
System freezes - is it infected?

Discussion in 'Virus & Other Malware Removal' started by timothy001, Jan 25, 2011.

    timothy001 Thread Starter

    My problem is with a Windows XP system freezing on fairly regular occasions that I cannot pin to a particular activity. The XP OS runs under VMware Workstation, which has been solid and reliable for 18+ months. I would very much appreciate an expert's eye/advice on my logs.

    Logs are:

    HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 09:49:49, on 25/01/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\VMware\VMware Tools\vmacthlp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    C:\Program Files\VMware\VMware Tools\VMwareUser.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\VMware\VMware Tools\VMwareService.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110123222923.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1254580118437
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - ThinPrint GmbH - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
    O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
    O23 - Service: VMware Physical Disk Helper Service - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmacthlp.exe

    --
    End of file - 9802 bytes



    ===============================================
    ===============================================
    ===============================================
    ===============================================



    DDS Log:


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Owner at 9:51:29.59 on 25/01/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1546 [GMT 0:00]

    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*

    ============== Running Processes ===============

    C:\Program Files\VMware\VMware Tools\vmacthlp.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    C:\Program Files\VMware\VMware Tools\VMwareUser.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\VMware\VMware Tools\VMwareService.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110123222923.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
    mRun: [VMware Tools] c:\program files\vmware\vmware tools\VMwareTray.exe
    mRun: [VMware User Process] c:\program files\vmware\vmware tools\VMwareUser.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [<NO NAME>]
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254580118437
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: TPSvc - TPSvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\m8253m4g.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-1-23 386840]
    R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2009-8-25 17968]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-23 84072]
    R1 vmhgfs;vmhgfs;c:\windows\system32\drivers\vmhgfs.sys [2009-8-25 117552]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-24 304464]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-23 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-23 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-23 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-23 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-23 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-23 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-23 141792]
    R2 VMMEMCTL;Memory Control Driver;c:\program files\vmware\vmware tools\drivers\memctl\vmmemctl.sys [2008-9-18 14384]
    R2 VMTools;VMware Tools Service;c:\program files\vmware\vmware tools\VMwareService.exe [2008-9-18 539184]
    R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;c:\program files\vmware\vmware tools\vmacthlp.exe [2008-9-18 358960]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-23 55840]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-24 20952]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-23 152960]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-23 52104]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-23 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-23 88544]
    R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2009-8-25 53424]
    R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2009-8-25 11696]
    R3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-8-25 63920]
    R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2009-8-25 36400]
    S1 vmdebug;VMware Replay Debugging Helper;c:\windows\system32\drivers\vmdebug.sys [2008-9-18 19504]
    S1 vmrawdsk;VMware Vista Physical Disk Helper;\??\c:\program files\vmware\vmware tools\vmrawdsk.sys --> c:\program files\vmware\vmware tools\vmrawdsk.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-23 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-23 84264]
    S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\vmware\vmware tools\TPAutoConnSvc.exe [2008-9-18 238832]

    =============== Created Last 30 ================

    2011-01-24 23:31:41 -------- d-----w- c:\windows\pss
    2011-01-24 20:00:23 35888 ----a-w- c:\windows\system32\vmhgfs1.dll
    2011-01-24 18:58:55 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-01-24 16:11:55 -------- dc-h--w- c:\windows\ie8
    2011-01-24 15:27:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-24 15:26:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-24 15:26:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-23 23:16:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2011-01-23 22:28:53 -------- d-----w- c:\program files\McAfee
    2011-01-23 14:16:39 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Apple
    2011-01-23 13:56:06 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Apple Computer
    2011-01-15 16:31:02 388096 ----a-r- c:\docume~1\owner\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-01-15 16:30:53 -------- d-----w- c:\program files\Trend Micro
    2010-12-31 14:27:50 -------- d-----w- c:\program files\WinLemm

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 14:17:32 141792 ----a-w- c:\windows\system32\mfevtps.exe
    2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ------w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

    ============= FINISH: 9:52:26.23 ===============


    ===============================================
    ===============================================
    ===============================================
    ===============================================


    Attaching Attach.txt


    ===============================================
    ===============================================
    ===============================================
    ===============================================

