Antivir / fraud.sysguard



RobinsonCano
2010-08-01, 05:18
Last night my computer went crazy with these Antivir popups, making it sound like my computer was being attacked. It was a bit crazy, but these were the steps I took with help from a friend.

Tried Spybot; it was blocked.
Turned the computer off.
Turned it back on.
Hit F8 like crazy.
Entered Safe Mode.
Ran Spybot, where it found and fixed fraud.sysguard.
Restarted the computer back in normal (?) mode.
Firefox was blocked by a proxy server.
I switched that setting back via a Google search.
Downloaded and ran Malwarebytes.
It found 3 things and quarantined them.

While everything seems to be running fine, I can't help but wonder if it's still there, if my computer is being monitored, and if my keystrokes are being logged or something.

I've read the sticky thread and I think I've done everything that was asked correctly. Here goes....



Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.116 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Documents and Settings\Administrator.N09110003\Desktop\dds.com

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.intranetbbva.com/es/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
mPolicies-system: MaxGPOScriptWait = 1200 (0x4b0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: laley.es\laleydigital
Trusted Zone: laleydigital.es\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {6FBA1221-C10B-5373-C69D-12A6577D9995} - c:\windows\system32:csrsc.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.n09\applic~1\mozilla\firefox\profiles\up2f9avd.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-6-2 59904]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-6-2 98304]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2007-1-18 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2007-1-18 29184]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2008-6-2 117024]

=============== Created Last 30 ================

2010-07-31 07:12:50 0 d-----w- c:\docume~1\admini~1.n09\applic~1\Malwarebytes
2010-07-31 07:12:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 07:12:31 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-07-31 07:12:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 07:12:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 06:38:35 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-31 06:04:05 0 d-----w- c:\windows\pss
2010-07-08 22:44:32 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-08 22:44:32 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-07 21:12:57 0 d-----w- c:\program files\Webteh
2010-07-04 17:08:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-04 17:08:28 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-04 17:08:26 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-04 17:08:26 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-03 17:28:04 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-03 17:28:04 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-07-02 18:35:24 0 d-----w- c:\documents and settings\administrator.n09110003\Tracing
2010-07-02 18:23:19 0 d-----w- c:\program files\Microsoft
2010-07-02 18:23:00 0 d-----w- c:\program files\Windows Live SkyDrive
2010-07-02 18:19:45 0 d-----w- c:\program files\common files\Windows Live
2010-07-02 18:07:35 0 d-----w- c:\docume~1\alluse~1.win\applic~1\AIM
2010-07-02 18:07:07 0 d-----w- c:\program files\AIM
2010-07-02 18:07:03 0 d-----w- c:\program files\common files\Software Update Utility
2010-07-02 18:06:58 0 d-----w- c:\program files\common files\AOL
2010-07-02 18:06:04 451 ---ha-w- C:\IPH.PH

==================== Find3M ====================

2007-11-22 03:26:02 3917824 --sha-r- c:\windows\system32\ntlfs.sys

============= FINISH: 22:06:37.90 ===============
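As an added illustration (not part of the original thread or of the DDS tool), here is a small Python triage script that runs over lines in the shape of the "Pseudo HJT Report" above and flags the three indicators a helper would pick out: a browser proxy pointing at the loopback address, an autostart entry whose path is an NTFS alternate data stream, and a Hosts override of a security site. The sample lines are constructed for the example, reusing a few values from the log above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of a DDS "Pseudo HJT Report", mirroring the
# kinds of entries in the log above (a benign BHO and Run entry are included
# for contrast; they must not be flagged).
SAMPLE_HJT = """\
mDefault_Page_URL = hxxp://intranet.example.test/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\\progra~1\\spybot~1\\SDHelper.dll
mRun: [igfxtray] c:\\windows\\system32\\igfxtray.exe
mASetup: {6FBA1221-C10B-5373-C69D-12A6577D9995} - c:\\windows\\system32:csrsc.exe
Hosts: 127.0.0.1 www.spywareinfo.com
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag for the class of indicator
    line: str    # the DDS line that triggered it
    detail: str  # what a helper would point out to the poster


PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$")
# A drive-letter path whose tail carries a second colon is an NTFS alternate
# data stream, e.g. c:\windows\system32:csrsc.exe (a stream attached to the
# system32 directory itself, invisible to Explorer and to a plain "dir").
ADS_PATH_RE = re.compile(r"\b[a-z]:\\\S*?:(?P<stream>[^\\\s:]+)", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")


def _is_loopback(host: str) -> bool:
    """True for 'localhost' or any 127.0.0.0/8 address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_proxy(line: str) -> Optional[Finding]:
    """Flag a ProxyServer value that sends browser traffic to the local machine."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    # The value is either "host:port" or a list like "http=host:port;https=host:port".
    for entry in m.group(1).split(";"):
        hostport = entry.split("=", 1)[-1].strip()
        host, _, port = hostport.rpartition(":")
        if _is_loopback(host or hostport):
            return Finding("loopback-proxy", line,
                           f"browser traffic is routed through a local proxy on port {port}; "
                           "no legitimate listener on that port appears in the log")
    return None


def check_ads(line: str) -> Optional[Finding]:
    """Flag an autostart or install entry whose target lives in an alternate data stream."""
    m = ADS_PATH_RE.search(line)
    if not m:
        return None
    return Finding("ads-autostart", line,
                   f"target is the alternate data stream '{m.group('stream')}', "
                   "which Explorer and dir will not list")


def check_hosts(line: str) -> Optional[Finding]:
    """Flag a Hosts entry that pins a non-localhost name to a fixed address."""
    m = HOSTS_RE.match(line)
    if not m or m.group("name").lower() == "localhost":
        return None
    return Finding("hosts-override", line,
                   f"{m.group('name')} is pinned to {m.group('ip')}, "
                   "blocking or redirecting that site")


CHECKS = (check_proxy, check_ads, check_hosts)


def triage(report: str) -> list:
    """Run every check over every line and collect the hits in report order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.kind}] {f.line}\n    -> {f.detail}")
```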

JonTom
2010-08-01, 19:54
Hello RobinsonCano, and welcome.

My name is JonTom.

Malware Logs can sometimes take a lot of time to research and interpret.

Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

PLEASE NOTE: If you do not reply after 5 days your thread will be closed.



Before we begin I would like to take a closer look at your system.


Please scan your system with GMER


Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please post the GMER log in your next reply.

If you encounter any difficulties just come back and let me know.

RobinsonCano
2010-08-01, 22:50
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-01 16:49:19
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.N09\LOCALS~1\Temp\pxliypog.sys


---- System - GMER 1.0.15 ----

SSDT 815A9109 ZwCreateThread

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] USER32.dll!TrackPopupMenu 7E4650EE 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2824] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)

---- EOF - GMER 1.0.15 ----

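Something worth knowing when reading the user-mode part of this GMER log: every ".text ... 5 Bytes JMP ..." line is an inline hook, a 5-byte jump patched over the start of an exported API, and what matters is not the hook itself but where the jump lands. In this log every hook in the system processes resolves to EntApi.dll (McAfee) and the two Firefox hooks resolve to xul.dll and firefox.exe, which is the expected picture for a machine running McAfee VirusScan and Firefox. A hook whose target GMER cannot attribute to any module, or attributes to a module in a temp or profile directory, is what you would actually chase. The following script is an added example (not code from the post, the forum or GMER): it parses hook lines in GMER's format, groups them by the module owning the target, and flags anything outside an allowlist. The first four sample lines copy lines from the posted log; the last two are constructed to show what an unattributed hook and an unknown-module hook look like, and the allowlist itself is an assumption you would tailor to the machine.

```python
"""Triage the user-mode hook lines ('.text ... N Bytes JMP ...') of a GMER log.

Added example, not from the forum post or from GMER.  The vendor string in
parentheses comes from the hooking file's own version resource, so it is a
label, not proof of who wrote the file; the allowlist below is a heuristic.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One GMER user-mode hook record, e.g.
# .text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
# The hooking module path and the "(description/vendor)" suffix are optional:
# GMER omits them when the jump target is not inside any loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<hooker>.+?)(?:\s+\((?P<vendor>[^)]*)\))?)?\s*$",
    re.IGNORECASE,
)

# Constructed sample: lines 1-4 are copied from the posted log, lines 5-6 are
# invented (an unattributed hook, and a hook into a DLL under a temp folder).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2824] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\Explorer.EXE[2844] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00A6000B
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!HttpSendRequestA 771D2C3D 5 Bytes JMP 00B8012A C:\Documents and Settings\user\Local Settings\Temp\example.dll
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
"""

# Assumed allowlist for this machine: the AV's hooking DLL plus Firefox's own
# self-hooks seen in the log.  Adjust per host; it is a heuristic, not a rule.
TRUSTED_HOOKERS = ["EntApi.dll", "xul.dll", "firefox.exe"]


def parse_hooks(log_text):
    """Return one dict per hook line; non-hook lines (devices, headers) are skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["size"] = int(rec["size"])
        rec["api"] = f"{rec['module']}!{rec['func']}"
        # Basename of the module owning the jump target, or None if GMER
        # could not attribute the target to any module.
        rec["hooker_name"] = (
            PureWindowsPath(rec["hooker"]).name.lower() if rec["hooker"] else None
        )
        hooks.append(rec)
    return hooks


def triage(hooks, allowlist):
    """Split hooks into trusted / unattributed / unknown_module by target owner."""
    allowed = {name.lower() for name in allowlist}
    verdicts = {"trusted": [], "unattributed": [], "unknown_module": []}
    for h in hooks:
        if h["hooker_name"] is None:
            verdicts["unattributed"].append(h)      # jump lands outside any module
        elif h["hooker_name"] in allowed:
            verdicts["trusted"].append(h)
        else:
            verdicts["unknown_module"].append(h)    # module not on the allowlist
    return verdicts


def summarize(hooks):
    """Map each hooking module to the sorted set of APIs it patches."""
    by_hooker = defaultdict(set)
    for h in hooks:
        by_hooker[h["hooker_name"] or "<no module>"].add(h["api"])
    return {k: sorted(v) for k, v in by_hooker.items()}


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    result = triage(parsed, TRUSTED_HOOKERS)
    for bucket in ("unattributed", "unknown_module"):
        for h in result[bucket]:
            print(f"{bucket:15} {h['process']}[{h['pid']}] {h['api']} -> "
                  f"{h['target']} {h['hooker'] or ''}")
    for owner, apis in summarize(parsed).items():
        print(f"{owner}: {', '.join(apis)}")
```

Running it on the full posted log with that allowlist leaves the unattributed and unknown_module buckets empty, which is consistent with the helper's reading that nothing in the GMER output points at a rootkit. The summary view is the more useful part in practice: a single module hooking VirtualProtect, LoadLibraryA, GetProcAddress, the Winsock send/recv pair and the WinINet functions in every process is exactly the footprint of an AV's user-mode layer, and the same footprint owned by an unsigned DLL in a profile directory would be the footprint of a banking trojan.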
JonTom
2010-08-01, 23:34
Hello RobinsonCano

Thank you for the GMER log.

Is this a networked company machine? Please let me know.


downloaded and ran malwarebtyes.
it found 3 things and quarantined them.

Please post the MBAM log that was produced when you scanned your machine (You can find it by opening MBAM and clicking on the "Logs" tab).

RobinsonCano
2010-08-01, 23:44
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4373

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/31/2010 2:47:24 AM
mbam-log-2010-07-31 (02-47-24).txt

Scan type: Full scan (C:\|)
Objects scanned: 271725
Time elapsed: 31 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator.N09110003\Local Settings\Temporary Internet Files\Content.IE5\F1MR971W\7781ad[2].exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\u085950.RDEXBBVA\Application Data\sdra64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AD8F9D70-CF7E-4526-8105-3467FD234E0C}\RP156\A0042054.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.

JonTom
2010-08-02, 00:11
Hello RobinsonCano

Thank you for the log.

Please work your way through the following steps:


Combofix


Download ComboFix from one of the following locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

RobinsonCano
2010-08-02, 01:02
ComboFix 10-07-31.04 - Administrator 08/01/2010 18:50:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.177 [GMT -5:00]
Running from: c:\documents and settings\Administrator.N09110003\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\AutoRun.inf

----- BITS: Possible infected sites -----

hxxp://S8091S05:80
.
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-08-01 03:00 . 2010-08-01 03:01 -------- d-----w- c:\program files\ERUNT
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\Malwarebytes
2010-07-31 07:12 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-07-31 07:12 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 06:38 . 2010-07-31 06:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-31 05:24 . 2010-07-31 06:57 -------- d-----w- c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu
2010-07-28 00:59 . 2010-07-28 01:02 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\Winamp
2010-07-28 00:59 . 2010-07-28 00:59 -------- d-----w- c:\program files\Winamp
2010-07-08 22:44 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-08 22:44 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-07 21:12 . 2010-07-07 21:12 -------- d-----w- c:\program files\Webteh
2010-07-04 17:08 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-04 17:08 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-04 17:08 . 2004-08-04 03:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-04 17:08 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-03 17:28 . 2010-07-03 17:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-07-03 17:28 . 2010-07-03 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 18:34 . 2010-07-02 18:19 47032 ----a-w- c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 18:23 . 2010-07-02 18:23 -------- d-----w- c:\program files\Microsoft
2010-07-02 18:23 . 2010-07-02 18:22 -------- d-----w- c:\program files\Windows Live
2010-07-02 18:23 . 2010-07-02 18:23 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-07-02 18:19 . 2010-07-02 18:19 -------- d-----w- c:\program files\Common Files\Windows Live
2010-07-02 18:09 . 2010-07-02 18:08 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\acccore
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\program files\AIM
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-07-02 18:06 . 2010-07-02 18:06 -------- d-----w- c:\program files\Common Files\AOL
2010-07-02 18:00 . 2010-07-02 18:00 -------- d-----w- c:\program files\Google
2010-07-01 22:36 . 2010-07-01 22:36 0 ----a-w- c:\windows\nsreg.dat
2007-11-22 03:26 . 2008-09-18 21:05 3917824 --sha-r- c:\windows\system32\ntlfs.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-06-19 101144]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-06-19 84760]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-06-19 125720]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 98304]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-03 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-03 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-03 49202]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-03 20480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UpdaterUI.exe" [2006-10-30 131072]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 1200 (0x4b0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logoff\0\0]
"Script"=\\BBVA_PANAMA.local\NETLOGON\fondo.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logon\0\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\Doc_Escaneados.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logon\1\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\BT-DSP.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15767\Scripts\Logoff\0\0]
"Script"=\\BBVA_PANAMA.local\NETLOGON\fondo.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15767\Scripts\Logon\0\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\BT-DSP.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [6/2/2008 8:31 PM 59904]
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\At1.job
- c:\windows\System32\Reinicio.exe [2009-03-23 16:26]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: laley.es\laleydigital
Trusted Zone: laleydigital.es\www
FF - ProfilePath - c:\documents and settings\Administrator.N09110003\Application Data\Mozilla\Firefox\Profiles\up2f9avd.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{6FBA1221-C10B-5373-C69D-12A6577D9995} - c:\windows\system32:csrsc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 18:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\EntApi.dll
.
Completion time: 2010-08-01 19:00:42
ComboFix-quarantined-files.txt 2010-08-02 00:00

Pre-Run: 36,936,237,056 bytes free
Post-Run: 37,023,821,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3E5C2B8B7A44C230E6CA9DBBDEAC9820

JonTom
2010-08-02, 08:51
Hello RobinsonCano

Thank you for the log.


Please work through the following steps


Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").

NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.

Copy and Paste the text in the quotebox below into the open Notepad window:


DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
Trusted Zone: laley.es\laleydigital
Trusted Zone: laleydigital.es\www

AtJob::

DirLook::
c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu




Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.

Close any open browsers.

Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Referring to the picture below, drag CFScript.txt into ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif



When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Once the log is produced, re-engage your resident anti virus.



Please make all files and folders VISIBLE:


Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
Choose to "Show hidden files and folders."
Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
Close the window with "OK".



Please scan the following files


Please visit Virus Total by clicking here. (http://www.virustotal.com/)
Click the Browse button and search for the following file (if present): c:\windows\System32\Reinicio.exe
Click Open.
Then click Send File.
Please be patient while the file is scanned.
If Virus Total tells you that the file has already been scanned, click "reanalyse now".

Once the scan results appear, copy and paste them into Notepad and repeat the procedure for the following file(s):

c:\windows\system32\ntlfs.sys


Please provide the ComboFix log and the Virus total Scan results in your next reply.

NOTE: You may need to make more than one post to fit all of the information in.
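
As an added example (not ComboFix's own code and not the helper's script), the following Python triages a ComboFix-style log for the kinds of entries the CFScript above targets: the loopback IE proxy, the Trusted Zone additions, the At job and the binary it runs, the alternate-data-stream orphan, and hidden+system files in System32. The sample log lines are constructed from entries posted in this thread; the reading of the attribute column ('s' = system, 'h' = hidden) is an assumption about the log format.

```python
"""Triage a ComboFix-style log for the entries a malware-removal helper reviews.

Added example for this thread: it is not ComboFix's own code and not the
helper's script. It scans the text ComboFix prints (Scheduled Tasks,
Supplementary Scan, Orphans, Files Created / Find3M sections) and flags the
kinds of entries the CFScript above targets.
"""
import re
from dataclasses import dataclass

# Constructed sample: log lines taken from the ComboFix output posted in this thread.
SAMPLE_LOG = """\
2010-07-31 c:\\windows\\Tasks\\At1.job
- c:\\windows\\System32\\Reinicio.exe [2009-03-23 16:26]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
Trusted Zone: laley.es\\laleydigital
FF - prefs.js: network.proxy.type - 0
ActiveSetup-{6FBA1221-C10B-5373-C69D-12A6577D9995} - c:\\windows\\system32:csrsc.exe
2007-11-22 03:26 . 2008-09-18 21:05 3917824 --sha-r- c:\\windows\\system32\\ntlfs.sys
2010-07-08 22:44 . 2004-08-04 05:56 21504 ----a-w- c:\\windows\\system32\\hidserv.dll
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str
    detail: str


LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
ATJOB_RE = re.compile(r"(c:\\windows\\tasks\\at\d+\.job)\s*$", re.I)
ATJOB_TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[")  # "- <target> [date]"
# A second colon after the drive letter means an NTFS alternate data stream.
ADS_RE = re.compile(r"([a-z]:\\[^\s:]+:[^\s\\]+)", re.I)
# "<created> . <modified> <size> <attrs> <path>" as printed in Files Created / Find3M;
# in the attribute column 's' marks system and 'h' hidden (assumption about the log format).
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\d+|-+)\s+([-a-z]{8})\s+(.+)$"
)


def proxy_host(value: str) -> str:
    """'http=127.0.0.1:5643' -> '127.0.0.1'; 'proxy.example:8080' -> 'proxy.example'."""
    target = value.split("=")[-1]
    return target.rsplit(":", 1)[0].strip("[]")


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = PROXY_RE.match(line)
        if m:
            if proxy_host(m.group(1)) in LOOPBACK:
                # Rogue AV installs commonly route IE through a local listener they control.
                findings.append(Finding("high", "loopback-proxy",
                                        f"IE traffic routed through a local listener: {m.group(1)}"))
            else:
                findings.append(Finding("low", "proxy-set", f"proxy configured: {m.group(1)}"))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append(Finding("low", "trusted-zone", f"site in IE Trusted Zone: {m.group(1)}"))
            continue
        m = ATJOB_RE.search(line)
        if m:
            target = "?"
            if i + 1 < len(lines):
                t = ATJOB_TARGET_RE.match(lines[i + 1])
                if t:
                    target = t.group(1)
            # At jobs run as SYSTEM; a non-Microsoft binary in System32 deserves a VirusTotal check.
            findings.append(Finding("medium", "at-job", f"{m.group(1)} runs {target} as SYSTEM"))
            continue
        m = ADS_RE.search(line)
        if m:
            findings.append(Finding("high", "alternate-data-stream",
                                    f"autostart points at an ADS: {m.group(1)}"))
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            if "s" in attrs and "h" in attrs and path.lower().startswith("c:\\windows\\system32"):
                findings.append(Finding("medium", "hidden-system-file",
                                        f"{path} ({size} bytes, attrs {attrs}): verify it is a valid, signed PE"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

The hidden-system-file check is why a VirusTotal 0/42 result is not the end of the story: the ntlfs.sys entry above is 3.9 MB, hidden, system and read-only, and the scan below identifies it as MP3 data rather than a PE driver, which is what to look at next.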

RobinsonCano
2010-08-02, 14:44
Good morning. Something I started to notice today: this computer has this McAfee VirusScan Enterprise program, and it wasn't listed on the link you sent me. And something as simple as right-clicking it in the task bar doesn't work. I have figured out how to disable it so that it's not on at restart. It's a checkbox that I uncheck and hit apply. And while that works, for some reason after a few minutes I see that it enables itself. Sometimes halfway through whatever it is you asked me to.

RobinsonCano
2010-08-02, 14:46
Ignore last post. I think I've figured it out. Gonna do step 1 (the drag and drop again).

RobinsonCano
2010-08-02, 14:50
Yeah, that didn't work either. It enables itself after a few minutes. Do I continue?

JonTom
2010-08-02, 20:48
Hello RobinsonCano


for some reason after a few minutes I see that it enables itself

This is related to the Corporate Version of McAfee that your laptop has installed. It is specifically designed only to allow very short disable times so as to maintain the security/integrity of business servers etc.


the laptop belonged to BBVA. whenever they get new ones, they take the old ones and 'wipe them clean' and donate them to different schools, charities, etc. I got one of the donated ones recently.

It looks as though the company did not remove the installed Corporate security program. As this is the corporate edition, and since this machine was donated to you, it is very likely that the security program is no longer supported/kept up to date (unless you have an active subscription). As for how to disable the program for extended periods of time, ordinarily this would be done by the system administrator (the company IT department). As this machine has been donated to you this option is not available.

Given that you are now using this machine for home computing you would be better off with an AV and Firewall designed specifically for your needs. I can provide links to free software that is both reliable and trustworthy should you wish to uninstall the current program (probably best, and it would certainly give you more control over what it does and when). Please let me know.


sometimes halfway through whatever it is you asked me to.

Did ComboFix complete its run when McAfee re-enabled itself? Was a log produced? Please check at C:\ComboFix.txt

RobinsonCano
2010-08-02, 21:30
Yeah, I tried to update the definitions on that VirusScan; it never seems to work or fully download. The definitions are 16 months old. Seems the computer was just sitting around for a while. So I'm OK uninstalling it if it helps our cause.

RobinsonCano
2010-08-02, 21:33
Did ComboFix complete its run when McAfee re-enabled itself? Was a log produced? Please check at C:\ComboFix.txt

Step 1 from your last instructions, the drag and drop. Yes.

ComboFix 10-07-31.04 - Administrator 08/02/2010 8:31.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.251 [GMT -5:00]
Running from: c:\documents and settings\Administrator.N09110003\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.N09110003\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
.

2010-08-01 03:00 . 2010-08-01 03:01 -------- d-----w- c:\program files\ERUNT
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\Malwarebytes
2010-07-31 07:12 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-07-31 07:12 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 06:38 . 2010-07-31 06:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-31 05:24 . 2010-07-31 06:57 -------- d-----w- c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu
2010-07-28 00:59 . 2010-07-28 01:02 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\Winamp
2010-07-28 00:59 . 2010-07-28 00:59 -------- d-----w- c:\program files\Winamp
2010-07-08 22:44 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-08 22:44 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-07 21:12 . 2010-07-07 21:12 -------- d-----w- c:\program files\Webteh
2010-07-04 17:08 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-04 17:08 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-04 17:08 . 2004-08-04 03:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-04 17:08 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-03 17:28 . 2010-07-03 17:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-07-03 17:28 . 2010-07-03 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 18:34 . 2010-07-02 18:19 47032 ----a-w- c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 18:23 . 2010-07-02 18:23 -------- d-----w- c:\program files\Microsoft
2010-07-02 18:23 . 2010-07-02 18:22 -------- d-----w- c:\program files\Windows Live
2010-07-02 18:23 . 2010-07-02 18:23 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-07-02 18:19 . 2010-07-02 18:19 -------- d-----w- c:\program files\Common Files\Windows Live
2010-07-02 18:09 . 2010-07-02 18:08 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\acccore
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\program files\AIM
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-07-02 18:06 . 2010-07-02 18:06 -------- d-----w- c:\program files\Common Files\AOL
2010-07-02 18:00 . 2010-07-02 18:00 -------- d-----w- c:\program files\Google
2010-07-01 22:36 . 2010-07-01 22:36 0 ----a-w- c:\windows\nsreg.dat
2007-11-22 03:26 . 2008-09-18 21:05 3917824 --sha-r- c:\windows\system32\ntlfs.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-06-19 101144]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-06-19 84760]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-06-19 125720]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 98304]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-03 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-03 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-03 49202]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-03 20480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UpdaterUI.exe" [2006-10-30 131072]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 1200 (0x4b0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logoff\0\0]
"Script"=\\BBVA_PANAMA.local\NETLOGON\fondo.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logon\0\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\Doc_Escaneados.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logon\1\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\BT-DSP.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15767\Scripts\Logoff\0\0]
"Script"=\\BBVA_PANAMA.local\NETLOGON\fondo.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15767\Scripts\Logon\0\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\BT-DSP.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [6/2/2008 8:31 PM 59904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator.N09110003\Application Data\Mozilla\Firefox\Profiles\up2f9avd.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 08:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\EntApi.dll
.
Completion time: 2010-08-02 08:40:17
ComboFix-quarantined-files.txt 2010-08-02 13:40
ComboFix2.txt 2010-08-02 00:00

Pre-Run: 37,064,454,144 bytes free
Post-Run: 37,004,247,040 bytes free

- - End Of File - - 905D997DD0D8EC9E82E8C17FF9557CD8

JonTom
2010-08-02, 22:22
Hello RobinsonCano

Thank you for the ComboFix log.

Please DO NOT surf the web until you have a new AV and Firewall installed <===== Very Important!

If you have uninstalled McAfee, please run the following tool and continue with the steps below before scanning the files at Virus Total:


Download and run the McAfee Removal Tool


I can see that you have remnants of McAfee present on your system. To remove these, please do the following:
Download the McAfee Removal Tool by clicking here (http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe) and save the file (called MCPR.exe) to your desktop.
Double click on MCPR.exe to run the removal tool.
Once you receive the "Cleanup Successful" message, restart your computer.


For more information about this removal tool please click here. (http://service.mcafee.com/FAQDocument.aspx?id=TS100507)



Security programs



You can find links to three trusted programs below (just choose 1).



Avast! (http://www.avast.com/free-antivirus-download)
Avira AntiVir (http://www.free-av.com/)
MicroSoft Security Essentials (http://www.microsoft.com/security_essentials/)



For a free Firewall you could try the following:
Comodo Personal Firewall (http://www.comodo.com/home/download/download.php?prod=firewall)
NOTE: If you use a Third Party AntiVirus, make sure you uncheck the option to install Comodo AntiVirus when you install Comodo Firewall.



IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system.


Once you have installed the AV, update the program, then continue with the VirusTotal scans.

If you run into any problems just come back and let me know.

RobinsonCano
2010-08-02, 23:41
OK, just so I have this straight before I proceed.

1. Uninstall McAfee.
2. McAfee removal tool.
3. New AV. I'm going with Microsoft Security Essentials.
4. New firewall. Comodo.
5. Then go back to the previous post and do numbers 2 and 3 there.

Correct?

P.S. I appreciate you being so patient with me.

JonTom
2010-08-02, 23:52
:bigthumb:

You can of course choose whichever AV/Firewall you prefer (I was just providing a few suggestions but there are many more available).


I appreciate you being so patient with me.

No problem RobinsonCano :)

RobinsonCano
2010-08-02, 23:53
:bigthumb:

You can of course choose whichever AV/Firewall you prefer (I was just providing a few suggestions but there are many more available).



No problem RobinsonCano :)

I'm honestly going with what you provided 'cause I don't know any better. :/

RobinsonCano
2010-08-03, 00:12
Hit a snag. I did Add/Remove Programs and removed McAfee VirusScan Enterprise.

McAfee removal tool says "McAfee Enterprise software detected. Cannot continue. Please contact McAfee technical support."

RobinsonCano
2010-08-03, 00:33
Does this help?

http://service.mcafee.com/FAQDocument.aspx?id=TS100376&lc=1033

JonTom
2010-08-03, 00:58
Hello RobinsonCano

I think the link you provided concerns programs that interfere with McAfee installations rather than running the removal tool itself.

If you have uninstalled the program through Add/Remove programs go ahead and try the AV/Firewall installation.

If you still run into problems let me know, but it is late here now so I will get back to you tomorrow.

RobinsonCano
2010-08-03, 01:03
OK. Will do. Thanks.

RobinsonCano
2010-08-03, 05:29
A progress update.

I got Microsoft Security Essentials up and running. The initial definitions update was really slow going, but it seems simple enough to use. Currently got real-time protection running, which is similar to TeaTimer? We might have to fiddle with the settings later.

Also got Comodo Firewall up and running. I did the firewall only, nothing else. This is the correct action, right? I have no idea how to use this or how to set it up properly, but it's running.

Computer gets really slow at times. Task Manager shows some crazy numbers with svchost.exe. :/

Off to do the rest.

RobinsonCano
2010-08-03, 07:14
First VirusTotal scan.

Antivirus Version Last Update Result
AhnLab-V3 2010.08.03.00 2010.08.03 -
AntiVir 8.2.4.32 2010.08.02 -
Antiy-AVL 2.0.3.7 2010.08.02 -
Authentium 5.2.0.5 2010.08.03 -
Avast 4.8.1351.0 2010.08.02 -
Avast5 5.0.332.0 2010.08.02 -
AVG 9.0.0.851 2010.08.03 -
BitDefender 7.2 2010.08.03 -
CAT-QuickHeal 11.00 2010.08.02 -
ClamAV 0.96.0.3-git 2010.08.03 -
Comodo 5626 2010.08.03 -
DrWeb 5.0.2.03300 2010.08.03 -
Emsisoft 5.0.0.34 2010.07.30 -
eSafe 7.0.17.0 2010.08.02 -
eTrust-Vet 36.1.7757 2010.08.02 -
F-Prot 4.6.1.107 2010.08.03 -
F-Secure 9.0.15370.0 2010.08.03 -
Fortinet 4.1.143.0 2010.08.02 -
GData 21 2010.08.03 -
Ikarus T3.1.1.84.0 2010.08.03 -
Jiangmin 13.0.900 2010.08.01 -
Kaspersky 7.0.0.125 2010.08.03 -
McAfee 5.400.0.1158 2010.08.03 -
McAfee-GW-Edition 2010.1 2010.08.02 -
Microsoft 1.6004 2010.08.02 -
NOD32 5335 2010.08.02 -
Norman 6.05.11 2010.08.02 -
nProtect 2010-08-02.02 2010.08.02 -
Panda 10.0.2.7 2010.08.02 -
PCTools 7.0.3.5 2010.08.03 -
Prevx 3.0 2010.08.03 -
Rising 22.59.01.01 2010.08.03 -
Sophos 4.56.0 2010.08.03 -
Sunbelt 6677 2010.08.03 -
SUPERAntiSpyware 4.40.0.1006 2010.08.03 -
Symantec 20101.1.1.7 2010.08.03 -
TheHacker 6.5.2.1.328 2010.07.30 -
TrendMicro 9.120.0.1004 2010.08.03 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.03 -
VBA32 3.12.12.7 2010.08.02 -
ViRobot 2010.8.3.3968 2010.08.03 -
VirusBuster 5.0.27.0 2010.08.02 -
Additional information
File size: 32768 bytes
MD5...: f467fe72baceea180a782824fda01097
SHA1..: 6081325064b98baa293b7536cf14dbe6ad875583
SHA256: ca25e29e6ba0f687d4bd24054425d6e2de3381c5fce47f0804358f3a744d70b7
ssdeep: 192:BNpmcZOKoBfXI02vH22tKRg+NGIV/Rax1AGKhuBgkAh3HglTAfr41iI:LpJZ1oJb2HZtKtNGIV/e6ygalmr41iI
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14bc
timedatestamp.....: 0x473338c8 (Thu Nov 08 16:26:48 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x46d0 0x5000 4.85 5d6a7ea97978b1233b6bd8234a5c1307
.data 0x6000 0x9fc 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x7000 0x8e8 0x1000 1.95 2305c4483ae53761a2051fa201c4943f

( 1 imports )
> MSVBVM60.DLL: __vbaVarSub, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, _adj_fprem1, -, __vbaStrCat, -, -, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVargVar, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, -, __vbaFPException, __vbaStrVarVal, __vbaVarCat, __vbaDateVar, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaVarSetVar, -, __vbaLateMemCall, -, __vbaVarDup, __vbaVarLateMemCallLd, __vbaVarCopy, _CIatan, __vbaForEachVar, _allmul, _CItan, -, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Microsoft Visual Basic 6 (90.9%)
Win32 Executable Generic (6.1%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Video Player F.P.
copyright....: n/a
product......: Reinicio
description..: n/a
original name: Reinicio.exe
internal name: Reinicio
file version.: 1.00
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

RobinsonCano
2010-08-03, 07:17
Second VirusTotal scan.

File ntlfs.sys received on 2010.08.03 05:15:57 (UTC)
Result: 0/42 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.08.03.00 2010.08.03 -
AntiVir 8.2.4.32 2010.08.02 -
Antiy-AVL 2.0.3.7 2010.08.02 -
Authentium 5.2.0.5 2010.08.03 -
Avast 4.8.1351.0 2010.08.02 -
Avast5 5.0.332.0 2010.08.02 -
AVG 9.0.0.851 2010.08.03 -
BitDefender 7.2 2010.08.03 -
CAT-QuickHeal 11.00 2010.08.02 -
ClamAV 0.96.0.3-git 2010.08.03 -
Comodo 5626 2010.08.03 -
DrWeb 5.0.2.03300 2010.08.03 -
Emsisoft 5.0.0.34 2010.07.30 -
eSafe 7.0.17.0 2010.08.02 -
eTrust-Vet 36.1.7757 2010.08.02 -
F-Prot 4.6.1.107 2010.08.03 -
F-Secure 9.0.15370.0 2010.08.03 -
Fortinet 4.1.143.0 2010.08.02 -
GData 21 2010.08.03 -
Ikarus T3.1.1.84.0 2010.08.03 -
Jiangmin 13.0.900 2010.08.01 -
Kaspersky 7.0.0.125 2010.08.03 -
McAfee 5.400.0.1158 2010.08.03 -
McAfee-GW-Edition 2010.1 2010.08.02 -
Microsoft 1.6004 2010.08.02 -
NOD32 5335 2010.08.02 -
Norman 6.05.11 2010.08.02 -
nProtect 2010-08-02.02 2010.08.02 -
Panda 10.0.2.7 2010.08.02 -
PCTools 7.0.3.5 2010.08.03 -
Prevx 3.0 2010.08.03 -
Rising 22.59.01.01 2010.08.03 -
Sophos 4.56.0 2010.08.03 -
Sunbelt 6677 2010.08.03 -
SUPERAntiSpyware 4.40.0.1006 2010.08.03 -
Symantec 20101.1.1.7 2010.08.03 -
TheHacker 6.5.2.1.328 2010.07.30 -
TrendMicro 9.120.0.1004 2010.08.03 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.03 -
VBA32 3.12.12.7 2010.08.02 -
ViRobot 2010.8.3.3968 2010.08.03 -
VirusBuster 5.0.27.0 2010.08.02 -
Additional information
File size: 3917824 bytes
MD5...: a2164a9736a0c93b95a9ed667572bec5
SHA1..: f08fb5981cd0d4fc0efbe8733b11bafa8191abcc
SHA256: 7b61a8011a2efa724649ba96dca44b570d1982ad5337a4bfb890b7a93e22eea7
ssdeep: 98304:oFq3lKDzbrbRYoYt5vNaMfb5mJcj7PyLiDI7FtoWlYr:RVKD/Rf0n7P+eI3oWlYr
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set: -
pdfid.: -
trid..: MP3 audio (ID3 v1.x tag) (71.4%)
MP3 audio (28.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


JonTom
2010-08-03, 08:13
Hello RobinsonCano

Thank you for the Scan logs and for the progress update.


"this is the correct action right?" You did it right. Good job!


"computer gets really slow at times." This may be due to the presence of McAfee remnants on your system, or it could be that the new programs draw heavily on system resources.

Let's find out and try to do something about it if we can. Please work your way through the following steps:


Security Check


Please download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe) and save the file (called securitycheck.exe) to your desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply.



Download and run OTL by Oldtimer



Please download OTL by Oldtimer by clicking here (http://oldtimer.geekstogo.com/OTL.exe) and save the file (called OTL.exe) to your desktop.
Close all open windows on your computer then Double click on the OTL.exe icon to run the program.
Check the boxes beside "LOP Check" and "Purity Check".
Under Custom Scan paste this in:



netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT



Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.



When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please Copy and Paste the contents of both files in your next reply. You may need two posts to fit them both in.


Please post the Security Check log and the OTL logs in your next reply.

RobinsonCano
2010-08-03, 14:27
Security Check

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 2
Out of date service pack!! (http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3)
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.1.53.64
Adobe Reader 8.1.2 - Español
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
Microsoft Security Essentials msseces.exe
````````````````````````````````
DNS Vulnerability Check:

``````````End of Log````````````

RobinsonCano
2010-08-03, 15:29
OTL.txt

OTL logfile created on: 8/3/2010 8:34:14 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Administrator.N09110003\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 147.00 Mb Available Physical Memory | 29.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 47.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 34.09 Gb Free Space | 61.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: N09110003
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/03 08:29:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.N09110003\Desktop\OTL.exe
PRC - [2010/07/25 12:46:24 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/25 12:46:13 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/12 11:32:48 | 000,074,752 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Winamp\winampa.exe
PRC - [2010/06/01 19:00:52 | 001,778,480 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2010/06/01 19:00:40 | 002,039,240 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/30 03:06:10 | 000,229,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2006/10/30 03:06:10 | 000,131,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
PRC - [2006/10/30 03:06:10 | 000,098,304 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2006/10/12 03:10:54 | 000,241,775 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
PRC - [2006/10/12 03:10:54 | 000,049,263 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
PRC - [2005/03/18 06:18:56 | 000,098,304 | R--- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
PRC - [2004/10/14 09:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2004/08/04 03:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/08/03 08:29:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.N09110003\Desktop\OTL.exe
MOD - [2010/06/01 19:00:52 | 000,278,288 | ---- | M] (COMODO) -- C:\WINDOWS\system32\guard32.dll
MOD - [2006/08/25 08:45:56 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/04 07:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2010/06/01 19:00:52 | 001,778,480 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2006/10/30 03:06:10 | 000,098,304 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2005/11/14 00:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/04 03:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\kbstuff5.sys -- (kbstuff)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\idisw2km.sys -- (idisw2km)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.N09\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/06/04 11:55:58 | 000,229,312 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2010/06/01 19:00:24 | 000,087,824 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - [2010/06/01 19:00:22 | 000,025,240 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2007/03/01 12:47:48 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2004/11/16 12:46:38 | 000,190,592 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/06/27 02:50:00 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2001/08/17 07:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/27 00:15:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/25 12:46:37 | 000,000,000 | ---D | M]

[2010/07/01 17:37:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.N09110003\Application Data\Mozilla\Extensions
[2010/07/01 17:37:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.N09110003\Application Data\Mozilla\Firefox\Profiles\up2f9avd.default\extensions
[2010/07/01 17:33:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/02 08:37:07 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Aplicación auxiliar de vínculos de Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Client Access Check Version] C:\Program Files\IBM\Client Access\cwbckver.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Express Welcome] C:\Program Files\IBM\Client Access\cwbwlwiz.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Help Update] C:\Program Files\IBM\Client Access\cwbinhlp.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe (IBM Corporation)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UpdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: MaxGPOScriptWait = 1200
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\NPJPI150_09.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.74.166 68.87.68.166
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bbva.igrupobbva
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator.N09110003\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator.N09110003\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/16 10:43:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465059307421696)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/03 08:29:32 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.N09110003\Desktop\OTL.exe
[2010/08/02 23:02:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\COMODO
[2010/08/02 22:44:47 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
[2010/08/02 22:37:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Comodo Downloader
[2010/08/02 22:29:16 | 058,570,184 | ---- | C] (COMODO) -- C:\Documents and Settings\Administrator.N09110003\Desktop\cfw_installer_x86.exe
[2010/08/02 21:16:44 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/08/02 21:05:16 | 011,862,384 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator.N09110003\Desktop\mssefullinstall-x86fre-en-us-xp.exe
[2010/08/02 18:19:30 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/01 18:47:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/01 18:44:37 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/01 18:44:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/01 18:44:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/01 18:44:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/01 18:44:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/31 22:02:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/31 22:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/31 21:59:28 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Administrator.N09110003\Desktop\erunt-setup.exe
[2010/07/31 02:12:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.N09110003\Application Data\Malwarebytes
[2010/07/31 02:12:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/31 02:12:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010/07/31 02:12:30 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/31 02:12:29 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/31 01:04:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/07/31 00:24:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu
[2010/07/27 19:59:29 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp
[2010/07/27 19:59:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.N09110003\Application Data\Winamp
[2010/07/08 17:44:32 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidserv.dll
[2010/07/07 16:12:57 | 000,000,000 | ---D | C] -- C:\Program Files\Webteh
[2010/07/04 12:08:32 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2010/07/04 12:08:28 | 000,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2010/07/04 12:08:26 | 000,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/03 08:29:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.N09110003\Desktop\OTL.exe
[2010/08/03 08:23:14 | 000,869,051 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\SecurityCheck.exe
[2010/08/03 08:19:48 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/08/03 08:14:52 | 000,000,465 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2010/08/03 08:14:29 | 000,000,512 | ---- | M] () -- C:\WINDOWS\randseed.rnd
[2010/08/03 08:14:26 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/03 08:14:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/03 02:51:31 | 007,340,032 | -H-- | M] () -- C:\Documents and Settings\Administrator.N09110003\NTUSER.DAT
[2010/08/03 02:51:11 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator.N09110003\ntuser.ini
[2010/08/03 02:50:55 | 003,238,030 | -H-- | M] () -- C:\Documents and Settings\Administrator.N09110003\Local Settings\Application Data\IconCache.db
[2010/08/02 22:48:23 | 000,001,653 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO Firewall.lnk
[2010/08/02 22:37:02 | 058,570,184 | ---- | M] (COMODO) -- C:\Documents and Settings\Administrator.N09110003\Desktop\cfw_installer_x86.exe
[2010/08/02 21:16:47 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Microsoft Security Essentials.lnk
[2010/08/02 21:14:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/02 21:09:34 | 011,862,384 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator.N09110003\Desktop\mssefullinstall-x86fre-en-us-xp.exe
[2010/08/02 18:03:21 | 001,373,616 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\MCPR.exe
[2010/08/02 08:37:21 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/02 08:37:07 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/01 18:48:04 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/01 18:17:23 | 003,748,898 | R--- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\ComboFix.exe
[2010/08/01 15:47:11 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\gmer.zip
[2010/07/31 22:00:59 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\ERUNT.lnk
[2010/07/31 21:59:32 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Administrator.N09110003\Desktop\erunt-setup.exe
[2010/07/31 02:12:36 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/31 01:38:35 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/07/30 00:07:08 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/28 19:32:12 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\Microsoft Office Excel 2003.lnk
[2010/07/27 19:59:39 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Winamp.lnk
[2010/07/17 00:27:03 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\Internet Explorer.lnk
[2010/07/07 17:19:10 | 000,002,509 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\Microsoft Office Word 2003.lnk
[2010/07/07 17:14:01 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/07/07 16:24:43 | 000,000,403 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\My Documents.lnk
[2010/07/07 16:15:54 | 000,000,793 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Application Data\Microsoft\Internet Explorer\Quick Launch\BS.Player FREE.lnk
[2010/07/07 16:15:54 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\BS.Player FREE.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/03 08:23:14 | 000,869,051 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\SecurityCheck.exe
[2010/08/02 22:48:23 | 000,001,653 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\COMODO Firewall.lnk
[2010/08/02 21:22:02 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/08/02 21:16:47 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Microsoft Security Essentials.lnk
[2010/08/02 18:03:22 | 001,373,616 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\MCPR.exe
[2010/08/01 18:48:04 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/01 18:48:01 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/01 18:44:37 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/01 18:44:36 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/01 18:44:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/01 18:44:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/01 18:44:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/01 18:16:52 | 003,748,898 | R--- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\ComboFix.exe
[2010/08/01 15:47:15 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\gmer.zip
[2010/07/31 22:00:59 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\ERUNT.lnk
[2010/07/31 02:12:36 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/31 01:38:35 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/07/27 19:59:39 | 000,000,654 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Winamp.lnk
[2010/07/17 00:27:03 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\Internet Explorer.lnk
[2010/07/07 17:19:10 | 000,002,509 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\Microsoft Office Word 2003.lnk
[2010/07/07 17:18:40 | 000,002,495 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\Microsoft Office Excel 2003.lnk
[2010/07/07 16:24:43 | 000,000,403 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\My Documents.lnk
[2010/07/07 16:15:54 | 000,000,793 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Application Data\Microsoft\Internet Explorer\Quick Launch\BS.Player FREE.lnk
[2010/07/07 16:15:54 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Desktop\BS.Player FREE.lnk
[2010/07/06 22:07:38 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\Administrator.N09110003\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/18 16:05:59 | 003,917,824 | RHS- | C] () -- C:\WINDOWS\System32\ntlfs.sys
[2008/06/02 20:23:07 | 000,000,465 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2008/06/02 20:16:47 | 000,000,251 | ---- | C] () -- C:\WINDOWS\System32\drivers\hlldrvr.sys
[2008/06/02 20:16:25 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\cwbrw.dll
[2008/06/02 20:16:25 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\qxdaedrs.dll
[2008/06/02 20:16:25 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbwiz.dll
[2008/06/02 19:48:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/06/02 18:46:30 | 000,106,496 | R--- | C] () -- C:\WINDOWS\System32\vshp1020.dll
[2004/08/04 07:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/07/02 13:09:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.N09110003\Application Data\acccore
[2010/07/02 13:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AIM
[2010/08/02 18:02:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates
[2010/08/03 08:19:48 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/06/02 13:58:54 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/06/02 13:58:54 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/06/02 13:58:54 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/06/01 19:00:20 | 000,015,464 | ---- | M] (COMODO) -- C:\WINDOWS\system32\drivers\cmderd.sys
[2010/06/04 11:55:58 | 000,229,312 | ---- | M] (COMODO) -- C:\WINDOWS\system32\drivers\cmdGuard.sys
[2010/06/01 19:00:22 | 000,025,240 | ---- | M] (COMODO) -- C:\WINDOWS\system32\drivers\cmdhlp.sys
[2010/06/01 19:00:24 | 000,087,824 | ---- | M] (COMODO) -- C:\WINDOWS\system32\drivers\inspect.sys
< End of report >

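The "MD5 for:" blocks in the OTL log above list every copy of a system file (the live copy under system32, the dllcache copy and the ERDNT backup) so that a patched file can be spotted by a hash that differs from its backups. As an added example, not part of this thread or of OTL itself, here is a small Python parser for that section that groups the lines by file name and flags any name whose copies disagree or whose copy carries no company name; the ATAPI.SYS and EVENTLOG.DLL lines are copied from the log above, while the EXAMPLE.DLL group and its all-zero hash are constructed to show what a mismatch looks like.

```python
import re
from collections import defaultdict

# One OTL "MD5 for:" detail line looks like:
# [2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=<32 hex> -- C:\path\file.sys
# The ".cab file" lines in the same block carry no MD5 and are deliberately not matched.
LINE_RE = re.compile(
    r"^\[(?P<date>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")

# Constructed sample. The first two groups are copied from the OTL log in this thread;
# the EXAMPLE.DLL group is invented and its hash is a placeholder, not a real indicator.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: EXAMPLE.DLL >
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\example.dll
[2010/08/01 22:13:05 | 000,055,808 | ---- | M] () MD5=00000000000000000000000000000000 -- C:\WINDOWS\system32\example.dll
"""


def parse_md5_section(text):
    """Return {FILENAME: [copy, ...]} where each copy is a dict with path, md5, size, company.
    Only lines that carry an MD5 are kept, so .cab members are skipped."""
    groups = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            continue
        m = LINE_RE.match(line)
        if m and current:
            groups[current].append({
                "path": m.group("path").strip(),
                "md5": m.group("md5").upper(),
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company").strip(),
            })
    return dict(groups)


def check_consistency(groups):
    """Compare all copies of each file name. A finding is (name, kind, paths):
    'md5-mismatch' when the copies do not share one hash (live copy differs from its backups),
    'no-company' when a copy has an empty company field, which the Microsoft originals never do."""
    findings = []
    for name in sorted(groups):
        copies = groups[name]
        if len({c["md5"] for c in copies}) > 1:
            findings.append((name, "md5-mismatch", sorted(c["path"] for c in copies)))
        for c in copies:
            if not c["company"]:
                findings.append((name, "no-company", [c["path"]]))
    return findings


if __name__ == "__main__":
    for name, kind, paths in check_consistency(parse_md5_section(SAMPLE_LOG)):
        print(f"{name}: {kind}")
        for p in paths:
            print(f"    {p}")
```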
RobinsonCano
2010-08-03, 15:33
OTL extras

OTL Extras logfile created on: 8/3/2010 8:34:14 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Administrator.N09110003\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 147.00 Mb Available Physical Memory | 29.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 47.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 34.09 Gb Free Space | 61.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: N09110003
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0EC5AE85-BAED-400D-95E6-A3528FC9B124}" = Livelink Office Editor
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}" = Adobe Flash Player 9 ActiveX
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{AC76BA86-7AD7-1034-7B44-A81200000003}" = Adobe Reader 8.1.2 - Español
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom NetXtreme Ethernet Controller
"{CC6B1BB4-4E06-4A5B-A166-B371B551324B}" = COMODO Internet Security
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{FCDC3CDD-F53E-4239-8CA5-BC492942931B}" = SMS Advanced Client
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_7" = AIM 7
"BSPlayerf" = BS.Player FREE
"ClientAccessExpress" = IBM AS/400 Client Access Express para Windows
"ERUNT_is1" = ERUNT 1.1j
"HP-LaserJet 1020 series" = LaserJet 1020 series
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom NetXtreme Ethernet Controller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"OrderReminder HP LaserJet 1020" = OrderReminder HP LaserJet 1020
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/3/2010 12:03:46 AM | Computer Name = N09110003 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 8/3/2010 12:04:46 AM | Computer Name = N09110003 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 8/3/2010 12:41:21 AM | Computer Name = N09110003 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 8/3/2010 12:41:53 AM | Computer Name = N09110003 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 8/3/2010 1:04:46 AM | Computer Name = N09110003 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 8/3/2010 1:54:53 AM | Computer Name = N09110003 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 8/3/2010 1:55:53 AM | Computer Name = N09110003 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 8/3/2010 2:32:04 AM | Computer Name = N09110003 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 8/3/2010 3:52:15 AM | Computer Name = N09110003 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 8/3/2010 9:14:26 AM | Computer Name = N09110003 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

[ System Events ]
Error - 8/3/2010 3:18:16 AM | Computer Name = N09110003 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 8/3/2010 3:33:51 AM | Computer Name = N09110003 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 8/3/2010 3:40:20 AM | Computer Name = N09110003 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 8/3/2010 3:52:15 AM | Computer Name = N09110003 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain BBVA due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 8/3/2010 3:52:17 AM | Computer Name = N09110003 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/3/2010 9:14:26 AM | Computer Name = N09110003 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain BBVA due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 8/3/2010 9:14:32 AM | Computer Name = N09110003 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/3/2010 9:20:10 AM | Computer Name = N09110003 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 8/3/2010 9:35:13 AM | Computer Name = N09110003 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 8/3/2010 10:05:17 AM | Computer Name = N09110003 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 59 minutes. NtpClient has no source of accurate
time.


< End of report >

JonTom
2010-08-03, 21:07
Hello Robinsoncano

Thank you for the logs.

Security check reveals that you still have the Windows Firewall engaged. If you want to run Comodo, you must first switch off the Windows Firewall.

Do not run more than ONE Firewall and ONE real time antivirus on your machine.

Information on how to configure Comodo can be found in the links below:


http://forums.comodo.com/guides-cis/install-configure-comodo-firewall-v41-for-maximum-protection-min-alerts-t57944.0.html

http://personalfirewall.comodo.com/Comodo_Internet_Security_User_Guide.pdf


It appears that you have several remnants of McAfee products on your machine that the removal tool is unable to deal with. This may be one reason why your machine now appears to run slower. Another reason may be the amount of RAM you have installed:


> 503.00 Mb Total Physical Memory

Installing extra RAM would almost certainly increase your system performance. However, let's try to deal with the McAfee remnants first, then follow with a few scans:


Please open OTL


Copy and paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.


:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - [2006/10/30 03:06:10 | 000,229,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2006/10/30 03:06:10 | 000,131,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
PRC - [2006/10/30 03:06:10 | 000,098,304 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
SRV - [2006/10/30 03:06:10 | 000,098,304 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UpdaterUI.exe (McAfee, Inc.)
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

:Services
McAfeeFramework

:Files
C:\Documents and Settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu
C:\Program Files\McAfee
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe

:Commands
[purity]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]





Once you have pasted the information into the Custom Scans/Fixes box, click the "Run Fix" button at the top.
Allow the program to run unhindered.
Your machine will re-start itself. This is normal.
A log will be created after your machine reboots. Please post the contents of the log in your next reply.

RobinsonCano
2010-08-03, 21:11
this is gonna be a stupid question. is windows firewall on this laptop itself? or on the wireless network connection im currently on?

RobinsonCano
2010-08-03, 21:33
note. once we get this all fixed and running properly. yes, ill look into a RAM upgrade. :fear:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Process naPrdMgr.exe killed successfully!
No active process named UpdaterUI.exe was found!
No active process named FrameworkService.exe was found!
Service McAfeeFramework stopped successfully!
Service McAfeeFramework deleted successfully!
C:\Program Files\McAfee\Common Framework\FrameworkService.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\McAfeeUpdaterUI deleted successfully.
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe moved successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
========== SERVICES/DRIVERS ==========
Error: No service named McAfeeFramework was found to stop!
Service\Driver key McAfeeFramework not found.
========== FILES ==========
C:\Documents and Settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu folder moved successfully.
C:\Program Files\McAfee\Common Framework\0409 folder moved successfully.
C:\Program Files\McAfee\Common Framework folder moved successfully.
C:\Program Files\McAfee folder moved successfully.
File\Folder C:\Program Files\McAfee\Common Framework\naPrdMgr.exe not found.
File\Folder C:\Program Files\McAfee\Common Framework\UpdaterUI.exe not found.
File\Folder C:\Program Files\McAfee\Common Framework\FrameworkService.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 2656 bytes
->Temporary Internet Files folder emptied: 2931648 bytes

User: Administrator.N09110003
->Temp folder emptied: 673253 bytes
->Temporary Internet Files folder emptied: 1425634 bytes
->FireFox cache emptied: 42651914 bytes
->Flash cache emptied: 40003 bytes

User: All Users

User: All Users.WINDOWS

User: Ctx_StreamingSvc
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 47690 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: pa00849
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: pa00884

User: u0703
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: u085950.BBVA
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3040909 bytes
->Java cache emptied: 763036 bytes
->Flash cache emptied: 405 bytes

User: u085950.RDEXBBVA
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: xe16290
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 29674 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1373616 bytes

Total Files Cleaned = 51.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.N09110003
->Flash cache emptied: 0 bytes

User: All Users

User: All Users.WINDOWS

User: Ctx_StreamingSvc

User: Default User

User: Default User.WINDOWS

User: LocalService

User: LocalService.NT AUTHORITY

User: NetworkService

User: NetworkService.NT AUTHORITY

User: pa00849

User: pa00884

User: u0703

User: u085950.BBVA
->Flash cache emptied: 0 bytes

User: u085950.RDEXBBVA
->Flash cache emptied: 0 bytes

User: xe16290

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08032010_152318

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

JonTom
2010-08-04, 00:03
Hello Robinsoncano


> is windows firewall on this laptop itself?

It is. You can find it by doing the following:

Click on "Start".
Click on "Control Panel".
Click on "Windows Firewall".


I am checking through your OTL log now.

If you run into any problems just let me know.

RobinsonCano
2010-08-04, 00:35

im gonna assume that Comodo is a better firewall than the windows firewall? will look through the set up links tonight after dinner and get it running properly.

JonTom
2010-08-04, 01:17
Hello RobinsonCano

It blocks both inbound and outbound traffic and so is considered to have the edge over the MS Firewall which only blocks inbound material.

However, that being said, a firewall is a firewall, and you should have one running on your system. I'll leave it up to you to decide which one to go for. Regardless of which one you choose it is essential that you have one installed.

Let me know how you get on.

Just turned midnight for me. We'll pick up again tomorrow :)

RobinsonCano
2010-08-04, 15:08

good morning. :)

this is great info. thanks. ive just turned off windows firewall. and i am looking at the links you provided to properly set up Comodo firewall.

i got a popup from Comodo pretty much right after i killed windows firewall. saying svchost.exe is a safe program / procedure. but that it was currently trying to connect to another computer. ?! ive blocked that.

fiddling with Comodo now.

RobinsonCano
2010-08-04, 16:14
Comodo firewall is set up.
Upon startup the sandbox goes to work. I don't know what most of these items are. Except for winamp. lol. So they are still in the sandbox for now.
On my latest restart, DEP killed spooler subsystem app. ?

RobinsonCano
2010-08-04, 17:10
> Upon startup the sandbox goes to work. I don't know what most of these items are. Except for winamp. lol. So they are still in the sandbox for now.


i figured this out. most of them are a part of this IBM client access program that is on the computer.

svchost is still hogging up the little memory i have. if we get this computer fixed, i do plan a RAM upgrade. usually within 15 mins or so of connecting to the internet its in the 150,000k and the computer starts to crawl. but before that happens, it runs smoothly. so far the only thing that helps is to disable my internet connection for a few minutes.

JonTom
2010-08-04, 18:53
Hello RobinsonCano


> i got a popup from Comodo pretty much right after i killed windows firewall. saying svchost.exe is a safe program / procedure. but that it was currently trying to connect to another computer. ?! ive blocked that.

It will take a while to optimise the settings for your system. From what I have read, the warnings from Comodo are quite frequent at first and then become less frequent over time as you allow the applications you trust to cross the firewall.

As for svchost.exe, it is a generic process that is commonly found on machines. It is not unusual to find multiple instances of svchost.exe running on a system. The process can drain system resources depending on how many applications it is running.

As for it trying to connect to another computer, not too sure. Are your machines networked perhaps? Something for you to think about.

Anyway, I'll leave it to you to fiddle with the settings in your own time. Also, please remember, Comodo was only a suggestion. If you do not like it, there are many others you can try.


> most of them are a part of this IBM client access program that is on the computer.

We can take care of that program later if you wish. For now though, I would like to make sure that your system is clean.

Please do the following:


MalwareBytes AntiMalware:


I can see that you have MBAM installed.
Double click on your MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform full scan" and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.



Please update your Java


Click on "Start", then on "Control Panel".
Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find (J2SE Runtime Environment 5.0 Update 9).
Reboot your computer.
Next, download the latest version of Java by clicking here (http://java.sun.com/javase/downloads/index.jsp)
Scroll down the page until you reach "Java Platform Standard Edition".
Beneath this and to the right, you will see a link marked "Download JRE".
Click on the "Download JRE" link.
Select the platform (Windows, in your case), multi language.
Accept the license agreement and click on "Continue".
You do not have to register if you do not want to (the registration step is optional).
Scroll down and click on the file called jre-6u21-windows-i586.exe located under "Windows Offline Installation".
Save the file to your desktop.
Do not select Run.
Double click on the saved file (jre-6u21-windows-i586.exe) to install the update.
Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.



Please perform the following scan:


This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.


It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
DO NOT surf the net while your resident protection is disabled!
Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.


Please perform a Kaspersky Online Scan of your computer by clicking here (http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1240137288999) or here (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html).


Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run (at times it may appear to stall).
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
If you need help performing the above steps, an animated tutorial can be found here. (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)


Please post the MBAM log and the Kaspersky Online Scan log in your next reply.

Also, please describe how your machine is behaving now. Are you still experiencing problems?

RobinsonCano
2010-08-04, 20:25
here is step 1. MalwareBytes scan. please note, while the log did pop up I was not prompted to do a restart.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4389

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

8/4/2010 2:22:44 PM
mbam-log-2010-08-04 (14-22-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 268020
Time elapsed: 1 hour(s), 12 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

RobinsonCano
2010-08-04, 21:07
step 2. Java update complete.

gonna do step 3 now. quick question, i dont need to disable spybot right since the teatimer is still disabled correct? just the microsoft securities essentials?

and from the looks of it this will be running a while. so i guess we pick up tomorrow.

JonTom
2010-08-05, 00:43
Hello Robinsoncano


> i dont need to disable spybot right since the teatimer is still disabled correct? just the microsoft securities essentials?

:bigthumb:

Let me know if you have any problems :)

RobinsonCano
2010-08-05, 02:34
i keep getting this error

Launch of the Java Application is interrupted. Please establish an uninterrupted internet connection for work with this program.

i dunno what im doing wrong. i even disabled the wireless and used a wired to connect to the internet.

RobinsonCano
2010-08-05, 02:37
> Also, please describe how your machine is behaving now. Are you still experiencing problems?

ever since i did step 2, the update and the scan of malwarebytes, it's been running much, much smoother and faster. most of the time it's little to no lag. control alt delete to peek at my processes is immediate. there was one instance earlier this afternoon where svchost.exe took over again. as much as 200,000k. it just sorta zaps the computer of life. while this was something that happened constantly, it's happening much less since this afternoon.

JonTom
2010-08-05, 08:46
Hello RobinsonCano

Lets try this scan instead:


Please run the following scan


Note: You will need to use Internet Explorer for this scan.
Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
Please disable your real time security programs before performing the scan.



Scan your system with Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use.
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.



Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Push the "Start" button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png


Please post the ESET log in your next reply.

RobinsonCano
2010-08-05, 16:08
ESETScan

C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir INF/Autorun.gen trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{AD8F9D70-CF7E-4526-8105-3467FD234E0C}\RP157\A0042743.inf INF/Autorun.gen trojan cleaned by deleting - quarantined

Question. Do I check boxes for uninstall and/or delete quarantined files?

JonTom
2010-08-05, 16:21
Hello RobinsonCano


> Do I check boxes for uninstall and/or delete quarantined files?

Don't do anything with them right now. They can cause no harm to your system where they are.

I will get back to you later today with the next steps :)

JonTom
2010-08-05, 20:33
Hello RobinsonCano

The ESET log has detected infected files in ComboFix quarantine and also in one of your system restore points. We will deal with these in the steps below:


Please Uninstall Combofix


Click on "Start" and then on "Run".
Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall"; it needs to be there.


Do you wish to keep the IBM client access program on your machine?

We can disable it so it does not run when your system starts (then you can run it manually if you ever need it) or alternatively, we can remove it completely or leave it where it is. Please let me know, then we will continue with the rest of the clean up procedure.

RobinsonCano
2010-08-06, 01:46
i sent you a PM with a dumb question. lol.

RobinsonCano
2010-08-06, 01:47
never got an email notification on your last reply. havent been ignoring it. working on it now.

RobinsonCano
2010-08-06, 02:08
update. Combofix is uninstalled. it asked me to disable my AV so it could get it done without interference. and my sandbox on comodo went off like crazy when it was finishing. all of them were combofix related so i hit allow.

ibm client access. i have no idea what that is or does. :confused:

RobinsonCano
2010-08-06, 17:49
when i uninstalled that combofix and the comodo sandbox went off like crazy it's like my computer is back to square one again. it just stalls.

can i run those last two scans again before we continue?



> You may need to empty the sandbox.
>
> Feel free to run another ESET scan and post the log in your forum thread.

I ran ESET scan again. It came up empty. No infections. So there was no "List of found threats" link. The quarantine link did show the two hits from the first ESET scan.

sandbox shows that it is empty.

IBM client access. I still don't exactly know what it is. So let's remove it I think.

JonTom
2010-08-06, 21:24
Hello Robinsoncano


> I ran ESET scan again. It came up empty. No infections.

I am not sure why your firewall is playing up after uninstalling ComboFix. Whatever is behind it, it does not appear to be malware related.


> IBM client access. I still don't exactly know what it is. So let's remove it I think.

As you wish :)

Please work your way through the following steps:


Please open OTL


Copy and paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.


:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Client Access Check Version] C:\Program Files\IBM\Client Access\cwbckver.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Express Welcome] C:\Program Files\IBM\Client Access\cwbwlwiz.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Help Update] C:\Program Files\IBM\Client Access\cwbinhlp.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe (IBM Corporation)

:Files
C:\Program Files\IBM

:Commands
[purity]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]





Once you have pasted the information into the Custom Scans/Fixes box, click the "Run Fix" button at the top.
Allow the program to run unhindered.
Your machine will re-start itself. This is normal.
A log will be created after your machine reboots. Please post the contents of the log in your next reply.
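
Before clicking "Run Fix" it is worth knowing exactly which registry values, files and folders a script like the one above will touch. The following Python is an added example for this thread (it is not OTL's own code and is not part of the original post): it parses the :OTL, :Files and :Commands sections into a review list. It understands only the line shapes visible here (PRC lines, O4 Run entries, plain paths under :Files and bracketed :Commands); the expansion of HKLM..\Run to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run follows the way the OTL log posted in the next reply spells that key out, and the HKCU expansion is assumed by analogy.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the fix script posted above, reproduced verbatim.
SAMPLE_FIX = r"""
:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Client Access Check Version] C:\Program Files\IBM\Client Access\cwbckver.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Express Welcome] C:\Program Files\IBM\Client Access\cwbwlwiz.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Help Update] C:\Program Files\IBM\Client Access\cwbinhlp.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe (IBM Corporation)

:Files
C:\Program Files\IBM

:Commands
[purity]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]
"""

# Hive shorthand used in O4 lines -> full key prefix. HKLM is taken from the
# OTL log in the thread; HKCU is assumed by analogy.
HIVES = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
}
# O4 - HKLM..\Run: [Value name] C:\path\file.exe (Vendor)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\.\.\\(\w+): \[([^\]]*)\] (.*?)(?: \(([^()]*)\))?$")
# PRC - C:\path\process.exe (Vendor)
PRC_RE = re.compile(r"^PRC - (.*?)(?: \(([^()]*)\))?$")


@dataclass
class FixPlan:
    processes: list = field(default_factory=list)        # (path, vendor)
    registry_values: list = field(default_factory=list)  # (key, value name, file path)
    files: list = field(default_factory=list)            # paths listed under :Files
    commands: list = field(default_factory=list)         # bracketed :Commands, lower-cased
    unparsed: list = field(default_factory=list)         # lines this parser does not know


def parse_otl_fix(text):
    """Walk the script section by section and collect the actions it describes."""
    plan, section = FixPlan(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # ":OTL", ":Files", ":Commands"
            section = line[1:].lower()
            continue
        if section == "otl":
            m = O4_RE.match(line)
            if m:
                hive, key, name, path, _vendor = m.groups()
                plan.registry_values.append((HIVES[hive] + "\\" + key, name, path))
                continue
            m = PRC_RE.match(line)
            if m:
                plan.processes.append((m.group(1), m.group(2)))
                continue
            plan.unparsed.append(line)
        elif section == "files":
            plan.files.append(line)
        elif section == "commands":
            plan.commands.append(line.strip("[]").lower())
        else:
            plan.unparsed.append(line)
    return plan


def review(plan):
    """One readable line per action, in the order OTL reports them in its log
    (an O4 entry deletes the Run value and moves the file it pointed at)."""
    out = [f"kill process: {path}" for path, _ in plan.processes]
    for key, name, path in plan.registry_values:
        out.append(f"delete registry value: {key}\\{name}")
        out.append(f"move file: {path}")
    out += [f"move file/folder: {p}" for p in plan.files]
    out += [f"command: {c}" for c in plan.commands]
    return out


if __name__ == "__main__":
    plan = parse_otl_fix(SAMPLE_FIX)
    print("\n".join(review(plan)))
    if plan.unparsed:
        print("lines not understood:", plan.unparsed)
```

Anything the parser does not recognise lands in `unparsed` rather than being silently dropped, so a script containing line types beyond the ones shown here is flagged instead of partially reviewed.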

RobinsonCano
2010-08-06, 21:46
All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Client Access Check Version deleted successfully.
C:\Program Files\IBM\Client Access\cwbckver.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Client Access Express Welcome deleted successfully.
C:\Program Files\IBM\Client Access\cwbwlwiz.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Client Access Help Update deleted successfully.
C:\Program Files\IBM\Client Access\cwbinhlp.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Client Access Service deleted successfully.
C:\Program Files\IBM\Client Access\cwbsvstr.exe moved successfully.
========== FILES ==========
C:\Program Files\IBM\Client Access\Shared folder moved successfully.
C:\Program Files\IBM\Client Access\Mri2931 folder moved successfully.
C:\Program Files\IBM\Client Access\Emulator\Private folder moved successfully.
C:\Program Files\IBM\Client Access\Emulator\PdfPdt folder moved successfully.
C:\Program Files\IBM\Client Access\Emulator folder moved successfully.
C:\Program Files\IBM\Client Access\Classes folder moved successfully.
C:\Program Files\IBM\Client Access folder moved successfully.
C:\Program Files\IBM folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.N09110003
->Temp folder emptied: 1860640 bytes
->Temporary Internet Files folder emptied: 8379855 bytes
->Java cache emptied: 124352 bytes
->FireFox cache emptied: 87182995 bytes
->Flash cache emptied: 5320 bytes

User: All Users

User: All Users.WINDOWS

User: Ctx_StreamingSvc
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 343 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 39360 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: pa00849
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: pa00884

User: u0703
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: u085950.BBVA
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: u085950.RDEXBBVA
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: xe16290
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 35184 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 635313640 bytes

Total Files Cleaned = 699.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.N09110003
->Flash cache emptied: 0 bytes

User: All Users

User: All Users.WINDOWS

User: Ctx_StreamingSvc

User: Default User

User: Default User.WINDOWS
->Flash cache emptied: 0 bytes

User: LocalService

User: LocalService.NT AUTHORITY
->Flash cache emptied: 0 bytes

User: NetworkService

User: NetworkService.NT AUTHORITY

User: pa00849

User: pa00884

User: u0703

User: u085950.BBVA
->Flash cache emptied: 0 bytes

User: u085950.RDEXBBVA
->Flash cache emptied: 0 bytes

User: xe16290

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08062010_153700

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

JonTom
2010-08-06, 22:15
Hello RobinsonCano

Thank you for the log.

Please scan your system with DDS and post the log created.

RobinsonCano
2010-08-06, 22:41
working on it.

svchost.exe plus wuauclt.exe are hogging my memory. im on a different computer post this.

RobinsonCano
2010-08-06, 22:48
DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 16:43:34.65 on Fri 08/06/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.198 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.N09110003\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
mPolicies-system: MaxGPOScriptWait = 1200 (0x4b0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.n09\applic~1\mozilla\firefox\profiles\up2f9avd.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 25240]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1778480]

=============== Created Last 30 ================

2010-08-06 01:46:56 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-05 14:20:47 0 d-----w- c:\program files\ESET
2010-08-04 19:53:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-04 19:53:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-04 15:00:30 0 d-----w- C:\spoolerlogs
2010-08-04 14:48:38 0 d--h--w- C:\VritualRoot
2010-08-03 20:23:18 0 d-----w- C:\_OTL
2010-08-03 04:02:25 0 d-----w- c:\docume~1\alluse~1.win\applic~1\COMODO
2010-08-03 03:44:47 0 d-----w- c:\program files\COMODO
2010-08-03 03:37:50 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Comodo Downloader
2010-08-03 02:16:44 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-01 23:47:53 0 d-sha-r- C:\cmdcons
2010-07-31 07:12:50 0 d-----w- c:\docume~1\admini~1.n09\applic~1\Malwarebytes
2010-07-31 07:12:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 07:12:31 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-07-31 07:12:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 07:12:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 06:38:35 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-31 06:04:05 0 d-----w- c:\windows\pss
2010-07-08 22:44:32 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-08 22:44:32 21504 ----a-w- c:\windows\system32\hidserv.dll

==================== Find3M ====================

2010-06-02 00:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2007-11-22 03:26:02 3917824 --sha-r- c:\windows\system32\ntlfs.sys

============= FINISH: 16:45:09.92 ===============
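
Reading a DDS log by eye means scanning the "Created Last 30" and "Find3M" sections for entries that deserve a second look. As an added example for this thread (not DDS's own code and not part of the original post), the Python below splits a DDS log on its ===-delimited headers, parses the timestamped file entries, and lists those that are both hidden and system, or that are files under system32. The sample log is an excerpt constructed from the log above; reading the letters d, s and h in the attribute column as directory, system and hidden is an assumption drawn from those lines.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the DDS log posted above.
SAMPLE_DDS = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 16:43:34.65 on Fri 08/06/2010

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

=============== Created Last 30 ================

2010-08-06 01:46:56 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-05 14:20:47 0 d-----w- c:\program files\ESET
2010-08-04 19:53:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-04 14:48:38 0 d--h--w- C:\VritualRoot
2010-08-01 23:47:53 0 d-sha-r- C:\cmdcons
2010-07-31 07:12:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-08 22:44:32 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

==================== Find3M ====================

2010-06-02 00:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2007-11-22 03:26:02 3917824 --sha-r- c:\windows\system32\ntlfs.sys

============= FINISH: 16:45:09.92 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "===== Name ====="
ENTRY_RE = re.compile(                                  # "YYYY-MM-DD HH:MM:SS size attrs path"
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$")
FILE_SECTIONS = ("Created Last 30", "Find3M")


@dataclass(frozen=True)
class FileEntry:
    section: str
    timestamp: str
    size: int
    attrs: str   # DDS attribute column, e.g. "d-sha-r-"
    path: str

    # Assumption: 'd' marks a directory, 's' the system attribute and 'h'
    # the hidden attribute (consistent with the log: C:\cmdcons is
    # "d-sha-r-", ordinary files are "----a-w-").
    @property
    def is_dir(self):
        return "d" in self.attrs

    @property
    def hidden_and_system(self):
        return "h" in self.attrs and "s" in self.attrs


def split_sections(text):
    """Map each '=== Name ===' header to the non-blank lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_file_entries(sections):
    """Parse the timestamped entries of the file-listing sections."""
    entries = []
    for name in FILE_SECTIONS:
        for line in sections.get(name, []):
            m = ENTRY_RE.match(line)
            if m:
                ts, size, attrs, path = m.groups()
                entries.append(FileEntry(name, ts, int(size), attrs, path))
    return entries


def triage(text):
    """Return (path, reason) pairs worth a closer look, in log order.

    A hit is a prompt to check the file's origin, not a verdict: legitimate
    components also live in system32 and can carry hidden+system attributes.
    """
    flagged = []
    for e in parse_file_entries(split_sections(text)):
        reasons = []
        if e.hidden_and_system:
            reasons.append("hidden+system")
        if not e.is_dir and "\\system32\\" in e.path.lower():
            reasons.append("file under system32")
        if reasons:
            flagged.append((e.path, ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_DDS):
        print(f"{reason:36} {path}")
```

The output is a triage list, not a list of infections: C:\cmdcons, for example, is the Windows XP Recovery Console folder and is normally hidden and system, and MpSigStub.exe is the stub left behind by Microsoft's signature updates. The value of the script is that it surfaces the same handful of entries a helper would look at first, out of a log that runs to hundreds of lines.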

JonTom
2010-08-06, 23:58
Hello RobinsonCano

Your logs appear to be clean! Great job :bigthumb:


> svchost.exe plus wuauclt.exe are hogging my memory. im on a different computer post this.

The ESET scan shows that your system is clean, and as mentioned before extra RAM will help.

wuauclt.exe is the AutoUpdate Client for Windows and is nothing to worry about (It is probably trying to download XP Service Pack 3, which you really should install).

Since your system appears to be clean but seems to be running more slowly, you can always experiment with different security programs to see which ones are lightest on system resources, however when it comes to running multiple processes, RAM is king.

Please work your way through the following clean up and update steps:


Please perform the following cleanup procedure



Double click on the OTL.exe icon on your desktop to run the program. (Note: If you are running Vista, right-click on the file and choose Run As Administrator).
Once OTL has opened, click on the "CleanUp!" button.
Follow any prompts that you receive.



Removal of Tools


You no longer need Security Check or the McAfee Removal Tool. Please delete them from your system.



Your Internet Explorer is out of date


A newer version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)



Please install XP Service Pack 3


XP Service Pack 3 contains many more security features that are not present in Service Pack 2.
Instructions for downloading XP Service Pack 3 can be found here. (http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx)



Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.


Finally, please take the time to read through the information provided below:

Enhance your System Security

For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)

IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.

Web Browsers and Browser Security

Firefox

Firefox is generally considered to have greater browsing security in comparison to other popular programs. You can download Firefox 3.0 from here. (http://www.mozilla.com/en-US/firefox/)


No-Script

If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)


Internet Explorer

The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)


SpywareBlaster

If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)

Web of Trust

When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)


Keep your Software Updated

Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)


Passwords

Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)


General Reading

How did I get infected in the first place? (http://www.spywareinfoforum.com/index.php?showtopic=60955)

PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)

How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


Learn How To Combat Malware

Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)

RobinsonCano
2010-08-07, 00:03
Clean is good! And I do have a RAM investment on my to-do list. But I don't even know where to start on that.

Holy Toledo at the list of things in that last post. I will get to them one by one and give you an update.

But... check back tomorrow.

:cowboy:

RobinsonCano
2010-08-07, 00:10
Question 1. TeaTimer back on? This would run along with Comodo Firewall and Microsoft Security Essentials. Or should I just use Spybot as an on-demand thing like Malwarebytes?

JonTom
2010-08-07, 00:20
Hello RobinsonCano


Holy Toledo at the list of things in that last post. I will get to them one by one and give you an update.

Please be aware that these are only general suggestions. You may not need all (or any) of the things listed - it is just for extra information.

Please make sure that you only have ONE antivirus and ONE firewall running on your system.



TeaTimer back on?

I tend to use Spybot as an on-demand scanner and have TeaTimer switched off. However, as a test, you could always switch it on and see how it works out. You'll know soon enough if you have to disable it :cool:



Check back tomorrow

:bigthumb:

RobinsonCano
2010-08-07, 20:22
This box just popped up twice on my computer.

CWBNL0202-CWBMSGBX.DLL

Both times I hit the 'x' and not the 'ok' button.

RobinsonCano
2010-08-07, 20:25
This box just popped up twice on my computer.

CWBNL0202-CWBMSGBX.DLL

Both times I hit the 'x' and not the 'ok' button.

It does this when I go to the Control Panel and when I click on Add/Remove Programs.

JonTom
2010-08-07, 21:28
Hello RobinsonCano


The message you are receiving may be related to the IBM client access program you had on your machine. I did a little looking on Google and it sounds as though you may need to delete the CWBMSGBX.DLL file from your system.

More information about the message you are receiving can be found here:

http://www.techsupportforum.com/microsoft-support/win-98-me-support/56752-no-windows.html

http://social.answers.microsoft.com/Forums/en-US/xphardware/thread/b957bb6d-a440-4bd0-a459-f5a561454ab2


Note that this message does not appear to be malware related so it is really up to you if you want to follow through and remove the file.

If you choose to remove it, here is some information:


Right-click your "Start" button and select "Search".
Under "All or Part of the Filename:", type "CWBMSGBX.DLL" (without the quotation marks).
Under "Look in", select "Local Hard Drives (C: )" and then click on "Search".
Once the search is complete, delete the file that is found.



As your system appears to be clean, I will have to hand you over to some trusted Tech Forums for further assistance should you need it:

http://forums.whatthetech.com/index.php?showforum=119

http://www.techsupportforum.com/microsoft-support/windows-xp-support/

Hope this helps :)

RobinsonCano
2010-08-08, 02:58
An update! And a few simple questions.

1. OTL is done. It did the self delete and rebooted my machine. :bigthumb:

2. Security Check and McAfee Removal Tool were not found under Add/Remove Programs. So I just deleted the .exe files from my desktop. Is this correct?

3. I never use IE. I'm a Firefox person. But I'm trying to update it anyway. It just keeps saying it's downloading... :/ I'll figure it out or wait it out.

4. Service Pack 3 installed. Took forever, but it worked. :bigthumb:

5. Thanks for all the suggestions, links, and info. They are being read. No-Script sounds like a winner to me.

Questions.

1. What about ERUNT and Gmer? Can I get rid of them?

2. The malware found on my machine. How dangerous were they? Should I be worried? i.e. Passwords or worse.

3. At one point I plugged an external HD into this machine. Thoughts or concerns?

4. How do I thank you?

RobinsonCano
2010-08-08, 03:16
Hello RobinsonCano


The message you are receiving may be related to the IBM client access program you had on your machine. I did a little looking on Google and it sounds as though you may need to delete the CWBMSGBX.DLL file from your system.

More information about the message you are receiving can be found here:

http://www.techsupportforum.com/microsoft-support/win-98-me-support/56752-no-windows.html

http://social.answers.microsoft.com/Forums/en-US/xphardware/thread/b957bb6d-a440-4bd0-a459-f5a561454ab2


Note that this message does not appear to be malware related so it is really up to you if you want to follow through and remove the file.

If you choose to remove it, here is some information:


Right-click your "Start" button and select "Search".
Under "All or Part of the Filename:", type "CWBMSGBX.DLL" (without the quotation marks).
Under "Look in", select "Local Hard Drives (C: )" and then click on "Search".
Once the search is complete, delete the file that is found.



As your system appears to be clean, I will have to hand you over to some trusted Tech Forums for further assistance should you need it:

http://forums.whatthetech.com/index.php?showforum=119

http://www.techsupportforum.com/microsoft-support/windows-xp-support/

Hope this helps :)

Worked like a charm :bigthumb:

JonTom
2010-08-08, 11:55
Hello RobinsonCano


So I just deleted the .exe files from my desktop. Is this correct?

That's right. You do not need to uninstall them; deleting them from the desktop is all that is required.



What about ERUNT and Gmer? Can I get rid of them?

GMER should have been removed automatically when you removed OTL. If not, delete it from your desktop. ERUNT is a great tool. If it were me I would keep it.



How dangerous were they? Should I be worried?

Difficult to answer. It is always a good idea to change your passwords regularly, and since you have had some nasties on your system changing them now would be wise.



At one point I plugged an external HD into this machine. Thoughts or concerns?

Plug it in and scan it with your resident AV. You may also be able to scan it with MBAM by selecting the external drive from the list of scan options that appear after you select "Full Scan".



Worked like a charm

Phew!



How do I thank you?

You already have :)

Best wishes
JonTom

RobinsonCano
2010-08-08, 16:44
Difficult to answer. It is always a good idea to change your passwords regularly, and since you have had some nasties on your system changing them now would be wise.

Will work on that, thanks.



Plug it in and scan it with your resident AV. You may also be able to scan it with MBAM by selecting the external drive from the list of scan options that appear after you select "Full Scan".

And I'll give that a whirl when I get home. Thanks.

JonTom
2010-08-13, 07:55
Since this problem appears to be resolved this topic is now closed.

Glad we could help :)

If you are the topic starter and need this topic reopened, please PM a staff member (include the address of this thread in your request).

Everyone else please start a new topic.


Best wishes
JonTom