Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

fqpmdsitssd.exe preventing DDS and asam.exe found


  • This topic is locked This topic is locked
9 replies to this topic

#1 taranta babu

taranta babu

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 30 May 2010 - 02:33 PM

Hello and thanks in advance for reading this.
I have found fqpmdsitssd.exe (from now on I'll refer to it as "fqp...") and asam.exe in my wife's computer. the computer was giving fake "warning messages" about being infected. I was not able to run any other programs once asam.exe and fqp... started not even windows task manager. However, if I restart the computer, and task manager before fqp... I could kill fqp... from the processes tab.

I read the the posting by Orange Blossom [post="http://www.bleepingcomputer.com/forums/index.php?showtopic=317367&view=findpost&p=1761824"]here[/post] and I followed the provided links to here.

I could not run DDS without killing fqp... as I described above. After that I did run DDS. the results are here (I am also attaching attach.txt here I will post the gmer results in the next posting):

DDS (Ver_10-03-17.01) - NTFSx86
Run by safa at 13:15:21.21 on Sun 05/30/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1254.90.1033.18.510.171 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\safa\Local Settings\Application Data\asam.exe
C:\Documents and Settings\safa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: DeskshopBrowserHelper Class: {8db3d69d-da5e-4165-b781-72a761790672} - c:\windows\system32\BhoDshop.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\safa\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [uehmibpv] c:\documents and settings\safa\local settings\application data\oencexcwh\fqpmdsitssd.exe
uRun: [asam] c:\documents and settings\safa\local settings\application data\asam.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [TpShocks] TpShocks.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [uehmibpv] c:\documents and settings\safa\local settings\application data\oencexcwh\fqpmdsitssd.exe
mRun: [asam] c:\documents and settings\safa\local settings\application data\asam.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - c:\program files\secure online account numbers\SOAN.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209693295484
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D5D17C21-1719-4640-B0B2-4F3262419920} - hxxps://www.isbank.com.tr/Internet/lib/JaguarEdit4ISB.CAB
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

P2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2006-2-14 221191]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-2-3 58464]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-2-3 102463]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2006-6-8 29184]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-10-24 102400]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-2-3 116864]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1980-1-1 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-1-29 11520]

=============== Created Last 30 ================

2010-05-30 16:47:19 0 ----a-w- c:\documents and settings\safa\defogger_reenable
2010-05-29 18:50:23 25 ----a-w- c:\windows\herjek.config

==================== Find3M ====================

2010-04-17 03:04:35 11712 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-04-12 21:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2006-06-01 20:02:13 77408 ----a-w- c:\program files\COMPUTUS.EXE
2006-05-11 22:24:15 88 --sh--r- c:\windows\system32\752A45A96B.sys
2006-05-11 22:24:40 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-02 02:57:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 13:16:37.39 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 taranta babu

taranta babu
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 30 May 2010 - 03:03 PM

... and this is the GMER log file.
Thanks for your help...


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-30 15:58:50
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\safa\LOCALS~1\Temp\ugtdypog.sys


---- System - GMER 1.0.15 ----

SSDT FF6AF109 ZwCreateThread

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[288] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[536] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[644] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\services.exe[972] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\lsass.exe[984] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\System32\svchost.exe[1760] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1908] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] kernel32.dll!PeekNamedPipe 7C860977 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] msvcrt.dll!system 77C293C7 5 Bytes JMP 3700775C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 370076A2 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 3700771E C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] msvcrt.dll!_write 77C30303 5 Bytes JMP 370076E0 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] WS2_32.dll!select 71AB30A8 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] WS2_32.dll!socket 71AB4211 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] WS2_32.dll!bind 71AB4480 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] WS2_32.dll!send 71AB4C27 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)
.text C:\WINDOWS\Explorer.EXE[2504] WS2_32.dll!recv 71AB676F 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll (EntAPI/Network Associates, Inc)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000e9bdd43f8
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000e9bdd43f8 (not active ControlSet)

---- EOF - GMER 1.0.15 ----


#3 taranta babu

taranta babu
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 30 May 2010 - 03:48 PM