    Ark Log:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-25 11:39:38
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\vmscsi1Port1Path0Target0Lun0 VMware,_ rev.1.0_
    Running: 8pf7k44n.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwtorfod.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9EBD0E0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9EBD0F4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9EBD120]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9EBD176]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9EBD0CC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9EBD0A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9EBD0B8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9EBD10A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9EBD14C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9EBD136]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9EBD1A0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9EBD18C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9EBD160]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B9EBD164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP B9EBD17A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP B9EBD190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6040 5 Bytes JMP B9EBD150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP B9EBD0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP B9EBD0BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP B9EBD1A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP B9EBD13A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP B9EBD10E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP B9EBD0E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP B9EBD0F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP B9EBD124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP B9EBD0D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    ? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0168000A
    .text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01680036
    .text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0168001B
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02010000
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 020100AE
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02010093
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02010FB9
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02010076
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0201005B
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02010F6D
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 020100BF
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02010F30
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02010F4B
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02010F0B
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02010FD4
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02010FEF
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02010F94
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02010040
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02010025
    .text C:\WINDOWS\Explorer.EXE[184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02010F5C
    .text C:\WINDOWS\Explorer.EXE[184] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01F10022
    .text C:\WINDOWS\Explorer.EXE[184] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01F10047
    .text C:\WINDOWS\Explorer.EXE[184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01F10011
    .text C:\WINDOWS\Explorer.EXE[184] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01F10000
    .text C:\WINDOWS\Explorer.EXE[184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01F10F80
    .text C:\WINDOWS\Explorer.EXE[184] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01F10FEF
    .text C:\WINDOWS\Explorer.EXE[184] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01F10F9B
    .text C:\WINDOWS\Explorer.EXE[184] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 8A]
    .text C:\WINDOWS\Explorer.EXE[184] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01F10FB6
    .text C:\WINDOWS\Explorer.EXE[184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01F00075
    .text C:\WINDOWS\Explorer.EXE[184] msvcrt.dll!system 77C293C7 5 Bytes JMP 01F0005A
    .text C:\WINDOWS\Explorer.EXE[184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01F00038
    .text C:\WINDOWS\Explorer.EXE[184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01F00000
    .text C:\WINDOWS\Explorer.EXE[184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01F00049
    .text C:\WINDOWS\Explorer.EXE[184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01F0001D
    .text C:\WINDOWS\Explorer.EXE[184] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01EE0000
    .text C:\WINDOWS\Explorer.EXE[184] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01EE0FEF
    .text C:\WINDOWS\Explorer.EXE[184] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01EE0025
    .text C:\WINDOWS\Explorer.EXE[184] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 01EE0FCA
    .text C:\WINDOWS\Explorer.EXE[184] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01EF0000
    .text C:\WINDOWS\system32\services.exe[1048] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FE5
    .text C:\WINDOWS\system32\services.exe[1048] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0004001B
    .text C:\WINDOWS\system32\services.exe[1048] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040000
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E00FEF
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E00086
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E00075
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E00058
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E00047
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E0002C
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E000BC
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E000AB
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E00F45
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E000DE
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E00F2A
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E00FA5
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E00000
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E00F80
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E00011
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E00FC0
    .text C:\WINDOWS\system32\services.exe[1048] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E000CD
    .text C:\WINDOWS\system32\services.exe[1048] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FDB
    .text C:\WINDOWS\system32\services.exe[1048] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F8D
    .text C:\WINDOWS\system32\services.exe[1048] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0007002C
    .text C:\WINDOWS\system32\services.exe[1048] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070011
    .text C:\WINDOWS\system32\services.exe[1048] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F9E
    .text C:\WINDOWS\system32\services.exe[1048] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
    .text C:\WINDOWS\system32\services.exe[1048] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070FAF
    .text C:\WINDOWS\system32\services.exe[1048] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
    .text C:\WINDOWS\system32\services.exe[1048] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FC0
    .text C:\WINDOWS\system32\services.exe[1048] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060058
    .text C:\WINDOWS\system32\services.exe[1048] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FCD
    .text C:\WINDOWS\system32\services.exe[1048] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0006002C
    .text C:\WINDOWS\system32\services.exe[1048] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
    .text C:\WINDOWS\system32\services.exe[1048] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0006003D
    .text C:\WINDOWS\system32\services.exe[1048] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060011
    .text C:\WINDOWS\system32\services.exe[1048] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
    .text C:\WINDOWS\system32\lsass.exe[1060] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B80000
    .text C:\WINDOWS\system32\lsass.exe[1060] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B80FDB
    .text C:\WINDOWS\system32\lsass.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B80011
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0000
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0087
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F9C
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0FB9
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FCA
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0062
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00BF
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F77
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F2D
