
search results redirected to "toseeka" website


  • This topic is locked
18 replies to this topic

#1 LitlElvis
  • Members
  • 14 posts

Posted 03 August 2009 - 02:47 PM

Recently IE searches in Yahoo and Google are intermittently redirected to a "toseeka" website with some combination of my search string input into its search input field.

Please let me know where to start...


#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,035 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 August 2009 - 02:54 PM

Hello and welcome. Please run these next. If you have Spybot installed, temporarily disable it.
Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 LitlElvis
  • Topic Starter
  • Members
  • 14 posts

Posted 03 August 2009 - 04:16 PM

Thanks for the quick response!

MBAM log is below:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/3/2009 2:14:48 PM
mbam-log-2009-08-03 (14-14-48).txt

Scan type: Quick Scan
Objects scanned: 104658
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,035 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 August 2009 - 07:55 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
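
Added example (my own code, not GMER's and not from anyone in this thread): a small Python triage script for the gmer.log file saved at this step, written against the line format that appears in this thread. It groups the hooks GMER reports by the module GMER attributes them to, then lists what a helper would check by hand: hooks with no attributed owner, and a driver the kernel references that GMER could not find on disk. The regular expressions are my reading of the posted lines, not a published grammar. In the sample log inside the script, the ZwOpenFile entry and its addresses are constructed; the other lines are copied from the log posted in this thread.

```python
"""Triage helper for a GMER log (added example, not GMER's own code).

Groups the hooks GMER reports by the module it attributes them to and
pulls out what a helper would check by hand: hooks with no attributed
owner, and drivers the kernel references that GMER cannot find on disk.
Line shapes are assumed from the log posted in this thread.
"""
import re
from collections import Counter

# "Code <driver path> (<description>) <function> [0xADDR]"      (System section)
SYSTEM_RE = re.compile(
    r"^Code\s+(?P<path>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[0x(?P<addr>[0-9A-Fa-f]+)\])?\s*$"
)
# ".text [process[pid]] module!function[ + N] ADDR N Bytes <rest>"   (code sections)
INLINE_RE = re.compile(
    r"^(?P<section>\.\w+|PAGE)\s+(?:(?P<process>.+?\[\d+\])\s+)?(?P<module>\S+?)!"
    r"(?P<func>\w+)(?:\s+\+\s+(?P<offset>\d+))?\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes?\s+(?P<rest>.*)$"
)
# <rest> of an inline patch when it is a JMP, optionally naming the owning module
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<path>.+?)\s+\((?P<desc>[^)]*)\))?\s*$"
)
# "? driver.sys The system cannot find the file specified. !"
MISSING_RE = re.compile(
    r"^\?\s+(?P<driver>\S+)\s+The system cannot find the file specified\.\s*!\s*$"
)


def triage_gmer_log(text):
    """Return hooks_by_owner (Counter: module path -> hook count),
    unattributed ([(scope, symbol, addr)]) and missing_drivers ([name])."""
    hooks_by_owner = Counter()
    unattributed = []
    missing_drivers = []
    owner_of = {}  # (scope, symbol) -> owner, so "+ N" continuation lines inherit it

    for raw in text.splitlines():
        line = raw.strip()
        m = SYSTEM_RE.match(line)
        if m:
            hooks_by_owner[m["path"]] += 1
            continue
        m = MISSING_RE.match(line)
        if m:
            missing_drivers.append(m["driver"])
            continue
        m = INLINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, "section is writeable" notes, etc.
        scope = m["process"] or "kernel"
        symbol = f'{m["module"]}!{m["func"]}'
        j = JMP_RE.match(m["rest"])
        owner = j["path"] if j else None
        if owner is None and m["offset"] is not None:
            # GMER sometimes reports one patch as two lines: a short JMP, then
            # the leftover bytes at "+ N". Treat them as the same hook.
            owner = owner_of.get((scope, symbol))
        if owner:
            hooks_by_owner[owner] += 1
            owner_of[(scope, symbol)] = owner
        else:
            unattributed.append((scope, symbol, m["addr"]))
    return {"hooks_by_owner": hooks_by_owner, "unattributed": unattributed,
            "missing_drivers": missing_drivers}


# Constructed sample: lines copied from the log in this thread, plus one made-up
# kernel hook (ZwOpenFile, addresses 8057A0D0 / B2C41000) with no owner reported.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAD47A9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AD47A9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 2 Bytes JMP AD47AADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey + 3 8062425D 4 Bytes [E5, 2C, 90, 90] {IN EAX, 0x2c; NOP ; NOP }
.text ntkrnlpa.exe!ZwOpenFile 8057A0D0 5 Bytes JMP B2C41000
? cuvgmx.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB0FE5
"""

if __name__ == "__main__":
    summary = triage_gmer_log(SAMPLE_LOG)
    for owner, n in summary["hooks_by_owner"].most_common():
        print(f"{n:3d} hooks  {owner}")
    for scope, symbol, addr in summary["unattributed"]:
        print(f"REVIEW  {symbol} at {addr} ({scope}): no owning module reported")
    for drv in summary["missing_drivers"]:
        print(f"REVIEW  {drv}: referenced by the kernel but not found on disk")
```

Run as a script, it prints the mfehidk.sys hooks grouped under one owner (the split ZwEnumerateValueKey patch counts once per line but stays with that driver), while the constructed unowned kernel JMP, the user-mode JMP into bare process memory in sqlservr.exe and the missing cuvgmx.sys driver land in the review lists. An owner attribution is a starting point for checking each module, not a verdict on it, and anything with no attribution is exactly what the helper who reads the log needs to look at next.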

#5 LitlElvis
  • Topic Starter
  • Members
  • 14 posts

Posted 04 August 2009 - 10:55 AM

After GMER was done, I had to reboot to get internet access again, so the "copied" data was lost. I'm posting the "gmer.log" information as it was saved. Let me know if I need to re-scan with GMER.

GMER 1.0.15.15011 [fp5q0goj.exe] - http://www.gmer.net
Rootkit scan 2009-08-04 08:44:05
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAD47A9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAD47AA41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAD47A958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAD47A96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAD47AA55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAD47AA81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAD47AAEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAD47AAD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAD47A9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAD47AB1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAD47AA2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAD47A930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAD47A944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAD47A9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAD47AB57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAD47AAC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAD47AAAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAD47AA6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAD47AB43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAD47AB2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAD47A996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAD47A982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAD47AA97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAD47AA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAD47AB05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAD47AA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAD47A9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AD47A9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AD47A9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP AD47A9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP AD47AA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP AD47A9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP AD47A934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP AD47A948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP AD47A986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP AD47A970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP AD47A95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP AD47A99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP AD47AA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219E8 7 Bytes JMP AD47AAB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D36 7 Bytes JMP AD47AA9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP AD47AB09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP AD47AAC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 7 Bytes JMP AD47AA6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP AD47AA45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP AD47AA59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP AD47AA85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 7 Bytes JMP AD47AAF3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 2 Bytes JMP AD47AADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey + 3 8062425D 4 Bytes [E5, 2C, 90, 90] {IN EAX, 0x2c; NOP ; NOP }
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP AD47AA31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP AD47AB5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625168 5 Bytes JMP AD47AB33 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585C 5 Bytes JMP AD47AB47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP AD47AB1F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? cuvgmx.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[224] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[224] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[388] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[388] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\McAfee\VirusScan\McShield.exe[400] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\McAfee\VirusScan\McShield.exe[400] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[496] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\McAfee\MPF\MPFSrv.exe[496] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB0FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DB0F6D
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DB0062
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DB0051
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DB0040
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB0F9E
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DB0F3C
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DB0084
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB0EEB
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DB0F06
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DB009F
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DB002F
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DB0000
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DB0073
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DB0FAF
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DB0FCA
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DB0F21
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] ADVAPI32.DLL!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DA002F
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] ADVAPI32.DLL!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DA007D
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] ADVAPI32.DLL!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DA0FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] ADVAPI32.DLL!RegOpenKeyW 77DD7946 5 Bytes JMP 00DA0014
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] ADVAPI32.DLL!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DA006C
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] ADVAPI32.DLL!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DA0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] ADVAPI32.DLL!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DA0051
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] ADVAPI32.DLL!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DA0040
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] MSVCRT.DLL!_wsystem 77C2931E 5 Bytes JMP 00D90049
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] MSVCRT.DLL!system 77C293C7 5 Bytes JMP 00D90038
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] MSVCRT.DLL!_creat 77C2D40F 5 Bytes JMP 00D90FC8
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] MSVCRT.DLL!_open 77C2F566 5 Bytes JMP 00D90000
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] MSVCRT.DLL!_wcreat 77C2FC9B 5 Bytes JMP 00D90027
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] MSVCRT.DLL!_wopen 77C30055 5 Bytes JMP 00D90FE3
.text C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x00D01000, 0x12153, 0xE0000040]
.data C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe[572] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x00D141A1]
.text C:\WINDOWS\system32\winlogon.exe[736] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\winlogon.exe[736] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070069
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F7E
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070058
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0007008E
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F48
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F1A
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F2B
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070F09
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F59
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0007009F
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F86
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FA1
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060043
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FB2
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005005C
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 0005004B
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005003A
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[780] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\services.exe[780] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F65
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80F8A
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80F9B
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80058
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F8003D
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80081
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F39
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80F14
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800AD
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800C8
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80FB6
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FDB
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F54
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F8002C
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F8009C
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70F9B
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70058
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F7003D
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F7002C
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60064
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F60049
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F6001D
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F6002E
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F6000C
.text C:\WINDOWS\system32\lsass.exe[792] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\lsass.exe[792] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90F5E
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90053
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90042
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90025
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90F8A
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F9007F
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F9006E
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F90EF0
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90F0B
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F90ED5
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F90F79
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F90FE5
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F90F43
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90FA5
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F90F1C
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FB9
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80F86
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80FCA
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80043
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80F97
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89]
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80FA8
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70025
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70F9A
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70FC6
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FB5
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70FD7
.text C:\WINDOWS\system32\svchost.exe[964] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[964] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50F83
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50F94
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50062
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50051
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50036
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D500B5
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D500A4
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50F26
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50F37
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D50F0B
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50FAF
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D5000A
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50093
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50025
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50FD4
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D50F52
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D4002C
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D4005F
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D40FDB
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D4001B
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D4004E
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D40FB6
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F4, 88]
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D4003D
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30F81
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30F9C
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30FD2
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FAD
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D3000C
.text C:\WINDOWS\system32\svchost.exe[1056] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1056] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C1009A
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10FA5
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C1007F
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10FB6
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10058
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F6D
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C100B5
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C100EB
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10F52
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10F2D
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10FD1
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10011
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10F8A
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C1002C
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C100D0
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00036
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00F83
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C00025
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00F94
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C00FAF
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E0, 88] {LOOPNZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00FC0
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0FA8
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0033
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0018
.text C:\WINDOWS\system32\svchost.exe[1128] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1128] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 054C0FEF
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 054C0F68
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 054C0053
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 054C0036
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 054C0F83
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 054C0F9E
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 054C00B0
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 054C009F
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 054C00E6
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 054C00D5
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 054C00F7
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 054C0025
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 054C000A
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 054C0082
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 054C0FB9
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 054C0FD4
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 054C0F4D
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 054B0FAF
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 054B0F54
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 054B0FC0
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 054B0000
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 054B0F6F
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 054B0FEF
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 054B0F8A
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [6B, 8D]
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 054B0011
.text C:\WINDOWS\System32\svchost.exe[1152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 053E0FC1
.text C:\WINDOWS\System32\svchost.exe[1152] msvcrt.dll!system 77C293C7 5 Bytes JMP 053E0FD2
.text C:\WINDOWS\System32\svchost.exe[1152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 053E0FE3
.text C:\WINDOWS\System32\svchost.exe[1152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 053E0000
.text C:\WINDOWS\System32\svchost.exe[1152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 053E0042
.text C:\WINDOWS\System32\svchost.exe[1152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 053E0011
.text C:\WINDOWS\System32\svchost.exe[1152] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1152] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 053C0FEF
.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 053C0FDE
.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 053C0014
.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 053C0025
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0067
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F72
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B004A
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0F8D
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0FB2
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0F44
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B008C
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B00B8
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0F1F
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B0EFA
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0039
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0FDE
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0F61
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0FCD
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0014
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B009D
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0FB9
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0F68
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0FCA
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0F79
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007A0F9E
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9A, 88]
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0025
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790044
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790FB9
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790018
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790029
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FDE
.text C:\WINDOWS\system32\svchost.exe[1236] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1236] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00F68
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00F83
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00051
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00040
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00025
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A0009F
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00F4D
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00F10
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00F21
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A000BA
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A00F9E
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00078
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00FB9
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00F32
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0036
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F0FAF
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F001B
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0FC0
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009F006C
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0051
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E0F9C
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0027
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E000C
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E0FB7
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E0FDE
.text C:\WINDOWS\system32\svchost.exe[1300] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1300] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024A0FEF
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024A0F72
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024A0067
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024A0F8D
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024A0F9E
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024A0FB9
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024A0F4D
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024A0093
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024A00CE
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024A0F2B
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024A0F1A
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 024A0040
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 024A000A
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024A0082
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 024A0FD4
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 024A001B
.text C:\WINDOWS\Explorer.EXE[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024A0F3C
.text C:\WINDOWS\Explorer.EXE[1364] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02490FB9
.text C:\WINDOWS\Explorer.EXE[1364] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0249005B
.text C:\WINDOWS\Explorer.EXE[1364] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0249000A
.text C:\WINDOWS\Explorer.EXE[1364] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02490FD4
.text C:\WINDOWS\Explorer.EXE[1364] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0249004A
.text C:\WINDOWS\Explorer.EXE[1364] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02490FEF
.text C:\WINDOWS\Explorer.EXE[1364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02490FA8
.text C:\WINDOWS\Explorer.EXE[1364] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [69, 8A]
.text C:\WINDOWS\Explorer.EXE[1364] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02490025
.text C:\WINDOWS\Explorer.EXE[1364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02480051
.text C:\WINDOWS\Explorer.EXE[1364] msvcrt.dll!system 77C293C7 5 Bytes JMP 02480036
.text C:\WINDOWS\Explorer.EXE[1364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02480FC6
.text C:\WINDOWS\Explorer.EXE[1364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02480000
.text C:\WINDOWS\Explorer.EXE[1364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0248001B
.text C:\WINDOWS\Explorer.EXE[1364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02480FD7
.text C:\WINDOWS\Explorer.EXE[1364] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 0246000A
.text C:\WINDOWS\Explorer.EXE[1364] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 02460FE5
.text C:\WINDOWS\Explorer.EXE[1364] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 0246001B
.text C:\WINDOWS\Explorer.EXE[1364] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 0246002C
.text C:\WINDOWS\Explorer.EXE[1364] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\Explorer.EXE[1364] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\spoolsv.exe[1524] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\spoolsv.exe[1524] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F70
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F81
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE005B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F44
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE008C
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F1F
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00B8
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F0E
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE004A
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F5F
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00A7
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FC0
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093007D
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0093006C
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F84
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920F95
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC1
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB0
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FD2
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1596] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[1596] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1596] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\eHome\ehRecvr.exe[1640] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\eHome\ehRecvr.exe[1640] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\eHome\ehSched.exe[1656] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\eHome\ehSched.exe[1656] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[1764] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[1764] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Java\jre6\bin\jqs.exe[2008] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Java\jre6\bin\jqs.exe[2008] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2028] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2028] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[2268] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data c:\PROGRA~1\mcafee.com\agent\mcagent.exe[2268] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\ehome\mcrdsvc.exe[2304] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\ehome\mcrdsvc.exe[2304] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe[2728] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe[2728] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F66
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F77
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F88
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FC0
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F1A
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B006C
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B008E
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B007D
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0ED0
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F4B
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B002C
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F09
.text C:\WINDOWS\system32\wuauclt.exe[2876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\wuauclt.exe[2876] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0025
.text C:\WINDOWS\system32\wuauclt.exe[2876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC6
.text C:\WINDOWS\system32\wuauclt.exe[2876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FAB
.text C:\WINDOWS\system32\wuauclt.exe[2876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0025
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0051
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0036
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[2876] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\wuauclt.exe[2876] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B400A4
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40093
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40082
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40FB9
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40051
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B40F7E
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B400C6
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40106
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B400EB
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B40F52
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40FCA
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B4001B
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B400B5
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40FE5
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40036
.text C:\WINDOWS\system32\dllhost.exe[3496] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B40F6D
.text C:\WINDOWS\system32\dllhost.exe[3496] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B2005F
.text C:\WINDOWS\system32\dllhost.exe[3496] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B2004E
.text C:\WINDOWS\system32\dllhost.exe[3496] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20018
.text C:\WINDOWS\system32\dllhost.exe[3496] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\dllhost.exe[3496] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20029
.text C:\WINDOWS\system32\dllhost.exe[3496] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FDE
.text C:\WINDOWS\system32\dllhost.exe[3496] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B30FA8
.text C:\WINDOWS\system32\dllhost.exe[3496] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B30065
.text C:\WINDOWS\system32\dllhost.exe[3496] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B30FC3
.text C:\WINDOWS\system32\dllhost.exe[3496] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B30FD4
.text C:\WINDOWS\system32\dllhost.exe[3496] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B3004A
.text C:\WINDOWS\system32\dllhost.exe[3496] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B30FE5
.text C:\WINDOWS\system32\dllhost.exe[3496] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B3002F
.text C:\WINDOWS\system32\dllhost.exe[3496] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B30014
.text C:\WINDOWS\system32\dllhost.exe[3496] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\dllhost.exe[3496] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\alg.exe[3932] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\alg.exe[3932] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#6 boopme
Global Moderator, 73,035 posts, NJ USA

Posted 04 August 2009 - 11:09 AM

Hello please do these first.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all six boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 LitlElvis (Topic Starter)
Members, 14 posts

Posted 04 August 2009 - 05:28 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/04/2009 at 02:22 PM

Application Version : 4.27.1000

Core Rules Database Version : 4037
Trace Rules Database Version: 1977

Scan type : Complete Scan
Total Scan Time : 00:37:47

Memory items scanned : 271
Memory threats detected : 0
Registry items scanned : 6437
Registry threats detected : 0
File items scanned : 66217
File threats detected : 0

RootRepeal log below. Note: this was run in standard mode; I wasn't sure if the computer still needed to be run in Safe Mode.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/04 15:16
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA6AED000 Size: 872448 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA3DB8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\mcafee_nxf4jbqk38hks09
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Program Files\AOL Games\Boggle\bogglesa.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP11\A0003599.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP12\A0003653.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP13\A0003722.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP19\A0004018.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP2\A0001035.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP21\A0004139.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP3\A0001072.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP4\A0002108.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP8\A0003420.exe:{EB9E7F04-FEEC-DB24-9B3B-6505F34AC093}
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\brett\local settings\temp\~dfa426.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\MISP\mcupdate\
Status: Invisible to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xaecbedf0

==EOF==

#8 boopme
Global Moderator, 73,035 posts, NJ USA

Posted 04 August 2009 - 07:20 PM

Do you still get redirected?

#9 LitlElvis (Topic Starter)
Members, 14 posts

Posted 04 August 2009 - 07:46 PM

Unfortunately, yes. Not every time... probably 1 out of 3.

#10 boopme
Global Moderator, 73,035 posts, NJ USA

Posted 04 August 2009 - 08:15 PM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


#11 LitlElvis (Topic Starter)
Members, 14 posts

Posted 05 August 2009 - 01:18 PM

GooredFix by jpshortstuff (12.07.09)
Log created at 11:15 on 05/08/2009 (Brett)
Firefox version [Unable to determine]

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:42 03/08/2009]

-=E.O.F=-

#12 boopme
Global Moderator, 73,035 posts, NJ USA

Posted 05 August 2009 - 03:07 PM

If you are still being redirected we will run Dr.Web.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#13 LitlElvis (Topic Starter)
Members, 14 posts

Posted 05 August 2009 - 06:59 PM

I was not able to "select all" after the DrWeb scan completed, however, during the scan it prompted me once whether to move some of the found files (I chose "move all") and once on whether or not to delete the A0008487.dll file listed below.

Here is the DrWeb.csv results:

setup.exe/data026\data009;C:\Program Files\Online Services\AOL Setup\comps\acs\acssetup.exe/data026;Trojan.PWS.GoldSpy.origin;;
data026;C:\Program Files\Online Services\AOL Setup\comps\acs;Archive contains infected objects;;
acssetup.exe;C:\Program Files\Online Services\AOL Setup\comps\acs;Archive contains infected objects;Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\AOL Setup\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Program Files\Online Services\AOL Setup\comps\coach;Archive contains infected objects;Moved.;
tbsetup.exe\data009;C:\Program Files\Online Services\AOL Setup\comps\tb\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Program Files\Online Services\AOL Setup\comps\tb;Archive contains infected objects;Moved.;
A0008487.dll;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP49;Trojan.Fakealert.4709;Deleted.;
A0009109.exe/data026\data009;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP53\A0009109.exe/data026;Trojan.PWS.GoldSpy.origin;;
data026;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP53;Archive contains infected objects;;
A0009109.exe;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP53;Archive contains infected objects;Moved.;
A0009110.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP53\A0009110.exe;Adware.Gdown;;
A0009110.exe;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP53;Archive contains infected objects;Moved.;
A0009111.exe\data009;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP53\A0009111.exe;Trojan.PWS.GoldSpy.origin;;
A0009111.exe;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP53;Archive contains infected objects;Moved.;
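
A small summariser for the DrWeb.csv layout seen in the report above, added here as an example for this thread (it is not the forum's or Dr.Web's own code). It assumes the four-field lines visible in the posted report; the sample text is constructed from those lines plus one made-up entry (example_uncured.dll) to show what an unhandled detection looks like.

```python
"""Summarise a Dr.Web CureIt DrWeb.csv report.

Added example for this thread, not the forum's or Dr.Web's own code. It assumes
the layout visible in the posted report: four ';'-separated fields and a trailing
';' (object;directory;threat;action;). A member of an archive is named in 'object'
(e.g. 'setup.exe/data026\\data009') and usually has an empty action, because
Dr.Web acts on the outermost container file, which gets its own line with an
action such as 'Moved.' or 'Deleted.'.
"""
from collections import Counter

RESTORE_MARKER = "\\system volume information\\_restore{"

# Constructed sample: lines taken from the report posted above plus one made-up
# entry (example_uncured.dll) with no action, to show an unhandled detection.
SAMPLE_REPORT = r"""
setup.exe/data026\data009;C:\Program Files\Online Services\AOL Setup\comps\acs\acssetup.exe/data026;Trojan.PWS.GoldSpy.origin;;
data026;C:\Program Files\Online Services\AOL Setup\comps\acs;Archive contains infected objects;;
acssetup.exe;C:\Program Files\Online Services\AOL Setup\comps\acs;Archive contains infected objects;Moved.;
A0008487.dll;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP49;Trojan.Fakealert.4709;Deleted.;
A0009111.exe\data009;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP53\A0009111.exe;Trojan.PWS.GoldSpy.origin;;
A0009111.exe;C:\System Volume Information\_restore{4E4AE733-5FB3-4BC7-8A3C-31D1B7644714}\RP53;Archive contains infected objects;Moved.;
example_uncured.dll;C:\Documents and Settings\user\Local Settings\Temp;Trojan.Fakealert.4709;;
"""


def parse_report(text):
    """Return one dict per detection line; blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.rstrip(";").split(";")   # an empty action leaves 3 fields
        if len(fields) < 3:
            raise ValueError("unexpected report line: %r" % raw)
        entries.append({
            "object": fields[0],
            "directory": fields[1],
            "threat": fields[2],
            "action": fields[3] if len(fields) > 3 else "",
            # Copies under System Volume Information live in restore points and
            # are removed by purging the restore points, not by the scanner.
            "in_restore_point": RESTORE_MARKER in fields[1].lower(),
        })
    return entries


def full_path(entry):
    return entry["directory"] + "\\" + entry["object"]


def on_disk_container(entry):
    """File on disk that holds this object: for an archive member the directory
    field carries the container, possibly followed by '/inner' nesting, so the
    part before the first '/' is the real file; otherwise the directory itself."""
    return entry["directory"].split("/", 1)[0]


def summarize(entries):
    """Counts a helper wants after reading the report, plus detections that
    were neither cured nor covered by moving/deleting their container."""
    acted_paths = {full_path(e) for e in entries if e["action"]}
    outstanding = []
    for e in entries:
        if e["action"] or e["threat"].startswith("Archive contains"):
            continue
        if on_disk_container(e) in acted_paths:
            continue   # nested member handled via its container
        outstanding.append(full_path(e))
    return {
        "actions": Counter(e["action"] or "(none)" for e in entries),
        "threats": Counter(e["threat"] for e in entries
                           if not e["threat"].startswith("Archive contains")),
        "restore_point_hits": sum(e["in_restore_point"] for e in entries),
        "live_hits": sum(not e["in_restore_point"] for e in entries),
        "outstanding": outstanding,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(key, value)
```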

#14 boopme
Global Moderator, 73,035 posts, NJ USA

Posted 05 August 2009 - 08:49 PM

Hello, this is good, we dumped GoldSpy. There are things in System Restore we will get to last.
Do you use AOL? There were infected Archive files.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#15 LitlElvis (Topic Starter)
Members, 14 posts

Posted 06 August 2009 - 12:53 AM

I don't use AOL, but I think some games have been downloaded from their site/servers.

I ran MBAM in normal mode; the end of your message said to reboot to normal mode after the scan but made no mention of scanning in safe mode... should I have scanned in safe mode?

Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 3

8/5/2009 10:49:59 PM
mbam-log-2009-08-05 (22-49-59).txt

Scan type: Quick Scan
Objects scanned: 105124
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