I also ran rootkit unhooker and here are the results
thanks:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xF78E6000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 3325952 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0xBF0B2000 C:\WINDOWS\System32\ati3duag.dll 2367488 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7C6B000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1331200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF7747000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 835584 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xBF2F4000 C:\WINDOWS\System32\ativvaxx.dll 643072 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF8258000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF3325000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7669000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF342A000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF097D000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xF75C6000 C:\WINDOWS\system32\drivers\btaudio.sys 319488 bytes (Broadcom Corporation., Bluetooth Audio Device)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF0A4C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF78A6000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 225280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF07D000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xBF049000 C:\WINDOWS\System32\ati2cqag.dll 212992 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xF76C7000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF83F7000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF0B2D000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF822B000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF7813000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 180224 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xF3395000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF3402000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF8383000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF32FF000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xEFDB0000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF7882000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7C12000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF785F000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF0B5A000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xF33E0000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF7C36000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 135168 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF783F000 C:\WINDOWS\system32\drivers\aeaudio.sys 131072 bytes (Andrea Electronics Corporation, Andrea Audio Noise Cancellation Driver)
0xF8336000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF83A9000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF83C8000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF01E0000 C:\WINDOWS\system32\drivers\naiavf5x.sys 118784 bytes (McAfee Inc., Anti-Virus File System Filter Driver)
0xF8211000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF113F000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF1126000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8356000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF32AE000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF82F8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF7730000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEFD99000 C:\DOCUME~1\safa\LOCALS~1\Temp\ugtdypog.sys 94208 bytes
0xF0F08000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xF1180000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF830F000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xF836E000 Shockprf.sys 86016 bytes (Lenovo, Shockproof Disk Driver)
0xF0CC3000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7C57000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF3483000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF82E5000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF8324000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF83E6000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF76F7000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF32C6000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xF7DB0000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF85D6000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF8596000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7DD0000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF8716000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7DF0000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF86C6000 C:\WINDOWS\system32\drivers\mvstdi5x.sys 61440 bytes (Network Associates, Inc., Anti-Virus Mini-Firewall Driver)
0xF85E6000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF0EA8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF8686000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF85A6000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF8566000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7DE0000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF85F6000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8546000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF8616000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF86F6000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7DC0000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF8536000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8606000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8586000 sbp2port.sys 45056 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
0xF352E000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF8526000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF8646000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF8636000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF8556000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7E00000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF8626000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF86D6000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF04F5000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF8576000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF350E000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8706000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF88F6000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF890E000 C:\WINDOWS\System32\drivers\Smapint.sys 32768 bytes (Microsoft Corporation, SMAPI I/O)
0xF888E000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF88A6000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF88DE000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF87A6000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF8926000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF891E000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF8896000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF889E000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF88D6000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF8906000 C:\WINDOWS\System32\drivers\TDSMAPI.SYS 24576 bytes
0xF87DE000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF8886000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF88E6000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF88EE000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF87AE000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF88BE000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF88AE000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF88C6000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF88B6000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF88FE000 C:\WINDOWS\System32\Drivers\TPHKDRV.SYS 20480 bytes (IBM Corporation, ThinkPad Hotkey Driver)
0xF8916000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF11C2000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 16384 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF893E000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF8A1A000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF0A10000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface DRIVER)
0xF81B8000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF102E000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8A16000 C:\WINDOWS\system32\DRIVERS\nsctpm11.sys 16384 bytes (National Semiconductor Corp., TPM Device Driver)
0xF8A12000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF12AA000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8942000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF8936000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF893A000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF75B6000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF02C5000 C:\WINDOWS\system32\drivers\EntDrv51.sys 12288 bytes (Network Associates, Inc, EntDrv)
0xF89F2000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xF8A1E000 C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys 12288 bytes (Lenovo., ThinkPad Power Management Driver)
0xF81D4000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF8A22000 C:\WINDOWS\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus® ASPI Shell)
0xF89FA000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF1052000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 12288 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF8A02000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF8A64000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8A2A000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF8A72000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8A3C000 C:\WINDOWS\SYSTEM32\EGATHDRV.SYS 8192 bytes (IBM Corporation, IBM eGatherer Kernel Module)
0xF8A62000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8A26000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8A66000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8A52000 C:\WINDOWS\SYSTEM32\Drivers\PMEMNT.SYS 8192 bytes (Microsoft Corporation, Physical Memory Driver)
0xF8A68000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8A6E000 C:\WINDOWS\System32\Drivers\ShockMgr.SYS 8192 bytes (Lenovo., ShockMgr Device Driver)
0xF8A58000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF8A5A000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8A7E000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8A56000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8A28000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8C08000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8C34000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8BE1000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8AEF000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF8AEE000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF8BAF000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8B9B000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\6RG09ETW\aly[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\6RG09ETW\aly[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\6RG09ETW\dnr[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\6RG09ETW\dsx[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\6RG09ETW\dsx[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\6RG09ETW\efn[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\6RG09ETW\efn[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\6RG09ETW\wbr[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\akd[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\akd[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\fpu[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\ldm[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\ldm[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\ppw[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\ppw[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\ppw[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\swb[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\F6ZP4Z4B\udf[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\K7A39JNL\fhj[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\K7A39JNL\gun[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\K7A39JNL\gun[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\K7A39JNL\hyx[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\K7A39JNL\hyx[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\K7A39JNL\hyx[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\K7A39JNL\ric[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\K7A39JNL\ric[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\K7A39JNL\vcy[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\ZP2W890U\apb[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\ZP2W890U\hpi[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\ZP2W890U\hpi[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\ZP2W890U\tfx[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\ZP2W890U\tfx[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\ZP2W890U\yrd[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\ZP2W890U\yrd[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\ZP2W890U\yrd[1].htm
!-->[Hidden] C:\Documents and Settings\safa\Local Settings\Temporary Internet Files\Content.IE5\ZP2W890U\yyy[1].htm
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006AA8A, Type: Inline - RelativeJump 0x80541A8A-->80541A91 [ntkrnlpa.exe]
