
XP Antivirus Pro 2010 - New Version


  • This topic is locked
15 replies to this topic

#1 Sheldonix

Sheldonix

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:27 PM

Posted 03 February 2010 - 10:34 PM

Hi all.

Last week, a friend's computer was infected by XP Antivirus Pro 2010. After searching the net, I found that most of the references to this malware program led to your forum, so I'm posting here for some removal help.

Firstly, there seem to be a couple of versions of this. The older one creates a directory in Program Files and creates what seem to be randomly generated file names.

This new version seems to only reference one single file which is AV.EXE.

I found the file in two places on the computer, one instance in the Task Manager - killing the process only made it restart itself, and the other instance was in a Prefetch file - found using Regedit, which I left untouched.

I bookmarked your site - hoping to come back here after the weekend for an update on the forum regarding the program removal.

However, yesterday, my friend noticed that some of the icons were missing from the right hand side of the taskbar and was having trouble accessing the Internet with Internet Explorer.

Upon further investigation, I have now found that the only icons showing up in the taskbar are the Volume Icon and the Safely Remove Hardware Icon - although most of the main programs show up as running in the Task Manager window - with the exception of his Firewall program and his AntiVirus program. Any attempts to start these processes, subsequently fail.

A new command named "start" has been added to the Right Click menu of all of the program icons - this is now the only way in which any other program will startup.

Inspection of the processes in the Task Manager window shows that the original AV.EXE process is no longer running - but upon running regedit which involved locating the regedit file via search and then right clicking on the file and using the "start" command, the AV.EXE file had disappeared from the Prefetch folder and had replicated itself to the following 13 registry entries.



  1. My Computer\HKEY_CLASSES_ROOT\.exe\shell\open\command
  2. My Computer\HKEY_CLASSES_ROOT\secfile\shell\open\command
  3. My Computer\HKEY_CURRENT_USER\Software\Classes\.exe\shell\\open\command
  4. My Computer\HKEY_CURRENT_USER\Software\Classes\secfile\shell\\open\command

    (Values are the same for all 4 of the above entries)

    NAME (Default)
    TYPE REG_SZ
    DATA "C:\Documents and Settings\Barry\Local Settings\Application Data\av.exe" /START"%1"%*

    NAME Isolated Command
    TYPE REG_SZ
    DATA "%1"%*
  5. My Computer\HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603

    NAME (Default)
    TYPE REG_SZ
    DATA (value not set)

    NAME 000
    TYPE REG_SZ
    DATA regedit

    NAME 001
    TYPE REG_SZ
    DATA av.exe
  6. My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

    NAME C:\Documents and Settings\Barry\Local Settings\Application Data\av.exe
    TYPE REG_SZ
    DATA av
  7. My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

    NAME (Default)
    TYPE REG_SZ
    DATA "C:\Documents and Settings\Barry\Local Settings\Application Data\av.exe"/START"C:\Program Files\Internet Explorer\iexplore.exe"
  8. My Computer\H_KEY_USERS\S-1-5-21-1482476501-1592454029-725345543-1003\Software\Classes\.exe\shell\open\command
  9. My Computer\H_KEY_USERS\S-1-5-21-1482476501-1592454029-725345543-1003\Software\Classes\secfile\shell\open\command

    (Values are the same for both of the above entries)

    NAME (Default)
    TYPE REG_SZ
    DATA "C:\Documents and Settings\Barry\Local Settings\Application Data\av.exe" /START"%1"%*

    NAME Isolated Command
    TYPE REG_SZ
    DATA "%1"%*
  10. My Computer\H_KEY_USERS\S-1-5-21-1482476501-1592454029-725345543-1003\Software\Microsoft\Search Assistant\ACMru\5603

    NAME (Default)
    TYPE REG_SZ
    DATA (value not set)

    NAME 000
    TYPE REG_SZ
    DATA regedit

    NAME 001
    TYPE REG_SZ
    DATA av.exe
  11. My Computer\H_KEY_USERS\S-1-5-21-1482476501-1592454029-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache

    NAME C:\Documents and Settings\Barry\Local Settings\Application Data\av.exe
    TYPE REG_SZ
    DATA av
  12. My Computer\H_KEY_USERS\S-1-5-21-1482476501-1592454029-725345543-1003Classes\Software\Classes\.exe\shell\open\command
  13. My Computer\H_KEY_USERS\S-1-5-21-1482476501-1592454029-725345543-1003Classes\secfile\shell\open\command

    (Values are the same for both of the above entries)

    NAME (Default)
    TYPE REG_SZ
    DATA "C:\Documents and Settings\Barry\Local Settings\Application Data\av.exe" /START"%1"%*

    NAME Isolated Command
    TYPE REG_SZ
    DATA "%1"%*
The only other discrepancy in the Task Manager window showed that iexplore.exe was running 4 times but Internet Explorer was only running once.

I've managed to download DDS and will post the results file here if requested. The only unusual item that GMER returned was the following :-

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] W32svc <-- ROOTKIT !!!

I've also managed to download and run Malwarebytes' Anti-Malware. Although unable to update itself, it found 3 infected objects which were in the registry under the Security Center heading. These were AntiVirusDisableNotify, FirewallDisableNotify and UpdateDisableNotify.

Is it possible that XP Antivirus Pro has somehow altered itself into something more problematic - or is this another, unrelated problem?

The only thing that makes me think that the two events are somehow related is the addition of the "start" menu icon - note the lower case - and no, it wasn't there previously - and the use of the lower case writing in some of the pop up menu items that XP Antivirus Pro bombarded the screen with.

Hope this helps.







#2 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 08 February 2010 - 04:15 AM

Hi,

can you do the next steps please:

Please download Malwarebytes' Anti-Malware from Here
If you are unable to do this from the infected computer directly, transfer the file from another computer.
Download the mbam-setup.exe to your desktop.

Now make sure extensions are shown. To do this, please look here
Then rename mbam-setup.exe to mbam-setup.com.
Then launch mbam-setup.com in order to install Malwarebytes' Anti-malware

Once Malwarebytes' Anti-Malware is installed, navigate to your Program Files\Malwarebytes' Anti-Malware folder and locate the mbam.exe in there.

Rename it to mbam.com.

Now double-click mbam.com to launch Malwarebytes' Anti-malware.
  • Click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart, so please allow MBAM to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
This should get rid of your problem as you see in the screenshot below:



You will be prompted to reboot the computer. Once this has been done, please rename mbam.com back to mbam.exe.
You'll see that it will be able to run again.

Click here to download HijackThis.
Save HJTInstall.exe to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis
After the final dialogue box it will launch HijackThis.

Click on the scan button. It will scan and then ask you to save the log.
Save the log, and post me it in your next reply.

Also, please post the log from MBAM here for me to take a look at it.

regards,

Rosty.

Proud member of ASAP since 2007
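Added example, not code from either poster or from BleepingComputer: a small Python audit that parses a .reg-style export of the executable file-association keys Sheldonix listed in post #1 and follows the .exe and .com extensions to the ProgID's shell\open\command value. Any command other than the stock "%1" %* means another program is inserted in front of every executable the user launches (here av.exe /START), which is exactly what the MBAM log in post #3 later reports as Hijacked.exeFile (Bad: secfile, Good: exefile). The export text is constructed for the example (the key names and the av.exe path follow the post, the spacing is normalised), and the function names are the example's own. The .com association comes out clean, which is the property Rosty's rename-to-.com workaround in post #2 relies on.

```python
"""Audit a registry export for a hijacked executable file association.

Added example, not code from the thread or from BleepingComputer. It parses a
.reg-style text export and follows .exe / .com to the ProgID's
shell\\open\\command value, flagging anything other than the stock "%1" %*.
"""
import re

# Constructed sample export: the keys and the av.exe path mirror the values
# quoted in the post, but the text itself is made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\Barry\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
"Isolated Command"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\Barry\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
'''

# What a stock exefile / comfile open command holds: run the target itself.
CLEAN_COMMAND = '"%1" %*'

# Stock ProgIDs for the two extensions (the MBAM log names exefile as "Good").
EXPECTED_PROGID = {".exe": "exefile", ".com": "comfile"}

# Per-machine and per-user class roots; both were hijacked on the poster's box.
CLASS_ROOTS = ("HKEY_CLASSES_ROOT", r"HKEY_CURRENT_USER\Software\Classes")

# name=value line of a .reg file; only the quoted (REG_SZ) form is needed here.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string}}; '' is the (Default) value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def launcher_of(command):
    """Program a hijacked open command runs before the real target, or None."""
    m = re.match(r'"([^"]+)"', command or "")
    if not m or m.group(1) == "%1":
        return None
    return m.group(1)


def audit_exec_associations(keys, extensions=(".exe", ".com")):
    """Follow each extension to its ProgID and inspect the open command.

    Status is 'clean', 'hijacked' (command is not "%1" %*) or 'missing'.
    """
    findings = []
    for root in CLASS_ROOTS:
        for ext in extensions:
            progid = keys.get(f"{root}\\{ext}", {}).get("")
            if progid is None:
                continue  # this hive does not define the extension
            command = keys.get(f"{root}\\{progid}\\shell\\open\\command", {}).get("")
            if command is None:
                status = "missing"
            elif command == CLEAN_COMMAND:
                status = "clean"
            else:
                status = "hijacked"
            findings.append({
                "root": root, "extension": ext, "progid": progid,
                "progid_ok": progid == EXPECTED_PROGID.get(ext),
                "command": command, "status": status,
            })
    return findings


def summarize(findings):
    """Count findings per status, e.g. {'hijacked': 2, 'clean': 1}."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_exec_associations(parse_reg_export(SAMPLE_REG_EXPORT))
    for f in results:
        print(f"{f['status']:8} {f['root']}\\{f['extension']} -> {f['progid']}"
              f" (expected ProgID: {f['progid_ok']}) launcher={launcher_of(f['command'])}")
    print(summarize(results))
```

On a live machine the same text comes from reg.exe, for example `reg export HKCR\.exe exe.reg` followed by exports of the ProgID key it names and of the HKCU\Software\Classes copies; reg.exe writes the version 5.00 format as UTF-16, so open the file with encoding="utf-16" before passing it to parse_reg_export. A hit in both roots, as in the sample, matters for cleanup: restoring HKEY_CLASSES_ROOT alone leaves the per-user override in place.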

#3 Sheldonix

Sheldonix
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:27 PM

Posted 08 February 2010 - 05:45 PM

Hi Rosty.

Thank you for your response. Actually managed to manually download the definitions file for Malwarebytes Anti Malware yesterday. After the scan was performed, it managed to quarantine and remove the virus. I have enclosed the three log files (2 from mbam and 1 from HJT). I'm aware of the problem for security center. It's currently disabled in services and I can restart it when instructed.

Still concerned about the GMER rootkit entry. Shall I repost that to a separate thread, or are the two incidents related?

Thanks for all your help so far.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.44
Database version: 3679
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

07/02/2010 21:48:50
mbam-log-2010-02-07 (21-48-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 157525
Time elapsed: 1 hour(s), 2 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\secfile (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{40A26A64-64FE-4A79-A82A-9164315D2B2C}\RP55\A0018985.exe (Trojan.Agent) -> Quarantined and deleted successfully.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.44
Database version: 3709
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

08/02/2010 22:08:10
mbam-log-2010-02-08 (22-08-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 155593
Time elapsed: 1 hour(s), 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:41:51, on 08/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PEAK Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify...t.yahoo.com/%3f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonelabs.com/downloadrequest...eqId=1011551822
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Center Agent] C:\Program Files\PEAK Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Remote Control.lnk = C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10009 bytes





#4 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 09 February 2010 - 12:44 PM

Hi,
thanks for the logs I asked about.

QUOTE
I'm aware of the problem for security center. It's currently disabled in services and I can restart it when instructed.

If I were you I would restart it. In that way you're better protected.
QUOTE
Still concerned about the GMER rootkit entry. Shall I repost that to a seperate thread, or are the two incidents related?

We will take a look at this now. You may post in this thread.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Regards,

Rosty.

Proud member of ASAP since 2007

#5 Sheldonix

Sheldonix
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:27 PM

Posted 09 February 2010 - 04:20 PM

Hi Rosty. Here is the Combofix log as requested. Restarted Security Center AFTER this was run.

ComboFix 10-02-09.01 - Barry 09/02/2010 20:51:56.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.246 [GMT 0:00]
Running from: c:\documents and settings\Barry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))
.

2010-02-09 20:30 . 2010-02-09 20:31 -------- d--h--w- c:\windows\$hf_mig$
2010-02-09 20:28 . 2010-02-09 20:30 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:21 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-09 20:21 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-09 20:21 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-09 20:21 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-09 20:21 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-09 20:21 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-02-09 20:21 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-02-08 22:50 . 2010-02-08 22:50 -------- d-----w- c:\program files\WinASO
2010-02-08 01:50 . 2010-02-08 01:50 -------- d-----w- c:\documents and settings\Barry\Local Settings\Application Data\Threat Expert
2010-02-08 01:36 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-08 01:36 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-08 01:36 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
2010-02-08 01:36 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-08 01:36 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-02-08 01:36 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
2010-02-08 01:32 . 2009-10-30 11:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-08 01:32 . 2009-11-09 11:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-08 01:32 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-08 01:31 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-08 01:31 . 2010-02-08 10:05 -------- d-----w- c:\program files\Spyware Doctor
2010-02-08 01:31 . 2010-02-08 01:37 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-08 01:31 . 2010-02-08 01:31 -------- d-----w- c:\documents and settings\Barry\Application Data\PC Tools
2010-02-08 01:31 . 2010-02-08 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-08 01:31 . 2010-02-09 20:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-08 01:23 . 2009-11-25 13:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-02-08 01:16 . 2010-02-08 01:16 -------- d-----w- c:\documents and settings\Barry\Application Data\CheckPoint
2010-02-08 01:16 . 2010-02-08 01:16 -------- d-----w- c:\program files\CheckPoint
2010-02-08 01:15 . 2009-11-22 15:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-02-08 01:15 . 2009-11-22 15:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-02-08 01:14 . 2009-11-22 15:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-02-08 01:11 . 2008-01-17 17:59 713216 -c----w- c:\windows\system32\dllcache\sxs.dll
2010-02-08 00:56 . 2010-02-08 00:44 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-08 00:56 . 2010-02-08 00:44 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-08 00:45 . 2010-02-08 09:33 -------- d-----w- C:\$AVG
2010-02-08 00:44 . 2010-02-08 00:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-08 00:44 . 2010-02-08 00:44 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-08 00:44 . 2010-02-08 00:44 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-08 00:44 . 2010-02-08 00:44 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-08 00:44 . 2010-02-09 18:49 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-08 00:44 . 2010-02-09 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-08 00:43 . 2010-02-08 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-07 20:04 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-07 20:04 . 2010-02-07 20:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-07 20:04 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 20:38 . 2010-02-03 20:38 -------- d-----w- c:\documents and settings\Barry\Application Data\Malwarebytes
2010-02-03 20:38 . 2010-02-03 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-25 23:04 . 2010-01-25 23:04 -------- d-----w- C:\THE SHADOWS at their very best
2010-01-19 19:41 . 2010-01-19 19:42 -------- d-----w- c:\temp\Uninstall
2010-01-19 19:41 . 2010-01-19 19:41 -------- d-----w- c:\program files\KWorld Multimedia
2010-01-19 19:40 . 2007-06-21 17:13 28672 ----a-w- c:\windows\system32\AF15BDAEX.dll
2010-01-19 19:40 . 2010-01-19 19:40 -------- d-----w- c:\temp\Driver
2010-01-19 19:27 . 2008-04-28 18:42 449024 ----a-r- c:\windows\system32\drivers\AF15BDA.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-09 20:35 . 2009-06-22 13:02 350000 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-08 01:15 . 2007-12-11 11:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-08 00:43 . 2009-04-01 18:41 -------- d-----w- c:\program files\AVG
2010-01-27 22:27 . 2007-12-11 10:38 21440 -c--a-w- c:\documents and settings\Barry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 19:46 . 2010-01-06 10:36 -------- d-----w- c:\documents and settings\Barry\Application Data\KWorld Multimedia
2010-01-19 19:42 . 2010-01-06 10:35 -------- d-----w- c:\program files\PEAK Multimedia
2009-12-21 19:14 . 2002-08-29 02:41 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-08 21:27 . 2009-12-08 21:27 79488 ----a-w- c:\documents and settings\Barry\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-01 17:20 . 2009-12-01 17:20 88614 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_11_30_22_31_21_small.dmp.zip
.

((((((((((((((((((((((((((((( SnapShot@2010-02-09_19.17.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-11 10:15 . 2009-01-07 17:21 26144 c:\windows\system32\spupdsvc.exe
+ 2007-12-11 10:15 . 2009-01-07 18:21 26144 c:\windows\system32\spupdsvc.exe
+ 2007-12-11 10:15 . 2009-01-07 18:20 16928 c:\windows\system32\spmsg.dll
- 2007-12-11 10:15 . 2009-01-07 17:20 16928 c:\windows\system32\spmsg.dll
+ 2002-08-29 02:41 . 2009-03-08 04:31 46592 c:\windows\system32\pngfilt.dll
- 2002-08-29 02:41 . 2009-03-08 03:31 46592 c:\windows\system32\pngfilt.dll
- 2009-01-07 17:20 . 2009-01-07 17:20 23552 c:\windows\system32\normaliz.dll
+ 2009-01-07 17:20 . 2009-01-07 18:20 23552 c:\windows\system32\normaliz.dll
- 2009-01-07 17:20 . 2009-01-07 17:20 24576 c:\windows\system32\nlsdl.dll
+ 2009-01-07 17:20 . 2009-01-07 18:20 24576 c:\windows\system32\nlsdl.dll
+ 2002-08-29 02:39 . 2009-03-08 04:31 48128 c:\windows\system32\mshtmler.dll
- 2002-08-29 02:39 . 2009-03-08 03:31 48128 c:\windows\system32\mshtmler.dll
- 2002-08-29 02:41 . 2009-03-08 03:31 66560 c:\windows\system32\mshtmled.dll
+ 2002-08-29 02:41 . 2009-03-08 04:31 66560 c:\windows\system32\mshtmled.dll
- 2001-08-18 12:00 . 2009-03-08 03:31 45568 c:\windows\system32\mshta.exe
+ 2001-08-18 12:00 . 2009-03-08 04:31 45568 c:\windows\system32\mshta.exe
+ 2009-03-08 04:31 . 2009-03-08 04:31 13312 c:\windows\system32\msfeedssync.exe
- 2009-03-08 03:31 . 2009-03-08 03:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-03-08 04:31 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
- 2009-03-08 03:31 . 2009-03-08 03:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2002-08-29 02:41 . 2009-03-08 04:34 43008 c:\windows\system32\licmgr10.dll
- 2002-08-29 02:41 . 2009-03-08 03:34 43008 c:\windows\system32\licmgr10.dll
- 2001-08-18 12:00 . 2009-03-08 03:33 25600 c:\windows\system32\jsproxy.dll
+ 2001-08-18 12:00 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
+ 2002-08-29 02:40 . 2009-03-08 04:32 94720 c:\windows\system32\inseng.dll
- 2002-08-29 02:40 . 2009-03-08 03:32 94720 c:\windows\system32\inseng.dll
+ 2002-08-29 02:40 . 2009-03-08 04:31 34816 c:\windows\system32\imgutil.dll
- 2002-08-29 02:40 . 2009-03-08 03:31 34816 c:\windows\system32\imgutil.dll
+ 2009-03-08 03:32 . 2009-03-08 04:32 36864 c:\windows\system32\ieudinit.exe
- 2009-03-08 03:32 . 2009-03-08 03:32 36864 c:\windows\system32\ieudinit.exe
- 2002-08-29 02:40 . 2009-03-08 03:32 71680 c:\windows\system32\iesetup.dll
+ 2002-08-29 02:40 . 2009-03-08 04:32 71680 c:\windows\system32\iesetup.dll
- 2001-08-18 12:00 . 2009-03-08 03:32 55808 c:\windows\system32\iernonce.dll
+ 2001-08-18 12:00 . 2009-03-08 04:32 55808 c:\windows\system32\iernonce.dll
+ 2009-01-07 17:20 . 2009-01-07 18:20 26112 c:\windows\system32\idndl.dll
- 2009-01-07 17:20 . 2009-01-07 17:20 26112 c:\windows\system32\idndl.dll
- 2009-03-08 03:31 . 2009-03-08 03:31 59904 c:\windows\system32\icardie.dll
+ 2009-03-08 04:31 . 2009-03-08 04:31 59904 c:\windows\system32\icardie.dll
- 2009-03-08 03:31 . 2009-03-08 03:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2009-03-08 04:31 . 2009-03-08 04:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2009-03-08 04:31 . 2009-03-08 04:31 48128 c:\windows\system32\dllcache\mshtmler.dll
- 2002-08-29 02:39 . 2009-03-08 03:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2009-03-08 04:31 . 2009-03-08 04:31 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2002-08-29 02:41 . 2009-03-08 03:31 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2001-08-18 12:00 . 2009-03-08 03:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-03-08 04:31 . 2009-03-08 04:31 45568 c:\windows\system32\dllcache\mshta.exe
- 2002-08-29 02:41 . 2009-03-08 03:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2002-08-29 02:41 . 2009-03-08 04:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2001-08-18 12:00 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2001-08-18 12:00 . 2009-03-08 03:33 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2002-08-29 02:40 . 2009-03-08 03:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2002-08-29 02:40 . 2009-03-08 04:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2009-03-08 04:31 . 2009-03-08 04:31 34816 c:\windows\system32\dllcache\imgutil.dll
- 2009-03-08 03:31 . 2009-03-08 03:31 34816 c:\windows\system32\dllcache\imgutil.dll
- 2002-08-29 02:40 . 2009-03-08 03:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2002-08-29 02:40 . 2009-03-08 04:32 71680 c:\windows\system32\dllcache\iesetup.dll
- 2001-08-18 12:00 . 2009-03-08 03:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2001-08-18 12:00 . 2009-03-08 04:32 55808 c:\windows\system32\dllcache\iernonce.dll
- 2007-12-11 09:57 . 2009-03-08 03:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2007-12-11 09:57 . 2009-03-08 04:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2001-08-18 12:00 . 2009-03-08 04:33 18944 c:\windows\system32\dllcache\corpol.dll
- 2001-08-18 12:00 . 2009-03-08 03:33 18944 c:\windows\system32\dllcache\corpol.dll
- 2001-08-18 12:00 . 2009-03-08 03:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2001-08-18 12:00 . 2009-03-08 04:32 72704 c:\windows\system32\dllcache\admparse.dll
- 2001-08-18 12:00 . 2009-03-08 03:33 18944 c:\windows\system32\corpol.dll
+ 2001-08-18 12:00 . 2009-03-08 04:33 18944 c:\windows\system32\corpol.dll
+ 2001-08-18 12:00 . 2009-03-08 04:32 72704 c:\windows\system32\admparse.dll
- 2001-08-18 12:00 . 2009-03-08 03:32 72704 c:\windows\system32\admparse.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 12800 c:\windows\ie8updates\KB978207-IE8\xpshims.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 55296 c:\windows\ie8updates\KB978207-IE8\msfeedsbs.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 25600 c:\windows\ie8updates\KB978207-IE8\jsproxy.dll
+ 2010-02-09 20:30 . 2009-03-08 04:33 12288 c:\windows\ie8updates\KB976325-IE8\xpshims.dll
+ 2010-02-09 20:30 . 2009-03-08 04:31 55296 c:\windows\ie8updates\KB976325-IE8\msfeedsbs.dll
+ 2010-02-09 20:30 . 2009-03-08 04:33 25600 c:\windows\ie8updates\KB976325-IE8\jsproxy.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 37888 c:\windows\ie8\url.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 37888 c:\windows\ie8\url.dll
+ 2010-02-09 20:29 . 2009-03-08 14:23 58464 c:\windows\ie8\spuninst\iecustom.dll
- 2009-04-01 23:17 . 2009-03-08 13:23 58464 c:\windows\ie8\spuninst\iecustom.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 39424 c:\windows\ie8\pngfilt.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 39424 c:\windows\ie8\pngfilt.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 96256 c:\windows\ie8\occache.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 96256 c:\windows\ie8\occache.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 56832 c:\windows\ie8\mshtmler.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 56832 c:\windows\ie8\mshtmler.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 29184 c:\windows\ie8\mshta.exe
+ 2010-02-09 20:28 . 2004-08-04 00:56 29184 c:\windows\ie8\mshta.exe
+ 2010-02-09 20:28 . 2004-08-04 00:56 22016 c:\windows\ie8\licmgr10.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 22016 c:\windows\ie8\licmgr10.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 15872 c:\windows\ie8\jsproxy.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 15872 c:\windows\ie8\jsproxy.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 96256 c:\windows\ie8\inseng.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 96256 c:\windows\ie8\inseng.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 35840 c:\windows\ie8\imgutil.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 35840 c:\windows\ie8\imgutil.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 93184 c:\windows\ie8\iexplore.exe
+ 2010-02-09 20:28 . 2004-08-04 00:56 93184 c:\windows\ie8\iexplore.exe
- 2009-04-01 23:16 . 2004-08-04 00:56 62976 c:\windows\ie8\iesetup.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 62976 c:\windows\ie8\iesetup.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 48640 c:\windows\ie8\iernonce.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 48640 c:\windows\ie8\iernonce.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 81920 c:\windows\ie8\ieencode.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 81920 c:\windows\ie8\ieencode.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 34304 c:\windows\ie8\ie4uinit.exe
+ 2010-02-09 20:28 . 2004-08-04 00:56 34304 c:\windows\ie8\ie4uinit.exe
- 2009-04-01 23:16 . 2004-08-04 00:56 38912 c:\windows\ie8\hmmapi.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 38912 c:\windows\ie8\hmmapi.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 35328 c:\windows\ie8\corpol.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 35328 c:\windows\ie8\corpol.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 99840 c:\windows\ie8\advpack.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 99840 c:\windows\ie8\advpack.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 61440 c:\windows\ie8\admparse.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 61440 c:\windows\ie8\admparse.dll
+ 2010-02-09 20:31 . 2009-03-08 04:35 2048 c:\windows\ie8updates\KB978506-IE8\iecompat.dll
- 2009-01-07 17:21 . 2009-01-07 17:21 121856 c:\windows\system32\xmllite.dll
+ 2009-01-07 17:21 . 2009-01-07 18:21 121856 c:\windows\system32\xmllite.dll
+ 2009-03-08 04:34 . 2009-03-08 04:34 208384 c:\windows\system32\WinFXDocObj.exe
- 2009-03-08 03:34 . 2009-03-08 03:34 208384 c:\windows\system32\WinFXDocObj.exe
- 2002-08-29 02:41 . 2009-03-08 03:34 236544 c:\windows\system32\webcheck.dll
+ 2002-08-29 02:41 . 2009-03-08 04:34 236544 c:\windows\system32\webcheck.dll
+ 2002-08-29 02:41 . 2009-03-08 04:33 420352 c:\windows\system32\vbscript.dll
- 2002-08-29 02:41 . 2009-03-08 03:33 420352 c:\windows\system32\vbscript.dll
+ 2002-08-29 02:41 . 2009-03-08 04:34 105984 c:\windows\system32\url.dll
- 2002-08-29 02:41 . 2009-03-08 03:34 105984 c:\windows\system32\url.dll
- 2002-08-29 02:41 . 2009-01-07 17:20 474112 c:\windows\system32\shlwapi.dll
+ 2002-08-29 02:41 . 2009-01-07 18:20 474112 c:\windows\system32\shlwapi.dll
+ 2001-08-18 12:00 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
+ 2002-08-29 02:41 . 2009-03-08 04:32 611840 c:\windows\system32\mstime.dll
- 2002-08-29 02:41 . 2009-03-08 03:32 611840 c:\windows\system32\mstime.dll
- 2002-08-29 02:41 . 2009-03-08 03:34 193536 c:\windows\system32\msrating.dll
+ 2002-08-29 02:41 . 2009-03-08 04:34 193536 c:\windows\system32\msrating.dll
+ 2001-08-18 12:00 . 2009-03-08 04:22 156160 c:\windows\system32\msls31.dll
- 2001-08-18 12:00 . 2009-03-08 03:22 156160 c:\windows\system32\msls31.dll
- 2009-03-08 03:32 . 2009-03-08 03:32 594432 c:\windows\system32\msfeeds.dll
+ 2009-03-08 04:32 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-07 17:20 . 2009-01-07 18:20 265720 c:\windows\system32\msdbg2.dll
- 2009-01-07 17:20 . 2009-01-07 17:20 265720 c:\windows\system32\msdbg2.dll
- 2001-08-18 12:00 . 2009-03-08 03:33 726528 c:\windows\system32\jscript.dll
+ 2001-08-18 12:00 . 2009-03-08 04:33 726528 c:\windows\system32\jscript.dll
+ 2009-03-08 04:22 . 2009-03-08 04:22 164352 c:\windows\system32\ieui.dll
- 2009-03-08 03:22 . 2009-03-08 03:22 164352 c:\windows\system32\ieui.dll
+ 2002-08-29 02:40 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
+ 2002-08-29 02:40 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
+ 2009-03-08 04:11 . 2009-03-08 04:11 445952 c:\windows\system32\ieapfltr.dll
- 2009-03-08 03:11 . 2009-03-08 03:11 445952 c:\windows\system32\ieapfltr.dll
- 2001-08-18 12:00 . 2009-03-08 03:32 163840 c:\windows\system32\ieakui.dll
+ 2001-08-18 12:00 . 2009-03-08 04:32 163840 c:\windows\system32\ieakui.dll
- 2002-08-29 02:40 . 2009-03-08 03:33 229376 c:\windows\system32\ieaksie.dll
+ 2002-08-29 02:40 . 2009-03-08 04:33 229376 c:\windows\system32\ieaksie.dll
- 2002-08-29 02:40 . 2009-03-08 03:33 125952 c:\windows\system32\ieakeng.dll
+ 2002-08-29 02:40 . 2009-03-08 04:33 125952 c:\windows\system32\ieakeng.dll
+ 2002-08-29 02:41 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
- 2002-08-29 02:41 . 2009-03-08 03:32 173056 c:\windows\system32\ie4uinit.exe
- 2002-08-29 02:40 . 2009-03-08 03:31 216064 c:\windows\system32\dxtrans.dll
+ 2002-08-29 02:40 . 2009-03-08 04:31 216064 c:\windows\system32\dxtrans.dll
- 2002-08-29 02:40 . 2009-03-08 03:31 348160 c:\windows\system32\dxtmsft.dll
+ 2002-08-29 02:40 . 2009-03-08 04:31 348160 c:\windows\system32\dxtmsft.dll
+ 2009-03-08 04:34 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
+ 2009-03-08 04:34 . 2009-03-08 04:34 236544 c:\windows\system32\dllcache\webcheck.dll
- 2009-03-08 03:34 . 2009-03-08 03:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2007-12-11 09:57 . 2009-03-08 04:33 759296 c:\windows\system32\dllcache\VGX.dll
- 2007-12-11 09:57 . 2009-03-08 03:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2009-03-08 04:33 . 2009-03-08 04:33 420352 c:\windows\system32\dllcache\vbscript.dll
- 2009-03-08 03:33 . 2009-03-08 03:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2009-03-08 04:34 . 2009-03-08 04:34 105984 c:\windows\system32\dllcache\url.dll
- 2009-03-08 03:34 . 2009-03-08 03:34 105984 c:\windows\system32\dllcache\url.dll
- 2009-01-07 17:20 . 2009-01-07 17:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2009-01-07 18:20 . 2009-01-07 18:20 134144 c:\windows\system32\dllcache\sqmapi.dll
- 2009-01-07 17:20 . 2009-01-07 17:20 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-01-07 18:20 . 2009-01-07 18:20 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-03-08 04:34 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
+ 2002-08-29 02:41 . 2009-03-08 04:32 611840 c:\windows\system32\dllcache\mstime.dll
- 2002-08-29 02:41 . 2009-03-08 03:32 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-03-08 03:34 . 2009-03-08 03:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2009-03-08 04:34 . 2009-03-08 04:34 193536 c:\windows\system32\dllcache\msrating.dll
- 2001-08-18 12:00 . 2009-03-08 03:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2001-08-18 12:00 . 2009-03-08 04:22 156160 c:\windows\system32\dllcache\msls31.dll
- 2009-03-08 03:33 . 2009-03-08 03:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-03-08 04:33 . 2009-03-08 04:33 726528 c:\windows\system32\dllcache\jscript.dll
- 2009-03-08 13:09 . 2009-03-08 13:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2009-03-08 14:09 . 2009-03-08 14:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2009-03-08 04:31 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2002-08-29 02:40 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2001-08-18 12:00 . 2009-03-08 04:32 163840 c:\windows\system32\dllcache\ieakui.dll
- 2001-08-18 12:00 . 2009-03-08 03:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2002-08-29 02:40 . 2009-03-08 04:33 229376 c:\windows\system32\dllcache\ieaksie.dll
- 2002-08-29 02:40 . 2009-03-08 03:33 229376 c:\windows\system32\dllcache\ieaksie.dll
- 2002-08-29 02:40 . 2009-03-08 03:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2002-08-29 02:40 . 2009-03-08 04:33 125952 c:\windows\system32\dllcache\ieakeng.dll
- 2002-08-29 02:41 . 2009-03-08 03:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2002-08-29 02:41 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-03-08 04:31 . 2009-03-08 04:31 216064 c:\windows\system32\dllcache\dxtrans.dll
- 2009-03-08 03:31 . 2009-03-08 03:31 216064 c:\windows\system32\dllcache\dxtrans.dll
- 2009-03-08 03:31 . 2009-03-08 03:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2009-03-08 04:31 . 2009-03-08 04:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2009-03-08 04:32 . 2009-03-08 04:32 128512 c:\windows\system32\dllcache\advpack.dll
- 2002-08-29 02:40 . 2009-03-08 03:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2002-08-29 02:40 . 2009-03-08 04:32 128512 c:\windows\system32\advpack.dll
- 2002-08-29 02:40 . 2009-03-08 03:32 128512 c:\windows\system32\advpack.dll
+ 2010-02-09 20:31 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB978506-IE8\spuninst\updspapi.dll
+ 2010-02-09 20:31 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB978506-IE8\spuninst\spuninst.exe
+ 2010-02-09 20:31 . 2009-10-29 07:45 916480 c:\windows\ie8updates\KB978207-IE8\wininet.dll
+ 2010-02-09 20:31 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB978207-IE8\spuninst\updspapi.dll
+ 2010-02-09 20:31 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB978207-IE8\spuninst\spuninst.exe
+ 2010-02-09 20:31 . 2009-10-29 07:45 206848 c:\windows\ie8updates\KB978207-IE8\occache.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 594432 c:\windows\ie8updates\KB978207-IE8\msfeeds.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 246272 c:\windows\ie8updates\KB978207-IE8\ieproxy.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 184320 c:\windows\ie8updates\KB978207-IE8\iepeers.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 387584 c:\windows\ie8updates\KB978207-IE8\iedkcs32.dll
+ 2010-02-09 20:31 . 2009-10-28 14:40 173056 c:\windows\ie8updates\KB978207-IE8\ie4uinit.exe
+ 2010-02-09 20:30 . 2009-03-08 04:34 914944 c:\windows\ie8updates\KB976325-IE8\wininet.dll
+ 2010-02-09 20:30 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB976325-IE8\spuninst\updspapi.dll
+ 2010-02-09 20:30 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB976325-IE8\spuninst\spuninst.exe
+ 2010-02-09 20:30 . 2009-03-08 04:34 109568 c:\windows\ie8updates\KB976325-IE8\occache.dll
+ 2010-02-09 20:30 . 2009-03-08 04:32 594432 c:\windows\ie8updates\KB976325-IE8\msfeeds.dll
+ 2010-02-09 20:30 . 2009-03-08 04:33 246784 c:\windows\ie8updates\KB976325-IE8\ieproxy.dll
+ 2010-02-09 20:30 . 2009-03-08 04:31 183808 c:\windows\ie8updates\KB976325-IE8\iepeers.dll
+ 2010-02-09 20:30 . 2009-03-08 14:09 391536 c:\windows\ie8updates\KB976325-IE8\iedkcs32.dll
+ 2010-02-09 20:30 . 2009-03-08 04:32 173056 c:\windows\ie8updates\KB976325-IE8\ie4uinit.exe
+ 2010-02-09 20:28 . 2004-08-04 00:56 656384 c:\windows\ie8\wininet.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 656384 c:\windows\ie8\wininet.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 276480 c:\windows\ie8\webcheck.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 276480 c:\windows\ie8\webcheck.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 848384 c:\windows\ie8\vgx.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 848384 c:\windows\ie8\vgx.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 417792 c:\windows\ie8\vbscript.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 417792 c:\windows\ie8\vbscript.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 601088 c:\windows\ie8\urlmon.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 601088 c:\windows\ie8\urlmon.dll
- 2009-04-01 23:17 . 2009-01-07 17:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2010-02-09 20:29 . 2009-01-07 18:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2010-02-09 20:29 . 2009-01-07 18:20 231456 c:\windows\ie8\spuninst\spuninst.exe
- 2009-04-01 23:17 . 2009-01-07 17:20 231456 c:\windows\ie8\spuninst\spuninst.exe
- 2009-04-01 23:16 . 2004-08-04 00:56 473600 c:\windows\ie8\shlwapi.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 473600 c:\windows\ie8\shlwapi.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 530432 c:\windows\ie8\mstime.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 530432 c:\windows\ie8\mstime.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 146432 c:\windows\ie8\msrating.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 146432 c:\windows\ie8\msrating.dll
+ 2010-02-09 20:28 . 2001-08-18 12:00 146432 c:\windows\ie8\msls31.dll
- 2009-04-01 23:16 . 2001-08-18 12:00 146432 c:\windows\ie8\msls31.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 448512 c:\windows\ie8\mshtmled.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 448512 c:\windows\ie8\mshtmled.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 450560 c:\windows\ie8\jscript.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 450560 c:\windows\ie8\jscript.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 249344 c:\windows\ie8\iepeers.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 249344 c:\windows\ie8\iepeers.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 323584 c:\windows\ie8\iedkcs32.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 323584 c:\windows\ie8\iedkcs32.dll
+ 2010-02-09 20:28 . 2001-08-18 12:00 221184 c:\windows\ie8\ieakui.dll
- 2009-04-01 23:16 . 2001-08-18 12:00 221184 c:\windows\ie8\ieakui.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 216576 c:\windows\ie8\ieaksie.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 216576 c:\windows\ie8\ieaksie.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 139264 c:\windows\ie8\ieakeng.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 139264 c:\windows\ie8\ieakeng.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 201728 c:\windows\ie8\dxtrans.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 201728 c:\windows\ie8\dxtrans.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 357888 c:\windows\ie8\dxtmsft.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 357888 c:\windows\ie8\dxtmsft.dll
+ 2002-08-29 02:41 . 2009-12-21 19:14 1208832 c:\windows\system32\urlmon.dll
+ 2002-08-29 02:41 . 2009-01-07 18:20 1497088 c:\windows\system32\shdocvw.dll
- 2002-08-29 02:41 . 2009-01-07 17:20 1497088 c:\windows\system32\shdocvw.dll
+ 2002-08-29 02:41 . 2009-12-21 19:14 5942784 c:\windows\system32\mshtml.dll
+ 2009-03-08 04:32 . 2009-12-21 19:14 1985536 c:\windows\system32\iertutil.dll
+ 2009-02-06 21:07 . 2009-02-06 21:07 3698584 c:\windows\system32\ieapfltr.dat
- 2009-02-06 20:07 . 2009-02-06 20:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2009-03-08 04:34 . 2009-12-21 19:14 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2009-01-07 18:20 . 2009-01-07 18:20 1497088 c:\windows\system32\dllcache\shdocvw.dll
- 2009-01-07 17:20 . 2009-01-07 17:20 1497088 c:\windows\system32\dllcache\shdocvw.dll
+ 2009-03-08 04:41 . 2009-12-21 19:14 5942784 c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-07 18:20 . 2009-01-07 18:20 1022976 c:\windows\system32\dllcache\browseui.dll
- 2009-01-07 17:20 . 2009-01-07 17:20 1022976 c:\windows\system32\dllcache\browseui.dll
- 2002-08-29 02:40 . 2009-01-07 17:20 1022976 c:\windows\system32\browseui.dll
+ 2002-08-29 02:40 . 2009-01-07 18:20 1022976 c:\windows\system32\browseui.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 1208832 c:\windows\ie8updates\KB978207-IE8\urlmon.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 5940736 c:\windows\ie8updates\KB978207-IE8\mshtml.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 1985536 c:\windows\ie8updates\KB978207-IE8\iertutil.dll
+ 2010-02-09 20:30 . 2009-03-08 04:34 1206784 c:\windows\ie8updates\KB976325-IE8\urlmon.dll
+ 2010-02-09 20:30 . 2009-03-08 04:41 5937152 c:\windows\ie8updates\KB976325-IE8\mshtml.dll
+ 2010-02-09 20:30 . 2009-03-08 04:32 1985024 c:\windows\ie8updates\KB976325-IE8\iertutil.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 1483264 c:\windows\ie8\shdocvw.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 1483264 c:\windows\ie8\shdocvw.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 3003392 c:\windows\ie8\mshtml.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 3003392 c:\windows\ie8\mshtml.dll
- 2009-04-01 23:16 . 2004-08-04 00:56 1016832 c:\windows\ie8\browseui.dll
+ 2010-02-09 20:28 . 2004-08-04 00:56 1016832 c:\windows\ie8\browseui.dll
+ 2009-04-01 23:11 . 2010-02-01 11:26 30364104 c:\windows\system32\MRT.exe
+ 2009-03-08 04:39 . 2009-12-21 19:14 11070464 c:\windows\system32\ieframe.dll
+ 2010-02-09 20:31 . 2009-10-29 07:45 11069952 c:\windows\ie8updates\KB978207-IE8\ieframe.dll
+ 2010-02-09 20:30 . 2009-03-08 04:39 11063808 c:\windows\ie8updates\KB976325-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 17:22 333192 -c--a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Center Agent"="c:\program files\PEAK Multimedia\HyperMediaCenter\DTVR\Scheduled.exe" [2008-04-14 1519616]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-12-12 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Barry\Start Menu\Programs\Startup\
Remote Control.lnk - c:\program files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe [2010-1-19 81920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-2-21 1167360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-08 00:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"44470:TCP"= 44470:TCP:PrefetchIntel IntelPolicy
"13673:UDP"= 13673:UDP:PrefetchIntel 64Profiles
"40446:TCP"= 40446:TCP:PrefetchIntel Assemblieswinsxs
"37023:UDP"= 37023:UDP:PrefetchIntel PublishWorks

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [08/02/2010 01:32 207792]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/02/2010 00:44 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/02/2010 00:44 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [08/02/2010 00:43 285392]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [08/02/2010 01:36 112592]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [14/10/2009 13:30 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [14/10/2009 13:30 476528]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [13/12/2007 11:07 18944]
S2 W32svc;Universal Component;c:\windows\system32\svchost.exe -k netsvcs [18/08/2001 12:00 14336]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [08/02/2010 01:31 359624]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
W32svc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 04:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/login_verify...t.yahoo.com/%3f
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://update.zonelabs.com/downloadrequest?updtConfId=4&updtReqId=1011551822
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant =
Trusted Zone: motive.com\pbttbc.bt
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 21:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32svc]
"ServiceDll"="c:\windows\system32\eozsy.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(784)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(560)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msi.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
.
Completion time: 2010-02-09 21:12:15
ComboFix-quarantined-files.txt 2010-02-09 21:12

Pre-Run: 47,710,605,312 bytes free
Post-Run: 47,640,776,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 14A9528DE37EBC9623BDC3E2FEB91C00




#6 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 09 February 2010 - 04:45 PM

Hi,

This log looks clean! How are things running?
Proud member of ASAP since 2007

#7 Sheldonix

Sheldonix
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 February 2010 - 08:58 AM

Hi Rosty.

Yes, the log looks clean, thank you. The computer is running fine - if a little slow - but it has been doing that since the installation of AVG 9.

Done another scan with GMER and the same warning keeps appearing.

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] W32svc <-- ROOTKIT !!!

#8 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 10 February 2010 - 11:14 AM

Have you already cleaned your temporary internet files and others?
Proud member of ASAP since 2007

#9 Sheldonix

Sheldonix
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 February 2010 - 01:33 PM

Yes, cleaned everything out already.

#10 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 10 February 2010 - 01:34 PM

Can you post the complete log from GMER?
Proud member of ASAP since 2007

#11 Sheldonix

Sheldonix
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 February 2010 - 01:38 PM

OK, give me a minute to run the scan. Thanks for all the help so far, by the way.

#12 Sheldonix

Sheldonix
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Location:United Kingdom

Posted 10 February 2010 - 02:00 PM

Um, it would seem that I can no longer run a GMER scan. The computer reboots halfway through the scan process. Will try it once more and if I have a further problem, I'll run it in safe mode.

Edited by Sheldonix, 10 February 2010 - 02:02 PM.


#13 Sheldonix

Sheldonix
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:27 PM

Posted 10 February 2010 - 08:11 PM

What a nightmare!!! (As you can probably tell by the amount of time taken)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-11 00:52:29
Windows 5.1.2600 Service Pack 2
Running: 0nztrbuo.exe; Driver: C:\DOCUME~1\Barry\LOCALS~1\Temp\pxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEBCB1630]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEBCAAD80]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF8439E52]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEBCB1E40]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF841ACDE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF841AED0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEBCB1FB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEBCABC60]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF843A640]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF843A8F4]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEBCD1080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEBCD12B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEBCAB750]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF8438B44]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF843AD60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEBCD1A40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEBCB1180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xEBCD20D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEBCAC080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xEBCD28E0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF843A112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF841A984]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [40, 1E, CB, EB, DE, AC, 41, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Kodak\printer\center\KodakSvc.exe[128] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Kodak\printer\center\KodakSvc.exe[128] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Kodak\printer\center\KodakSvc.exe[128] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Kodak\printer\center\KodakSvc.exe[128] KERNEL32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Kodak\printer\center\KodakSvc.exe[128] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Kodak\printer\center\KodakSvc.exe[128] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Kodak\printer\center\KodakSvc.exe[128] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Kodak\printer\center\KodakSvc.exe[128] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[216] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[216] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[216] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[216] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[216] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[216] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[216] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[216] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wdfmgr.exe[276] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wdfmgr.exe[276] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wdfmgr.exe[276] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wdfmgr.exe[276] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wdfmgr.exe[276] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wdfmgr.exe[276] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wdfmgr.exe[276] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wdfmgr.exe[276] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[388] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[388] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[388] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[388] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[388] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[388] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[388] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[388] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[480] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[480] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[480] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[480] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[480] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[480] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[480] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[480] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[608] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[608] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[608] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[608] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[608] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[608] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[608] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[608] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[704] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[704] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[704] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[748] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[748] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[760] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[760] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[760] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[760] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[760] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[912] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[912] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1044] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1044] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1044] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1156] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1156] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1156] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1156] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1156] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[1312] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[1312] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[1312] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[1312] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[1312] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[1312] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[1312] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[1312] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1384] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1384] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1384] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1384] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1384] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1384] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[1432] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[1432] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[1432] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[1432] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[1432] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[1432] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[1432] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[1432] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1636] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1636] USER32.dll!ChangeClipboardChain + 14 77D6F4A6 5 Bytes JMP 20C291E8 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[1700] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[1700] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[1700] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[1700] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[1700] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[1700] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[1700] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[1700] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1876] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1876] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1876] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1876] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1876] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1876] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1876] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1876] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2324] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2324] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2324] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2324] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2324] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2324] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2324] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2324] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2344] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2344] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2344] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2344] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2344] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2344] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2344] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2344] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2428] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2428] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2428] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2428] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2428] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2428] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2428] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2428] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe[2440] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe[2440] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe[2440] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe[2440] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe[2440] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe[2440] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe[2440] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe[2440] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe[2680] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe[2680] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe[2680] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe[2680] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe[2680] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe[2680] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe[2680] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe[2680] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3120] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3120] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3120] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3120] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3120] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3120] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3120] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3120] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Barry\Desktop\0nztrbuo.exe[3428] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Barry\Desktop\0nztrbuo.exe[3428] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Barry\Desktop\0nztrbuo.exe[3428] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Barry\Desktop\0nztrbuo.exe[3428] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Barry\Desktop\0nztrbuo.exe[3428] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Barry\Desktop\0nztrbuo.exe[3428] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Barry\Desktop\0nztrbuo.exe[3428] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Barry\Desktop\0nztrbuo.exe[3428] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EBCB7080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EBCB6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EBCB77C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EBCB53D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EBCB53D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EBCB7080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EBCB6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EBCB77C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EBCB7080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EBCB77C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EBCB6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EBCB53D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EBCB77C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EBCB7080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EBCB6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EBCB53D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EBCB7080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EBCB6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EBCB77C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [EBCD8480] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EBCB7080] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EBCB53D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EBCB77C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EBCB6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [EBCACF40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EBCACDB0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EBCAD170] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [EBCAC7B0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Kodak\printer\center\KodakSvc.exe[128] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\Program Files\Common Files\Motive\McciCMService.exe[216] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\wdfmgr.exe[276] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[388] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\System32\svchost.exe[480] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\wuauclt.exe[608] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\winlogon.exe[704] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\lsass.exe[760] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\svchost.exe[912] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\svchost.exe[960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\System32\svchost.exe[1044] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\System32\svchost.exe[1156] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\svchost.exe[1216] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\System32\alg.exe[1312] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\Explorer.EXE[1384] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\wscntfy.exe[1432] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\spoolsv.exe[1700] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[1876] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2324] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\system32\ctfmon.exe[2344] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2428] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe[2440] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\Program Files\PEAK Multimedia\DVB-T Utilities\AFRCtl.exe[2680] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\WINDOWS\System32\wbem\wmiprvse.exe[3120] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT C:\Documents and Settings\Barry\Desktop\0nztrbuo.exe[3428] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] W32svc <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc@DisplayName Universal Component
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc@Description Provides automatic configuration for the 802.11 adapters
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc\Parameters@ServiceDll C:\WINDOWS\system32\eozsy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc@DisplayName Universal Component
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc@Description Provides automatic configuration for the 802.11 adapters
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc\Parameters@ServiceDll C:\WINDOWS\system32\eozsy.dll

---- EOF - GMER 1.0.15 ----
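A small triage helper for GMER 1.0.15 output like the log above, added here as an example and not part of the thread or of GMER itself: it joins the services GMER flags as hidden with their CurrentControlSet registry values, so that for an svchost-hosted service the file to look at is the ServiceDll (here eozsy.dll) rather than svchost.exe. The sample lines are a constructed excerpt of the log above.

```python
import re

# Constructed sample: a few lines in the shape of the GMER 1.0.15 log above.
SAMPLE_LOG = r"""---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] W32svc <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc@DisplayName Universal Component
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32svc\Parameters@ServiceDll C:\WINDOWS\system32\eozsy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\W32svc\Parameters@ServiceDll C:\WINDOWS\system32\eozsy.dll
"""

# "Service <image> (*** hidden *** ) [<start>] <name> ..." lines from the Services section.
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>[A-Z_]+)\]\s+(?P<name>\S+)")
# "Reg HKLM\SYSTEM\CurrentControlSet\Services\<name>[\subkey]@<value> <data>" lines.
# Only the active control set is joined; ControlSetNNN copies are ignored on purpose.
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<name>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^@\s]+)*)@(?P<value>\w+)\s+(?P<data>.*)$")


def hidden_services(log_text):
    """Map each service GMER marked hidden to its image, start type and the
    registry values GMER listed for it in CurrentControlSet."""
    found, values = {}, {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            found[m["name"]] = {"image": m["image"], "start": m["start"], "values": {}}
            continue
        m = REG_RE.match(line)
        if m:
            values.setdefault(m["name"], {})[m["value"]] = m["data"].strip()
    for name, info in found.items():          # join regardless of section order
        info["values"] = values.get(name, {})
    return found


def review_targets(found):
    """(service, path) pairs: for svchost-hosted services the ServiceDll is the
    artifact to hash and review, otherwise the service image itself."""
    return [(name, info["values"].get("ServiceDll") or info["image"])
            for name, info in found.items()]
```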




#14 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  •  
  • Local time:03:27 PM

Posted 11 February 2010 - 05:22 AM

Hi again,

I'm afraid the next is a false positive:
QUOTE
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] W32svc <-- ROOTKIT !!!


Please read the next topic: http://www.google.be/url?sa=t&source=w...dqQ10mINB5Y83oA

Proud member of ASAP since 2007

#15 Sheldonix

Sheldonix
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:27 PM

Posted 11 February 2010 - 08:14 AM

Hi Rosty.

Yes, I would agree with you after reading that topic.

The computer seems to be running fine now.

Thank you once again for all of your help.



