdpsrv.dll 5.1.2600.5512 (xpsp.080413-0852) SSDP Service DLL
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Home Networking Configuration Manager
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Sockets Helper DLL
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll d50000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
Module information for 'svchost.exe'(756)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
NTMARTA.DLL 77690000 135168 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
xpsp2res.dll 630000 2904064 C:\WINDOWS\System32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
webclnt.dll 5a6e0000 86016 c:\windows\system32\webclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Service DLL
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll 940000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
Module information for 'svchost.exe'(1416)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
hpqddsvc.dll 10000000 139264 c:\program files\hp\digital imaging\bin\hpqddsvc.dll 120.0.194.000 HP CUE DeviceDiscovery Service
hpqddcmn.dll 3af00000 192512 c:\program files\hp\digital imaging\bin\hpqddcmn.dll 120.0.194.000 HP CUE DeviceDiscovery Common Library
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
MSVCP80.dll 7c420000 552960 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll 8.00.50727.4053 Microsoft

C++ Runtime Library
MSVCR80.dll 78130000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft

C Runtime Library
xpsp2res.dll 6b0000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
hpqcxs08.dll 14a00000 221184 c:\program files\hp\digital imaging\bin\hpqcxs08.dll 120.0.194.000 HP CUE Context Manager Objects
SHFOLDER.dll 76780000 36864 C:\WINDOWS\system32\SHFOLDER.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Folder Service
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll b60000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 1010000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
Module information for 'svchost.exe'(2128)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
hpzinw12.dll 670000 57344 c:\windows\system32\hpzinw12.dll 12,1,2,54 Dot4Net Module
WSOCK32.dll 71ad0000 36864 c:\windows\system32\WSOCK32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
NTMARTA.DLL 77690000 135168 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
Module information for 'svchost.exe'(2216)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
hpzipm12.dll 670000 65536 c:\windows\system32\hpzipm12.dll 12,1,2,54 PmlDrv Module
WSOCK32.dll 71ad0000 36864 c:\windows\system32\WSOCK32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 94208 c:\windows\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 c:\windows\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
NTMARTA.DLL 77690000 135168 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
Module information for 'svchost.exe'(2472)
MODULE BASE SIZE PATH
svchost.exe 1000000 24576 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 (xpsp.080413-2111) Generic Host Process for Win32 Services
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
ShimEng.dll 5cb70000 155648 C:\WINDOWS\System32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
MSACM32.dll 77be0000 86016 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\System32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
wiaservc.dll 75aa0000 348160 c:\windows\system32\wiaservc.dll 5.1.2600.5512 (xpsp.080413-0852) Still Image Devices Service
CFGMGR32.dll 74ae0000 28672 c:\windows\system32\CFGMGR32.dll 5.1.2600.5512 (xpsp.080413-2111) Configuration Manager Forwarder DLL
setupapi.DLL 77920000 995328 c:\windows\system32\setupapi.DLL 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
mscms.dll 73b30000 86016 c:\windows\system32\mscms.dll 5.1.2600.5627 (xpsp_sp3_gdr.080624-1245) Microsoft Color Matching System DLL
WINSPOOL.DRV 73000000 155648 c:\windows\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
WINSTA.dll 76360000 65536 c:\windows\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
NETAPI32.dll 5b860000 348160 c:\windows\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
xpsp2res.dll 680000 2904064 C:\WINDOWS\System32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
WINTRUST.dll 76c30000 188416 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
CRYPT32.dll 77a80000 610304 C:\WINDOWS\System32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\System32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
actxprxy.dll 71d40000 110592 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.5512 (xpsp.080413-2113) ActiveX Interface Marshaling Library
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
Normaliz.dll d10000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
WS2_32.dll 71ab0000 94208 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT

******************************************
EOF

Re: ebay paypal redirect/hijack2nd May 2010, 1:52 am

Let's try and slaughter it. Big Grin

Please open Notepad and enter in the following:

@echo off
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ^%systemroot^%\System32\termsrv.dll /f
pause
del c:\windows\system32\termsrv32.dll
mbr -t > log.txt
start log.txt
exit

Then, click File > Save as...
Save as file.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on file.bat, and it will finish quickly and launch a log (log.txt).

