Caught ave.exe and Google redirect virus


  • This topic is locked
48 replies to this topic

#1 maddogg

maddogg

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:02 PM

Posted 03 May 2010 - 02:05 PM

A short while back I had the fake "scanner" site popup. Got out w/o going to any other site, at least not knowingly. On my next boot up I noticed a bunch of ave.exe processes opening up! Nooooooo!!! Tried to run Malwarebytes scan, the mbam.exe file was blocked from opening. Renamed to mbam.com, ran, and found some malware and deleted (log below). Then my Google and Yahoo searches began to be redirected, so I guess I have a rootkit? More Malwarebytes, ZoneAlarm, and Hitman 3.5 scans show nothing so here I am.
Logs follow:

Malwarebytes:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4034

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/25/2010 8:27:51 AM
mbam-log-2010-04-25 (08-27-51).txt

Scan type: Quick scan
Objects scanned: 118075
Time elapsed: 20 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 10:51:38.16 on Mon 05/03/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.429 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe
svchost.exe
C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apricorn\EZ Gig II\EZGigMonitor.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\Apricorn\Schedule2\schedhlp.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Owner\My Documents\Downloads\u3g9d4gj.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://bl123w.blu123.mail.live.com/mail/InboxLight.aspx?FolderID=00000000-0000-0000-0000-000000000001&InboxSortAscending=False&InboxSortBy=Date&n=437123048
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 95.154.227.215:40440
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: ForceField Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: ForceField Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HDDHealth] c:\program files\hdd health\hddhealth.exe -wl
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [kmw_run.exe] kmw_run.exe
mRun: [MSWheel]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [zzzHPSETUP] d:\setup.exe \RESET
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [EZGigMonitor.exe] c:\program files\apricorn\ez gig ii\EZGigMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\apricorn\ez gig ii\TimounterMonitor.exe
mRun: [Apricorn Scheduler Service] "c:\program files\common files\apricorn\schedule2\schedhlp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Syslog]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link rangebooster n dwa-642\wirelesscm.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - c:\program files\travelaxe\Travelaxe.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
TCP: {154C3869-64CC-4D90-B439-CD3BA0350F9C} = 208.67.222.222,208.67.220.220
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\r0yerloc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-27 150544]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-12-10 123280]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-12-10 41616]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-11-4 353672]
R2 ISWKL;ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-2-12 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-2-12 390536]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-2-12 54928]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-3-24 92550]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-11-30 110992]
S2 gupdate1c9b5456c964d30;Google Update Service (gupdate1c9b5456c964d30);c:\program files\google\update\GoogleUpdate.exe [2009-4-4 133104]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-11-30 100048]
S3 VmbInfce;VmbInfce;c:\windows\system32\drivers\vmbinfce.sys [2008-1-31 60416]

=============== Created Last 30 ================

2010-05-03 15:49:46 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-05-03 15:18:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-03 14:59:33 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-25 17:22:10 200 ----a-w- c:\windows\system32\bootdelete.lst
2010-04-25 17:06:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-19 13:32:59 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-05-03 15:05:44 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-03 14:13:44 5083604 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-03 14:13:43 384330272 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-03 11:30:00 699904 ----a-w- c:\windows\isRS-000.tmp
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2008-08-20 14:11:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 10:54:37.34 ===============




#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:02 PM

Posted 05 May 2010 - 01:13 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh DDS and Attach Log.

MalWare Removal University Master

Member of ASAP


#3 maddogg

Posted 05 May 2010 - 01:43 PM

Thanks a million.

I will do a fresh run and post as soon as I can.

Regards

#4 maddogg

Posted 05 May 2010 - 02:01 PM

Here are the logs you requested.

Thanks again.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 13:50:22.43 on Wed 05/05/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.636 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe
svchost.exe
C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\WLTRAY.exe
svchost.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apricorn\EZ Gig II\EZGigMonitor.exe
C:\Program Files\Common Files\Apricorn\Schedule2\schedhlp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://bl123w.blu123.mail.live.com/mail/InboxLight.aspx?FolderID=00000000-0000-0000-0000-000000000001&InboxSortAscending=False&InboxSortBy=Date&n=437123048
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 95.154.227.215:40440
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: ForceField Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: ForceField Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HDDHealth] c:\program files\hdd health\hddhealth.exe -wl
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [kmw_run.exe] kmw_run.exe
mRun: [MSWheel]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [zzzHPSETUP] d:\setup.exe \RESET
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [EZGigMonitor.exe] c:\program files\apricorn\ez gig ii\EZGigMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\apricorn\ez gig ii\TimounterMonitor.exe
mRun: [Apricorn Scheduler Service] "c:\program files\common files\apricorn\schedule2\schedhlp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Syslog]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link rangebooster n dwa-642\wirelesscm.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - c:\program files\travelaxe\Travelaxe.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
TCP: {154C3869-64CC-4D90-B439-CD3BA0350F9C} = 208.67.222.222,208.67.220.220
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\r0yerloc.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-08-20 14:11:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 13:53:31.39 ===============

#5 km2357

Posted 06 May 2010 - 01:30 PM

Sorry for the delay in replying, Bleeping Computer was undergoing maintenance yesterday and I had a tough time getting onto the site.

Do you recognize the following IP address?:

95.154.227.215


I'd like a fresh GMER Log from you next. Delete GMER.exe off of your Desktop, then follow the instructions below:


Step # 1: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.

MalWare Removal University Master

Member of ASAP
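
The checks a helper makes by eye on logs like the ones in this thread (AV/firewall reported disabled, the ProxyServer value asked about in this post, "No File" add-on entries, and Malwarebytes Bad/Good registry data), written out as an added Python example; it is not part of the original thread or of DDS or Malwarebytes. The rule names and severity labels are made up for illustration, and the sample lines are excerpted from the logs posted above.

```python
import ipaddress
import re

# Lines excerpted from the Malwarebytes and DDS logs posted in this thread.
SAMPLE_LOG = r'''
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 95.154.227.215:40440
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
'''

# DDS header: security product reported with a "*...disabled*" state.
PROTECTION_RE = re.compile(
    r'^(?P<kind>AV|FW): (?P<product>.+?) \*(?P<state>[^*]*disabled[^*]*)\*', re.I)
# DDS Pseudo HJT: WinINET proxy setting. The thread shows the "u" (per-user)
# form; accepting "m" as well is an assumption based on the other u/m keys.
PROXY_RE = re.compile(r'^[um]Internet Settings,ProxyServer = (?P<value>\S+)$')
# DDS Pseudo HJT: BHO / toolbar CLSID for which DDS reports "No File".
NOFILE_RE = re.compile(
    r'^(?P<kind>BHO|TB): (?P<entry>.*\{[0-9A-Fa-f-]{36}\}) - No File$')
# Malwarebytes registry data item: value found (Bad) vs. expected (Good).
MBAM_RE = re.compile(
    r'^(?P<key>HKEY_.+?) \((?P<det>[\w.]+)\) -> '
    r'Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\) ->')


def proxy_hosts(value):
    """Yield the host of each proxy in a WinINET ProxyServer string.

    Handles 'host:port' and the per-protocol form
    'http=host:port;https=host:port'.
    """
    for part in value.split(';'):
        part = part.split('=', 1)[-1].strip()
        part = re.sub(r'^\w+://', '', part)
        if part:
            host = part.rsplit(':', 1)[0] if ':' in part else part
            yield host.strip('[]')


def is_local(host):
    """True for loopback/private addresses, e.g. a local filtering proxy."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == 'localhost'
    return ip.is_loopback or ip.is_private


def triage(log_text):
    """Return (severity, rule, detail) tuples in the order lines appear."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := PROTECTION_RE.match(line):
            findings.append(('high', 'protection-disabled',
                             f"{m['kind']}: {m['product']} ({m['state']})"))
        elif m := PROXY_RE.match(line):
            remote = [h for h in proxy_hosts(m['value']) if not is_local(h)]
            if remote:
                # Browser traffic is being sent through a non-local proxy.
                findings.append(('high', 'proxy-nonlocal', m['value']))
        elif m := NOFILE_RE.match(line):
            findings.append(('low', 'orphaned-ie-addon',
                             f"{m['kind']} {m['entry']}"))
        elif m := MBAM_RE.match(line):
            findings.append(('high', 'mbam:' + m['det'],
                             f"{m['key']} was {m['bad']!r}, "
                             f"expected {m['good']!r}"))
    return findings


if __name__ == '__main__':
    for severity, rule, detail in triage(SAMPLE_LOG):
        print(f'[{severity:>4}] {rule}: {detail}')
```

A `proxy-nonlocal` hit that is still present in a DDS log taken after the scanner's cleanup, as in the second log in this thread, is a reason to keep investigating rather than treat the machine as clean.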


#6 maddogg

maddogg
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:02 PM

Posted 07 May 2010 - 10:02 AM

Do you want me to follow these instructions like the first time I ran GMER or do I just scan as it is set when it loads? In other words, do I uncheck the other boxes like it says or not? Thanks again.

Instructions from the preparation page:

"You will now see the main GMER window. If it gives you a warning about rootkit activity and asks if you want to run a full scan, please click on the NO button. We now need to configure GMER to not use some settings. Please uncheck the following settings that we do not want in our scan.

* IAT/EAT
* Drives/Partition other than Systemdrive, which is typically C:\
* Show All (This is important, so do not miss it.)

When done, the screen should look similar to Figure 13 below.


Figure 13: Options we want unchecked in GMER


Once your screen looks similar to the above, click on the Scan button to scan your computer for rootkits. This may take a while, so please be patient. When it has finished you will be back at the main screen as shown in the figure below."


#7 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:02 PM

Posted 07 May 2010 - 02:12 PM

Go ahead and run GMER according to the instructions that I posted in my previous post (Post #5 of this thread).

MalWare Removal University Master

Member of ASAP


#8 maddogg

maddogg
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:02 PM

Posted 07 May 2010 - 09:57 PM

No, I don't know that ISP.

The file was too large to upload.

Do I want to have all those boxes checked, or just system?

It took forever to do the scan.

Much longer than the first one.

What now?

Thanks

#9 maddogg

maddogg
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:02 PM

Posted 07 May 2010 - 10:00 PM

Only 352kb actually, but would not upload.

Any tips?

Thanks

#10 maddogg

maddogg
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:02 PM

Posted 07 May 2010 - 10:33 PM

Can't even cut and paste it?

Help please!!

#11 maddogg

maddogg
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:02 PM

Posted 07 May 2010 - 10:36 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-07 21:50:27
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\agryraog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF443EFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF443BC80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF4456170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF443F580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF4453900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF4453B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF4457B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF443F670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF443C210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF44569F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF44567A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF4453280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF4456F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF4456F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xF4457D90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF443C070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF4455180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF4454F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF44576F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF4457150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF443EBE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF4457540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF443F190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF443C440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF44564E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF4454200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF4454080]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [80, F5, 43, F4, 00, 39, 45, ...] {XOR CH, 0x43; HLT ; ADD [ECX], BH; INC EBP; HLT ; ADC [EBX], BH; INC EBP; HLT }
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre6\bin\jqs.exe[208] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[208] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\Pelmiced.exe[240] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Pelmiced.exe[240] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\Pelmiced.exe[240] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\Explorer.EXE[404] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[404] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\spoolsv.exe[780] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\spoolsv.exe[780] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[880] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1012] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1052] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\System32\bcmwltry.exe[1124] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\System32\bcmwltry.exe[1124] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\bcmwltry.exe[1124] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1132] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\winlogon.exe[1224] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\winlogon.exe[1224] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[1224] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\services.exe[1280] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\services.exe[1280] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[1280] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\lsass.exe[1292] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\lsass.exe[1292] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[1292] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\Ati2evxx.exe[1460] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1484] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1484] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1592] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1592] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[1640] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[1676] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[1676] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1676] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008F000C
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1676] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 06F0000A
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1676] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 06EF000A
.text C:\WINDOWS\system32\msdtc.exe[1712] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\msdtc.exe[1712] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\msdtc.exe[1712] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\msdtc.exe[1712] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\System32\SCardSvr.exe[1728] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\SCardSvr.exe[1728] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\System32\SCardSvr.exe[1728] RPCRT4.dll!RpcImpersonateClient

.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe[1760] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1816] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1816] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe[1844] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1864] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1864] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\Ati2evxx.exe[2004] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\Program Files\Apoint\Apoint.exe[2300] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Apoint\Apoint.exe[2300] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\Program Files\Apoint\Apoint.exe[2300] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2408] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\System32\alg.exe[2444] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2444] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\System32\alg.exe[2444] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\kmw_run.exe[2456] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\kmw_run.exe[2456] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\kmw_run.exe[2456] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 3 Bytes JMP 21695D0B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] ADVAPI32.dll!ImpersonateNamedPipeClient + 4 77DD742A 1 Byte [A9]
.text C:\WINDOWS\system32\wscntfy.exe[2472] ADVAPI32.dll!SetThreadToken 77DDF193 3 Bytes JMP 21695EC0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wscntfy.exe[2472] ADVAPI32.dll!SetThreadToken + 4 77DDF197 1 Byte [A9]
.text C:\WINDOWS\system32\wscntfy.exe[2472] RPCRT4.dll!RpcImpersonateClient 77E7A436 5 Bytes JMP 21695C87 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 216956A5 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 216958D9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 20008AC0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 21695380 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 200085D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 200086D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 2169519F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!GetKeyState 7E429ED9 5 Bytes JMP 20007FD0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!GetAsyncKeyState 7E42A78F 5 Bytes JMP 20008050 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!MoveWindow + A5 7E42B343 5 Bytes JMP 20007ED0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 21695166 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 20007F00 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!SendInput 7E42F140 5 Bytes JMP 200081F0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!UnhookWinEvent + 27 7E4318D3 5 Bytes JMP 20007EA0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!keybd_event 7E466783 5 Bytes JMP 200081A0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\WLTRAY.exe[2516] USER32.dll!GetRawInputData 7E46CCBE 5 Bytes JMP 200080D0 C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll (ZoneAlarm ForceField/Check Point Software Technologies)

#12 maddogg


Posted 07 May 2010 - 10:38 PM

Sorry, can't get it posted.

Thanks

#13 maddogg


Posted 08 May 2010 - 05:44 AM

Post #11 is the log I got.

Is that what you were wanting?

Thanks again

#14 km2357

  • Malware Response Team

Posted 08 May 2010 - 12:05 PM

Since it didn't look like GMER completed its run/you didn't get a complete log, let's try another rootkit scanner in its place.


Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
      Process
      Kernel Modes
      SSDT
      Kernel Hooks
      Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

MalWare Removal University Master

Member of ASAP


#15 maddogg


Posted 08 May 2010 - 12:16 PM

I think I can get the complete GMER log posted later.

I tried to split it into 2 parts but now I think I can post the whole log but it will be Sun. morning as I am away from the infected PC today. I'll run the new scan if I can't get the entire GMER log posted.

Thanks a million for your help.