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F52
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00EB
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FDB
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0025
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE00A2
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0051
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0040
    .text C:\WINDOWS\system32\lsass.exe[1060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00D0
    .text C:\WINDOWS\system32\lsass.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FA8
    .text C:\WINDOWS\system32\lsass.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0F83
    .text C:\WINDOWS\system32\lsass.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FB9
    .text C:\WINDOWS\system32\lsass.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FD4
    .text C:\WINDOWS\system32\lsass.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0040
    .text C:\WINDOWS\system32\lsass.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FE5
    .text C:\WINDOWS\system32\lsass.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB002F
    .text C:\WINDOWS\system32\lsass.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0014
    .text C:\WINDOWS\system32\lsass.exe[1060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0FA6
    .text C:\WINDOWS\system32\lsass.exe[1060] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FC1
    .text C:\WINDOWS\system32\lsass.exe[1060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0FE3
    .text C:\WINDOWS\system32\lsass.exe[1060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
    .text C:\WINDOWS\system32\lsass.exe[1060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FD2
    .text C:\WINDOWS\system32\lsass.exe[1060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA001D
    .text C:\WINDOWS\system32\lsass.exe[1060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B9000A
    .text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FD0FEF
    .text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FD0FD4
    .text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD000A
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02420000
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0242007F
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02420F8A
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02420FA5
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02420062
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0242002C
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024200C1
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02420F6F
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02420F5E
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024200F7
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02420112
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02420047
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02420011
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0242009A
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02420FCA
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02420FDB
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024200D2
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02410FD4
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02410F8A
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02410FE5
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02410025
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02410051
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0241000A
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02410040
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02410FB9
    .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0F95
    .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FA6
    .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FD2
    .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
    .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FB7
    .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FEF
    .text C:\WINDOWS\system32\svchost.exe[1232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FE5
    .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C70FE5
    .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C70FC3
    .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C70FD4
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0000
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0F68
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0053
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0F79
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0036
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0F9E
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0093
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F57
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB00BF
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB0F26
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB00DA
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB0025
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB0FDB
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB0078
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0FAF
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0FC0
    .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB00AE
    .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CA0FC0
    .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CA0F79
    .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CA001B
    .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CA0FDB
    .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CA0F8A
    .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CA0000
    .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CA0FA5
    .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP 50C03388
    .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CA002C
    .text C:\WINDOWS\system32\svchost.exe[1336] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C9005D
    .text C:\WINDOWS\system32\svchost.exe[1336] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C9004C
    .text C:\WINDOWS\system32\svchost.exe[1336] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C9001D
    .text C:\WINDOWS\system32\svchost.exe[1336] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C90FE3
    .text C:\WINDOWS\system32\svchost.exe[1336] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C90FD2
    .text C:\WINDOWS\system32\svchost.exe[1336] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C9000C
    .text C:\WINDOWS\system32\svchost.exe[1336] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C80000
    .text C:\WINDOWS\System32\svchost.exe[1496] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 04140FE5
    .text C:\WINDOWS\System32\svchost.exe[1496] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 04140FB9
    .text C:\WINDOWS\System32\svchost.exe[1496] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 04140FD4
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04190FEF
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04190F79
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04190F94
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04190062
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04190051
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04190036
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04190F43
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04190089
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 041900C1
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 041900B0
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04190F17
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04190FA5
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0419000A
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04190F5E
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04190FCA
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0419001B
    .text C:\WINDOWS\System32\svchost.exe[1496] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04190F28
    .text C:\WINDOWS\System32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04180FA5
    .text C:\WINDOWS\System32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04180F65
    .text C:\WINDOWS\System32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04180FCA
    .text C:\WINDOWS\System32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04180000
    .text C:\WINDOWS\System32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04180F80
    .text C:\WINDOWS\System32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04180FE5
    .text C:\WINDOWS\System32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 04180022
    .text C:\WINDOWS\System32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04180011
    .text C:\WINDOWS\System32\svchost.exe[1496] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04170F8B
    .text C:\WINDOWS\System32\svchost.exe[1496] msvcrt.dll!system 77C293C7 5 Bytes JMP 04170FA6