Please post that in your next reply.

===================================

Then run the HelpAsst_mebroot_fix again, three times. At the end of the third run, please post the log from it along with the log from above.

Re: ebay paypal redirect/hijack2nd May 2010, 3:42 am

The first time I ran the HelpAsst_mebroot_fix it said Please wait, and sat for about 10 minutes, then blue screen of death.

I rebooted & ran it again 3 times and below is the log.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8880BF28]<<
kernel: MBR read successfully
user & kernel MBR OK

C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Sat 05/01/2010 at 23:32:50.67

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS.000 ~ attempting to remove

~ Not all HelpAssistant files sucessfully removed ~
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWSPLI~2.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWSTYL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTABL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTEXT~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTIME~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\FILEPA~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\SITEPA~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus\DWANCH~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus\DWAPPL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1
Remove on reboot: C:\Documents and Settings\HelpAssistant.LINDAS.000

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:37:55.29

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:38:48.73

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:39:13.32

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

Re: ebay paypal redirect/hijack2nd May 2010, 9:55 am

Good progress.

Please open Notepad and enter in the following:

@echo off
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
pause
net user HelpAssistant > log.txt
mbr -t >> log.txt
pause
start log.txt
exit

Then, click File > Save as...
Save as check.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on check.bat, and it will finish quickly and launch a log (log.txt).

Please post that in your next reply.

Re: ebay paypal redirect/hijack2nd May 2010, 4:04 pm

Ok... here you go...

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/1/2010 11:32 PM
Password expires Never
Password changeable 5/1/2010 11:32 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/1/2010 11:32 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK
Right On!

Re: ebay paypal redirect/hijack2nd May 2010, 6:20 pm

Now, let's see if it is gone, before we try to delete the HelpAssistant account.

Please download HAMeb_check.exe and save it to your desktop.

Double-click on HAMeb_check.exe to run the utility and it will create a log.
Copy and paste the contents of that log in your next reply.

Re: ebay paypal redirect/hijack2nd May 2010, 10:32 pm

ok... here is the log...

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Sun 05/02/2010 at 18:31:57.81

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

~~ EOF ~~

Re: ebay paypal redirect/hijack3rd May 2010, 4:16 am

Need more info to execute a total disinfection.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
:filefind *helpassistant* disk.sys atapi.sys mbr.sys ntoskrnl.exe mat*.dll termsrv* :folderfind *helpassistant* :regfind PhysicalDrive helpassistant termservice
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: ebay paypal redirect/hijack3rd May 2010, 6:10 am

ok... here is the log...

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 01:59 on 03/05/2010 by yo (Administrator - Elevation successful)

========== filefind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F

Searching for "disk.sys"
C:\WINDOWS\$NtServicePackUninstall$\disk.sys -----c 36352 bytes [02:10 25/09/2008] [05:59 04/08/2004] 00CA44E4534865F8A3B64F7C0984BFF0
C:\WINDOWS\ServicePackFiles\i386\disk.sys ------ 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\system32\drivers\disk.sys --a--- 36352 bytes [12:00 29/08/2002] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [02:10 25/09/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [13:16 19/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [19:59 12/01/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "mbr.sys"
No files found.