[1188]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1188]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1188]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1188]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1188]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1188]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1188]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1188]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1188]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1188]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1188]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1188]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1188]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1188]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1188]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1188]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1188]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[1288]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1288]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1288]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1288]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1288]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1288]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1288]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1288]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1288]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1288]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1288]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1288]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1288]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1288]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1288]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1288]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1288]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[1324]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1324]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1324]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1324]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1324]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1324]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1324]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1324]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1324]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1324]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1324]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1324]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1324]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1324]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1324]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1324]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1324]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[1364]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1364]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1364]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1364]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1364]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1364]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1364]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1364]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1364]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1364]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1364]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1364]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1364]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1364]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1364]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1364]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1364]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[1432]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1432]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1432]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1432]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1432]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1432]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1432]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1432]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1432]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1432]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1432]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1432]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1432]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1432]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1432]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1432]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1432]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[1520]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1520]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1520]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1520]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1520]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1520]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1520]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1520]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1520]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1520]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1520]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1520]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1520]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1520]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1520]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1520]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1520]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[1704]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1704]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1704]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1704]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1704]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1704]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1704]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1704]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1704]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1704]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1704]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1704]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1704]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1704]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1704]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1704]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1704]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[1760]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1760]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1760]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1760]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1760]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1760]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1760]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1760]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1760]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1760]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1760]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1760]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1760]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1760]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1760]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1760]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1760]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[1816]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1816]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1816]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1816]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1816]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1816]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1816]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1816]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1816]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1816]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1816]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1816]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1816]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1816]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1816]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1816]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1816]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[1908]FrameworkService.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[2504]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2504]explorer.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[2504]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[2504]explorer.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[2504]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[2504]explorer.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[2504]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[2504]explorer.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[2504]explorer.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[2504]explorer.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[2504]explorer.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[2504]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[2504]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[2504]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[2504]explorer.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[2504]explorer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[2504]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->00000000 [shimeng.dll]
[2504]explorer.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[2504]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[2504]explorer.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[2504]explorer.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[2504]explorer.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[2504]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[288]naPrdMgr.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[448]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[448]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[448]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[448]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[448]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[448]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[448]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[448]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[448]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[448]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[448]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[448]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[448]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[448]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[448]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[448]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[448]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[536]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[536]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[536]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[536]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[536]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[536]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[536]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[536]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[536]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[536]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[536]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[536]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[536]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[536]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[536]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[536]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[536]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[644]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[644]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[644]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[644]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[644]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[644]svchost.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[644]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[644]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[644]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[644]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[644]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[644]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[644]svchost.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[644]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[644]svchost.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[644]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[644]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[972]services.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[972]services.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[972]services.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[972]services.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[972]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[972]services.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[972]services.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[972]services.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[972]services.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[972]services.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[972]services.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[972]services.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[972]services.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[972]services.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[972]services.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[972]services.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[972]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]
[984]lsass.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [entapi.dll]
[984]lsass.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [entapi.dll]
[984]lsass.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [entapi.dll]
[984]lsass.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [entapi.dll]
[984]lsass.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [entapi.dll]
[984]lsass.exe-->kernel32.dll-->PeekNamedPipe, Type: Inline - RelativeJump 0x7C860977-->00000000 [entapi.dll]
[984]lsass.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [entapi.dll]
[984]lsass.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [entapi.dll]
[984]lsass.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [entapi.dll]
[984]lsass.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->00000000 [entapi.dll]
[984]lsass.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00000000 [entapi.dll]
[984]lsass.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D9513D4-->00000000 [entapi.dll]
[984]lsass.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x71AB4480-->00000000 [entapi.dll]
[984]lsass.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [entapi.dll]
[984]lsass.exe-->ws2_32.dll-->select, Type: Inline - RelativeJump 0x71AB30A8-->00000000 [entapi.dll]
[984]lsass.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [entapi.dll]
[984]lsass.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [entapi.dll]

