
windows cannot find c:\windows\system\regedit.exe


18 replies to this topic

#1 nancy559

nancy559

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 05 April 2009 - 04:40 PM

Hello, I've just discovered this site while trying to figure out what's up with my computer. On doing a Google search I saw that there was another user (gurung guni) with the same (?) problem, but couldn't really understand how it was fixed... I'm not very computer savvy.

The problem is this: when my computer starts up, I get a message popping up saying
"Windows cannot find C:\Docume-1\powers\LOCALS-1\services.exe" (there is the squiggly line rather than the dash before the number "1's" in the message, but I can't figure how to get that on the keyboard.)

I close that and then I get an error message stating
"Could not load or run C:\Docume-1\powers\LOCALS-1\services.exe specified in the registry. Make sure the file exists in your computer or remove the reference to it in the registry."

I close that and get the following message while at the same time the "My Documents" window opens:
"Windows cannot find c:\windows\system\regedit.exe"

When I close that I get the error message:
"Could not load or run c:\windows\system\regedit.exe specified in the registry. Make sure the file exists in your computer or remove the reference to it in the registry."

Finally after closing this window my computer seems to perform normally.

Any help with this is greatly appreciated.


 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:50 AM

Posted 05 April 2009 - 08:12 PM

Hello.

C:\Docume-1\powers\LOCALS-1\services.exe

This is bad. It is part of an infection, but it seems the file is gone. We will deal with this soon.

c:\windows\system\regedit.exe

This is a legit file and it seems to be gone now. Please download regedit from here and save it to your C:\Windows directory.

After that run the following tools/programs.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have a backup, so in case anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.


Download and Run SDFix
You can find complete instructions on running SDFix in the link below:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

SDfix is for Windows 2000 and Windows XP only.
  • Download SDfix setup onto your desktop.
  • Run the installer. Leave the install location at your system root.
  • After the install, boot into Safe Mode (refer below).
  • Click your Start Menu. Click Run. Type in c:\sdfix\runthis.bat. Hit OK.
  • The prompt window will open. Type Y and hit Enter.
  • Wait for the scan to finish.
  • You will be prompted to restart. Press any key to do so. Allow Sdfix to boot the computer into normal boot.
  • At reboot, the prompt window will pop up, along with a log (\rapport.txt) shortly after. Copy the contents of the log back in your next reply.

Boot into Safe Mode

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 nancy559

nancy559

Posted 05 April 2009 - 08:53 PM

Thanks for the quick reply! I've just discovered that for the next 24 hours my internet connection is going to be sketchy at best. I will get the log report going and post it here as soon as I can- probably tomorrow. Thanks!

#4 extremeboy

extremeboy


Posted 05 April 2009 - 08:58 PM

Hello.

No problem. I'll always be on the forum everyday (unless something happens unexpectedly...) so take your time.

It's getting late here so I'll probably review the log tomorrow as well in the evening. :thumbsup:

With Regards,
Extremeboy

#5 nancy559

nancy559

Posted 06 April 2009 - 12:07 AM

Okay, good news first...

Those error messages are not appearing anymore. Here's what I did:

I downloaded regedit and saved it to the folder you specified (interestingly, it said the file already existed so I let it replace the file)

Then I backed up the registry with ERUNT.

Then I downloaded and ran SDFix. It all worked as you said, HOWEVER when the computer rebooted in NORMAL mode (after doing the scan, etc. in SAFE mode) there was a brief pop-up window (saying something about SDFix taking a few minutes to finish up... sorry I can't recall exactly what it said- and my notes are not handy) and then that was it. There was no rapport.txt log file. I did a search on the computer and couldn't find one. I ran through the SDFix a second time and still no log. But as I said, the computer is now booting up normally- I'm not getting any of the error messages. So is this a success? Do I need worry about anything else?

Thanks so much for your help.

Nancy

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:50 AM

Posted 06 April 2009 - 12:58 AM

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.


C:\SDFix

Once in Safe Mode, double-click SmitfraudFix.exe
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Chewy

No. Try not. Do... or do not. There is no try.

#7 extremeboy

extremeboy


Posted 06 April 2009 - 03:18 PM

I think my instruction needs to be modified a bit...

As Da Chew mentioned see if it's in the C:\SDFix folder called Report.txt. If not, just let me know.

Also run MBAM.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy

Edited by extremeboy, 06 April 2009 - 03:18 PM.


#8 nancy559

nancy559

Posted 07 April 2009 - 03:38 PM

Okay here's the latest...

I searched for report.txt in the C:\SDFix folder and here's what I got:



SDFix: Version 1.240
Run by powers on Sun 04/05/2009 at 08:41 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :




Then I ran the mbam and here is the log from that...

Malwarebytes' Anti-Malware 1.36
Database version: 1949
Windows 5.1.2600 Service Pack 2

4/7/2009 1:27:22 PM
mbam-log-2009-04-07 (13-27-22).txt

Scan type: Quick Scan
Objects scanned: 77827
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


How'd I do?

Nancy


#9 extremeboy

extremeboy


Posted 07 April 2009 - 04:44 PM

Hello.

I assume you still get that error on startup?

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".
    @Echo off
    REM Dump the autostart (Run) keys to C:\runkeys.txt. The BBCode tags format the headings when the log is pasted into the forum.
    
    Echo [color=orange][b]---------------------HKLM\RUN-------------------------[/b][/color] > C:\runkeys.txt
    
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> C:\runkeys.txt
    
    Echo [color=orange][b]---------------------HKCU\RUN-------------------------[/b][/color]  >> C:\runkeys.txt
    
    reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> C:\runkeys.txt
    
    Echo [color=orange][b]---------------------HKLM\RUNSERVICES-----------------[/b][/color]  >> C:\runkeys.txt
    
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices" >> C:\runkeys.txt
    
    REM Open the collected output so it can be copied into the next reply.
    Notepad C:\runkeys.txt
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input look.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double-click on look.bat, and a black DOS window will appear, and then you will see Notepad open. Post the contents of Notepad in your next reply. That Notepad file can also be found at C:\runkeys.txt

With Regards,
Extremeboy
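An added example (not part of the thread and not extremeboy's script): a Python triage of the runkeys.txt that look.bat produces, flagging autorun entries that point into a per-user Local Settings or Temp directory or that reuse a Windows system process name outside System32, the pattern behind the startup error in post #1. The sample text, the function names and the ExampleAV / Example Tools entries are constructed, and placing the services.exe entry under HKCU\Run is an assumption.

```python
import re

# Constructed sample of what C:\runkeys.txt could contain (not taken from the thread).
# Which key held the services.exe entry is an assumption.
SAMPLE = r"""[color=orange][b]---HKLM\RUN---[/b][/color]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\tray.exe" /startup
    Updater    REG_SZ    C:\Program Files\Example Tools\update.exe -quiet
[color=orange][b]---HKCU\RUN---[/b][/color]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    services    REG_SZ    C:\DOCUME~1\powers\LOCALS~1\services.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# "reg query" prints value lines as: <indent>name <sep> REG_TYPE <sep> data
# (tabs on Windows XP, spaces on later versions; \s+ accepts both).
VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Directory names (long and 8.3 short form) that any user can write to.
USER_WRITABLE = {"local settings", "locals~1", "temp"}

# Core Windows processes that legitimately live only in System32.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "csrss.exe", "smss.exe"}


def extract_target(data):
    """Return the executable path from a Run value, dropping its arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", data, re.I)
    return m.group(1) if m else (data.split() or [""])[0]


def parse_runkeys(text):
    """Yield one dict per autorun value: registry key, value name, target path."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group("name"),
                            "target": extract_target(m.group("data"))})
    return entries


def classify(target):
    """Return the reasons (possibly none) why an autorun target looks suspicious."""
    parts = target.replace("/", "\\").lower().split("\\")
    reasons = []
    if USER_WRITABLE & set(parts[:-1]):
        reasons.append("runs from a per-user Local Settings/Temp directory")
    if parts[-1] in SYSTEM_NAMES and parts[-2:-1] != ["system32"]:
        reasons.append(parts[-1] + " is a system process name used outside System32")
    return reasons


def triage(text):
    """Return only the autorun entries that have at least one reason attached."""
    findings = []
    for entry in parse_runkeys(text):
        reasons = classify(entry["target"])
        if reasons:
            findings.append(dict(entry, reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["key"], "->", f["name"], "=", f["target"])
        for reason in f["reasons"]:
            print("   *", reason)
```

A flagged entry is a lead to check on disk, not a verdict: an entry whose file is already gone produces exactly the "Could not load or run ... specified in the registry" message at startup until the value is removed.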

#10 nancy559

nancy559

Posted 08 April 2009 - 06:14 PM

No...
No more error messages on startup.
As I said above, those went away after running SDFix.
So, do I need to continue with further measures?

Nancy

#11 extremeboy

extremeboy


Posted 08 April 2009 - 08:42 PM

Okay.

You might want to run an online scan and see if there's anything else. That was a nasty infection you had but it was not active so I can't say too much on that..

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

With Regards,
Extremeboy

#12 nancy559

nancy559

Posted 10 April 2009 - 03:26 PM

Sorry for the delay...

I installed Java but then when I went to the Kaspersky site and tried to start the online scanner nothing happens. I click on it, double-click, reload the page and try again- nothing happens. I have McAfee VirusScan Enterprise and I disabled that before trying the Kaspersky.

So, kind of at a dead-end right now. What should I try next?

#13 extremeboy

extremeboy


Posted 10 April 2009 - 04:41 PM

Hello.

Please run GMER for me first then try the scanner below.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.
Note: Do not run any program while GMER is running.

Important!: Please do not select the Show all checkbox during the scan.


Run F-Secure Online Scan

Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
With Regards,
Extremeboy

#14 nancy559

nancy559

Posted 11 April 2009 - 05:33 PM

I think I ran GMER correctly. When I opened it it didn't ask for anything. I hit the "scan" button and after scanning I hit "copy" to copy the contents of the log...

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-04-11 14:02:29
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 85C30109 ZwCreateThread

.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] WININET.dll!InternetOpenA 771C574E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1016] WININET.dll!InternetReadFile 771C828C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] WININET.dll!InternetOpenA 771C574E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1176] WININET.dll!InternetReadFile 771C828C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenA 771C574E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetReadFile 771C828C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenA 771C574E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetReadFile 771C828C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] WININET.dll!InternetOpenA 771C574E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1324] WININET.dll!InternetReadFile 771C828C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!InternetOpenA 771C574E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!InternetReadFile 771C828C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] WININET.dll!InternetOpenA 771C574E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[2132] WININET.dll!InternetReadFile 771C828C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] WININET.dll!InternetOpenA 771C574E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] WININET.dll!InternetReadFile 771C828C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[2568] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll

---- Files - GMER 1.0.12 ----

ADS C:\Program Files\PhysPlot\Example.iac: SummaryInformation
ADS C:\Program Files\PhysPlot\Example.iac:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----



Then I ran the F-Secure online scanner. Here's that log...


Scanning Report
Saturday, April 11, 2009 14:37:37 - 15:25:54
Computer name: NEWBUILD
Scanning type: Scan system for malware, rootkits
Target: C:\
________________________________________
Result: 9 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Imrworldwide (spyware)
System
TrackingCookie.Mediaplex (spyware)
System
TrackingCookie.Questionmarket (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Specificclick (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System
________________________________________
Statistics
Scanned:
Files: 27241
System: 3486
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 9
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\POWERS\LOCAL SETTINGS\TEMP\ETILQS_AHOBWPFQND2LCAFZVO6T
C:\DOCUMENTS AND SETTINGS\POWERS\LOCAL SETTINGS\TEMP\ETILQS_MLVQDX0SMN31DFWESIEH


Nancy

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:50 AM

Posted 11 April 2009 - 08:04 PM

Hello.

Both look good. How's everything going? Any more symptoms?

With Regards,
Extremeboy