Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trying to recover from AntiVirus Pro 2010 Virus


  • This topic is locked This topic is locked
19 replies to this topic

#1 jhoward73

jhoward73

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 16 October 2009 - 08:23 AM

Hello, I am posting here per the advise of "Garmanma".
My previous post can be viewed here: http://www.bleepingcomputer.com/forums/t/264610/trying-to-recover-from-antivirus-pro-2010-virus/

I tried to follow the Prep Guide but was unable to get DDS to run.

I also tried to run RSIT.exe but received an error: AutoIt "variable used without being declared"

I got runscanner to work but cannot paste from notepad because notepad not working is one of my current symptoms. So I am attaching the runscanner.log file

Many thanks in advance!

Attached Files



BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:07 PM

Posted 28 October 2009 - 02:02 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 jhoward73

jhoward73
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 28 October 2009 - 04:15 PM

schrauber, many thanks for your reply, unfortunately I cannot get DDS to run.
Garmanma had asked me to try this when I first posted, it still will not work for me.

It simply says "this tool does not support your operating system

Just to simplify things I am including links to my other posts in regards to my issues and am attaching a few things as well.

Previous Links Here:
- October 15th (my first post)
http://www.bleepingcomputer.com/forums/t/264610/trying-to-recover-from-antivirus-pro-2010-virus/

- October 25th (the end of this post shows my most recent assesment of issues I am having)
http://www.bleepingcomputer.com/forums/t/266430/have-i-given-the-techs-herewhat-they-need/

Attached documents and screen shots:
runscanner.log
RootRepeal (ark.txt)
Windows Task Manager screen shot 1 (WTM_Scrn1.gif)
Windows Task Manager screen shot 2 (WTM_Scrn2.gif)

Thanks,
j

Attached Files


Edited by jhoward73, 29 October 2009 - 07:51 AM.


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:07 PM

Posted 29 October 2009 - 12:10 PM

Hello, jhoward73 and again
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.






Step 1

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.









Step 2
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<info.txt (<








Please post back with:
  • Gmer-Logfile
  • Both RSIT-Logfiles

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#5 jhoward73

jhoward73
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 30 October 2009 - 03:09 AM

Hi Tom, here is an update. Oct 29th

- I let this scan run for about 8 hours I guess, and decided to check on its status this AM. What I found was a popup error stating "windows delayed write failed was unable to save all the data for the file windows/system/config/sysevent.evt. the data was lost.
My mouse was locked so I clicked the enter button
- Unfortunately at this time GMER closed automatically when I clicked enter and I was never able to save the log file.
- then go another popup error "windows application failed - windows failed to initialize the property. click on ok to terminate the application"
My mouse was locked so I clicked the enter button
I restarted in hopes to get my mouse back, which worked.
- now a common issue where wuauclt.exe (win update) application error, followed by many instances of the exe trying to run in processes. I renamed the wuauclt.exe and restarted, then reinstalled windows update client and turned auto updates off.
The wuauclt.exe process are gone now and the computer more stable.
- I am attempting to re-run GMER now.
Wish me luck!

Thanks,
Jason

Edited by jhoward73, 30 October 2009 - 11:18 AM.


#6 jhoward73

jhoward73
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 30 October 2009 - 11:33 AM

Hi Tom, another update Friday Oct 30th

I got GMER to run this time! I attached the log file.
Unfortunately, when I try and run the RSIT.exe I get to the section where it is "Listing services and drivers" then I get this error:
"Auto It Error Line -1 variable used without being declared"

Let me know what else you need.
Thanks,
Jason

Here is GMER's results:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-30 11:58:30
Windows 5.2.3790 Service Pack 2
Running: p6vx5sdv.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwldauog.sys