Edited by taranta babu, 30 May 2010 - 07:46 PM.


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:56 PM

Posted 01 June 2010 - 09:43 PM

Hello, and welcome.gif to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. smile.gif
***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#5 taranta babu

taranta babu
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 02 June 2010 - 12:01 AM

Hi Blade,
Thank you for your reply. I did run combofix (as renamed.exe). first it asked if I wanted to install the new version of combofix huh.gif when I said yes all went as you outlined in your reply. it produced two logs combofix.txt and log.txt. They might be identical; however to be on the safe side I am including both below. when I restarted the computer all seemed to be working fine unsure.gif I hope that is the case--you will be the judge of that.

thanks again...


COMBOFIX.TXT
----------------------------------------------------------
ComboFix 10-06-01.01 - safa 06/02/2010 0:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1254.90.1033.18.510.267 [GMT -4:00]
Running from: c:\documents and settings\safa\Desktop\renamed.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\safa\Local Settings\Application Data\asam.exe
c:\documents and settings\safa\Local Settings\Application Data\oencexcwh
c:\documents and settings\safa\Local Settings\Application Data\oencexcwh\fqpmdsitssd.exe
c:\documents and settings\safa\Local Settings\Application Data\syssvc.exe
c:\windows\herjek.config

.
((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-05-23 17:11 . 2010-05-23 17:11 503808 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bfb9336-n\msvcp71.dll
2010-05-23 17:11 . 2010-05-23 17:11 61440 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5170aac9-n\decora-sse.dll
2010-05-23 17:11 . 2010-05-23 17:11 499712 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bfb9336-n\jmc.dll
2010-05-23 17:11 . 2010-05-23 17:11 348160 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bfb9336-n\msvcr71.dll
2010-05-23 17:11 . 2010-05-23 17:11 12800 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5170aac9-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 18:39 . 2010-01-31 23:46 -------- d-----w- c:\documents and settings\safa\Application Data\ZoomBrowser EX
2010-05-26 18:37 . 2010-01-31 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-05-19 14:07 . 2008-09-06 18:18 -------- d-----w- c:\documents and settings\safa\Application Data\Skype
2010-05-16 23:20 . 2010-04-26 12:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-12 16:30 . 2008-08-27 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-23 02:13 . 2010-04-23 02:13 -------- d-----w- c:\program files\Common Files\Java
2010-03-11 12:38 . 1980-01-01 08:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 1980-01-01 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 1980-01-01 08:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 1980-01-01 08:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2006-06-01 20:02 . 2006-02-23 12:09 77408 ----a-w- c:\program files\COMPUTUS.EXE
2006-05-11 22:24 . 2006-05-11 21:29 88 --sh--r- c:\windows\system32\752A45A96B.sys
2006-05-11 22:24 . 2006-05-11 21:25 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-8-23 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-14 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 03:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 00:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-01-22 01:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-09-02 09:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-17 12:46 133104 ----atw- c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-25 18:56 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-02-14 18:16 512000 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
2002-10-09 02:28 40960 ----a-w- c:\windows\system32\TpScrLk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2796:UDP"= 2796:UDP:Windows Media Format SDK (napster.exe)
"2797:UDP"= 2797:UDP:Windows Media Format SDK (napster.exe)