Searching for "ntoskrnl.exe"
C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe --a--- 2179328 bytes [00:59 02/03/2005] [00:59 02/03/2005] 4D4CF2C14550A4B7718E94A6E581856E
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe --a--- 2179456 bytes [01:04 02/03/2005] [01:04 02/03/2005] 28187802B7C368C0D3AEF7D4C382AABB
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe --a--- 2182144 bytes [09:55 28/02/2007] [09:55 28/02/2007] 5A5C8DB4AA962C714C8371FBDF189FC9
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe --a--- 2189184 bytes [23:35 07/02/2009] [23:35 07/02/2009] EFE8EACE83EAAD5849A7A548FB75B584
C:\WINDOWS\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe --a--- 2189184 bytes [20:11 14/08/2008] [20:11 14/08/2008] 31914172342BFF330063F343AC6958FE
C:\WINDOWS\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe --a--- 2189312 bytes [18:18 15/10/2009] [13:56 04/08/2009] FDE779EA1A564EBFE16F4E0F82B61BAD
C:\WINDOWS\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe --a--- 2189312 bytes [04:52 09/12/2009] [04:52 09/12/2009] 05BE3D9A71972223AFF6A3C823BA51B1
C:\WINDOWS\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe --a--- 2190080 bytes [13:48 14/04/2010] [12:52 16/02/2010] E1F653A542449D54FA2D27463D99B6B6
C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe -----c 2180352 bytes [02:10 25/09/2008] [09:10 28/02/2007] 582A8DBAA58C3B1F176EB2817DAEE77C
C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe -----c 2042240 bytes [02:01 13/01/2008] [12:00 29/08/2002] B9080D97DBD631AADF9128F7316958D2
C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe -----c 2180992 bytes [02:43 13/01/2008] [06:19 04/08/2004] CE218BC7088681FAA06633E218596CA7
C:\WINDOWS\$NtUninstallKB890859_0$\ntoskrnl.exe -----c 2088448 bytes [02:01 13/01/2008] [08:33 22/10/2004] 5A7EB0C9F96917B7ECF5ADF70C4B1BAE
C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe -----c 2179328 bytes [03:17 13/01/2008] [00:59 02/03/2005] 4D4CF2C14550A4B7718E94A6E581856E
C:\WINDOWS\$NtUninstallKB956572$\ntoskrnl.exe -----c 2189184 bytes [07:06 17/04/2009] [10:11 14/08/2008] EEAF32F8E15A24F62BECB1BD403BB5C5
C:\WINDOWS\$NtUninstallKB956841$\ntoskrnl.exe -----c 2188928 bytes [07:01 15/10/2008] [19:27 13/04/2008] 0C89243C7C3EE199B96FCC16990E0679
C:\WINDOWS\$NtUninstallKB971486$\ntoskrnl.exe -----c 2189056 bytes [07:08 16/10/2009] [11:08 06/02/2009] 7A95B10A73737EBF24139AAA63F5212B
C:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe -----c 2189184 bytes [08:01 11/02/2010] [00:44 05/08/2009] 8415D9C7C050E7022AED8ABF281BE4A6
C:\WINDOWS\$NtUninstallKB979683$\ntoskrnl.exe -----c 2189184 bytes [07:07 16/04/2010] [19:27 08/12/2009] 78EC47F9B9A3A1D539262D8834C896CE
C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe ------ 2189952 bytes [22:23 14/10/2008] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\ERDNT\cache\ntoskrnl.exe --a--- 2189952 bytes [13:16 19/04/2010] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe ------ 2188928 bytes [06:19 04/08/2004] [19:27 13/04/2008] 0C89243C7C3EE199B96FCC16990E0679
C:\WINDOWS\system32\dllcache\ntoskrnl.exe -----c 2189952 bytes [22:23 14/10/2008] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\system32\ntoskrnl.exe --a--- 2189952 bytes [12:00 29/08/2002] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA

Searching for "mat*.dll"
No files found.

Searching for "termsrv*"
C:\Documents and Settings\HelpAssistant.LINDAS.000\Local Settings\temp\RarSFX5\termsrv.dat --a--- 15 bytes [03:43 02/05/2010] [03:18 02/05/2010] BBFCC0810FB0FD869118C1053DDF0EAC
C:\Documents and Settings\yo\Local Settings\temp\RarSFX5\termsrv.dat --a--- 15 bytes [03:18 02/05/2010] [03:18 02/05/2010] BBFCC0810FB0FD869118C1053DDF0EAC
C:\HelpAsst_backup\termsrv32.dll --a--- 295424 bytes [03:18 02/05/2010] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 295424 bytes [02:10 25/09/2008] [07:56 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6
C:\WINDOWS\ERDNT\cache\termsrv.dll --a--- 295424 bytes [13:16 19/04/2010] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [07:56 04/08/2004] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [19:11 12/01/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv32.dll --a--- 295424 bytes [19:11 12/01/2008] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82

========== folderfind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]
C:\Documents and Settings\HelpAssistant.LINDAS.000 d----- [03:32 02/05/2010]

========== regfind ==========

Searching for "PhysicalDrive"
No data found.

