Antivir / fraud.sysguard


RobinsonCano

Last night my computer went crazy with these Antivir popups making it sound like my computer was being attacked. It was a bit crazy, but these were the steps I took with help from a friend.

Tried Spybot. It was blocked.
Turned the computer off.
Turned it back on.
Hit F8 like crazy.
Entered Safe Mode.
Ran Spybot, where it found and fixed fraud.sysguard.
Restarted the computer back in normal(?) mode.
Firefox was blocked by the proxy server setting.
I switched that setting back via a Google search.
Downloaded and ran Malwarebytes.
It found 3 things and quarantined them.

While everything seems to be running fine, I can't help but wonder if it's still there, if my computer is being monitored, and if my keystrokes are being logged or something.

I've read the sticky thread and I think I've done everything that was asked correctly. Here goes....



Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.116 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Documents and Settings\Administrator.N09110003\Desktop\dds.com

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.intranetbbva.com/es/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
mPolicies-system: MaxGPOScriptWait = 1200 (0x4b0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: laley.es\laleydigital
Trusted Zone: laleydigital.es\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {6FBA1221-C10B-5373-C69D-12A6577D9995} - c:\windows\system32:csrsc.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.n09\applic~1\mozilla\firefox\profiles\up2f9avd.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-6-2 59904]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-6-2 98304]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2007-1-18 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2007-1-18 29184]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2008-6-2 117024]

=============== Created Last 30 ================

2010-07-31 07:12:50 0 d-----w- c:\docume~1\admini~1.n09\applic~1\Malwarebytes
2010-07-31 07:12:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 07:12:31 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-07-31 07:12:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 07:12:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 06:38:35 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-31 06:04:05 0 d-----w- c:\windows\pss
2010-07-08 22:44:32 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-08 22:44:32 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-07 21:12:57 0 d-----w- c:\program files\Webteh
2010-07-04 17:08:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-04 17:08:28 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-04 17:08:26 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-04 17:08:26 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-03 17:28:04 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-03 17:28:04 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-07-02 18:35:24 0 d-----w- c:\documents and settings\administrator.n09110003\Tracing
2010-07-02 18:23:19 0 d-----w- c:\program files\Microsoft
2010-07-02 18:23:00 0 d-----w- c:\program files\Windows Live SkyDrive
2010-07-02 18:19:45 0 d-----w- c:\program files\common files\Windows Live
2010-07-02 18:07:35 0 d-----w- c:\docume~1\alluse~1.win\applic~1\AIM
2010-07-02 18:07:07 0 d-----w- c:\program files\AIM
2010-07-02 18:07:03 0 d-----w- c:\program files\common files\Software Update Utility
2010-07-02 18:06:58 0 d-----w- c:\program files\common files\AOL
2010-07-02 18:06:04 451 ---ha-w- C:\IPH.PH

==================== Find3M ====================

2007-11-22 03:26:02 3917824 --sha-r- c:\windows\system32\ntlfs.sys

============= FINISH: 22:06:37.90 ===============
 
Hello RobinsonCano and welcome!

My name is JonTom.

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.


Before we begin I would like to take a closer look at your system.


  1. Please scan your system with GMER



    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


    Please post the GMER log in your next reply.

    If you encounter any difficulties just come back and let me know.
 
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-01 16:49:19
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.N09\LOCALS~1\Temp\pxliypog.sys


---- System - GMER 1.0.15 ----

SSDT 815A9109 ZwCreateThread

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[420] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[640] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[736] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\lsass.exe[944] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\System32\svchost.exe[1332] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] USER32.dll!TrackPopupMenu 7E4650EE 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2824] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0A00638C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0A00634E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0A006500 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0A006446 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0A0064C2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0A006408 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 0A0063CA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0A006484 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0A00653E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] msvcrt.dll!system 77C293C7 5 Bytes JMP 0A00676C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0A0066B2 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] msvcrt.dll!_read 77C2FAA3 5 Bytes JMP 0A00672E C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] msvcrt.dll!_write 77C30303 5 Bytes JMP 0A0066F0 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WININET.dll!InternetOpenA 771C574E 5 Bytes JMP 0A006826 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WININET.dll!InternetOpenUrlA 771C5A01 5 Bytes JMP 0A0067E8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 0A0067AA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 0A006636 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0A00657C C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 0A0065F8 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!send 71AB428A 5 Bytes JMP 0A0065BA C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)
.text C:\WINDOWS\Explorer.EXE[2844] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0A006674 C:\WINDOWS\system32\EntApi.dll (EntAPI/McAfee, Inc)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)

---- EOF - GMER 1.0.15 ----
 
Hello RobinsonCano

Thank you for the GMER log.

Is this a networked company machine? Please let me know.

downloaded and ran Malwarebytes.
it found 3 things and quarantined them.

Please post the MBAM log that was produced when you scanned your machine (You can find it by opening MBAM and clicking on the "Logs" tab).
 
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4373

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/31/2010 2:47:24 AM
mbam-log-2010-07-31 (02-47-24).txt

Scan type: Full scan (C:\|)
Objects scanned: 271725
Time elapsed: 31 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator.N09110003\Local Settings\Temporary Internet Files\Content.IE5\F1MR971W\7781ad[2].exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\u085950.RDEXBBVA\Application Data\sdra64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AD8F9D70-CF7E-4526-8105-3467FD234E0C}\RP156\A0042054.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
 
Hello RobinsonCano

Thank you for the log.

Please work your way through the following steps:


  1. Combofix

    • Download ComboFix from one of the following locations:

      Link 1
      Link 2

    • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RC1.png

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    RC2-1.png

    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
 
ComboFix 10-07-31.04 - Administrator 08/01/2010 18:50:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.177 [GMT -5:00]
Running from: c:\documents and settings\Administrator.N09110003\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\AutoRun.inf

----- BITS: Possible infected sites -----

hxxp://S8091S05:80
.
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-08-01 03:00 . 2010-08-01 03:01 -------- d-----w- c:\program files\ERUNT
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\Malwarebytes
2010-07-31 07:12 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-07-31 07:12 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 06:38 . 2010-07-31 06:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-31 05:24 . 2010-07-31 06:57 -------- d-----w- c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu
2010-07-28 00:59 . 2010-07-28 01:02 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\Winamp
2010-07-28 00:59 . 2010-07-28 00:59 -------- d-----w- c:\program files\Winamp
2010-07-08 22:44 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-08 22:44 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-07 21:12 . 2010-07-07 21:12 -------- d-----w- c:\program files\Webteh
2010-07-04 17:08 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-04 17:08 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-04 17:08 . 2004-08-04 03:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-04 17:08 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-03 17:28 . 2010-07-03 17:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-07-03 17:28 . 2010-07-03 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 18:34 . 2010-07-02 18:19 47032 ----a-w- c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 18:23 . 2010-07-02 18:23 -------- d-----w- c:\program files\Microsoft
2010-07-02 18:23 . 2010-07-02 18:22 -------- d-----w- c:\program files\Windows Live
2010-07-02 18:23 . 2010-07-02 18:23 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-07-02 18:19 . 2010-07-02 18:19 -------- d-----w- c:\program files\Common Files\Windows Live
2010-07-02 18:09 . 2010-07-02 18:08 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\acccore
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\program files\AIM
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-07-02 18:06 . 2010-07-02 18:06 -------- d-----w- c:\program files\Common Files\AOL
2010-07-02 18:00 . 2010-07-02 18:00 -------- d-----w- c:\program files\Google
2010-07-01 22:36 . 2010-07-01 22:36 0 ----a-w- c:\windows\nsreg.dat
2007-11-22 03:26 . 2008-09-18 21:05 3917824 --sha-r- c:\windows\system32\ntlfs.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-06-19 101144]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-06-19 84760]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-06-19 125720]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 98304]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-03 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-03 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-03 49202]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-03 20480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UpdaterUI.exe" [2006-10-30 131072]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 1200 (0x4b0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logoff\0\0]
"Script"=\\BBVA_PANAMA.local\NETLOGON\fondo.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logon\0\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\Doc_Escaneados.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logon\1\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\BT-DSP.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15767\Scripts\Logoff\0\0]
"Script"=\\BBVA_PANAMA.local\NETLOGON\fondo.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15767\Scripts\Logon\0\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\BT-DSP.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [6/2/2008 8:31 PM 59904]
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\At1.job
- c:\windows\System32\Reinicio.exe [2009-03-23 16:26]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: laley.es\laleydigital
Trusted Zone: laleydigital.es\www
FF - ProfilePath - c:\documents and settings\Administrator.N09110003\Application Data\Mozilla\Firefox\Profiles\up2f9avd.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{6FBA1221-C10B-5373-C69D-12A6577D9995} - c:\windows\system32:csrsc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 18:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\EntApi.dll
.
Completion time: 2010-08-01 19:00:42
ComboFix-quarantined-files.txt 2010-08-02 00:00

Pre-Run: 36,936,237,056 bytes free
Post-Run: 37,023,821,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3E5C2B8B7A44C230E6CA9DBBDEAC9820
 
Hello RobinsonCano

Thank you for the log.


  1. Please work through the following steps

    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

      DDS::
      uInternet Settings,ProxyServer = http=127.0.0.1:5643
      uInternet Settings,ProxyOverride = <local>
      Trusted Zone: laley.es\laleydigital
      Trusted Zone: laleydigital.es\www

      AtJob::

      DirLook::
      c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe

      CFScriptB-4.gif



    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.

  2. Please make all files and folders VISIBLE:

    • Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
    • Choose to "Show hidden files and folders."
    • Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
    • Close the window with "OK".

  3. Please scan the following files

    • Please visit Virus Total by clicking here.
    • Click the Browse button and search for the following file (if present): c:\windows\System32\Reinicio.exe
    • Click Open.
    • Then click Send File.
    • Please be patient while the file is scanned.
    • If Virus Total tells you that the file has already been scanned, click "reanalyse now".
    • Once the scan results appear, copy and paste them into Notepad and repeat the procedure for the following file(s):

    c:\windows\system32\ntlfs.sys

    • Please provide the ComboFix log and the Virus total Scan results in your next reply.

      NOTE: You may need to make more than one post to fit all of the information in.
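As an added illustration (not part of this thread, ComboFix or DDS), the script below shows how a defender can triage a ComboFix-style log for the same indicators the CFScript above targets: a browser proxy pointed at the loopback address (the rogue-AV trick that left Firefox "proxy server blocked"), Trusted Zone entries the owner should be able to account for, At*.job scheduled tasks and the executable they launch, paths that name an NTFS alternate data stream (such as the orphaned ActiveSetup target system32:csrsc.exe), and file rows carrying both the system and hidden attributes (such as ntlfs.sys). The sample input is constructed from lines of the log posted in this thread; the regexes, categories and function names are this example's own assumptions. It only reads and reports; it changes nothing on the machine.

```python
"""Triage a ComboFix-style log for suspicious indicators (added example, read-only)."""
import ipaddress
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, detail)

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
ATJOB_RE = re.compile(r"c:\\windows\\Tasks\\At\d+\.job", re.IGNORECASE)
# drive:\path:stream  ([^:\s]+ keeps this from matching clock times; it will
# miss a stream on a path containing spaces, which is acceptable for triage)
ADS_RE = re.compile(r"([a-z]:\\[^:\s]+):([^\s\\]+)", re.IGNORECASE)
# ComboFix file rows: "<created> . <modified> <size|--------> <attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(\d+|-+)\s+([-a-z]{8})\s+(.+)$"
)

# Constructed sample: lines condensed from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2010-07-31 c:\windows\Tasks\At1.job
- c:\windows\System32\Reinicio.exe [2009-03-23 16:26]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
Trusted Zone: laley.es\laleydigital
Trusted Zone: laleydigital.es\www
FF - prefs.js: network.proxy.type - 0
ActiveSetup-{6FBA1221-C10B-5373-C69D-12A6577D9995} - c:\windows\system32:csrsc.exe
2007-11-22 03:26 . 2008-09-18 21:05 3917824 --sha-r- c:\windows\system32\ntlfs.sys
2010-07-31 07:12 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""


def is_loopback_proxy(value: str) -> bool:
    """True if any entry of "http=host:port;https=host:port" (or bare "host:port")
    points at localhost, 127.0.0.0/8 or ::1, i.e. at a process on this machine."""
    for entry in value.split(";"):
        hostport = entry.split("=", 1)[-1]
        host = hostport.rsplit(":", 1)[0].strip("[]")
        if host.lower() == "localhost":
            return True
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:  # a hostname rather than an IP literal
            continue
    return False


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect (category, detail) findings in line order."""
    findings: List[Finding] = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = PROXY_RE.search(line)
        if m:
            cat = "loopback-proxy" if is_loopback_proxy(m.group(1)) else "proxy"
            findings.append((cat, m.group(1)))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append(("trusted-zone", m.group(1)))
            continue
        if ATJOB_RE.search(line):
            # ComboFix lists the job's command on the following "- <path> [date]" line
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            target = nxt.lstrip("- ").split(" [", 1)[0] or "(target not listed)"
            findings.append(("at-job", target))
            continue
        m = ADS_RE.search(line)
        if m:
            findings.append(("ads", f"{m.group(1)}:{m.group(2)}"))
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            # system+hidden on a file (not a directory) earns a second look; some
            # legitimate OS files carry it too, so this is a review queue, not a verdict
            if "s" in attrs and "h" in attrs and not attrs.startswith("d"):
                findings.append(("hidden-system-file", f"{path} ({size} bytes, {attrs})"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

Run against the sample it reports the At1.job launching Reinicio.exe, the loopback proxy on port 5643, the two Trusted Zone hosts, the csrsc.exe stream on system32, and ntlfs.sys as a system+hidden file: exactly the items the helper removes or asks to have scanned. The proxy check is the one finding that is a near-certain sign of trouble on a home machine; the others are prompts to verify.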
 
good morning. something i started to notice today. this computer has this mcafee virus scan enterprise program. and it wasnt listed on the link you sent me. and something as simple as right clicking it in the task bar doesn't work. i have figured out how to disable it so that its not on at restart. its a checkbox that i uncheck and hit apply. and while that works, for some reason after a few minutes i see that it enables itself. sometimes half way through whatever it is you asked me to.
 
Hello RobinsonCano

for some reason after a few minutes i see that it enables itself
This is related to the Corporate Version of McAfee that your laptop has installed. It is specifically designed only to allow very short disable times so as to maintain the security/integrity of business servers etc.

the laptop belonged to BBVA. whenever they get new ones, they take the old ones and 'wipe them clean' and donate them to different schools, charities, etc. i got one of the donated ones recently.
It looks as though the company did not remove the installed Corporate security program. As this is the corporate edition, and since this machine was donated to you, it is very likely that the security program is no longer supported/kept up to date (unless you have an active subscription). As for how to disable the program for extended periods of time, ordinarily this would be done by the system administrator (the company IT department). As this machine has been donated to you this option is not available.

Given that you are now using this machine for home computing you would be better off with an AV and Firewall designed specifically for your needs. I can provide links to free software that is both reliable and trustworthy should you wish to uninstall the current program (probably best, and it would certainly give you more control over what it does and when). Please let me know.

sometimes half way through whatever it is you asked me to.
Did ComboFix complete its run when McAfee re-enabled itself? Was a log produced? Please check at C:\ComboFix.txt
 
yeah, i tried to update the definitions on that VirusScan, it never seems to work or fully download. the definitions are 16 months old. seems the computer was just sitting around for a while. so im ok uninstalling it if it helps our cause.
 
Did ComboFix complete its run when McAfee re-enabled itself? Was a log produced? Please check at C:\ComboFix.txt

step 1 from your last instructions. the drag and drop. yes.

ComboFix 10-07-31.04 - Administrator 08/02/2010 8:31.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.251 [GMT -5:00]
Running from: c:\documents and settings\Administrator.N09110003\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.N09110003\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
.

2010-08-01 03:00 . 2010-08-01 03:01 -------- d-----w- c:\program files\ERUNT
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\Malwarebytes
2010-07-31 07:12 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-07-31 07:12 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 07:12 . 2010-07-31 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-31 06:38 . 2010-07-31 06:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-31 05:24 . 2010-07-31 06:57 -------- d-----w- c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu
2010-07-28 00:59 . 2010-07-28 01:02 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\Winamp
2010-07-28 00:59 . 2010-07-28 00:59 -------- d-----w- c:\program files\Winamp
2010-07-08 22:44 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-08 22:44 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-07 21:12 . 2010-07-07 21:12 -------- d-----w- c:\program files\Webteh
2010-07-04 17:08 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-04 17:08 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-04 17:08 . 2004-08-04 03:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-04 17:08 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-03 17:28 . 2010-07-03 17:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-07-03 17:28 . 2010-07-03 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 18:34 . 2010-07-02 18:19 47032 ----a-w- c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 18:23 . 2010-07-02 18:23 -------- d-----w- c:\program files\Microsoft
2010-07-02 18:23 . 2010-07-02 18:22 -------- d-----w- c:\program files\Windows Live
2010-07-02 18:23 . 2010-07-02 18:23 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-07-02 18:19 . 2010-07-02 18:19 -------- d-----w- c:\program files\Common Files\Windows Live
2010-07-02 18:09 . 2010-07-02 18:08 -------- d-----w- c:\documents and settings\Administrator.N09110003\Application Data\acccore
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\program files\AIM
2010-07-02 18:07 . 2010-07-02 18:07 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-07-02 18:06 . 2010-07-02 18:06 -------- d-----w- c:\program files\Common Files\AOL
2010-07-02 18:00 . 2010-07-02 18:00 -------- d-----w- c:\program files\Google
2010-07-01 22:36 . 2010-07-01 22:36 0 ----a-w- c:\windows\nsreg.dat
2007-11-22 03:26 . 2008-09-18 21:05 3917824 --sha-r- c:\windows\system32\ntlfs.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Administrator.N09110003\Local Settings\Application Data\snuemqsiu ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-06-19 101144]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-06-19 84760]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-06-19 125720]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 98304]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-03 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-03 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-03 49202]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-03 20480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UpdaterUI.exe" [2006-10-30 131072]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 1200 (0x4b0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logoff\0\0]
"Script"=\\BBVA_PANAMA.local\NETLOGON\fondo.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logon\0\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\Doc_Escaneados.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15613\Scripts\Logon\1\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\BT-DSP.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15767\Scripts\Logoff\0\0]
"Script"=\\BBVA_PANAMA.local\NETLOGON\fondo.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-920026266-725345543-15767\Scripts\Logon\0\0]
"Script"=\\bbva_panama.local\SysVol\bbva_panama.local\scripts\BT-DSP.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [6/2/2008 8:31 PM 59904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator.N09110003\Application Data\Mozilla\Firefox\Profiles\up2f9avd.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 08:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\EntApi.dll
.
Completion time: 2010-08-02 08:40:17
ComboFix-quarantined-files.txt 2010-08-02 13:40
ComboFix2.txt 2010-08-02 00:00

Pre-Run: 37,064,454,144 bytes free
Post-Run: 37,004,247,040 bytes free

- - End Of File - - 905D997DD0D8EC9E82E8C17FF9557CD8
 
Hello RobinsonCano

Thank you for the ComboFix log.

Please DO NOT surf the web until you have a new AV and Firewall installed <===== Very Important!

If you have uninstalled McAfee, please run the following tool and continue with the steps below before scanning the files at Virus Total:


  1. Download and run the McAfee Removal Tool

    • I can see that you have remnants of McAfee present on your system. To remove these, please do the following:
    • Download the McAfee Removal Tool by clicking here and save the file (called MCPR.exe) to your desktop.
    • Double click on MCPR.exe to run the removal tool.
    • Once you receive the "Cleanup Successful" message, restart your computer.

    For more information about this removal tool please click here.


  2. Security programs

    • You can find links to three trusted programs below (just choose 1).


    • For a free Firewall you could try the following:
    • Comodo Personal Firewall
    • NOTE: If you use a Third Party AntiVirus, make sure you uncheck the option to install Comodo AntiVirus when you install Comodo Firewall.

    • IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system.

    Once you have installed the AV, update the program, then continue with the VirusTotal scans.

    If you run into any problems just come back and let me know.
 
ok. just so have this straight before i proceed.

1. uninstall McAfee.
2. McAfee removal tool.
3. new AV. im going with Microsoft Security Essentials
4. new firewall. Comodo.
5 then go back to previous post and do numbers 2 and 3 there.

correct?

p.s. i appreciate you being so patient with me.
 
:bigthumb:

You can of course choose whichever AV/Firewall you prefer (I was just providing a few suggestions but there are many more available).

i appreciate you being so patient with me.

No problem RobinsonCano :)
 
hit a snag. i did add remove programs. and removed McAfee VirusScan Enterprise.

McAfee removal tool says "McAfee Enterprise software detected. Cannot continue. Please contact McAfee technical support."
 