    .text C:\WINDOWS\System32\svchost.exe[1496] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04170FB7
    .text C:\WINDOWS\System32\svchost.exe[1496] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04170FEF
    .text C:\WINDOWS\System32\svchost.exe[1496] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0417000C
    .text C:\WINDOWS\System32\svchost.exe[1496] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04170FDE
    .text C:\WINDOWS\System32\svchost.exe[1496] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04160FEF
    .text C:\WINDOWS\System32\svchost.exe[1496] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 04150FE5
    .text C:\WINDOWS\System32\svchost.exe[1496] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 04150000
    .text C:\WINDOWS\System32\svchost.exe[1496] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 04150FCA
    .text C:\WINDOWS\System32\svchost.exe[1496] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 04150FAF
    .text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00740000
    .text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0074001B
    .text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00740FE5
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780000
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00780062
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780F6D
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780047
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780F8A
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780036
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780F41
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0078007D
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007800D0
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007800BF
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007800E1
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00780FAF
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00780FEF
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00780F52
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00780FCA
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0078001B
    .text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007800A4
    .text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00770FA8
    .text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00770039
    .text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00770FB9
    .text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00770FDE
    .text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00770028
    .text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770FEF
    .text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00770F7C
    .text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [97, 88]
    .text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00770F8D
    .text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]
    .text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760022
    .text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760F97
    .text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00760FC3
    .text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760FEF
    .text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00760FB2
    .text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760FDE
    .text C:\WINDOWS\System32\svchost.exe[1616] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750000
    .text C:\WINDOWS\System32\svchost.exe[1740] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00900000
    .text C:\WINDOWS\System32\svchost.exe[1740] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00900FD4
    .text C:\WINDOWS\System32\svchost.exe[1740] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00900FE5
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0071
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F7C
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0F97
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0FA8
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0025
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F33
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F44
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00C2
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB00B1
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB00D3
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB004A
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB000A
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F6B
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FB9
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FCA
    .text C:\WINDOWS\System32\svchost.exe[1740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0096
    .text C:\WINDOWS\System32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0FB9
    .text C:\WINDOWS\System32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0F72
    .text C:\WINDOWS\System32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0FCA
    .text C:\WINDOWS\System32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\System32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0F8D
    .text C:\WINDOWS\System32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FE5
    .text C:\WINDOWS\System32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BA0F9E
    .text C:\WINDOWS\System32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DA, 88]
    .text C:\WINDOWS\System32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0025
    .text C:\WINDOWS\System32\svchost.exe[1740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930F97
    .text C:\WINDOWS\System32\svchost.exe[1740] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930FB2
    .text C:\WINDOWS\System32\svchost.exe[1740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930018
    .text C:\WINDOWS\System32\svchost.exe[1740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930FEF
    .text C:\WINDOWS\System32\svchost.exe[1740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930FC3
    .text C:\WINDOWS\System32\svchost.exe[1740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930FDE
    .text C:\WINDOWS\System32\svchost.exe[1740] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00910FEF
    .text C:\WINDOWS\System32\svchost.exe[1740] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00910014
    .text C:\WINDOWS\System32\svchost.exe[1740] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00910FDE
    .text C:\WINDOWS\System32\svchost.exe[1740] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 0091002F
    .text C:\WINDOWS\System32\svchost.exe[1740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920000
    .text C:\WINDOWS\System32\svchost.exe[1860] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B60000
    .text C:\WINDOWS\System32\svchost.exe[1860] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60FDB
    .text C:\WINDOWS\System32\svchost.exe[1860] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B60011
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0069
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0058
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0047
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0036
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FAF
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F3C
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0084
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0EF5
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F10
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0EE4
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0F94
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F63
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA001B
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FCA
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F21
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FC3
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90F97
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90FD4
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FEF
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90FA8
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90000
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B9004A
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90039
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80F9C
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80FB7
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FE3
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80000
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FC8
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B80011
    .text C:\WINDOWS\System32\svchost.exe[1860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70FEF
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2596] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3208] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----


     


Short URL to this thread: https://techguy.org/976919