---- System - GMER 1.0.15 ----

SSDT 88BEC113 ZwCreateThread

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[452] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[464] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[668] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[740] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[796] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[844] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[860] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1400] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[1588] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1804] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[2232] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\wuauclt.exe[2688] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2760] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3272] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!ReadFile 77E4184F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!VirtualProtectEx 77E41A9C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!LoadLibraryA 77E41DCA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!VirtualProtect 77E41FF3 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!GetStartupInfoA 77E420EC 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!CreatePipe 77E4E363 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!GetProcAddress 77E63D7A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!WriteFile 77E65531 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!PeekNamedPipe 77EA2A87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] kernel32.dll!WinExec 77EA424E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] ADVAPI32.dll!RegOpenKeyA 7D1F70F9 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] msvcrt.dll!system 77BBA083 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] msvcrt.dll!_creat 77BBE19E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] msvcrt.dll!_read 77BC09B6 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] msvcrt.dll!_write 77BC1233 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] WS2_32.dll!select 71C0279B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] WS2_32.dll!send 71C02EC2 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] WS2_32.dll!recv 71C02F7F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] WS2_32.dll!socket 71C0410C 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] WS2_32.dll!bind 71C0438D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] WININET.dll!InternetReadFile 4040654B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] WININET.dll!InternetOpenA 4041D690 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[3304] WININET.dll!InternetOpenUrlA 4041F3A4 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [731B1775] C:\Program Files\Network Associates\Common Framework\PsApi.dll (Process Status Helper/Microsoft Corporation)
IAT C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1432] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [731B16B3] C:\Program Files\Network Associates\Common Framework\PsApi.dll (Process Status Helper/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat Dfs.sys (Distributed File System Filter Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E970-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E970-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{6D807884-7D21-11CF-801C-08002BE10318}\Properties@DeviceType 31
Reg HKLM\SYSTEM\controlset002\control\Class\{6D807884-7D21-11CF-801C-08002BE10318}\Properties@DeviceCharacteristics 257
Reg HKLM\SYSTEM\controlset002\control\Class\{CE5939AE-EBDE-11D0-B181-0000F8753EC4}\Properties@DeviceType 48
Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime 272

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  gmer.log   112.41KB   0 downloads


#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:07 PM

Posted 30 October 2009 - 04:12 PM

Hi,


Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#8 jhoward73

jhoward73
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 31 October 2009 - 04:33 AM

Hi Tom,

I disabled everything (virus protection software), I thought I had the first time, did it appear that I hadnt?
I disabled everything I can in Mcafee and followed instructions for spybot S&D

Unfortunately combofix wont run. I get the following error:

incompatible OS Combofix only works for workstations with windows xp or 2000.

I of course have win2003 server, is there another version?...I hope

Jason

#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:07 PM

Posted 31 October 2009 - 10:34 AM

Hi,

Please run RSIT from my above instructions and post back with the logfiles. Also please do this:



Step 1

Download and run Win32kDiag:




Step 2

RootRepeal - Rootkit Detector


Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Clickthe Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program







Please post back with:
  • Both RSIT-Logfiles
  • Win32kDiag-Logfile
  • Rootrepeal-Logfile

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#10 jhoward73

jhoward73
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 31 October 2009 - 01:41 PM

Hi Tom, unfortunately, like I said in post #6 I am unable to get RSIT to run either.

RSIT
"when I try and run the RSIT.exe I get to the section where it is "Listing services and drivers" then I get this error:
"Auto It Error Line -1 variable used without being declared"
It does not create the files.

--------------------------------------

Win32kDiag.exe
I also tried running Win32kDiag.exe and although it does create a document is seems to contain an error ("warning, could not get backup privileges") and nothing that would seem useful to you. I am pasting it below anyway:
BTW, are there certain provileges I can alter that would help?

Man I am getting discouraged, nothing seems to work on Windows Server 2003

---------------------------------------

Win32kdiag.txt TEXT FILE *note "warning, could not get backup privileges"

text = "Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Finished! "

---------------------------------------
RootRepeal

Just so you know, I had previsouly run runscanner and attached that log file (ark.txt) on October 16th.
I ran it again so you have a newer version and attached it as RootRepeal.txt
-----------------------------------------

Thanks,
Jason

Attached Files



#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:07 PM

Posted 31 October 2009 - 02:41 PM

Hi,



We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#12 jhoward73

jhoward73
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 31 October 2009 - 04:30 PM

I get a "system resource interface not present" warning, click it an nothing happens. The program wont run.

