Conflkr| Windows System_32 x| ISWSHEX.swl


This topic is locked
5 replies to this topic

#1 LoladotLola

  • Members
  • 2 posts

Posted 25 June 2010 - 12:49 AM

Computer slows down until program won't open anymore. Problem seems similar to this thread:

http://www.bleepingcomputer.com/forums/t/262499/somehow-got-infected-with-a-trojan-that-wont-go-away/

Ran RootRepeal and it found a lot of problems similar to the thread above^^

I am including the RootRepeal log as well as the DDS log. DDS and GMER logs are attached.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/06/24 23:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: IsDrv122.sys
Image Path: H:\WINDOWS\System32\Drivers\IsDrv122.sys
Address: 0xB5563000 Size: 211840 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: H:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB583A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: H:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "H:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb8ab16b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c3d630

#: 037 Function Name: NtCreateFile
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c36d80

#: 041 Function Name: NtCreateKey
Status: Hooked by "H:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb8ab1574

#: 046 Function Name: NtCreatePort
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c3de40

#: 047 Function Name: NtCreateProcess
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c54d30

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c55150

#: 050 Function Name: NtCreateSection
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c5f240

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b02f90

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0xbae9e40c

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c3dfb0

#: 062 Function Name: NtDeleteFile
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c37c60

#: 063 Function Name: NtDeleteKey
Status: Hooked by "" at address 0xbae9e41b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "H:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb8ab1a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c53e70

#: 097 Function Name: NtLoadDriver
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b00f80

#: 098 Function Name: NtLoadKey
Status: Hooked by "" at address 0xbae9e42a

#: 099 Function Name: NtLoadKey2
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c5d2b0

#: 116 Function Name: NtOpenFile
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c37750

#: 119 Function Name: NtOpenKey
Status: Hooked by "H:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb8ab164e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c57450

#: 125 Function Name: NtOpenSection
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b03170

#: 128 Function Name: NtOpenThread
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c57020

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b03910

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "H:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb8ab176e

#: 192 Function Name: NtRenameKey
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c5e430

#: 193 Function Name: NtReplaceKey
Status: Hooked by "" at address 0xbae9e434

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c3d180

#: 204 Function Name: NtRestoreKey
Status: Hooked by "H:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb8ab172e

#: 206 Function Name: NtResumeThread
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b03c10

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c3d910

#: 213 Function Name: NtSetContextThread
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b03f90

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b04560

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8affc40

#: 247 Function Name: NtSetValueKey
Status: Hooked by "H:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb8ab18ae

#: 254 Function Name: NtSuspendThread
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b03bc0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c55d20

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c55a50

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b02a20

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b011c0

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b00be0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8affbc0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8affc00

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c3bd80

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c3bee0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c3c030

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c39710

#: 502 Function Name: NtUserSendInput
Status: Hooked by "H:\WINDOWS\System32\vsdatant.sys" at address 0xb8c3c470

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b04180

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "H:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xb8b04390

==EOF==




DDS (Ver_10-03-17.01) - NTFSx86
Run by getgoinc at 23:42:53.12 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1247.670 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1368 [VPS 100303-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
I:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
H:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
H:\Program Files\CheckPoint\ZAForceField\ForceField.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Avira\AntiVir Desktop\sched.exe
H:\Program Files\Avira\AntiVir Desktop\avguard.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\System32\svchost.exe -k HPZ12
H:\WINDOWS\System32\svchost.exe -k HPZ12
H:\WINDOWS\System32\svchost.exe -k imgsvc
H:\WINDOWS\SOUNDMAN.EXE
I:\Program Files\Ahead\InCD\InCD.exe
H:\Program Files\Avira\AntiVir Desktop\avgnt.exe
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
K:\Acrobat 9.0\Acrobat\Acrotray.exe
K:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
W:\Proport-2.2\Ex\ProPort.exe
H:\Program Files\Common Files\Java\Java Update\jusched.exe
H:\WINDOWS\system32\ctfmon.exe
I:\PROGRA~1\Webshots\Webshots.scr
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\WINDOWS\system32\notepad.exe
H:\Program Files\Internet Explorer\iexplore.exe
K:\RootRepeal\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.escapeartist.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - i:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - h:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - h:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - h:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - i:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - h:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {A057A204-BACC-4D26-8287-79A187E26987} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRunOnce: [RegistryBooster] "h:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [InCD] i:\program files\ahead\incd\InCD.exe
mRun: [TrojanScanner] i:\program files\trojan remover\Trjscan.exe
mRun: [avgnt] "h:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "h:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe ARM] "h:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "k:\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: []
mRun: [Acrobat Assistant 8.0] "k:\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe Reader Speed Launcher] "h:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "k:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "h:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ProPort StartUp] w:\proport-2.2\ex\ProPort.exe /StartUp
mRun: [SunJavaUpdateSched] "h:\program files\common files\java\java update\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: h:\docume~1\getgoinc\startm~1\programs\startup\webshots.lnk - i:\program files\webshots\Launcher.exe
IE: Append Link Target to Existing PDF - h:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - h:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - h:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - h:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - g:\progra~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - h:\program files\yahoo!\common\yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272591609578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli msdkat2r.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;h:\windows\system32\drivers\aswSP.sys [2010-1-2 114768]
R1 avgio;avgio;h:\program files\avira\antivir desktop\avgio.sys [2010-2-10 11608]
R1 KLIF;KLIF;h:\windows\system32\drivers\klif.sys [2010-4-24 186128]
R1 vcdrom;Virtual CD-ROM Device Driver;j:\virtualcontrolpanel\ex\VCdRom.sys [2001-12-19 8576]
R1 vsdatant;vsdatant;h:\windows\system32\vsdatant.sys [2010-4-24 486280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;h:\program files\avira\antivir desktop\sched.exe [2010-2-10 108289]
R2 AntiVirService;Avira AntiVir Guard;h:\program files\avira\antivir desktop\avguard.exe [2010-2-10 185089]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [2010-1-2 20560]
R2 avgntflt;avgntflt;h:\windows\system32\drivers\avgntflt.sys [2009-5-9 56816]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;h:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;h:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 vsmon;TrueVector Internet Monitor;h:\windows\system32\zonelabs\vsmon.exe -service --> h:\windows\system32\zonelabs\vsmon.exe -service [?]
S0 jlewgdjq;jlewgdjq; [x]
S2 avast! Antivirus;avast! Antivirus;h:\program files\alwil software\avast4\ashServ.exe [2010-1-2 138680]
S2 ohlivsai;Volume Manager Support;h:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S2 scrutinizer_filed;Scrutinizer Filer Service;i:\scruti~1\html\scrut_filer.exe --> i:\scruti~1\html\scrut_filer.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;h:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-2 254040]
S3 avast! Web Scanner;avast! Web Scanner;h:\program files\alwil software\avast4\ashWebSv.exe [2010-1-2 352920]
S3 ICDUSB2;Sony IC Recorder (P);h:\windows\system32\drivers\IcdUsb2.sys [2007-10-14 39048]

============== File Associations ===============

inifile=dffgfgb.exe %1

=============== Created Last 30 ================

2010-06-25 00:01:29 552 ----a-w- h:\windows\system32\d3d8caps.dat
2010-06-23 10:19:57 231 ----a-w- h:\windows\pp_sysini.bak
2010-06-23 10:19:56 881 ----a-w- h:\windows\pp_winini.bak
2010-06-11 05:51:57 0 d-sh--w- h:\documents and settings\getgoinc\PrivacIE
2010-06-11 05:47:00 0 d-sh--w- h:\documents and settings\getgoinc\IETldCache
2010-06-11 05:21:26 0 d-----w- h:\windows\ie8updates
2010-06-11 05:18:34 0 dc-h--w- h:\windows\ie8
2010-06-11 05:10:22 12800 -c----w- h:\windows\system32\dllcache\xpshims.dll
2010-06-11 05:10:20 743424 -c----w- h:\windows\system32\dllcache\iedvtool.dll
2010-06-11 05:10:19 247808 -c----w- h:\windows\system32\dllcache\ieproxy.dll
2010-06-11 05:09:39 41984 -c----w- h:\windows\system32\dllcache\iecompat.dll
2010-06-09 23:13:43 411368 ----a-w- h:\windows\system32\deployJava1.dll
2010-06-07 08:21:28 16128 -c--a-w- h:\windows\system32\dllcache\modemcsa.sys
2010-06-07 08:21:28 16128 ----a-w- h:\windows\system32\drivers\MODEMCSA.sys

==================== Find3M ====================

2010-06-25 04:11:36 164128 --sha-w- h:\windows\system32\drivers\fidbox2.dat
2010-06-25 03:53:30 18916 ----a-w- h:\windows\system32\tfak.dll
2010-06-25 03:26:44 23720 --sha-w- h:\windows\system32\drivers\fidbox2.idx
2010-05-06 10:41:53 916480 ----a-w- h:\windows\system32\wininet.dll
2010-05-04 09:32:44 40624 ---ha-w- h:\windows\system32\mlfcache.dat
2010-04-24 21:28:07 4212 ---ha-w- h:\windows\system32\zllictbl.dat
2010-04-03 22:25:26 112056 ----a-w- h:\windows\system32\acaptuser32.dll
2009-12-13 05:11:13 16384 --sha-w- h:\windows\system32\config\systemprofile\cookies\index.dat

============= FINISH: 23:46:08.64 ===============



#2 Elise

Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,824 posts
  • Gender:Female
  • Location:Romania

Posted 30 June 2010 - 07:17 AM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


#3 LoladotLola

  • Topic Starter

  • Members
  • 2 posts

Posted 30 June 2010 - 11:50 PM

Thank you, Elise, for your instructive reply. I'm still experiencing problems. My machine now crashes at least once or twice daily. Often it gets hung up when I am opening a page on a site on the Internet. Something is using a goodly amount of CPU energy; there seem to be a large number of new, never before seen programs running on my computer.

I've included a new OTL log with its extra.txt as well as another GMER log. I appreciate your assistance.

OTL logfile created on: 6/30/2010 9:23:27 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = K:\RootRepeal
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = H: | %SystemRoot% = H:\WINDOWS | %ProgramFiles% = H:\Program Files
Drive C: | 16.60 Gb Total Space | 6.03 Gb Free Space | 36.34% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 6.66 Gb Total Space | 1.95 Gb Free Space | 29.29% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 19.53 Gb Total Space | 7.68 Gb Free Space | 39.29% Space Free | Partition Type: NTFS
Drive H: | 24.42 Gb Total Space | 11.12 Gb Free Space | 45.54% Space Free | Partition Type: NTFS
Drive I: | 19.53 Gb Total Space | 15.55 Gb Free Space | 79.62% Space Free | Partition Type: NTFS
Drive J: | 14.65 Gb Total Space | 6.05 Gb Free Space | 41.30% Space Free | Partition Type: NTFS
Drive K: | 54.30 Gb Total Space | 11.09 Gb Free Space | 20.42% Space Free | Partition Type: NTFS
Drive L: | 3.91 Gb Total Space | 2.52 Gb Free Space | 64.53% Space Free | Partition Type: NTFS
Drive M: | 3.91 Gb Total Space | 0.98 Gb Free Space | 25.00% Space Free | Partition Type: NTFS
Drive N: | 3.90 Gb Total Space | 1.56 Gb Free Space | 39.95% Space Free | Partition Type: FAT32
Drive O: | 3.91 Gb Total Space | 0.98 Gb Free Space | 24.91% Space Free | Partition Type: NTFS
Drive P: | 8.98 Gb Total Space | 0.77 Gb Free Space | 8.63% Space Free | Partition Type: NTFS
Drive Q: | 3.91 Gb Total Space | 0.68 Gb Free Space | 17.42% Space Free | Partition Type: NTFS
Drive R: | 3.91 Gb Total Space | 0.51 Gb Free Space | 13.04% Space Free | Partition Type: NTFS
Drive S: | 3.91 Gb Total Space | 0.80 Gb Free Space | 20.48% Space Free | Partition Type: NTFS
Drive T: | 3.91 Gb Total Space | 0.43 Gb Free Space | 10.95% Space Free | Partition Type: NTFS
Drive U: | 4.88 Gb Total Space | 0.99 Gb Free Space | 20.36% Space Free | Partition Type: NTFS
Drive V: | 5.03 Gb Total Space | 0.69 Gb Free Space | 13.75% Space Free | Partition Type: NTFS
Drive W: | 298.02 Gb Total Space | 3.49 Gb Free Space | 1.17% Space Free | Partition Type: FAT32
Drive X: | 4.89 Gb Total Space | 0.19 Gb Free Space | 3.96% Space Free | Partition Type: NTFS

Computer Name: GETGOXP
Current User Name: getgoinc
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/30 21:22:40 | 000,574,464 | ---- | M] (OldTimer Tools) -- K:\RootRepeal\OTL.exe
PRC - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2010/06/23 13:51:30 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- K:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2010/04/03 16:44:26 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- K:\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2010/03/16 14:56:07 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- H:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/14 08:30:26 | 000,476,528 | ---- | M] (Check Point Software Technologies) -- H:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2009/10/14 08:30:06 | 000,730,480 | ---- | M] (Check Point Software Technologies) -- H:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- H:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- H:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- H:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2007/10/29 17:28:48 | 003,294,544 | ---- | M] (Webshots.com) -- I:\Program Files\Webshots\Webshots.scr
PRC - [2006/01/16 17:46:12 | 000,878,592 | ---- | M] (Nero AG) -- I:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2006/01/16 11:46:28 | 001,398,272 | ---- | M] (Nero AG) -- I:\Program Files\Ahead\InCD\InCD.exe
PRC - [2004/08/03 23:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- H:\WINDOWS\explorer.exe
PRC - [2004/02/09 03:54:14 | 000,065,024 | ---- | M] (Realtek Semiconductor Corp.) -- H:\WINDOWS\SOUNDMAN.EXE
PRC - [2002/09/06 12:05:40 | 000,129,472 | ---- | M] (the Digital Underground) -- W:\Proport-2.2\Ex\ProPort.exe


========== Modules (SafeList) ==========

MOD - [2010/06/30 21:22:40 | 000,574,464 | ---- | M] (OldTimer Tools) -- K:\RootRepeal\OTL.exe
MOD - [2009/10/14 08:30:36 | 000,628,080 | ---- | M] (Check Point Software Technologies) -- H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
MOD - [2009/07/12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- H:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009/07/12 01:09:20 | 000,554,832 | ---- | M] (Microsoft Corporation) -- H:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
MOD - [2004/08/03 23:57:02 | 001,050,624 | ---- | M] (Microsoft Corporation) -- H:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/03 22:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- H:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (scrutinizer_filed)
SRV - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- H:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2010/04/19 01:37:51 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- H:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Stopped] -- H:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- H:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/10/14 08:30:26 | 000,476,528 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- H:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- H:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- H:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2006/01/16 17:46:12 | 000,878,592 | ---- | M] (Nero AG) [Auto | Running] -- I:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2006/01/16 11:46:12 | 000,878,592 | ---- | M] (Nero AG) [Auto | Stopped] -- H:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)
SRV - [2003/04/01 21:08:30 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- H:\WINDOWS\system32\IcdSptSv.exe -- (ICDSPTSV)


========== Driver Services (SafeList) ==========

DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- H:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2010/02/12 15:26:58 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- H:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/01/14 11:27:32 | 000,186,128 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- H:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/11/24 18:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- H:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 18:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- H:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 18:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- H:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 18:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- H:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 18:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- H:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 18:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- H:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/10/14 08:30:02 | 000,025,208 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- H:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2009/05/11 09:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- H:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- H:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- H:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/12/15 22:04:24 | 000,025,216 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- H:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2008/10/14 01:15:42 | 000,004,608 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Stopped] -- H:\WINDOWS\system32\drivers\vncmirror.sys -- (vncmirror)
DRV - [2006/01/17 10:09:34 | 000,102,016 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- H:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2006/01/17 10:09:28 | 000,029,440 | ---- | M] (Nero AG) [Kernel | System | Running] -- H:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2006/01/17 04:09:26 | 000,032,640 | ---- | M] (Nero AG) [Kernel | System | Running] -- H:\WINDOWS\system32\drivers\InCDrm.sys -- (incdrm)
DRV - [2004/12/10 22:30:42 | 001,903,338 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- H:\WINDOWS\system32\drivers\IntelS51.sys -- (IntelS51) Intel®
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- H:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/02/18 10:51:08 | 000,610,988 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- H:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/12/11 10:54:14 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Running] -- H:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/07/02 03:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- H:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2002/11/28 20:23:24 | 000,039,048 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- H:\WINDOWS\system32\drivers\IcdUsb2.sys -- (ICDUSB2) Sony IC Recorder (P)
DRV - [2001/12/19 11:45:00 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- J:\VirtualControlPanel\Ex\VCdRom.sys -- (vcdrom)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- H:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/10 07:00:00 | 000,003,252 | ---- | M] () [Kernel | System | Running] -- H:\WINDOWS\system32\drivers\PQNTDRV.SYS -- (PQNTDrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-343818398-448539723-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.escapeartist.com/
IE - HKU\S-1-5-21-343818398-448539723-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://youthinkwhat.com"
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.47.4
FF - prefs.js..extensions.enabledItems: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}:3.0.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}:0.8.6.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.33
FF - prefs.js..extensions.enabledItems: seo4firefox@seobook.com:3.3.3
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.5.9
FF - prefs.js..extensions.enabledItems: {07EBF7FC-6C41-4F3E-91D3-9A4DD83148EE}:1.9.1
FF - prefs.js..extensions.enabledItems: {14FF08DF-5C1E-44C7-949D-91D24C4B7008}:1.9.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.1
FF - prefs.js..extensions.enabledItems: {FFB96CC1-7EB3-449D-B827-DB661701C6BB}:1.5.53.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{07EBF7FC-6C41-4F3E-91D3-9A4DD83148EE}: H:\Documents and Settings\getgoinc\Local Settings\Application Data\{07EBF7FC-6C41-4F3E-91D3-9A4DD83148EE} [2009/12/16 11:53:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{14FF08DF-5C1E-44C7-949D-91D24C4B7008}: H:\Documents and Settings\getgoinc\Local Settings\Application Data\{14FF08DF-5C1E-44C7-949D-91D24C4B7008} [2010/01/02 12:01:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: H:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/16 14:57:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: H:\Program Files\CheckPoint\ZAForceField\TrustChecker [2010/06/14 18:49:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: J:\Program Files\Mozilla Firefox\components [2010/06/28 01:21:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: J:\Program Files\Mozilla Firefox\plugins [2010/06/28 01:21:19 | 000,000,000 | ---D | M]

[2010/05/04 15:34:16 | 000,000,000 | ---D | M] -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Extensions
[2010/05/04 15:34:16 | 000,000,000 | ---D | M] -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/06/30 00:52:38 | 000,000,000 | ---D | M] -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions
[2009/11/07 12:18:22 | 000,000,000 | ---D | M] (SeoQuake) -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2010/01/27 21:48:53 | 000,000,000 | ---D | M] (Html Validator) -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
[2009/01/28 13:52:51 | 000,000,000 | ---D | M] (CookieSafe) -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
[2010/04/24 18:00:28 | 000,000,000 | ---D | M] (DownloadHelper) -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/05/02 20:41:31 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2010/04/09 11:45:52 | 000,000,000 | ---D | M] (No name found) -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2009/12/08 01:36:12 | 000,000,000 | ---D | M] (No name found) -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2008/09/24 18:10:52 | 000,000,000 | ---D | M] -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions\moveplayer@movenetworks.com
[2010/06/11 12:23:02 | 000,000,000 | ---D | M] -- H:\Documents and Settings\getgoinc\Application Data\Mozilla\Firefox\Profiles\mlzb1xnm.default\extensions\seo4firefox@seobook.com

O1 HOSTS File: ([2010/04/23 15:12:21 | 000,001,780 | ---- | M]) - H:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 adobe.activate.com
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 125.252.224.90
O1 - Hosts: 127.0.0.1 125.252.224.91
O1 - Hosts: 127.0.0.1 hl2rcv.adobe.com
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - I:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - H:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (ZoneAlarm Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - H:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - I:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - H:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (no name) - ID - No CLSID value found.
O3 - HKU\S-1-5-21-343818398-448539723-682003330-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-343818398-448539723-682003330-1003\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - H:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] K:\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] K:\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] H:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [InCD] I:\Program Files\Ahead\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [ISW] H:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [ProPort StartUp] W:\Proport-2.2\Ex\ProPort.exe (the Digital Underground)
O4 - HKLM..\Run: [SoundMan] H:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [TkBellExe] H:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TrojanScanner] I:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)
O4 - HKLM..\Run: [ZoneAlarm Client] K:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] H:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] H:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-343818398-448539723-682003330-1003..\RunOnce: [RegistryBooster] H:\Program Files\Uniblue\RegistryBooster\launcher.exe (Uniblue Systems Limited)
O4 - Startup: H:\Documents and Settings\getgoinc\Start Menu\Programs\Startup\Webshots.lnk = I:\Program Files\Webshots\Launcher.exe (Webshots.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-343818398-448539723-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-343818398-448539723-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-343818398-448539723-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\Program Files\Microsoft Office2\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} H:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1272591609578 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.3.0.116 76.2.127.122
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (acaptuser32.dll) - H:\WINDOWS\System32\acaptuser32.dll (Adobe Systems Incorporated)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - H:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: H:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: H:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/10 09:32:24 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/01/01 13:36:52 | 000,000,000 | -H-- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/01/04 12:32:08 | 000,000,000 | ---D | M] - K:\Autoruns -- [ NTFS ]
O32 - AutoRun File - [2005/08/11 09:39:17 | 000,000,000 | ---D | M] - M:\AutoresponderEGGS -- [ NTFS ]
O32 - AutoRun File - [2005/05/22 02:23:16 | 000,000,000 | ---D | M] - S:\AutoBloggerCall -- [ NTFS ]
O32 - AutoRun File - [2010/06/02 00:33:00 | 000,000,000 | ---- | M] () - W:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2010/02/12 13:53:02 | 000,000,000 | ---D | M] - W:\Autoruns -- [ FAT32 ]
O33 - MountPoints2\Y\Shell - "" = AutoRun
O33 - MountPoints2\Y\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\Y\Shell\AutoRun\command - "" = Y:\Autoplay.exe -- File not found
O34 - HKLM BootExecute: (rmgael.nt) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-343818398-448539723-682003330-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/06/30 13:45:38 | 000,000,000 | RH-D | C] -- H:\Documents and Settings\getgoinc\Recent
[2010/06/26 12:52:27 | 000,103,936 | ---- | C] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\zlcommdb.dll
[2010/06/26 12:52:26 | 000,069,120 | ---- | C] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\zlcomm.dll
[2010/06/24 19:05:32 | 000,332,800 | ---- | C] (Microsoft Corporation) -- H:\WINDOWS\System32\dllcache\netapi32.dll
[2010/06/23 04:24:01 | 000,000,000 | ---D | C] -- H:\Documents and Settings\getgoinc\Local Settings\Application Data\Ahead
[2010/06/17 15:42:04 | 000,000,000 | ---D | C] -- H:\Documents and Settings\getgoinc\My Documents\June17
[2010/06/11 01:57:33 | 000,000,000 | ---D | C] -- H:\Program Files\NOS
[2010/06/11 00:51:57 | 000,000,000 | -HSD | C] -- H:\Documents and Settings\getgoinc\PrivacIE
[2010/06/11 00:47:00 | 000,000,000 | -HSD | C] -- H:\Documents and Settings\getgoinc\IETldCache
[2010/06/11 00:21:26 | 000,000,000 | ---D | C] -- H:\WINDOWS\ie8updates
[2010/06/11 00:18:34 | 000,000,000 | -H-D | C] -- H:\WINDOWS\ie8
[2010/06/11 00:10:20 | 000,743,424 | ---- | C] (Microsoft Corporation) -- H:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/09 18:14:44 | 000,000,000 | ---D | C] -- H:\Documents and Settings\All Users\Application Data\Sun
[2010/06/09 18:13:43 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- H:\WINDOWS\System32\deployJava1.dll
[2010/06/09 18:13:43 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- H:\WINDOWS\System32\javaws.exe
[2010/06/09 18:13:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- H:\WINDOWS\System32\javaw.exe
[2010/06/09 18:13:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- H:\WINDOWS\System32\java.exe
[2010/06/07 03:21:28 | 000,016,128 | ---- | C] (Microsoft Corporation) -- H:\WINDOWS\System32\drivers\MODEMCSA.sys
[2010/06/07 03:21:28 | 000,016,128 | ---- | C] (Microsoft Corporation) -- H:\WINDOWS\System32\dllcache\modemcsa.sys
[4 H:\WINDOWS\*.tmp files -> H:\WINDOWS\*.tmp -> ]
[1 H:\WINDOWS\System32\*.tmp files -> H:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/30 21:23:48 | 000,000,284 | ---- | M] () -- H:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-343818398-448539723-682003330-1003.job
[2010/06/30 21:23:47 | 000,000,292 | ---- | M] () -- H:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-448539723-682003330-1003.job
[2010/06/30 21:20:51 | 000,182,048 | -HS- | M] () -- H:\WINDOWS\System32\drivers\fidbox2.dat
[2010/06/30 18:01:04 | 000,000,448 | ---- | M] () -- H:\WINDOWS\tasks\ParetoLogic Registration.job
[2010/06/30 16:14:48 | 000,018,916 | ---- | M] () -- H:\WINDOWS\System32\tfak.dll
[2010/06/30 16:14:48 | 000,000,881 | ---- | M] () -- H:\WINDOWS\pp_winini.bak
[2010/06/30 16:14:48 | 000,000,231 | ---- | M] () -- H:\WINDOWS\pp_sysini.bak
[2010/06/30 16:13:39 | 000,000,006 | -H-- | M] () -- H:\WINDOWS\tasks\SA.DAT
[2010/06/30 16:12:48 | 000,002,048 | --S- | M] () -- H:\WINDOWS\bootstat.dat
[2010/06/30 16:02:29 | 000,026,444 | -HS- | M] () -- H:\WINDOWS\System32\drivers\fidbox2.idx
[2010/06/30 16:02:22 | 008,912,896 | -H-- | M] () -- H:\Documents and Settings\getgoinc\NTUSER.DAT
[2010/06/30 16:02:22 | 000,000,278 | -HS- | M] () -- H:\Documents and Settings\getgoinc\ntuser.ini
[2010/06/30 16:01:52 | 000,260,359 | ---- | M] () -- H:\WINDOWS\System32\ProPort.prt
[2010/06/30 02:05:30 | 000,000,664 | ---- | M] () -- H:\WINDOWS\System32\d3d9caps.dat
[2010/06/28 01:24:57 | 000,002,206 | ---- | M] () -- H:\WINDOWS\System32\wpa.dbl
[2010/06/26 12:52:47 | 000,421,441 | ---- | M] () -- H:\WINDOWS\System32\vsconfig.xml
[2010/06/26 12:52:43 | 000,004,212 | -H-- | M] () -- H:\WINDOWS\System32\zllictbl.dat
[2010/06/26 12:52:43 | 000,000,644 | ---- | M] () -- H:\Documents and Settings\getgoinc\Desktop\ZoneAlarm Security.lnk
[2010/06/25 02:02:06 | 000,000,737 | ---- | M] () -- H:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/24 19:01:29 | 000,000,552 | ---- | M] () -- H:\WINDOWS\System32\d3d8caps.dat
[2010/06/23 13:51:22 | 001,238,528 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\zpeng25.dll
[2010/06/23 13:51:20 | 000,110,080 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\vsxml.dll
[2010/06/23 13:51:20 | 000,103,936 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\zlcommdb.dll
[2010/06/23 13:51:20 | 000,069,120 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\zlcomm.dll
[2010/06/23 13:51:20 | 000,043,008 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\vswmi.dll
[2010/06/23 13:51:18 | 000,713,728 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\vsutil.dll
[2010/06/23 13:51:18 | 000,302,592 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\vspubapi.dll
[2010/06/23 13:51:18 | 000,228,864 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\vsinit.dll
[2010/06/23 13:51:18 | 000,112,128 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\vsdata.dll
[2010/06/23 13:51:18 | 000,108,032 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\vsmonapi.dll
[2010/06/23 13:51:18 | 000,058,368 | ---- | M] (Check Point Software Technologies LTD) -- H:\WINDOWS\System32\vsregexp.dll
[2010/06/18 21:20:24 | 000,012,800 | ---- | M] () -- H:\Documents and Settings\getgoinc\Application Data\Settings.cfg
[2010/06/11 14:36:48 | 000,000,116 | ---- | M] () -- H:\WINDOWS\NeroDigital.ini
[2010/06/11 00:47:08 | 000,000,818 | ---- | M] () -- H:\Documents and Settings\getgoinc\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/06/09 18:13:23 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- H:\WINDOWS\System32\deployJava1.dll
[2010/06/09 18:13:23 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- H:\WINDOWS\System32\javaws.exe
[2010/06/09 18:13:23 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- H:\WINDOWS\System32\javaw.exe
[2010/06/09 18:13:23 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- H:\WINDOWS\System32\java.exe
[2010/06/09 18:13:23 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- H:\WINDOWS\System32\javacpl.cpl
[2010/06/07 03:22:24 | 000,507,204 | ---- | M] () -- H:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/07 03:22:24 | 000,430,496 | ---- | M] () -- H:\WINDOWS\System32\perfh009.dat
[2010/06/07 03:22:24 | 000,067,220 | ---- | M] () -- H:\WINDOWS\System32\perfc009.dat
[4 H:\WINDOWS\*.tmp files -> H:\WINDOWS\*.tmp -> ]
[1 H:\WINDOWS\System32\*.tmp files -> H:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/30 21:00:04 | 000,000,284 | ---- | C] () -- H:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-343818398-448539723-682003330-1003.job
[2010/06/26 12:52:43 | 000,000,644 | ---- | C] () -- H:\Documents and Settings\getgoinc\Desktop\ZoneAlarm Security.lnk
[2010/06/25 02:02:06 | 000,000,737 | ---- | C] () -- H:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/24 19:01:29 | 000,000,552 | ---- | C] () -- H:\WINDOWS\System32\d3d8caps.dat
[2010/06/23 05:19:57 | 000,000,231 | ---- | C] () -- H:\WINDOWS\pp_sysini.bak
[2010/06/23 05:19:56 | 000,000,881 | ---- | C] () -- H:\WINDOWS\pp_winini.bak
[2010/02/12 14:52:23 | 000,009,216 | ---- | C] () -- H:\WINDOWS\nvapi.dll
[2009/05/16 22:59:45 | 000,000,801 | ---- | C] () -- H:\WINDOWS\ScanSpyware.INI
[2009/05/02 13:19:27 | 000,000,020 | ---- | C] () -- H:\WINDOWS\ShellIcon32.dll
[2009/01/24 12:54:41 | 000,003,252 | ---- | C] () -- H:\WINDOWS\System32\drivers\PQNTDRV.SYS
[2008/11/10 15:01:36 | 000,087,209 | ---- | C] () -- H:\WINDOWS\System32\iq012006.DLL
[2008/11/10 15:01:36 | 000,087,208 | ---- | C] () -- H:\WINDOWS\System32\iq032006.DLL
[2008/11/10 15:01:36 | 000,087,206 | ---- | C] () -- H:\WINDOWS\System32\iq022006.DLL
[2008/11/10 15:01:36 | 000,087,204 | ---- | C] () -- H:\WINDOWS\System32\iq042006.DLL
[2008/11/10 15:01:36 | 000,087,203 | ---- | C] () -- H:\WINDOWS\System32\sq022006.DLL
[2008/11/10 15:01:36 | 000,087,201 | ---- | C] () -- H:\WINDOWS\System32\sq012006.DLL
[2008/11/10 15:01:36 | 000,087,176 | ---- | C] () -- H:\WINDOWS\System32\sq042006.DLL
[2008/11/10 15:01:36 | 000,087,172 | ---- | C] () -- H:\WINDOWS\System32\sq032006.DLL
[2008/11/10 15:01:36 | 000,087,136 | ---- | C] () -- H:\WINDOWS\System32\IN993344.DLL
[2008/06/27 16:08:26 | 000,000,419 | ---- | C] () -- H:\WINDOWS\MAXLINK.INI
[2008/06/02 16:35:11 | 000,000,116 | ---- | C] () -- H:\WINDOWS\NeroDigital.ini
[2008/02/18 02:11:26 | 000,000,115 | ---- | C] () -- H:\WINDOWS\cdplayer.ini
[2008/02/16 00:15:21 | 000,162,304 | ---- | C] () -- H:\WINDOWS\System32\ztvunrar36.dll
[2008/02/16 00:15:21 | 000,153,088 | ---- | C] () -- H:\WINDOWS\System32\UNRAR3.dll
[2008/02/16 00:15:21 | 000,077,312 | ---- | C] () -- H:\WINDOWS\System32\ztvunace26.dll
[2008/02/16 00:15:21 | 000,075,264 | ---- | C] () -- H:\WINDOWS\System32\unacev2.dll
[2008/01/13 13:25:08 | 000,018,916 | ---- | C] () -- H:\WINDOWS\System32\tfak.dll
[2007/10/14 23:00:28 | 000,000,000 | ---- | C] () -- H:\WINDOWS\DVEdit.INI
[2007/10/14 21:15:08 | 000,024,576 | ---- | C] () -- H:\WINDOWS\System32\IcdSptSvps.dll
[2007/10/14 21:15:07 | 000,122,880 | ---- | C] () -- H:\WINDOWS\System32\trc.dll
[2007/10/14 21:15:07 | 000,081,920 | ---- | C] () -- H:\WINDOWS\System32\dsp_trc.dll
[2007/09/22 20:01:31 | 000,000,164 | ---- | C] () -- H:\WINDOWS\avrack.ini
[2007/09/22 20:01:29 | 000,155,648 | ---- | C] () -- H:\WINDOWS\System32\RTLCPAPI.dll
[2007/09/11 02:33:51 | 000,000,376 | ---- | C] () -- H:\WINDOWS\ODBC.INI
[2005/06/11 11:47:00 | 000,045,056 | ---- | C] () -- H:\WINDOWS\System32\fpprintmon.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- H:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 07:00:00 | 000,027,440 | ---- | C] () -- H:\WINDOWS\System32\drivers\secdrv.sys
[2001/08/23 07:00:00 | 000,000,002 | ---- | C] () -- H:\WINDOWS\System32\touch32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> H:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 108 bytes -> H:\Documents and Settings\All Users\Application Data\TEMP:CDF51F17
< End of report >

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-01 00:32:28
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: H:\DOCUME~1\getgoinc\LOCALS~1\Temp\fxldqpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB8AC06B8]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB8C39534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB8C33782]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB8AC0574]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB8C39CC0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xB8B11730]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xB8B118A0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xB8B12340]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB8B11F90]
SSDT BAECB104 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB8C39DF6]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB8C34398]
SSDT BAECB113 ZwDeleteKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB8AC0A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB8AC014C]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xB8B0FF80]
SSDT BAECB122 ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB8C54B44]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB8C33FAA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB8AC064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB8AC008C]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xB8B12170]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB8AC00F0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xB8B12910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB8AC076E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB8C558D2]
SSDT BAECB12C ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB8C390F4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB8AC072E]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xB8B12C10]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xB8B12F90]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xB8B13560]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xB8B0EC40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB8AC08AE]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xB8B12BC0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xB8B102F0]
SSDT BAECB0FF ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xB8B11A20]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[284] [0xB8B0DD40]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[285] [0xB8B0DD50]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[286] [0xB8B0DD60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[287] [0xB8B0DD80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[288] [0xB8B0DDA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[289] [0xB8B0DDD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[290] [0xB8B0DDE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[291] [0xB8B0DE00]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[292] [0xB8B0DE10]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[293] [0xB8B0DED0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[294] [0xB8B0DFA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[295] [0xB8B0DFE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[296] [0xB8B0E020]

Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoIsOperationSynchronous 804E8EBA 5 Bytes JMP B8B13E80 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804FDAF1 5 Bytes JMP B8B13980 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)
init H:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xBA396510]

---- User code sections - GMER 1.0.15 ----

.text H:\WINDOWS\Explorer.EXE[164] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\Explorer.EXE[164] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\Explorer.EXE[164] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\Explorer.EXE[164] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\Explorer.EXE[164] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\Explorer.EXE[164] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\Explorer.EXE[164] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\Explorer.EXE[164] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[172] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[172] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[172] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[172] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[172] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[172] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[704] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[704] USER32.dll!ChangeClipboardChain + 14 77D6F4A6 5 Bytes JMP 20C291E8 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\winlogon.exe[964] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\winlogon.exe[964] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\winlogon.exe[964] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\winlogon.exe[964] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\winlogon.exe[964] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\winlogon.exe[964] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\winlogon.exe[964] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\services.exe[1008] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\services.exe[1008] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\services.exe[1008] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\services.exe[1008] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\services.exe[1008] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\services.exe[1008] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\lsass.exe[1020] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\lsass.exe[1020] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\lsass.exe[1020] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\lsass.exe[1020] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\lsass.exe[1020] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1192] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1192] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1192] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1192] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1192] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1280] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\svchost.exe[1280] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\spoolsv.exe[1376] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\spoolsv.exe[1376] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\spoolsv.exe[1376] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\spoolsv.exe[1376] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\spoolsv.exe[1376] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\spoolsv.exe[1376] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\spoolsv.exe[1376] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\spoolsv.exe[1376] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1428] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1428] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1428] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1428] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1428] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCDsrv.exe[1464] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCDsrv.exe[1464] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCDsrv.exe[1464] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCDsrv.exe[1464] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCDsrv.exe[1464] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCDsrv.exe[1464] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCDsrv.exe[1464] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCDsrv.exe[1464] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1624] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1624] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1752] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1752] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1752] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1752] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1752] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1752] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Java\jre6\bin\jqs.exe[1916] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Java\jre6\bin\jqs.exe[1916] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Java\jre6\bin\jqs.exe[1916] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Java\jre6\bin\jqs.exe[1916] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Java\jre6\bin\jqs.exe[1916] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Java\jre6\bin\jqs.exe[1916] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Java\jre6\bin\jqs.exe[1916] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Java\jre6\bin\jqs.exe[1916] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1980] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1980] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1980] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1980] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1980] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1980] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1980] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[1980] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[2012] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[2012] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[2012] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[2012] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[2012] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[2012] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\svchost.exe[2012] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\alg.exe[2432] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\alg.exe[2432] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\alg.exe[2432] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\alg.exe[2432] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\alg.exe[2432] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\alg.exe[2432] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\alg.exe[2432] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\System32\alg.exe[2432] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\RootRepeal\GMER\Ex\gmer.exe[2624] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\RootRepeal\GMER\Ex\gmer.exe[2624] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\RootRepeal\GMER\Ex\gmer.exe[2624] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\RootRepeal\GMER\Ex\gmer.exe[2624] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\RootRepeal\GMER\Ex\gmer.exe[2624] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\RootRepeal\GMER\Ex\gmer.exe[2624] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\RootRepeal\GMER\Ex\gmer.exe[2624] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\RootRepeal\GMER\Ex\gmer.exe[2624] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\SOUNDMAN.EXE[2940] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\SOUNDMAN.EXE[2940] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\SOUNDMAN.EXE[2940] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\SOUNDMAN.EXE[2940] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\SOUNDMAN.EXE[2940] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\SOUNDMAN.EXE[2940] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\SOUNDMAN.EXE[2940] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\SOUNDMAN.EXE[2940] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCD.exe[2996] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCD.exe[2996] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCD.exe[2996] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCD.exe[2996] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCD.exe[2996] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCD.exe[2996] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCD.exe[2996] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\Program Files\Ahead\InCD\InCD.exe[2996] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3048] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3048] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3048] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3048] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3048] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3048] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3048] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3048] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Real\Update_OB\realsched.exe[3064] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Real\Update_OB\realsched.exe[3064] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Real\Update_OB\realsched.exe[3064] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Real\Update_OB\realsched.exe[3064] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Real\Update_OB\realsched.exe[3064] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Real\Update_OB\realsched.exe[3064] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Real\Update_OB\realsched.exe[3064] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Real\Update_OB\realsched.exe[3064] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\Acrobat 9.0\Acrobat\Acrotray.exe[3100] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\Acrobat 9.0\Acrobat\Acrotray.exe[3100] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\Acrobat 9.0\Acrobat\Acrotray.exe[3100] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\Acrobat 9.0\Acrobat\Acrotray.exe[3100] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\Acrobat 9.0\Acrobat\Acrotray.exe[3100] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\Acrobat 9.0\Acrobat\Acrotray.exe[3100] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\Acrobat 9.0\Acrobat\Acrotray.exe[3100] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text K:\Acrobat 9.0\Acrobat\Acrotray.exe[3100] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text W:\Proport-2.2\Ex\ProPort.exe[3124] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text W:\Proport-2.2\Ex\ProPort.exe[3124] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text W:\Proport-2.2\Ex\ProPort.exe[3124] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text W:\Proport-2.2\Ex\ProPort.exe[3124] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text W:\Proport-2.2\Ex\ProPort.exe[3124] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text W:\Proport-2.2\Ex\ProPort.exe[3124] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text W:\Proport-2.2\Ex\ProPort.exe[3124] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text W:\Proport-2.2\Ex\ProPort.exe[3124] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\ctfmon.exe[3188] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\ctfmon.exe[3188] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\ctfmon.exe[3188] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\ctfmon.exe[3188] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\ctfmon.exe[3188] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\ctfmon.exe[3188] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\ctfmon.exe[3188] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\ctfmon.exe[3188] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\taskmgr.exe[3292] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\taskmgr.exe[3292] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\taskmgr.exe[3292] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\taskmgr.exe[3292] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\taskmgr.exe[3292] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\taskmgr.exe[3292] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\taskmgr.exe[3292] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text H:\WINDOWS\system32\taskmgr.exe[3292] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\PROGRA~1\Webshots\Webshots.scr[3408] ntdll.dll!NtAccessCheckByType 7C90D3B8 5 Bytes JMP 20C28709 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\PROGRA~1\Webshots\Webshots.scr[3408] ntdll.dll!NtImpersonateClientOfPort 7C90DADB 5 Bytes JMP 20C28CD0 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\PROGRA~1\Webshots\Webshots.scr[3408] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 20C28923 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\PROGRA~1\Webshots\Webshots.scr[3408] kernel32.dll!OpenProcess 7C81E079 5 Bytes JMP 20C283E4 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\PROGRA~1\Webshots\Webshots.scr[3408] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7C97 5 Bytes JMP 20C28DD5 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\PROGRA~1\Webshots\Webshots.scr[3408] ADVAPI32.dll!SetThreadToken 77DD7E3D 5 Bytes JMP 20C28FAE H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\PROGRA~1\Webshots\Webshots.scr[3408] USER32.dll!FindWindowW 77D6F245 5 Bytes JMP 20C281D2 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text I:\PROGRA~1\Webshots\Webshots.scr[3408] USER32.dll!FindWindowA 77D6F3C6 5 Bytes JMP 20C28207 H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B8C3E672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B8C3E4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B8C3ECBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B8C3CC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B8C3CC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B8C3E672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B8C3E4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B8C3ECBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B8C3E672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B8C3ECBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B8C3E4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B8C3CC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B8C3ECBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B8C3E672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B8C3E4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B8C3CC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B8C3E672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B8C3E4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B8C3ECBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B8C1C3C4] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B8C3E672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B8C3CC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B8C3ECBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B8C3E4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [B8C3541C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B8C352AA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B8C3560C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B8C34D40] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT H:\WINDOWS\Explorer.EXE[164] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\System32\svchost.exe[172] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\system32\winlogon.exe[964] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\system32\services.exe[1008] @ H:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT H:\WINDOWS\system32\services.exe[1008] @ H:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000
IAT H:\WINDOWS\system32\services.exe[1008] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\system32\lsass.exe[1020] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\system32\svchost.exe[1192] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\system32\svchost.exe[1280] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\system32\spoolsv.exe[1376] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\System32\svchost.exe[1428] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT I:\Program Files\Ahead\InCD\InCDsrv.exe[1464] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\System32\svchost.exe[1624] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\System32\svchost.exe[1752] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\Program Files\Java\jre6\bin\jqs.exe[1916] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\System32\svchost.exe[1980] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\System32\svchost.exe[2012] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\System32\alg.exe[2432] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT K:\RootRepeal\GMER\Ex\gmer.exe[2624] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\SOUNDMAN.EXE[2940] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT I:\Program Files\Ahead\InCD\InCD.exe[2996] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3048] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\Program Files\Common Files\Real\Update_OB\realsched.exe[3064] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT K:\Acrobat 9.0\Acrobat\Acrotray.exe[3100] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT W:\Proport-2.2\Ex\ProPort.exe[3124] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\system32\ctfmon.exe[3188] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\system32\taskmgr.exe[3292] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT I:\PROGRA~1\Webshots\Webshots.scr[3408] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D617C7BF-00DE-7518-AED3-F009BCAB7381}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D617C7BF-00DE-7518-AED3-F009BCAB7381}@haakiobhjobgppia 0x66 0x61 0x65 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D617C7BF-00DE-7518-AED3-F009BCAB7381}@ianiphafdpiefopdfk 0x69 0x61 0x62 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D617C7BF-00DE-7518-AED3-F009BCAB7381}@halhdkfccnikgmbi 0x69 0x61 0x62 0x66 ...

---- EOF - GMER 1.0.15 ----

Attached Files


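The IAT and Reg records in the GMER log above are the two blocks a helper usually wants pre-chewed before reading the rest: every IAT line here points at the same module and address (ISWSHEX.dll, the ZoneAlarm ForceField plugin, with a vendor string), while the Reg lines show a subkey under Shell Extensions\Approved with value names that are not CLSIDs. The Python below is an added example for this thread, not part of the original post and not GMER's own tooling. It parses those two record types, groups the hooks by hooking module and hooked import, and flags Approved entries that do not fit the normal layout of that key (CLSID-named string values directly under it, no subkeys). The sample lines are copied from the log; the regexes, the "ok/CHECK" rule and the Approved layout rule are this script's own assumptions.

```python
"""Triage helper for the 'IAT' and 'Reg' records in a GMER log.

Added example for this thread, not part of the original post or of GMER itself.
The sample lines are copied from the log above; the regexes and the rule that
Shell Extensions\\Approved holds CLSID-named values rather than subkeys are
this script's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the GMER log posted above.
SAMPLE_LOG = r"""
IAT H:\WINDOWS\System32\svchost.exe[1980] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\WINDOWS\system32\taskmgr.exe[3292] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
IAT H:\Program Files\Java\jre6\bin\jqs.exe[1916] @ H:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [20C282D4] H:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D617C7BF-00DE-7518-AED3-F009BCAB7381}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D617C7BF-00DE-7518-AED3-F009BCAB7381}@haakiobhjobgppia 0x66 0x61 0x65 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D617C7BF-00DE-7518-AED3-F009BCAB7381}@ianiphafdpiefopdfk 0x69 0x61 0x62 0x66 ...
"""

# IAT <process>[<pid>] @ <module> [<import>] [<addr>] <hooking module> (<vendor>)
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<import>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] "
    r"(?P<hooker>.+?)(?: \((?P<vendor>[^()]*)\))?$"
)
# Reg <key>[@<value name> [<data>]]
REG_RE = re.compile(r"^Reg (?P<key>.+?)(?:@(?P<name>\S+)(?: (?P<data>.+))?)?$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
APPROVED = "\\Shell Extensions\\Approved\\"


def parse_iat(line):
    """Split one 'IAT ...' line into its fields; None for any other line."""
    m = IAT_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_reg(line):
    """Split one 'Reg ...' line into key, value name and data; None otherwise."""
    m = REG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_hooks(lines):
    """Group IAT hooks by (hooking module, hooked import).

    A product that hooks the same import in every process shows up as one entry
    with one address and a vendor string; a hook with no vendor attribution or
    with different addresses per process is the one to look at more closely.
    """
    summary = defaultdict(lambda: {"vendor": None, "addrs": set(), "processes": []})
    for rec in map(parse_iat, lines):
        if rec is None:
            continue
        entry = summary[(rec["hooker"], rec["import"])]
        entry["vendor"] = rec["vendor"]
        entry["addrs"].add(rec["addr"])
        entry["processes"].append(f'{rec["process"]}[{rec["pid"]}]')
    return dict(summary)


def flag_approved_entries(lines):
    """Return (key, value name) pairs that do not fit the normal layout of
    Shell Extensions\\Approved, which holds CLSID-named string values directly
    under the key.  A subkey below Approved, or a value whose name is not a
    CLSID, is flagged for manual review (assumed rule, see module docstring)."""
    flagged = []
    for rec in map(parse_reg, lines):
        if rec is None or APPROVED not in rec["key"]:
            continue
        below = rec["key"].split(APPROVED, 1)[1]  # non-empty means a subkey
        if below or (rec["name"] is not None and not CLSID_RE.match(rec["name"])):
            flagged.append((rec["key"], rec["name"]))
    return flagged


def hook_notes(summary):
    """One human-readable line per hook group, 'CHECK' for the odd ones."""
    notes = []
    for (hooker, imp), e in sorted(summary.items()):
        odd = e["vendor"] is None or len(e["addrs"]) > 1
        notes.append(
            f'{"CHECK" if odd else "ok   "} {hooker} hooks {imp} in '
            f'{len(e["processes"])} process(es) at {len(e["addrs"])} address(es); '
            f'vendor: {e["vendor"] or "none"}'
        )
    return notes


if __name__ == "__main__":
    lines = SAMPLE_LOG.strip().splitlines()
    for note in hook_notes(summarize_hooks(lines)):
        print(note)
    for key, name in flag_approved_entries(lines):
        print("CHECK odd registry entry:", key, name or "(key itself)")
```

Run against the sample, the hook summary collapses the three IAT lines into a single "ok" group (one module, one address, vendor named), and all three Reg lines come back flagged: the CLSID-named subkey under Approved and its two values with non-CLSID names. Flagged only means "read this by hand"; the script does not decide what the entry is.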

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,824 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:23 PM

Posted 01 July 2010 - 03:47 AM

Hello again,

First of all, your logs show you are using pirated Adobe software. Besides legal issues, this almost surely brings malware with it as well. Before continuing, please remove this software; otherwise you risk ending up with unusable applications, since our tools recognize and remove malware that comes with these illegal programs.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Elise


Posted 07 July 2010 - 06:02 AM

Hi, are you still there?

regards, Elise



#6 Elise


Posted 21 July 2010 - 06:24 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