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2/3/2006 12:55 PM 58464]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [10/24/2008 12:09 PM 102400]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1/1/1980 4:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:00 PM 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/29/2009 9:37 PM 11520]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 03:00]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 03:00]

2010-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2135978963-2117337748-3787718861-1005Core.job
- c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 12:46]

2010-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2135978963-2117337748-3787718861-1005UA.job
- c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {D5D17C21-1719-4640-B0B2-4F3262419920} - hxxps://www.isbank.com.tr/Internet/lib/JaguarEdit4ISB.CAB
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-uehmibpv - c:\documents and settings\safa\Local Settings\Application Data\oencexcwh\fqpmdsitssd.exe
HKCU-Run-asam - c:\documents and settings\safa\Local Settings\Application Data\asam.exe
HKLM-Run-uehmibpv - c:\documents and settings\safa\Local Settings\Application Data\oencexcwh\fqpmdsitssd.exe
HKLM-Run-asam - c:\documents and settings\safa\Local Settings\Application Data\asam.exe
MSConfigStartUp-BLOG - c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL
MSConfigStartUp-EZEJMNAP - c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
MSConfigStartUp-PWRMGRTR - c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
MSConfigStartUp-TPKMAPHELPER - c:\program files\ThinkPad\Utilities\TpKmapAp.exe
MSConfigStartUp-UpdateManager - c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
AddRemove-Ad-Aware SE Personal - c:\progra~1\Lavasoft\AD-AWA~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 00:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2135978963-2117337748-3787718861-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\EntApi.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-02 00:34:42
ComboFix-quarantined-files.txt 2010-06-02 04:34

Pre-Run: 22,151,372,800 bytes free
Post-Run: 22,168,875,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 4A756C2A04A57258646E5AF1925BE211

LOG.TXT
ComboFix 10-06-01.01 - safa 06/02/2010 0:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1254.90.1033.18.510.267 [GMT -4:00]
Running from: c:\documents and settings\safa\Desktop\renamed.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\safa\Local Settings\Application Data\asam.exe
c:\documents and settings\safa\Local Settings\Application Data\oencexcwh
c:\documents and settings\safa\Local Settings\Application Data\oencexcwh\fqpmdsitssd.exe
c:\documents and settings\safa\Local Settings\Application Data\syssvc.exe
c:\windows\herjek.config

.
((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-05-23 17:11 . 2010-05-23 17:11 503808 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bfb9336-n\msvcp71.dll
2010-05-23 17:11 . 2010-05-23 17:11 61440 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5170aac9-n\decora-sse.dll
2010-05-23 17:11 . 2010-05-23 17:11 499712 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bfb9336-n\jmc.dll
2010-05-23 17:11 . 2010-05-23 17:11 348160 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bfb9336-n\msvcr71.dll
2010-05-23 17:11 . 2010-05-23 17:11 12800 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5170aac9-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 18:39 . 2010-01-31 23:46 -------- d-----w- c:\documents and settings\safa\Application Data\ZoomBrowser EX
2010-05-26 18:37 . 2010-01-31 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-05-19 14:07 . 2008-09-06 18:18 -------- d-----w- c:\documents and settings\safa\Application Data\Skype
2010-05-16 23:20 . 2010-04-26 12:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-12 16:30 . 2008-08-27 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-23 02:13 . 2010-04-23 02:13 -------- d-----w- c:\program files\Common Files\Java
2010-03-11 12:38 . 1980-01-01 08:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 1980-01-01 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 1980-01-01 08:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 1980-01-01 08:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2006-06-01 20:02 . 2006-02-23 12:09 77408 ----a-w- c:\program files\COMPUTUS.EXE
2006-05-11 22:24 . 2006-05-11 21:29 88 --sh--r- c:\windows\system32\752A45A96B.sys
2006-05-11 22:24 . 2006-05-11 21:25 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-8-23 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-14 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 03:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 00:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-01-22 01:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-09-02 09:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-17 12:46 133104 ----atw- c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-25 18:56 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-02-14 18:16 512000 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
2002-10-09 02:28 40960 ----a-w- c:\windows\system32\TpScrLk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2796:UDP"= 2796:UDP:Windows Media Format SDK (napster.exe)
"2797:UDP"= 2797:UDP:Windows Media Format SDK (napster.exe)