Searching for "helpassistant"
[HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"

Searching for "termservice"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000\Control]
"ActiveService"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TermService\Enum]
"0"="Root\LEGACY_TERMSERVICE\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000\Control]
"ActiveService"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Enum]
"0"="Root\LEGACY_TERMSERVICE\0000"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"

-=End Of File=-

Re: ebay paypal redirect/hijack4th May 2010, 3:43 am

Ok.

Please download and run this: http://www.eset.eu/download/emebremover

Let me know if it launches or saves a log.

===========

Once done, please re-run HaMeb_Check.exe and post a log.

Re: ebay paypal redirect/hijack4th May 2010, 5:12 am

Emebremover did not produce a log... but it did display 2 messages as it ran. First was that MBR rootkit (Win32/Mebroot) was found on my system and asked if I wanted it to clean/remove it. I clicked yes. Then it said it was cleaned sucessfully.

And here is the log for HaMeb_Check.exe

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 1:07:05.06

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

~~ EOF ~~

Re: ebay paypal redirect/hijack4th May 2010, 7:36 am

Whew. This is going to be a little complicated. It is obviously reinstalling itself after every removal.

============================

In order to do this, every step should be taken correctly.

1. Download all that is needed in the below instructions, and then save all of these instructions to Notepad or print them for easy access.

2. Disconnect from the Internet. Very important to do, until after the last reboot.

3. Open Notepad and copy/paste the code box below into a new text file.

Code:

@echo off
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
del /s/q C:\documents and settings\HelpAssistant.LINDAS
del /s/q C:\documents and settings\HelpAssistant.LINDAS.000

Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).

4. Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the box below into it:
killall::

registry::

file::
c:\windows\system32\termsrv32.dll

snapshot::
mbr::
Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

5. Run Help_Asst_Mebroot_Fix and make sure that log gets posted in your next reply.

6. Reboot your computer three times!

7. Run HaMeb_Check once more and post a log.

Make sure to post the ComboFix log, HelpAsstMebrootFix log, and HaMeb_Check log in your next reply.

Re: ebay paypal redirect/hijack4th May 2010, 3:56 pm

Ok... all instructions followed precisely.... here are the logs:

ComboFix 10-05-03.06 - yo 05/04/2010 10:05:19.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.969 [GMT -4:00]
Running from: c:\documents and settings\yo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\yo\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\termsrv32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\yo\Recent\Thumbs.db
c:\program files\WindowsUpdate
c:\windows\system32\termsrv32.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-02 04:07 . 2010-05-02 04:07 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\UserData
2010-05-02 04:06 . 2010-05-02 04:06 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\PrivacIE
2010-05-02 04:06 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS.000\PNPrint3.exe
2010-05-02 03:52 . 2010-05-02 03:52 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\log
2010-05-02 03:39 . 2010-05-02 03:39 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\IETldCache
2010-05-02 03:39 . 2010-05-02 03:39 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\IECompatCache
2010-05-02 03:32 . 2010-05-02 04:07 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000
2010-05-02 03:18 . 2010-05-02 03:18 -------- d-----w- C:\HelpAsst_backup
2010-04-28 23:47 . 2010-04-28 23:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
2010-04-23 04:01 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
2010-04-23 03:49 . 2010-04-23 03:49 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
2010-04-23 03:31 . 2010-03-10 08:05 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IETldCache
2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
2010-04-05 21:46 . 2010-05-04 09:44 -------- d-----w- c:\windows\system32\NtmsData
2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
2010-04-05 01:04 . 2010-05-04 13:59 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
2010-04-04 19:57 . 2010-04-29 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 04:00 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
2010-05-01 19:24 . 2008-01-13 03:02 207024 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 04:46 . 2010-04-04 07:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-04 07:36 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^yo^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\yo\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-14 15:29 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"MagicTuneEngine"=2 (0x2)
"CVPND"=2 (0x2)
"cisvc"=3 (0x3)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe Version Cue CS2"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:Remote Desktop

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\63.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
"D-Code"="9943096400"
"U-Code"="Demo"
"S-Code"="4973197477"
"C-Code"="2108728324272124"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1152)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2184)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\snmp.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2010-05-04 11:38:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 15:38

Pre-Run: 57,514,393,600 bytes free
Post-Run: 58,265,882,624 bytes free

- - End Of File - - C772DC53CDE8935104EAF894955A4315

Re: ebay paypal redirect/hijack4th May 2010, 3:58 pm

C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 11:40:51.81

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

------------------------------------------------------------------------------------------------

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 11:50:32.84

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

Re: ebay paypal redirect/hijack4th May 2010, 4:20 pm

I think we might have killed most of the infection. Run Help_Asst_Mebroot_Fix once more and post a log, please.