Jason

#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:07 PM

Posted 31 October 2009 - 05:48 PM

Let's try this one.

Download Silent Runners to your desktop.
  • Click on the Silent Runners.vbs icon to open the program
  • Then click OPEN and YES in the next screen.
  • Let the program run its course. It will tell you when it has finished its work
  • This will generate a text file on your desktop called "Startup Programs ...".
  • Save this report for your next reply here.

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#14 jhoward73

jhoward73
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 31 October 2009 - 07:44 PM

Her you go, I got one to work!

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows Server 2003 (interpreted as Windows XP)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"swg" = ""C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"" ["Google Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Weather" = "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"Network Associates Error Reporting Service" = ""C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"" ["Network Associates, Inc."]
"PrinTray" = "C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"MSConfig" = ""C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto" [MS]
"UVS10 Preload" = "C:\Program Files\Ulead Systems\Ulead VideoStudio SE\uvPL.exe" ["Ulead Systems, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"LXBXCATS" = "rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16" [MS]
"lxbxmon.exe" = ""C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"" ["Lexmark International, Inc."]
"FaxCenterServer4_in_1" = ""C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s" [null data]
"(Default)" = "(empty string)" [file not found]
"EzPrint" = ""C:\Program Files\Lexmark 7100 Series\ezprint.exe"" ["Lexmark International Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u"

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\(Default) = "%IEHARDENADMIN_BASE_DESC%"
\StubPath = "C:\WINDOWS\system32\rundll32.exe iesetup.dll,IEHardenAdmin" [MS]
{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\(Default) = "%IEHARDENUSER_DESC%"
\StubPath = "C:\WINDOWS\system32\rundll32.exe iesetup.dll,IEHardenUser" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SnagIt Toolbar Loader"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll" ["TechSmith Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{83B80A9C-D91A-4F22-8DCF-EA7204039F79}\(Default) = "NetXfer"
-> {HKLM...CLSID} = "NXIECatcher Class"
\InProcServer32\(Default) = "C:\Program Files\Xi\NetXfer\NXIEHelper.dll" ["Xi"]
{AA102584-3B97-47e7-B9BC-75D54C110A7D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Tunebite_WebRipPlugin Class"
\InProcServer32\(Default) = "C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll" ["RapidSolution Software"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll" ["Google Inc."]
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\(Default) = "Google Dictionary Compression sdch"
-> {HKLM...CLSID} = "Google Dictionary Compression sdch"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "hticons.dll" [file not found]
"{4648F940-EFE3-4BAB-9211-3BE45CD5029D}" = "VSSShellExt"
-> {HKLM...CLSID} = "VSSShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\vssui.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {HKLM...CLSID} = "Registered ActiveX Controls"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {HKLM...CLSID} = "Developer Studio Components"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {HKLM...CLSID} = "VersionShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
-> {HKLM...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
"{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu"
-> {HKLM...CLSID} = "Burn4Freecontext menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\b4fm.dll" [null data]
"{DBD8E168-244D-448C-9922-25508950D1DC}" = "Ulead UDF Driver"
-> {HKLM...CLSID} = "USIShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll" ["Ulead Systems, Inc."]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = ""C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\msdev.exe" -p %ld -e %ld" [MS]

HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wuauclt.exe," [MS], [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Notification Packages" = "RASSFM"|"KDCSVC"|"WDIGEST"|"scecli"

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
<<!>> x-sdch\CLSID = "{B1759355-3EEC-4C1E-B0F1-B719FE26E377}"
-> {HKLM...CLSID} = "Google Dictionary Compression filter"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll" ["Google Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
ShellPlusContextMenu\(Default) = "{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}"
-> {HKLM...CLSID} = "Burn4Freecontext menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\b4fm.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

"LowRiskFileTypes" = (REG_SZ) zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav
{unrecognized setting}

