Please Check My Hjt Log


35 replies to this topic

#1 janbas

janbas

  • Members
  • 80 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 15 October 2005 - 03:35 PM

Hi

All of a sudden, my computer started running very slowly, and there were several times it restarted automatically. I really have a strong feeling it's some kind of virus.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:29:34, on 15/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Eset\nod32krn.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://israelinfo.ru/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://209.25.194.146/DigiChat/DigiClasses..._IE_5_1_0_1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128883079093
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01DD349F-54E6-4B33-81F2-DF04B91AB305}: NameServer = 212.116.161.37 212.117.129.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{01DD349F-54E6-4B33-81F2-DF04B91AB305}: NameServer = 212.116.161.37 212.117.129.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{01DD349F-54E6-4B33-81F2-DF04B91AB305}: NameServer = 212.116.161.37 212.117.129.5
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I'm really kinda worried specifically about this: "C:\windows\system32\lsass.exe", because my ZoneAlarm asked me if I wanted to allow it and I accepted it, and it seems to me that ever since then the problems began.
Then again, maybe it's irrelevant. I don't know...

Thanks in advance for your help.


#2 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:12 AM

Posted 20 October 2005 - 04:40 AM

Hi janbas,

Check your computer with the following free anti-virus/anti-trojan products.

Housecall Anti Virus, Panda Anti Virus, Trojan Scan, Bit Defender

Post all the logs that you can create with these services.

And, here's the link to McAfee AVERT Stinger and instructions for use.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.

I'm really kinda worried specifically about this: "C:\windows\system32\lsass.exe", because my ZoneAlarm asked me if I wanted to allow it and I accepted it, and it seems to me that ever since then the problems began.
Then again, maybe it's irrelevant. I don't know...

Thanks in advance for your help.

Lsass.exe is a valid file, but it can be used for bad. So don't do anything rash; you might lock yourself out of the computer. I see you run Ewido; can you update that and run it as well? Please post the log from Ewido after that, and also a new log from HijackThis.

#3 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 20 October 2005 - 10:28 AM

Hi

I did as you instructed, and the results are as follows:

The Housecall Anti Virus, Panda Anti Virus, Trojan Scan, and Bit Defender found no viruses or malware.

Here is the log of McAfee AVERT Stinger scan:

McAfee AVERT Stinger Version 2.5.8 built on Oct 5 2005

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Oct 5 2005.

Ready to scan for 54 viruses, trojans and variants.



Scan initiated on Thu Oct 20 16:55:53 2005

Number of clean files: 97263


Here is the log of Ewido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:21:10, 20/10/2005
+ Report-Checksum: 46DE4630

+ Scan result:

C:\Documents and Settings\user\Cookies\user@2o7[1].txt -> Spyware.Cookie.2o7
C:\Documents and Settings\user\Cookies\user@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix
C:\Documents and Settings\user\Cookies\user@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll
C:\Documents and Settings\user\Cookies\user@perf.overture[1].txt -> Spyware.Cookie.Overture
C:\Documents and Settings\user\Cookies\user@questionmarket[1].txt -> Spyware.Cookie.Questionmarket


::Report End

I have to say that almost every time I run Ewido, it lists some kind of ".txt" files as viruses, and I don't understand, because it seems to me that these are just simple cookies, but I'm no expert and maybe I'm mistaken.
Also, every time I delete those files they keep coming back, and I don't know what to do.
I didn't delete them this time because I wanted you to take a look at them.

One more thing I've noticed, and I think it is important for you to know, is that every time I turn on my computer it runs smoothly, but after I watch a file with Real Player, my computer becomes very, very sluggish and it makes browsing almost impossible. It doesn't matter what file I watch with Real Player; the outcome is always the same. Those are some old media files of mine that I've watched many times before, and there was never any problem.
Just to be sure, I've scanned the media files, and they are not corrupt and are not infected.


Waiting for further instructions,
Thanks.

#4 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:12 AM

Posted 20 October 2005 - 12:42 PM

Hi janbas,

This looks a-okay. There's not much you can do against these cookies. You can install IE-Spyads and use MVPHost to block them. But that is about all.

I think that you can say okay to lsass.exe when it wants to get access again.

One more thing I've noticed, and I think it is important for you to know, is that every time I turn on my computer it runs smoothly, but after I watch a file with Real Player, my computer becomes very, very sluggish and it makes browsing almost impossible. It doesn't matter what file I watch with Real Player; the outcome is always the same. Those are some old media files of mine that I've watched many times before, and there was never any problem.
Just to be sure, I've scanned the media files, and they are not corrupt and are not infected.

Real Player is a real resource hog. It uses a lot of memory and releases very little of it when you're done. How much memory do you have?

#5 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 20 October 2005 - 01:57 PM

Hi

I have 512 MB RAM, so I don't think this is a lack-of-memory issue.

I have been using Real Player for a long time now, and I'm quite sure that the extreme slowness I experience while browsing isn't caused by Real Player, because it started approximately two weeks ago and before then everything was OK.
I have a really strong feeling that, despite the fact that the logs show I'm clean, there is some kind of bug or hidden malware on my computer.
When I'm talking about "really slow" I mean I have to wait like 10 minutes when I try to enter any folder of mine, so there is definitely something wrong here.
I guess I have no other option but to format my computer.

By the way, i forgot to post the new HJT log, so here it is:

Logfile of HijackThis v1.99.1
Scan saved at 20:54:25, on 20/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Eset\nod32krn.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.484\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://israelinfo.ru/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://209.25.194.146/DigiChat/DigiClasses..._IE_5_1_0_1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128883079093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...603/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01DD349F-54E6-4B33-81F2-DF04B91AB305}: NameServer = 212.116.161.38 212.117.129.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{01DD349F-54E6-4B33-81F2-DF04B91AB305}: NameServer = 212.116.161.38 212.117.129.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{01DD349F-54E6-4B33-81F2-DF04B91AB305}: NameServer = 212.116.161.37 212.116.161.38
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks.

#6 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:12 AM

Posted 21 October 2005 - 05:28 AM

Hi janbas,

I have 512 MB RAM, so I don't think this is a lack-of-memory issue.

That should suffice for Windows XP.

I have been using Real Player for a long time now, and I'm quite sure that the extreme slowness I experience while browsing isn't caused by Real Player, because it started approximately two weeks ago and before then everything was OK.
I have a really strong feeling that, despite the fact that the logs show I'm clean, there is some kind of bug or hidden malware on my computer.
When I'm talking about "really slow" I mean I have to wait like 10 minutes when I try to enter any folder of mine, so there is definitely something wrong here.
I guess I have no other option but to format my computer.

Not yet. We'll try other things first. Don't give up this easily. :thumbsup: I'm not.

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

Your previous log had HijackThis in C:\HJT. What happened to it?

Save Silent Runners.vbs to your desktop and double click on it to run. This will make a file called something like "Startup Programs (UserName) DateTime.txt". Double click on it, so it'll open in Notepad. Post the text here.

#7 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 21 October 2005 - 04:45 PM

Hi

First of all, thank you very much for not giving up :thumbsup: :flowers:

You are right; the second time I posted the HJT log, I accidentally double-clicked HijackThis.exe and the file was extracted to a temp folder.

Here is the content of the created text file:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\windows\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe" ["HP"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = "FlashFXP Helper for Internet Explorer" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Symantec\Norton Ghost 2003\GhoShExt.dll" ["Symantec Corporation"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\windows\system32\logon.scr" [MS]


Startup items in "user" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
imon.dll ["Eset "], 01 - 05, 23
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
GhostStartService, GhostStartService, "C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe" ["Symantec Corporation"]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt02\Driver = "hpzlnt02.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 281 seconds, including 18 seconds for message boxes)


I don't know if you need it, but here is a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 23:40:53, on 21/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Eset\nod32krn.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\divxsm.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://israelinfo.ru/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://209.25.194.146/DigiChat/DigiClasses..._IE_5_1_0_1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128883079093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...603/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01DD349F-54E6-4B33-81F2-DF04B91AB305}: NameServer = 212.116.161.38 212.117.129.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{01DD349F-54E6-4B33-81F2-DF04B91AB305}: NameServer = 212.116.161.38 212.117.129.5
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks in advance

Edited by janbas, 21 October 2005 - 04:50 PM.


#8 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:12 AM

Posted 22 October 2005 - 02:22 AM

Hi janbas,

First of all, thank you very much for not giving up :thumbsup: :flowers:

I don't give up. If I don't have the answer I call in the reserves see if they have answers.

Hmmm.... The Silentrunners log is clean as well. Is this with anything that you do in RealPlayer, regardless whether you're playing an .mp3, or a .mpg, or an .avi? Or is it just one certain file? If the last, it might be that the file is corrupt.

Can you uninstall RealPlayer? Delete the folder. Restart your computer, and then reinstall Real. Maybe something went wrong during one of the updates.

Does that help?

#9 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 22 October 2005 - 06:41 AM

Hi

After I play any type of file with RealPlayer, my computer gets extremely slow.
It doesn't happen with one particular file.

I've tried uninstalling realplayer and reinstalling it, and unfortunately it also didn't help :thumbsup:

It seems as though something is wrong with my system processes.

I've opened Task Manager and under the Performance tab it says: CPU usage - 100%, and it stays the same all the time unless I restart the computer.

I hope you can figure out what is the problem, because it drives me insane

Thanks in advance.

#10 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:12 AM

Posted 23 October 2005 - 03:19 AM

Can you click on the "Processes" tab and then on "CPU" to sort the contents. At the top should be the program that is using most of the CPU time. Which program is that?

#11 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 24 October 2005 - 06:49 AM

Hi

The program is "explorer.exe"

it lists CPU around 95-99 and memory usage around 75,000k- 97,000k.

It stays 100% all the time, until the next time i restart the computer.

All the other processes' CPU is very low 00-02


Hope this helps you

Waiting for further instructions

#12 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:12 AM

Posted 24 October 2005 - 07:26 AM

Hi janbas,

that's strange. Download pv.zip, and unzip it to your desktop.
It will not work if you run it from inside the zip.

Open the pv folder and double-click "runme.bat". A DOS box will open. Select
Type 1 for Explorer Dll's
and press <Enter>.

Notepad will open with text in it. Copy and paste the text into a new post. If this doesn't give answers I think you'll have to get in contact with the people from Real. Can you do these instructions once before you use Real and then again after using Real? That way I can also see if another set of dlls is getting loaded... Thanks

#13 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 24 October 2005 - 11:36 AM

Hi

I did as you've instructed.

Here is the log before using Real:


Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\windows\Explorer.EXE 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Explorer
ntdll.dll 7c900000 720896 C:\windows\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\windows\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\windows\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 634880 C:\windows\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\windows\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
GDI32.dll 77f10000 286720 C:\windows\system32\GDI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDI Client DLL
USER32.dll 77d40000 589824 C:\windows\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
SHLWAPI.dll 77f60000 483328 C:\windows\system32\SHLWAPI.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8474624 C:\windows\system32\SHELL32.dll 6.00.2900.2763 (xpsp_sp2_gdr.050922-1642) Windows Shell Common Dll
ole32.dll 774e0000 1298432 C:\windows\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft OLE for Windows
OLEAUT32.dll 77120000 573440 C:\windows\system32\OLEAUT32.dll 5.1.2600.2180
BROWSEUI.dll 75f80000 1036288 C:\windows\system32\BROWSEUI.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) Shell Browser UI Library
SHDOCVW.dll 77760000 1490944 C:\windows\system32\SHDOCVW.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\windows\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\windows\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\windows\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\windows\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\windows\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\windows\system32\NETAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Win32 API DLL
WININET.dll 771b0000 679936 C:\windows\system32\WININET.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\windows\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\windows\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
UxTheme.dll 5ad70000 229376 C:\windows\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\windows\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\windows\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\windows\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
MSACM32.dll 77be0000 86016 C:\windows\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
USERENV.dll 769c0000 733184 C:\windows\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
LPK.DLL 629c0000 36864 C:\windows\system32\LPK.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Language Pack
USP10.dll 74d90000 438272 C:\windows\system32\USP10.dll 1.0420.2600.2180 (xpsp_sp2_rtm.040803-2158) Uniscribe Unicode script processor
comctl32.dll 773d0000 1056768 C:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
comctl32.dll 5d090000 618496 C:\windows\system32\comctl32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
appHelp.dll 77b40000 139264 C:\windows\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\windows\system32\CLBCATQ.DLL 2001.12.4414.308
COMRes.dll 77050000 806912 C:\windows\system32\COMRes.dll 2001.12.4414.258
cscui.dll 77a20000 344064 C:\windows\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\windows\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
themeui.dll 5ba60000 462848 C:\windows\system32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Theme API
Secur32.dll 77fe0000 69632 C:\windows\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\windows\system32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
xpsp2res.dll 20000000 2904064 C:\windows\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
actxprxy.dll 71d40000 114688 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
msutb.dll 5fc10000 208896 C:\WINDOWS\system32\msutb.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSUTB Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
urlmon.dll 77260000 651264 C:\WINDOWS\system32\urlmon.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) OLE32 Extensions for Win32
LINKINFO.dll 76980000 32768 C:\windows\system32\LINKINFO.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\windows\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\windows\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
rsaenh.dll ffd0000 163840 C:\windows\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
comdlg32.dll 763b0000 299008 C:\windows\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
msi.dll 1590000 2908160 C:\windows\system32\msi.dll 3.1.4000.2435 Windows Installer
NETSHELL.dll 76400000 1728512 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network Connections Shell
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Credential Manager User Interface
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) IP Helper API
WINSTA.dll 76360000 65536 C:\windows\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
webcheck.dll 74b30000 286720 C:\windows\system32\webcheck.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Web Site Monitor
WSOCK32.dll 71ad0000 36864 C:\windows\system32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
wdmaud.drv 72d20000 36864 C:\windows\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\windows\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\windows\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
RASDLG.dll 768d0000 671744 C:\windows\system32\RASDLG.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Common Dialog API
MPRAPI.dll 76d40000 98304 C:\windows\system32\MPRAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MP Router Administration DLL
ACTIVEDS.dll 77cc0000 204800 C:\windows\system32\ACTIVEDS.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\windows\system32\adsldpc.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs LDAP Provider C DLL
SAMLIB.dll 71bf0000 77824 C:\windows\system32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
RASAPI32.dll 76ee0000 245760 C:\windows\system32\RASAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\windows\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\windows\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Windows™ Telephony API Client DLL
msv1_0.dll 77c70000 143360 C:\windows\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
browselc.dll 1fd0000 73728 C:\windows\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
SXS.DLL 75e90000 720896 C:\windows\system32\SXS.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Fusion 2.5
MPR.dll 71b20000 73728 C:\windows\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\windows\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\windows\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\windows\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\windows\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\windows\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\windows\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
MSGINA.dll 75970000 1011712 C:\windows\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
ODBC32.dll 74320000 249856 C:\windows\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
odbcint.dll 2250000 94208 C:\windows\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
DUSER.dll 6c1b0000 315392 C:\windows\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
MLANG.dll 75cf0000 593920 C:\windows\system32\MLANG.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
shellhook.dll 23f0000 53248 C:\Program Files\ewido\security suite\shellhook.dll
MSVCR71.dll 7c340000 352256 C:\windows\system32\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
MSISIP.DLL 60980000 28672 C:\windows\system32\MSISIP.DLL 3.1.4000.1823 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\system32\wshext.dll 5.6.0.8820 Microsoft ® Shell Extension for Windows Script Host
MFC42.DLL 73dd0000 1040384 C:\windows\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version


Here is the log after using Real:


Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\windows\Explorer.EXE 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Explorer
ntdll.dll 7c900000 720896 C:\windows\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\windows\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\windows\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 634880 C:\windows\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\windows\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
GDI32.dll 77f10000 286720 C:\windows\system32\GDI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDI Client DLL
USER32.dll 77d40000 589824 C:\windows\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
SHLWAPI.dll 77f60000 483328 C:\windows\system32\SHLWAPI.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8474624 C:\windows\system32\SHELL32.dll 6.00.2900.2763 (xpsp_sp2_gdr.050922-1642) Windows Shell Common Dll
ole32.dll 774e0000 1298432 C:\windows\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft OLE for Windows
OLEAUT32.dll 77120000 573440 C:\windows\system32\OLEAUT32.dll 5.1.2600.2180
BROWSEUI.dll 75f80000 1036288 C:\windows\system32\BROWSEUI.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) Shell Browser UI Library
SHDOCVW.dll 77760000 1490944 C:\windows\system32\SHDOCVW.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\windows\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\windows\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\windows\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\windows\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\windows\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\windows\system32\NETAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Win32 API DLL
WININET.dll 771b0000 679936 C:\windows\system32\WININET.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\windows\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\windows\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
UxTheme.dll 5ad70000 229376 C:\windows\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\windows\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\windows\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\windows\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
MSACM32.dll 77be0000 86016 C:\windows\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
USERENV.dll 769c0000 733184 C:\windows\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
LPK.DLL 629c0000 36864 C:\windows\system32\LPK.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Language Pack
USP10.dll 74d90000 438272 C:\windows\system32\USP10.dll 1.0420.2600.2180 (xpsp_sp2_rtm.040803-2158) Uniscribe Unicode script processor
comctl32.dll 773d0000 1056768 C:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
comctl32.dll 5d090000 618496 C:\windows\system32\comctl32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
appHelp.dll 77b40000 139264 C:\windows\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\windows\system32\CLBCATQ.DLL 2001.12.4414.308
COMRes.dll 77050000 806912 C:\windows\system32\COMRes.dll 2001.12.4414.258
cscui.dll 77a20000 344064 C:\windows\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\windows\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
themeui.dll 5ba60000 462848 C:\windows\system32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Theme API
Secur32.dll 77fe0000 69632 C:\windows\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\windows\system32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
xpsp2res.dll 20000000 2904064 C:\windows\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
actxprxy.dll 71d40000 114688 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
msutb.dll 5fc10000 208896 C:\WINDOWS\system32\msutb.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSUTB Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
urlmon.dll 77260000 651264 C:\WINDOWS\system32\urlmon.dll 6.00.2900.2753 (xpsp_sp2_gdr.050902-1326) OLE32 Extensions for Win32
LINKINFO.dll 76980000 32768 C:\windows\system32\LINKINFO.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\windows\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\windows\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
rsaenh.dll ffd0000 163840 C:\windows\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
comdlg32.dll 763b0000 299008 C:\windows\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
msi.dll 1590000 2908160 C:\windows\system32\msi.dll 3.1.4000.2435 Windows Installer
NETSHELL.dll 76400000 1728512 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network Connections Shell
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Credential Manager User Interface
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) IP Helper API
WINSTA.dll 76360000 65536 C:\windows\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
webcheck.dll 74b30000 286720 C:\windows\system32\webcheck.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Web Site Monitor
WSOCK32.dll 71ad0000 36864 C:\windows\system32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
wdmaud.drv 72d20000 36864 C:\windows\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\windows\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\windows\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
RASDLG.dll 768d0000 671744 C:\windows\system32\RASDLG.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Common Dialog API
MPRAPI.dll 76d40000 98304 C:\windows\system32\MPRAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MP Router Administration DLL
ACTIVEDS.dll 77cc0000 204800 C:\windows\system32\ACTIVEDS.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\windows\system32\adsldpc.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs LDAP Provider C DLL
SAMLIB.dll 71bf0000 77824 C:\windows\system32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
RASAPI32.dll 76ee0000 245760 C:\windows\system32\RASAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\windows\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\windows\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Windows™ Telephony API Client DLL
msv1_0.dll 77c70000 143360 C:\windows\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
browselc.dll 1fd0000 73728 C:\windows\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
SXS.DLL 75e90000 720896 C:\windows\system32\SXS.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Fusion 2.5
MPR.dll 71b20000 73728 C:\windows\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\windows\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\windows\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\windows\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\windows\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\windows\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\windows\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
MSGINA.dll 75970000 1011712 C:\windows\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
ODBC32.dll 74320000 249856 C:\windows\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
odbcint.dll 2250000 94208 C:\windows\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
DUSER.dll 6c1b0000 315392 C:\windows\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
MLANG.dll 75cf0000 593920 C:\windows\system32\MLANG.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
shmedia.dll 5cad0000 159744 C:\windows\system32\shmedia.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Media File Property Extractor Shell Extension
MSVFW32.dll 75a70000 135168 C:\windows\system32\MSVFW32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Video for Windows DLL
AVIFIL32.dll 73b50000 94208 C:\windows\system32\AVIFIL32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft AVI File support library
IMM32.dll 76390000 118784 C:\windows\system32\IMM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
L3codecp.acm 2ca0000 397312 C:\windows\system32\L3codecp.acm 3, 3, 2, 44 MPEG Audio Layer-3 Codec for MSACM
ymmapi.dll 64000000 188416 C:\PROGRA~1\Yahoo!\Common\ymmapi.dll 2004, 6, 13, 1 YMMAPI Module
WZSHLSTB.DLL 16200000 24576 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
rarext.dll 2630000 176128 C:\Program Files\WinRAR\rarext.dll
nodshex.dll 2400000 61440 C:\Program Files\Eset\nodshex.dll 2, 50, 41 NOD32 - on-demand scanner
pu_nod32.dll 20a00000 176128 C:\Program Files\Eset\pu_nod32.dll 2, 50, 41 NOD32 - on-demand scanner
MFC42u.DLL 72830000 1040384 C:\windows\system32\MFC42u.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
ICQLiteShell.dll 3230000 61440 C:\Program Files\ICQLite\ICQLiteShell.dll 20, 34, 2321, 0 ICQLiteShell Module
MFC42.DLL 73dd0000 1040384 C:\windows\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
wmpshell.dll 85c0000 86016 C:\WINDOWS\system32\wmpshell.dll 10.00.00.3802 ????? Windows Media Player
rpshell.dll 62d50000 49152 C:\Program Files\Real\RealPlayer\rpshell.dll 1.0.1.2021 RealPlayer Shell Extensions
PNCRT.dll 60a20000 294912 C:\windows\system32\PNCRT.dll 6.0.0.0 Real Networks C/C++ Runtime Library
shellhook.dll 2550000 53248 C:\Program Files\ewido\security suite\shellhook.dll
MSVCR71.dll 7c340000 352256 C:\windows\system32\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
sti.dll 73ba0000 77824 C:\WINDOWS\system32\sti.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Still Image Devices client DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\system32\CFGMGR32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Configuration Manager Forwarder DLL
gdiplus.dll 4ec50000 1716224 C:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158) Microsoft GDI+
qedit.dll 60ca0000 573440 C:\WINDOWS\system32\qedit.dll
quartz.dll 74810000 1490944 C:\WINDOWS\system32\quartz.dll
devenum.dll 75f40000 69632 C:\WINDOWS\system32\devenum.dll
msdmo.dll 736b0000 28672 C:\windows\system32\msdmo.dll
mpeg2dmx.ax 2ee0000 495616 C:\windows\system32\mpeg2dmx.ax 2, 0, 72, 30204 Elecard MPEG 2 Demultiplexor
DivXAF.ax 1c400000 53248 C:\windows\system32\DivXAF.ax 0.4 DivX AntiFreeze Filter
DivXMedia.ax 2f60000 360448 C:\WINDOWS\system32\DivXMedia.ax 0.0.0.026 DivX® Media Filter
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft ® C++ Runtime Library
RealMediaSplitter.ax 2fc0000 372736 C:\Program Files\Matroska Pack\RealMediaSplitter.ax 1, 0, 1, 0 RealMedia Splitter
WINSPOOL.DRV 73000000 155648 C:\windows\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
DivXDec.ax 3e10000 729088 C:\windows\system32\DivXDec.ax 6.0.0.1571 DivX® Decoder Filter
xvid.ax 3220000 61440 C:\windows\system32\xvid.ax
3ivxDSDecoder.ax 3ed0000 290816 C:\Program Files\Divx\3ivx\3ivx D4 4.5.1\3ivxDSDecoder.ax 4, 5, 1, 30 3ivx D4 4.5.1 DirectShow Video Decoder
3ivx.dll 3f20000 1163264 C:\windows\system32\3ivx.dll 4, 5, 1, 30 3ivx D4 4.5.1 Core
3ivxDSMediaSplitter.ax 2d10000 290816 C:\Program Files\Divx\3ivx\3ivx D4 4.5.1\3ivxDSMediaSplitter.ax 4, 5, 1, 30 3ivx D4 4.5.1 DirectShow Media Splitter
OpenQuicktimeLib.dll 2df0000 421888 C:\windows\system32\OpenQuicktimeLib.dll
lmpgspl.ax f00000 94208 C:\windows\system32\lmpgspl.ax 3.0.0.17 Ligos MPEG Splitter
wmpasf.dll 8e80000 139264 C:\WINDOWS\system32\wmpasf.dll 10.00.00.3802 Windows Media Filter Shim
dxmasf.dll 6bf50000 512000 C:\windows\system32\dxmasf.dll
DRMClien.DLL 97e0000 266240 C:\windows\system32\DRMClien.DLL 10.00.00.3802 DRM Client DLL
WavPackDSSplitter.ax e40000 86016 C:\Program Files\Matroska Pack\WavPackDSSplitter.ax 1, 0, 0, 125 WavPack Audio DirectShow Splitter
mpg2splt.ax 57fd0000 159744 C:\windows\system32\mpg2splt.ax
oggds.dll 25f0000 241664 C:\windows\system32\oggds.dll 0, 9, 9, 5 Ogg DirectShow™ Filter Collection
vorbis.dll 2e60000 196608 C:\windows\system32\vorbis.dll
ogg.dll e60000 49152 C:\windows\system32\ogg.dll
vorbisenc.dll 3d00000 937984 C:\windows\system32\vorbisenc.dll
TTADSSplitter.ax 3140000 90112 C:\Program Files\Matroska Pack\TTADSSplitter.ax 1, 0, 0, 203 True Audio DirectShow Splitter
wmvcore.dll 86d0000 2383872 C:\windows\system32\wmvcore.dll 10.00.00.3802 built by: dnsrv(bld4act) Windows Media Playback/Authoring DLL
WMASF.DLL 70d0000 237568 C:\windows\system32\WMASF.DLL 10.00.00.3802 built by: dnsrv(bld4act) Windows Media ASF DLL
DivXa32.acm 1c200000 323584 C:\windows\system32\DivXa32.acm 4.2.00.000 DivX WMA Audi
qasf.dll 95f0000 225280 C:\WINDOWS\system32\qasf.dll 10.00.00.3802 built by: dnsrv(bld4act) DirectShow ASF Support
wmvdmod.dll 4840000 901120 C:\WINDOWS\system32\wmvdmod.dll 10.00.00.3802 Windows Media Video Decoder
NeVideo.ax 6210000 1081344 C:\Program Files\Common Files\Ahead\DSFilter\NeVideo.ax 1, 1, 4, 6
qdvd.dll 5df80000 393216 C:\WINDOWS\system32\qdvd.dll
MSISIP.DLL 60980000 28672 C:\windows\system32\MSISIP.DLL 3.1.4000.1823 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\system32\wshext.dll 5.6.0.8820 Microsoft ® Shell Extension for Windows Script Host


It seems to me there is a difference between the two logs. The second log is much longer.

Hope this helps solving the problem.

Thanks in advance.

#14 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,423 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:12 AM

Posted 24 October 2005 - 12:16 PM

MODULE BASE SIZE PATH
shmedia.dll 5cad0000 159744 C:\windows\system32\shmedia.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Media File Property Extractor Shell Extension
MSVFW32.dll 75a70000 135168 C:\windows\system32\MSVFW32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Video for Windows DLL
AVIFIL32.dll 73b50000 94208 C:\windows\system32\AVIFIL32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft AVI File support library
IMM32.dll 76390000 118784 C:\windows\system32\IMM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
L3codecp.acm 2ca0000 397312 C:\windows\system32\L3codecp.acm 3, 3, 2, 44 MPEG Audio Layer-3 Codec for MSACM
ymmapi.dll 64000000 188416 C:\PROGRA~1\Yahoo!\Common\ymmapi.dll 2004, 6, 13, 1 YMMAPI Module
WZSHLSTB.DLL 16200000 24576 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
rarext.dll 2630000 176128 C:\Program Files\WinRAR\rarext.dll 
nodshex.dll 2400000 61440 C:\Program Files\Eset\nodshex.dll 2, 50, 41 NOD32 - on-demand scanner
pu_nod32.dll 20a00000 176128 C:\Program Files\Eset\pu_nod32.dll 2, 50, 41 NOD32 - on-demand scanner
MFC42u.DLL 72830000 1040384 C:\windows\system32\MFC42u.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
ICQLiteShell.dll 3230000 61440 C:\Program Files\ICQLite\ICQLiteShell.dll 20, 34, 2321, 0 ICQLiteShell Module
wmpshell.dll 85c0000 86016 C:\WINDOWS\system32\wmpshell.dll 10.00.00.3802 ????? Windows Media Player
rpshell.dll 62d50000 49152 C:\Program Files\Real\RealPlayer\rpshell.dll 1.0.1.2021 RealPlayer Shell Extensions
PNCRT.dll 60a20000 294912 C:\windows\system32\PNCRT.dll 6.0.0.0 Real Networks C/C++ Runtime Library
sti.dll 73ba0000 77824 C:\WINDOWS\system32\sti.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Still Image Devices client DLL 
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\system32\CFGMGR32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Configuration Manager Forwarder DLL
gdiplus.dll 4ec50000 1716224 C:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158) Microsoft GDI+
qedit.dll 60ca0000 573440 C:\WINDOWS\system32\qedit.dll 
quartz.dll 74810000 1490944 C:\WINDOWS\system32\quartz.dll 
devenum.dll 75f40000 69632 C:\WINDOWS\system32\devenum.dll 
msdmo.dll 736b0000 28672 C:\windows\system32\msdmo.dll 
mpeg2dmx.ax 2ee0000 495616 C:\windows\system32\mpeg2dmx.ax 2, 0, 72, 30204 Elecard MPEG 2 Demultiplexor
DivXAF.ax 1c400000 53248 C:\windows\system32\DivXAF.ax 0.4 DivX AntiFreeze Filter
DivXMedia.ax 2f60000 360448 C:\WINDOWS\system32\DivXMedia.ax 0.0.0.026 DivX® Media Filter
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft ® C++ Runtime Library
RealMediaSplitter.ax 2fc0000 372736 C:\Program Files\Matroska Pack\RealMediaSplitter.ax 1, 0, 1, 0 RealMedia Splitter
WINSPOOL.DRV 73000000 155648 C:\windows\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
DivXDec.ax 3e10000 729088 C:\windows\system32\DivXDec.ax 6.0.0.1571 DivX® Decoder Filter
xvid.ax 3220000 61440 C:\windows\system32\xvid.ax 
3ivxDSDecoder.ax 3ed0000 290816 C:\Program Files\Divx\3ivx\3ivx D4 4.5.1\3ivxDSDecoder.ax 4, 5, 1, 30 3ivx D4 4.5.1 DirectShow Video Decoder
3ivx.dll 3f20000 1163264 C:\windows\system32\3ivx.dll 4, 5, 1, 30 3ivx D4 4.5.1 Core
3ivxDSMediaSplitter.ax 2d10000 290816 C:\Program Files\Divx\3ivx\3ivx D4 4.5.1zm\3ivxDSMediaSplitter.ax 4, 5, 1, 30 3ivx D4 4.5.1 DirectShow Media Splitter
OpenQuicktimeLib.dll 2df0000 421888 C:\windows\system32\OpenQuicktimeLib.dll 
lmpgspl.ax f00000 94208 C:\windows\system32\lmpgspl.ax 3.0.0.17 Ligos MPEG Splitter
wmpasf.dll 8e80000 139264 C:\WINDOWS\system32\wmpasf.dll 10.00.00.3802 Windows Media Filter Shim
dxmasf.dll 6bf50000 512000 C:\windows\system32\dxmasf.dll 
DRMClien.DLL 97e0000 266240 C:\windows\system32\DRMClien.DLL 10.00.00.3802 DRM Client DLL
WavPackDSSplitter.ax e40000 86016 C:\Program Files\Matroska Pack\WavPackDSSplitter.ax 1, 0, 0, 125 WavPack Audio DirectShow Splitter
mpg2splt.ax 57fd0000 159744 C:\windows\system32\mpg2splt.ax 
oggds.dll 25f0000 241664 C:\windows\system32\oggds.dll 0, 9, 9, 5 Ogg DirectShow™ Filter Collection
vorbis.dll 2e60000 196608 C:\windows\system32\vorbis.dll 
ogg.dll e60000 49152 C:\windows\system32\ogg.dll 
vorbisenc.dll 3d00000 937984 C:\windows\system32\vorbisenc.dll 
TTADSSplitter.ax 3140000 90112 C:\Program Files\Matroska Pack\TTADSSplitter.ax 1, 0, 0, 203 True Audio DirectShow Splitter
wmvcore.dll 86d0000 2383872 C:\windows\system32\wmvcore.dll 10.00.00.3802 built by: dnsrv(bld4act) Windows Media Playback/Authoring DLL
WMASF.DLL 70d0000 237568 C:\windows\system32\WMASF.DLL 10.00.00.3802 built by: dnsrv(bld4act) Windows Media ASF DLL
DivXa32.acm 1c200000 323584 C:\windows\system32\DivXa32.acm 4.2.00.000 DivX WMA Audi
qasf.dll 95f0000 225280 C:\WINDOWS\system32\qasf.dll 10.00.00.3802 built by: dnsrv(bld4act) DirectShow ASF Support
wmvdmod.dll 4840000 901120 C:\WINDOWS\system32\wmvdmod.dll 10.00.00.3802 Windows Media Video Decoder
NeVideo.ax 6210000 1081344 C:\Program Files\Common Files\Ahead\DSFilter\NeVideo.ax 1, 1, 4, 6 
qdvd.dll 5df80000 393216 C:\WINDOWS\system32\qdvd.dll
These are all the different DLLs between the two sessions. Most of what it lists are things I expected, like codecs for MP3, Ogg, Vorbis, etc.

But it also listed an extra anti-virus application, NOD. That was not in the first log. Real-time anti-virus is very much there, always checking whether something is happening that has to be interfered with. But Ewido is there as well. It might be that the two of them are fighting, bringing your system to a crawl. Can you try the following? Restart and run something in Real. When that is done, check if the system is again at 100%. If so, unload/quit NOD and see if that helps... If not, I'll take a look at this list again to find out what it can be.
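The comparison Bobbi describes above (which modules appear in the second listing but not the first) can be automated. The following Python script is an added example for this thread; it is not part of the original post and not a HijackThis or BleepingComputer tool. It parses the `MODULE BASE SIZE PATH` listing format shown above, keys each module by its full path, reports what was loaded in the second session only, and separately lists the newcomers that carry no version or description text (the ones a reviewer has to identify by hand). The two listings inside the script are a constructed subset of the lines posted in this thread, not a new capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    name: str   # file name as printed in the first column
    base: int   # load address (the tool prints it in hex)
    size: int   # image size in bytes (decimal)
    path: str   # full path, may contain spaces
    info: str   # version + description; empty when the file has no version resource


def parse_module_line(line: str) -> Optional[Module]:
    """Parse one 'NAME BASE SIZE PATH [VERSION DESCRIPTION]' line.

    The path column contains spaces, so it cannot be split on whitespace.
    It always ends with '\\' + NAME, which is used to locate its end."""
    parts = line.strip().split(None, 3)
    if len(parts) < 4:
        return None
    name, base, size, rest = parts
    try:
        base_i = int(base, 16)
        size_i = int(size, 10)
    except ValueError:
        return None  # header line or garbage, not a module record
    m = re.search(re.escape("\\" + name), rest, re.IGNORECASE)
    if not m:
        return None
    return Module(name, base_i, size_i, rest[: m.end()], rest[m.end():].strip())


def parse_listing(text: str) -> Dict[str, Module]:
    """Map lower-cased path -> Module, skipping the header and blank lines."""
    mods: Dict[str, Module] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("MODULE"):
            continue
        mod = parse_module_line(line)
        if mod is not None:
            mods[mod.path.lower()] = mod
    return mods


def new_modules(first: str, second: str) -> List[Module]:
    """Modules loaded in the second session that were absent in the first."""
    before = parse_listing(first)
    after = parse_listing(second)
    return [mod for key, mod in after.items() if key not in before]


def unversioned(mods: List[Module]) -> List[Module]:
    """Modules that printed no version/description: identify these by hand."""
    return [m for m in mods if not m.info]


# Constructed sample listings: a handful of lines taken from this thread.
FIRST_LISTING = r"""MODULE BASE SIZE PATH
shmedia.dll 5cad0000 159744 C:\windows\system32\shmedia.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Media File Property Extractor Shell Extension
ymmapi.dll 64000000 188416 C:\PROGRA~1\Yahoo!\Common\ymmapi.dll 2004, 6, 13, 1 YMMAPI Module
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft ® C++ Runtime Library
"""

SECOND_LISTING = r"""MODULE BASE SIZE PATH
shmedia.dll 5cad0000 159744 C:\windows\system32\shmedia.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Media File Property Extractor Shell Extension
ymmapi.dll 64000000 188416 C:\PROGRA~1\Yahoo!\Common\ymmapi.dll 2004, 6, 13, 1 YMMAPI Module
nodshex.dll 2400000 61440 C:\Program Files\Eset\nodshex.dll 2, 50, 41 NOD32 - on-demand scanner
pu_nod32.dll 20a00000 176128 C:\Program Files\Eset\pu_nod32.dll 2, 50, 41 NOD32 - on-demand scanner
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft ® C++ Runtime Library
xvid.ax 3220000 61440 C:\windows\system32\xvid.ax
"""

if __name__ == "__main__":
    added = new_modules(FIRST_LISTING, SECOND_LISTING)
    for mod in added:
        print(f"NEW  {mod.path}  {mod.info or '(no version info)'}")
    for mod in unversioned(added):
        print(f"CHECK BY HAND  {mod.path}")
```

Keying on the full path rather than the file name matters: the same DLL name can be loaded from two different directories, and a copy sitting outside `system32` or `Program Files` is exactly the kind of difference this comparison is meant to surface.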

#15 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 24 October 2005 - 01:13 PM

Hi

I did as you told me, but sadly it didn't help :thumbsup:
I've even uninstalled NOD.

I really do feel the cause is some kind of clash between systems/processes, because even the connection to the internet takes much longer than usual. Something is making the system crawl.

Hope you can find out what it is.

Thanks in advance.