Re: ebay paypal redirect/hijack4th May 2010, 7:10 pm

C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 15:07:36.48

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

ebay paypal redirect/hijack

descriptionRe: ebay paypal redirect/hijack22nd April 2010, 4:11 am

descriptionkapersky scan22nd April 2010, 2:17 pm

descriptionRe: ebay paypal redirect/hijack22nd April 2010, 4:26 pm

descriptionRe: ebay paypal redirect/hijack22nd April 2010, 4:58 pm

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 12:12 am

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 12:31 am

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 12:33 am

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 12:41 am

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 12:55 am

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 3:50 am

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 3:53 am

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 2:57 pm

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 8:08 pm

descriptionRe: ebay paypal redirect/hijack23rd April 2010, 9:14 pm

descriptionRe: ebay paypal redirect/hijack24th April 2010, 3:50 am

descriptionRe: ebay paypal redirect/hijack24th April 2010, 3:23 pm

descriptionRe: ebay paypal redirect/hijack24th April 2010, 5:12 pm

descriptionRe: ebay paypal redirect/hijack28th April 2010, 6:21 pm

descriptionRe: ebay paypal redirect/hijack28th April 2010, 6:24 pm

descriptionRe: ebay paypal redirect/hijack28th April 2010, 9:10 pm

descriptionRe: ebay paypal redirect/hijack29th April 2010, 8:11 pm

descriptionRe: ebay paypal redirect/hijack29th April 2010, 8:29 pm

descriptionRe: ebay paypal redirect/hijack29th April 2010, 9:41 pm

descriptionRe: ebay paypal redirect/hijack30th April 2010, 2:58 am

descriptionRe: ebay paypal redirect/hijack30th April 2010, 3:32 am

descriptionRe: ebay paypal redirect/hijack30th April 2010, 3:57 am

descriptionRe: ebay paypal redirect/hijack30th April 2010, 5:04 am

descriptionRe: ebay paypal redirect/hijack30th April 2010, 7:57 pm

descriptionRe: ebay paypal redirect/hijack30th April 2010, 9:07 pm

descriptionRe: ebay paypal redirect/hijack1st May 2010, 3:40 am

descriptionRe: ebay paypal redirect/hijack1st May 2010, 7:21 pm

descriptionRe: ebay paypal redirect/hijack1st May 2010, 11:20 pm

descriptionRe: ebay paypal redirect/hijack2nd May 2010, 1:13 am

descriptionRe: ebay paypal redirect/hijack2nd May 2010, 1:15 am

descriptionRe: ebay paypal redirect/hijack2nd May 2010, 1:16 am

descriptionRe: ebay paypal redirect/hijack2nd May 2010, 1:52 am

descriptionRe: ebay paypal redirect/hijack2nd May 2010, 3:42 am

descriptionRe: ebay paypal redirect/hijack2nd May 2010, 9:55 am

descriptionRe: ebay paypal redirect/hijack2nd May 2010, 4:04 pm

descriptionRe: ebay paypal redirect/hijack2nd May 2010, 6:20 pm

descriptionRe: ebay paypal redirect/hijack2nd May 2010, 10:32 pm

descriptionRe: ebay paypal redirect/hijack3rd May 2010, 4:16 am

descriptionRe: ebay paypal redirect/hijack3rd May 2010, 6:10 am

descriptionRe: ebay paypal redirect/hijack4th May 2010, 3:43 am

descriptionRe: ebay paypal redirect/hijack4th May 2010, 5:12 am