"SaveZoneInformation" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ShowSuperHidden" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"disablecad" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

G:\
<<!>> G:\AUTORUN.INF -> "open=setup.exe" ["Western Digital Corporation"]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CanonZB4PicturesOnArrival\
"Provider" = "ZoomBrowser EX"
"InvokeProgID" = "Zb.AutoplayHandler"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Zb.AutoplayHandler\shell\open\command\(Default) = "C:\Program Files\Canon\ZoomBrowser EX\Program\ZoomBrowser.exe /AUTOPLAY "%1"" [empty string]

EpShowApp\
"Provider" = "Lexmark Fast Pics"
"InvokeProgID" = "EzPrint"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\EzPrint\shell\Play\DropTarget\CLSID = "{225F2F50-F37D-4eb3-B3A6-F675C9B52C83}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Program Files\Lexmark 7100 Series\ezprint.exe" ["Lexmark International Inc."]

MediaCapture9Music\
"Provider" = "Media Import"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Audio"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Audio\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -audio %L" ["Sonic Solutions"]

MediaCapture9Photos\
"Provider" = "Media Import"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Photo"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Photo\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -photo %L" ["Sonic Solutions"]

MediaCapture9VideoCamera\
"Provider" = "Media Import"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "C:\WINDOWS\system32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MediaCapture9Videos\
"Provider" = "Media Import"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Video"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Video\command\(Default) = "C:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -video %L" ["Sonic Solutions"]

MSWMEncVCArrival\
"Provider" = "Windows Media Encoder 9 Series"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Windows Media Components\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "C:\WINDOWS\system32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

RoxioSCAudioCDTask33\
"Provider" = "Roxio Creator Audio"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {8E376824-EA6C-4CB7-AA05-A30CB84D359B}" [null data]

RoxioSCCopyCD33\
"Provider" = "Sonic Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCCopyDisc33\
"Provider" = "Sonic Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCDataProject33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch Data" [null data]

RoxioSCDataTask33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {D085B12D-4D9B-49C2-8323-5053831CBD54}" [null data]

UVSFolder\
"Provider" = "Ulead VideoStudio SE"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Ulead Systems\Ulead VideoStudio SE\vstudio.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "C:\WINDOWS\system32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"wuauclt.exe" -> shortcut to: "C:\WINDOWS\system32\wuauclt.exe" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit Inc."]
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]


Enabled Scheduled Tasks:
------------------------

"Spybot - Search & Destroy - Scheduled Task" -> launches: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 15


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "Google Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" ["Google Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "Google Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" ["Google Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\SOFTWARE\Classes\CLSID\{E16DC1FE-7C34-43F2-B754-F3AD12DDF97C}\(Default) = "Google Find Bar"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" ["Google Inc."]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Application Experience Lookup Service, AeLookupSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\aelupsvc.dll" [MS]}
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
HTTP SSL, HTTPFilter, "C:\WINDOWS\system32\lsass.exe" [MS]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
lxbx_device, lxbx_device, "C:\WINDOWS\system32\lxbxcoms.exe -service" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
MemeoBackgroundService, MemeoBackgroundService, "C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe" [null data]
Microsoft Search, MSSEARCH, ""C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe"" [MS]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"" ["Network Associates, Inc."]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
World Wide Web Publishing Service, W3SVC, "C:\WINDOWS\System32\svchost.exe -k iissvcs" {"C:\WINDOWS\system32\inetsrv\iisw3adm.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
7100 Series Port\Driver = "lxbxlmpm.DLL" ["Lexmark International, Inc."]
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Fax Lexmark 7100 Series Port\Driver = "LXBXPMON.DLL" [null data]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Office Live Meeting 2007 Document Writer Monitor\Driver = "lmdimon8.dll" ["Microsoft Corporation."]
Microsoft Office Live Meeting Document Writer Monitor\Driver = "lmdimon.dll" [MS]


---------- (launch time: 2009-10-31 18:51:27)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 55 seconds, including 5 seconds for message boxes)

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:07 PM

Posted 01 November 2009 - 03:42 AM

Hi,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users