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2/3/2006 12:55 PM 58464]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [10/24/2008 12:09 PM 102400]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1/1/1980 4:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:00 PM 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/29/2009 9:37 PM 11520]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 03:00]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 03:00]

2010-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2135978963-2117337748-3787718861-1005Core.job
- c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 12:46]

2010-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2135978963-2117337748-3787718861-1005UA.job
- c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {D5D17C21-1719-4640-B0B2-4F3262419920} - hxxps://www.isbank.com.tr/Internet/lib/JaguarEdit4ISB.CAB
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-uehmibpv - c:\documents and settings\safa\Local Settings\Application Data\oencexcwh\fqpmdsitssd.exe
HKCU-Run-asam - c:\documents and settings\safa\Local Settings\Application Data\asam.exe
HKLM-Run-uehmibpv - c:\documents and settings\safa\Local Settings\Application Data\oencexcwh\fqpmdsitssd.exe
HKLM-Run-asam - c:\documents and settings\safa\Local Settings\Application Data\asam.exe
MSConfigStartUp-BLOG - c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL
MSConfigStartUp-EZEJMNAP - c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
MSConfigStartUp-PWRMGRTR - c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
MSConfigStartUp-TPKMAPHELPER - c:\program files\ThinkPad\Utilities\TpKmapAp.exe
MSConfigStartUp-UpdateManager - c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
AddRemove-Ad-Aware SE Personal - c:\progra~1\Lavasoft\AD-AWA~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 00:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2135978963-2117337748-3787718861-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\EntApi.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-02 00:34:42
ComboFix-quarantined-files.txt 2010-06-02 04:34

Pre-Run: 22,151,372,800 bytes free
Post-Run: 22,168,875,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 4A756C2A04A57258646E5AF1925BE211



#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:56 PM

Posted 03 June 2010 - 01:17 AM

Hello taranta babu

QUOTE
They might be identical; however to be on the safe side I am including both below.

The two logs are indeed identical. Should this behavior repeat, you need only include one. smile.gif

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

DDS::
uInternet Settings,ProxyServer =


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix log
How is the computer running now?

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#7 taranta babu

taranta babu
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 03 June 2010 - 08:42 AM

Hello and thank you Blade, here is the new file. I just restarted the computer and it seem to be working fine. one of the problems earlier on was inability to connect to internet using google or iexplorer. it I am not sure if the problem was related to fqp.. or asam.exe or something else. but now the PC seem to be working and connecting well. As you might gather I am writing these from another PC. Do you think I should run similar tests on this one?