descriptionRe: ebay paypal redirect/hijack4th May 2010, 7:36 am

descriptionRe: ebay paypal redirect/hijack4th May 2010, 3:56 pm

descriptionRe: ebay paypal redirect/hijack4th May 2010, 3:58 pm

descriptionRe: ebay paypal redirect/hijack4th May 2010, 4:20 pm

descriptionRe: ebay paypal redirect/hijack4th May 2010, 7:10 pm

descriptionRe: ebay paypal redirect/hijack

Re: ebay paypal redirect/hijack22nd April 2010, 4:11 am

kapersky scan22nd April 2010, 2:17 pm

Re: ebay paypal redirect/hijack22nd April 2010, 4:26 pm

Re: ebay paypal redirect/hijack22nd April 2010, 4:58 pm

Re: ebay paypal redirect/hijack23rd April 2010, 12:12 am

Re: ebay paypal redirect/hijack23rd April 2010, 12:31 am

Re: ebay paypal redirect/hijack23rd April 2010, 12:33 am

Re: ebay paypal redirect/hijack23rd April 2010, 12:41 am

Re: ebay paypal redirect/hijack23rd April 2010, 12:55 am

Re: ebay paypal redirect/hijack23rd April 2010, 3:50 am

Re: ebay paypal redirect/hijack23rd April 2010, 3:53 am

Re: ebay paypal redirect/hijack23rd April 2010, 2:57 pm

Re: ebay paypal redirect/hijack23rd April 2010, 8:08 pm

Re: ebay paypal redirect/hijack23rd April 2010, 9:14 pm

Re: ebay paypal redirect/hijack24th April 2010, 3:50 am

Re: ebay paypal redirect/hijack24th April 2010, 3:23 pm

Re: ebay paypal redirect/hijack24th April 2010, 5:12 pm

Re: ebay paypal redirect/hijack28th April 2010, 6:21 pm

Re: ebay paypal redirect/hijack28th April 2010, 6:24 pm

Re: ebay paypal redirect/hijack28th April 2010, 9:10 pm

Re: ebay paypal redirect/hijack29th April 2010, 8:11 pm

Re: ebay paypal redirect/hijack29th April 2010, 8:29 pm

Re: ebay paypal redirect/hijack29th April 2010, 9:41 pm

Re: ebay paypal redirect/hijack30th April 2010, 2:58 am

Re: ebay paypal redirect/hijack30th April 2010, 3:32 am

Re: ebay paypal redirect/hijack30th April 2010, 3:57 am

Re: ebay paypal redirect/hijack30th April 2010, 5:04 am

Re: ebay paypal redirect/hijack30th April 2010, 7:57 pm

Re: ebay paypal redirect/hijack30th April 2010, 9:07 pm

Re: ebay paypal redirect/hijack1st May 2010, 3:40 am

Re: ebay paypal redirect/hijack1st May 2010, 7:21 pm

Re: ebay paypal redirect/hijack1st May 2010, 11:20 pm

Re: ebay paypal redirect/hijack2nd May 2010, 1:13 am

Re: ebay paypal redirect/hijack2nd May 2010, 1:15 am

Re: ebay paypal redirect/hijack2nd May 2010, 1:16 am

Re: ebay paypal redirect/hijack2nd May 2010, 1:52 am

Re: ebay paypal redirect/hijack2nd May 2010, 3:42 am

Re: ebay paypal redirect/hijack2nd May 2010, 9:55 am

Re: ebay paypal redirect/hijack2nd May 2010, 4:04 pm

Re: ebay paypal redirect/hijack2nd May 2010, 6:20 pm

Re: ebay paypal redirect/hijack2nd May 2010, 10:32 pm

Re: ebay paypal redirect/hijack3rd May 2010, 4:16 am

Re: ebay paypal redirect/hijack3rd May 2010, 6:10 am

Re: ebay paypal redirect/hijack4th May 2010, 3:43 am

Re: ebay paypal redirect/hijack4th May 2010, 5:12 am

Re: ebay paypal redirect/hijack4th May 2010, 7:36 am

Re: ebay paypal redirect/hijack4th May 2010, 3:56 pm

Re: ebay paypal redirect/hijack4th May 2010, 3:58 pm

Re: ebay paypal redirect/hijack4th May 2010, 4:20 pm

Re: ebay paypal redirect/hijack4th May 2010, 7:10 pm

Re: ebay paypal redirect/hijack