best,

----------------------------------------
ComboFix 10-06-02.04 - safa 06/03/2010 9:05.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1254.90.1033.18.510.258 [GMT -4:00]
Running from: c:\documents and settings\safa\Desktop\renamed.exe
Command switches used :: c:\documents and settings\safa\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-02 04:21 . 2010-06-02 04:34 -------- d-----w- C:\renamed
2010-05-23 17:11 . 2010-05-23 17:11 503808 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bfb9336-n\msvcp71.dll
2010-05-23 17:11 . 2010-05-23 17:11 61440 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5170aac9-n\decora-sse.dll
2010-05-23 17:11 . 2010-05-23 17:11 499712 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bfb9336-n\jmc.dll
2010-05-23 17:11 . 2010-05-23 17:11 348160 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bfb9336-n\msvcr71.dll
2010-05-23 17:11 . 2010-05-23 17:11 12800 ----a-w- c:\documents and settings\safa\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5170aac9-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 18:39 . 2010-01-31 23:46 -------- d-----w- c:\documents and settings\safa\Application Data\ZoomBrowser EX
2010-05-26 18:37 . 2010-01-31 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-05-19 14:07 . 2008-09-06 18:18 -------- d-----w- c:\documents and settings\safa\Application Data\Skype
2010-05-16 23:20 . 2010-04-26 12:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-12 16:30 . 2008-08-27 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-23 02:13 . 2010-04-23 02:13 -------- d-----w- c:\program files\Common Files\Java
2010-03-11 12:38 . 1980-01-01 08:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 1980-01-01 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 1980-01-01 08:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 1980-01-01 08:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2006-06-01 20:02 . 2006-02-23 12:09 77408 ----a-w- c:\program files\COMPUTUS.EXE
2006-05-11 22:24 . 2006-05-11 21:29 88 --sh--r- c:\windows\system32\752A45A96B.sys
2006-05-11 22:24 . 2006-05-11 21:25 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-06-02_04.31.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-02 18:21 . 2010-06-02 18:21 16384 c:\windows\Temp\Perflib_Perfdata_700.dat
+ 2008-02-13 12:55 . 2010-06-02 04:57 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 c:\windows\system32\Macromed\Flash\FlashUtil10e.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-8-23 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-14 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 03:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 00:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-01-22 01:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-09-02 09:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-17 12:46 133104 ----atw- c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-25 18:56 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-02-14 18:16 512000 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
2002-10-09 02:28 40960 ----a-w- c:\windows\system32\TpScrLk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2796:UDP"= 2796:UDP:Windows Media Format SDK (napster.exe)
"2797:UDP"= 2797:UDP:Windows Media Format SDK (napster.exe)

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2/3/2006 12:55 PM 58464]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [10/24/2008 12:09 PM 102400]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1/1/1980 4:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:00 PM 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/29/2009 9:37 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 03:00]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 03:00]

2010-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2135978963-2117337748-3787718861-1005Core.job
- c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 12:46]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2135978963-2117337748-3787718861-1005UA.job
- c:\documents and settings\safa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {D5D17C21-1719-4640-B0B2-4F3262419920} - hxxps://www.isbank.com.tr/Internet/lib/JaguarEdit4ISB.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 09:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2135978963-2117337748-3787718861-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\notifyf2.dll

- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\EntApi.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1468)
c:\windows\system32\WININET.dll
c:\windows\system32\EntApi.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-03 09:16:13
ComboFix-quarantined-files.txt 2010-06-03 13:16
ComboFix2.txt 2010-06-02 04:34

Pre-Run: 22,174,756,864 bytes free
Post-Run: 22,153,510,912 bytes free

- - End Of File - - DB1F53109A94248F3422EFDB7CD9E5A0



#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:56 PM

Posted 04 June 2010 - 03:22 PM

Hello taranta babu.

Glad to hear things are working better.

Just a bit more to do here.
  • Click on Start>Run
  • Now type combofix /Uninstall in the runbox and click OK. Notice the space between the "x" and "/".
  • You will then recieve a message letting you know that Combofix was uninstalled Successfully.
This will remove files/folders assoicated with combofix and uninstall it.

***************************************************

Your machine appears to be clean!

If you disabled emulation drivers earlier, you can re-enable them now if you wish:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

***************************************************

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfectionI recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programs in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation, is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one of them (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade

Edited by Blade Zephon, 04 June 2010 - 03:22 PM.

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#9 taranta babu

taranta babu
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 09 June 2010 - 07:23 AM

Thank you Blade for very helpful and selfless work. This is a wonderful site and I will be sure to mention it to anyone who is encountering issues with their computers.


#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:09:56 PM

Posted 10 June 2010 - 12:50 AM

Glad I could help thumbup.gif

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users