Suspected rootkits


  • This topic is locked
25 replies to this topic

#1 George Lee

George Lee

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:17 AM

Posted 08 July 2010 - 06:28 PM

I have raised this topic on Windows Secrets Lounge without success. It has been suggested that my symptoms could be due to a faulty hard drive or voltage problems, but neither of the media offered worked. Someone else said he/she had never heard of these symptoms being caused by such a cause, and suggested I try this forum where there is more expertise available.

Below is my post to Windows Secrets for much more detail, followed by the requested logs.

I hope the GMER log is OK; it did not end as described in your instructions but just stopped scanning, so after about 15 minutes I copied it to the desktop. At this point things went wrong. I decided to print the rest of the instructions as it was getting complicated: I copied the instructions, switched on the printer and opened Word in order to edit out the part already completed, but I could not paste into the doc, nor could I close Word; Task Manager would not function and indicated the system was using 100% of resources; then ZoneAlarm tried to update, at which point I switched off at the mains.

Now the details as posted on WS Lounge:

Rootkits, or presumed rootkits, are driving me crazy, and I could use some help.

4 or 5 weeks ago, whilst doing the weekly scans, defrag, etc, Avira Rootkit Detector gave an ambiguous message which I took to indicate the presence of a rootkit. There being no guidance on how to remove it, I did nothing.

Some time during the following week RU Botted warned that bots had been found. After a lengthy scan 7 vulnerabilities were recommended for deletion. After their removal Firefox was malfunctioning badly and IE was unusable for several days, but by using FF immediately after a reboot it was possible to install Chrome.

ZoneAlarm was misbehaving also, continually changing the time of scans on a random basis – very inconvenient if using the PC only to find it had slowed down or stopped to perform a scan. Also the hourly updates could take 10 minutes or more to complete, during which time it was almost impossible to do anything else, and if updating Sharescope or Digiguide at the time – both of which use a lot of resources – gridlock tended to ensue. Several times I had to disconnect the PC from the mains to sort it out. At least I've now found out how to change to 12 hourly updates.

There was no way of knowing whether these problems were caused by a rootkit, or just that some essential files were deleted along with the bots, but the proximity in time between the two events suggests that the bots were installed by the rootkit. Perhaps I should mention that the lengthy hold-ups while ZA updates had been going on for several months, and I had already decided to change security suites when the licence runs out, but the arbitrary full scans only occurred after removing the bots.

With the help of several lounge members I was able to wipe and (hopefully) overwrite the hard-drive with dban and reinstall XP Home Edition, only for most of the problems to recur. There were no more problems with IE, so Chrome is not needed, and FF is slightly more stable, in that although it still will not close completely, it is now sometimes possible to open another copy without rebooting.

Using fixmbr to install a new Master Boot Record made no difference, so I downloaded and scanned with RootkitRevealer, which produced two entries:

HKLM\SECURITY\Policy\Secrets\SAC* 16/06/10 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 16/06/10 0 bytes Key name contains embedded nulls (*)

Security, secrets, embedded nulls – it looked as though the trouble had been located, until I checked Google and found they are legitimate files where Windows stores passwords.

Next I tried Sophos Anti-Rootkit, which found 25 unknown hidden files:

C:\Docs & Settings\Owner\Local Settings\Temp Internet Files\Content.IE5\followed by a number such as 563BAH3N\6301, 6303, 6389, 64 (remainder is off my screen)

Sophos marked the files as unknown and recommended not removing them. Nevertheless, I deleted one file and used IE for the rest of the evening, with no problems.

The next day, intending to delete some more, I did another scan, but in error used RootkitRevealer. The two HKLM files listed above appeared, followed by another 358 entries all reading

C:\System Volume Information\_restore {8FF5B3D followed by a long string of numbers and letters, only the last 2 or 3 of which differed, and ending with .RDB

326 of these files were 1.65 MB in size and marked “Hidden from Windows API”

The remaining 32 files, which appeared at the end, varied in size and were marked “Visible in Windows API, but not in directory index”

25 rootkits (now 44) in IE5 is difficult to explain, but another 358 in System Information is just ridiculous. Where did they come from, and why are they multiplying?

Then there is the question of why I still have a problem after wiping the hard-drive and supposedly removing everything. Is once insufficient, will repeating another two or three times make a difference, or is there a better tool to use?

Or could the infection be reintroduced from my restored documents? Most are Word or Excel docs that I produced myself, but there must be a few hundred emails – should I remove the lot? Most of the applications downloaded after the reinstall were scanned by ZoneAlarm and Malwarebytes prior to installation, though I may have forgotten to do so on a few occasions; but I consider this an unlikely source of infection, as with the symptoms being the same as previously it must have still been on the hard-drive after wiping, or in the docs restored later.

Another mystery! At this point I decided to delve deeper into Google before posting to the lounge, and chose the second link listed. This advocated shutting down System Restore, rebooting and scanning again. It worked, all the entries for System Volume Information had gone.

HOWEVER, there are now 110 new discrepancies, predominantly relating to Prefetch and a few to system32/zonealarm. What is going on? This is crazy!

Firefox is still playing up, perhaps worse than before, as everything seized up when I tried to log in to my bank just now, necessitating a reboot. Perhaps the problem is FF rather than all the entries produced by scans, but it has been removed and reinstalled several times without improvement.

I have now spent so much time on this issue that I’m reluctant to just give up and buy a new PC, especially as cash is tight at the moment, but unless someone can provide an answer there seems no alternative.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:09:42.12 on 08/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.188 [GMT 1:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.telegraph.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/registration-free-antivirus.php
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [OpAgent] "OpAgent.exe" /agent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ScanSoft OmniPage 16-reminder] "c:\program files\scansoft\omnipage16\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage 16\ereg\Ereg.ini"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\digigu~1.lnk - c:\program files\digiguide tv guide\Client.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276894815156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3u1tcbw9.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3u1tcbw9.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-18 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-6-18 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-6-18 528008]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-7-6 20072]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-3-16 26232]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-3-16 488816]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-6-19 582992]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-6-19 206608]
S3 MATKWQW;MATKWQW;c:\docume~1\owner\locals~1\temp\MATKWQW.exe [2010-6-22 531328]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\100.tmp --> c:\windows\system32\100.tmp [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-6-19 206608]

=============== Created Last 30 ================

2010-07-08 17:56:36 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-07 13:14:44 0 d-----w- c:\windows\system32\XPSViewer
2010-07-07 13:13:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-07 13:13:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-07 13:13:31 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-07 13:13:31 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-07 13:13:31 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-07 13:13:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-07 13:13:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-07 13:13:30 0 d-----w- C:\188209cb1ff21b21e4
2010-07-06 14:48:05 20072 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-07-06 10:23:55 0 d-----w- c:\program files\CPUID
2010-07-04 23:49:54 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-07-04 15:35:36 7839944 ----a-w- c:\program files\common files\lpuninstall.exe
2010-07-04 15:35:22 0 d-----w- c:\program files\LastPass
2010-07-01 13:17:31 0 d-----w- c:\program files\Sophos
2010-06-27 10:36:00 0 ----a-w- C:\outC1.tmp
2010-06-27 10:22:15 0 ----a-w- C:\outB2.tmp
2010-06-27 09:36:16 0 ----a-w- C:\out65.tmp
2010-06-27 09:24:44 0 ----a-w- C:\out55.tmp
2010-06-23 16:54:06 0 d-----w- c:\docume~1\owner\applic~1\#ISW.FS#
2010-06-20 19:35:45 0 d-----w- c:\program files\IrfanView
2010-06-20 16:25:04 0 d-----w- c:\program files\Analog Devices
2010-06-20 16:24:35 765952 ----a-w- c:\windows\system\crlds3d.dll
2010-06-20 16:24:35 732928 ----a-w- c:\windows\system32\drivers\senfilt.sys
2010-06-20 16:24:35 311296 ----a-w- c:\windows\system32\Edcrypt.dll
2010-06-20 16:24:35 260352 ----a-w- c:\windows\system32\drivers\smwdm.sys
2010-06-20 16:24:35 23040 ----a-w- c:\windows\system32\PostProc.dll
2010-06-20 13:31:40 0 d-----w- c:\program files\MSECache
2010-06-20 12:41:28 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-06-20 11:13:03 23 --sha-w- c:\windows\system32\edacded0.dat
2010-06-20 11:13:03 23 ----a-w- c:\windows\system32\bcdadac7.xml
2010-06-20 11:12:51 0 d-----w- c:\program files\jv16 PowerTools 2009
2010-06-20 09:35:56 0 d-----w- c:\program files\DigiGuide TV Guide
2010-06-20 09:34:31 20 ----a-w- C:\rules.qdb
2010-06-20 09:34:31 0 d-----w- c:\docume~1\owner\applic~1\ClipMagic
2010-06-20 09:34:19 737280 ----a-w- c:\windows\iun6002.exe
2010-06-20 09:34:18 0 d-----w- c:\program files\ClipMagic
2010-06-20 08:21:40 0 d-----w- c:\docume~1\owner\applic~1\Foxit
2010-06-20 08:21:17 0 d-----w- c:\program files\Foxit Software
2010-06-20 00:00:55 0 d-----w- c:\program files\common files\xing shared
2010-06-19 23:59:57 0 d-----w- c:\program files\common files\Real
2010-06-19 23:19:07 0 d-----w- c:\docume~1\owner\applic~1\Auslogics
2010-06-19 23:18:57 0 d-----w- c:\program files\Auslogics
2010-06-19 23:06:06 0 d-----w- c:\program files\Secunia
2010-06-19 22:59:03 0 d-----w- c:\program files\MSXML 4.0
2010-06-19 22:58:21 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-19 19:46:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-19 19:46:23 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 18:32:34 0 d-----w- C:\ShareScope
2010-06-19 17:55:52 0 ----a-w- C:\outE.tmp
2010-06-19 17:51:37 0 d-----w- c:\docume~1\owner\applic~1\Zeon
2010-06-19 17:24:22 0 d-----w- c:\program files\common files\ScanSoft Shared
2010-06-19 17:24:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Zeon
2010-06-19 17:21:39 395 ----a-w- c:\windows\MAXLINK.INI
2010-06-19 17:18:10 0 d-----w- c:\program files\ScanSoft
2010-06-19 16:55:56 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-19 16:55:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-19 16:44:09 0 d-----w- c:\program files\Canon
2010-06-19 16:36:04 389180 ----a-w- c:\windows\system32\UCS32P.DLL
2010-06-19 16:36:03 745472 ----a-w- c:\windows\system32\CNQA2403.dll
2010-06-19 16:36:03 36864 ----a-w- c:\windows\system32\CNQU81.DLL
2010-06-19 16:36:03 204800 ----a-w- c:\windows\system32\CNQL2403.dll
2010-06-19 16:36:03 0 d--h--w- C:\CanoScan
2010-06-19 08:37:59 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-19 08:37:59 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-19 08:37:47 6184 ----a-r- c:\windows\system32\cmglue.vxd
2010-06-19 08:37:22 6656 ----a-w- c:\windows\system32\CNMVS5m.DLL
2010-06-19 08:37:21 107008 ----a-w- c:\windows\system32\CNMLM5m.DLL
2010-06-19 08:37:17 73728 ----a-r- c:\windows\system32\CNMCP5m.exe
2010-06-19 08:36:58 0 d--h--w- C:\BJPrinter
2010-06-19 08:36:33 0 d-----w- c:\windows\StartHtmico
2010-06-19 08:36:33 0 d-----w- c:\windows\I865
2010-06-19 08:24:31 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-06-19 08:24:30 0 d-----w- c:\program files\Trend Micro
2010-06-19 08:08:39 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-06-19 08:08:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-06-18 20:40:45 376 ----a-w- c:\windows\ODBC.INI
2010-06-18 20:40:37 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-06-18 20:39:33 0 d-----w- c:\program files\Microsoft ActiveSync
2010-06-18 20:39:06 0 d-----w- c:\windows\SHELLNEW
2010-06-18 20:17:31 0 d-----w- c:\documents and settings\owner\Downloads
2010-06-18 19:40:38 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-06-18 19:35:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-18 19:35:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 19:35:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-18 19:35:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-18 19:22:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky SDK
2010-06-18 19:16:58 0 d-----w- c:\docume~1\owner\applic~1\MailFrontier
2010-06-18 19:03:09 0 d-----w- c:\docume~1\owner\applic~1\CheckPoint
2010-06-18 19:02:51 0 d-----w- c:\program files\CheckPoint
2010-06-18 19:02:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-06-18 19:02:35 72584 ----a-w- c:\windows\zllsputility.exe
2010-06-18 19:02:34 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-06-18 19:01:47 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-06-18 19:01:47 0 d-----w- c:\windows\system32\ZoneLabs
2010-06-18 19:01:44 422037 ----a-w- c:\windows\system32\vsconfig.xml
2010-06-18 19:01:43 0 d-----w- c:\program files\Zone Labs
2010-06-18 19:00:07 0 d-----w- c:\windows\Internet Logs
2010-06-18 18:04:45 0 d-----w- c:\windows\system32\scripting
2010-06-18 18:04:45 0 d-----w- c:\windows\l2schemas
2010-06-18 18:04:44 0 d-----w- c:\windows\system32\en
2010-06-18 18:04:44 0 d-----w- c:\windows\system32\bits
2010-06-18 18:01:00 0 d-----w- c:\windows\network diagnostic
2010-06-18 17:56:48 0 d-----w- c:\windows\EHome
2010-06-18 17:19:03 0 d-sh--w- c:\documents and settings\owner\IECompatCache
2010-06-18 17:17:11 0 d-sh--w- c:\documents and settings\owner\PrivacIE
2010-06-18 17:07:56 0 d-sh--w- c:\documents and settings\owner\IETldCache
2010-06-18 17:02:32 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-18 17:02:31 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-18 17:02:31 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-18 17:02:31 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-18 17:02:31 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-06-18 17:02:30 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-18 17:02:30 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-06-18 17:02:22 0 d-----w- c:\windows\ie8updates
2010-06-18 17:02:17 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-18 17:01:10 0 dc-h--w- c:\windows\ie8
2010-06-18 14:32:32 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-06-18 14:18:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-18 14:18:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-18 14:17:54 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-18 14:17:24 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-18 14:17:04 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-18 14:15:32 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-06-18 14:15:22 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-18 14:15:22 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-18 14:15:04 293376 ------w- c:\windows\system32\browserchoice.exe
2010-06-18 14:10:03 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-06-18 14:09:27 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-06-18 14:09:27 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-18 14:01:28 0 d-----w- c:\windows\system32\PreInstall
2010-06-18 14:01:27 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-18 11:21:27 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-06-18 11:20:51 43136 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2010-06-18 11:20:46 0 d-----w- c:\program files\Broadcom
2010-06-18 11:17:55 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-06-18 11:12:03 0 d-----w- c:\windows\system32\ReinstallBackups
2010-06-16 17:46:47 0 d-----w- c:\program files\Modem Helper
2010-06-16 17:44:31 90112 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-06-16 17:44:31 27786 ----a-w- c:\windows\system32\HSFCI005.dll
2010-06-16 17:44:31 174639 ----a-w- c:\windows\system32\drivers\del8D8x.cty
2010-06-16 17:44:31 11043 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2010-06-16 17:44:30 680704 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2010-06-16 17:44:30 212224 ----a-w- c:\windows\system32\drivers\HSFHWBS2.sys
2010-06-16 17:44:30 1042432 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
2010-06-16 17:44:22 0 d-----w- c:\program files\CONEXANT
2010-06-16 12:23:22 0 d-----w- c:\program files\common files\ODBC
2010-06-16 12:23:18 0 d-----w- c:\program files\common files\SpeechEngines
2010-06-16 12:22:46 0 d-----r- c:\documents and settings\all users\Documents
2010-06-16 11:49:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-16 11:36:51 0 d-sh--w- c:\documents and settings\all users\DRM
2010-06-16 11:36:32 0 d--h--w- c:\program files\WindowsUpdate
2010-06-16 11:35:42 0 d-----w- c:\program files\common files\MSSoap
2010-06-16 11:34:25 0 d-----w- c:\program files\Online Services
2010-06-16 11:34:19 0 d-----w- c:\program files\Messenger
2010-06-16 11:34:16 0 d-----w- c:\program files\MSN Gaming Zone
2010-06-16 11:33:37 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-06-20 00:00:06 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-16 11:35:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-28 11:04:52 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 19:12:10.21 ===============
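As an added example (not part of the original post, and not code from RootkitRevealer or any other tool named above), a small Python triage helper for discrepancy lines in the shape quoted in the post: it assumes a tab-separated layout of path, timestamp, size and description, encodes the benign explanations the poster found (LSA secret keys with embedded nulls, System Restore data, Prefetch churn during a scan) as rules, and leaves everything else for analyst review. The sample lines, paths, GUID and timestamps are constructed, not captured from the poster's machine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example: triage of RootkitRevealer-style discrepancy lines.
# Assumed line shape (tab-separated): path, timestamp, size, description.
# Sample lines are constructed to mirror the post; paths, GUID and
# timestamps are made up and are not real output from the poster's machine.
SAMPLE_OUTPUT = (
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC*\t16/06/10 10:02\t0 bytes\t"
    "Key name contains embedded nulls (*)\n"
    "HKLM\\SECURITY\\Policy\\Secrets\\SAI*\t16/06/10 10:02\t0 bytes\t"
    "Key name contains embedded nulls (*)\n"
    "C:\\System Volume Information\\_restore{8FF5B3D0-0000-4000-8000-000000000001}"
    "\\RP12\\A0000101.RDB\t02/07/10 18:11\t1.65 MB\tHidden from Windows API.\n"
    "C:\\WINDOWS\\Prefetch\\NOTEPAD.EXE-336351A9.pf\t08/07/10 19:10\t12.50 KB\t"
    "Visible in Windows API, but not in directory index.\n"
    "C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files"
    "\\Content.IE5\\563BAH3N\\6301[1].htm\t08/07/10 19:09\t4.00 KB\t"
    "Hidden from Windows API.\n"
    "C:\\WINDOWS\\system32\\drivers\\example_unknown.sys\t08/07/10 19:10\t"
    "574.50 KB\tHidden from Windows API.\n"
)

BENIGN = "benign"   # known-good Windows behaviour, no action needed
RESCAN = "rescan"   # transient noise: remove the source of noise and rescan
REVIEW = "review"   # unexplained; verify the file's publisher, hash and purpose


@dataclass
class Discrepancy:
    path: str
    timestamp: str
    size_bytes: int
    description: str
    verdict: str
    reason: str


_UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text: str) -> int:
    """Turn '1.65 MB' / '0 bytes' into a byte count (rounded down)."""
    m = re.fullmatch(r"([\d.]+)\s*(bytes|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def classify(path: str, description: str) -> Tuple[str, str]:
    """Apply the benign-pattern rules the post walks through, in order."""
    p, d = path.lower(), description.lower()
    if "embedded nulls" in d and p.startswith("hklm\\security\\policy\\secrets\\"):
        # Windows names LSA secret keys with embedded nulls; this is expected.
        return BENIGN, "LSA secrets key; embedded nulls are normal here"
    if "\\system volume information\\_restore{" in p:
        # System Restore point data is hidden from the Windows API by design.
        return RESCAN, "System Restore data; disable System Restore and rescan"
    if "\\prefetch\\" in p and "not in directory index" in d:
        # Prefetch files written during the scan show up as index mismatches.
        return RESCAN, "Prefetch file created during the scan; rescan when idle"
    if "hidden from windows api" in d:
        return REVIEW, "object hidden from the Windows API; check publisher and hash"
    return REVIEW, "unrecognised discrepancy type"


def parse_output(text: str) -> List[Discrepancy]:
    """Parse tab-separated discrepancy lines and attach a verdict to each."""
    rows: List[Discrepancy] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"malformed line: {line!r}")
        path, ts, size, desc = parts
        verdict, reason = classify(path, desc)
        rows.append(Discrepancy(path, ts, parse_size(size), desc, verdict, reason))
    return rows


def summarize(rows: List[Discrepancy]) -> Dict[str, int]:
    """Count entries per verdict so the noise can be separated from the rest."""
    counts = {BENIGN: 0, RESCAN: 0, REVIEW: 0}
    for r in rows:
        counts[r.verdict] += 1
    return counts


def needs_review(rows: List[Discrepancy]) -> List[str]:
    """Paths an analyst still has to explain after the benign rules have run."""
    return [r.path for r in rows if r.verdict == REVIEW]


if __name__ == "__main__":
    rows = parse_output(SAMPLE_OUTPUT)
    for r in rows:
        print(f"{r.verdict:<7} {r.size_bytes:>9} B  {r.path}")
        print(f"        {r.reason}")
    print(summarize(rows))
```

Real RootkitRevealer output should be saved from the tool and fed in unchanged; the rules only shrink the list, so anything left under "review" still needs to be checked against a known-good copy of the file.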

#2 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country
  • Local time:11:17 PM

Posted 12 July 2010 - 08:11 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' button and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#3 George Lee

George Lee
  • Topic Starter

  • Members
  • 13 posts
  • Local time:05:17 AM

Posted 13 July 2010 - 09:57 AM

Has my reply actually gone, as UPLOAD seems to refer to adding the attachment rather than the entire message?

#4 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country
  • Local time:11:17 PM

Posted 14 July 2010 - 07:24 AM

Hi,

Please post the new logs the same way you did in your first post.

Thanks!
PW

#5 George Lee

George Lee
  • Topic Starter

  • Members
  • 13 posts
  • Local time:05:17 AM

Posted 14 July 2010 - 09:20 AM

3rd Attempt. As far as I can tell, they have all been made as the original posting, by clicking Upload.

Summary of the problem

1. Firefox
a. Noscript is still working, but the icon rarely appears on screen, making it impossible to access sites requiring Flash, etc. Prior to reformatting the PC my old sites were accessible, but not after the reformat, until I discovered that Tools, Add-ons, Noscript, Options allowed me to add my favourite site to the white list.

b. LastPass icon appears even less often. Possible to access it from the web and copy and paste details over, but much less convenient than it opening in FF.

c. Firefox will not close completely. When I finish using it and close down, then later want to go online, it will not open. Sometimes a pop-up says there is a copy open but it is not responding, please close that first – which is impossible. When removing and reinstalling FF in an attempt to cure the problem, it was impossible to remove because it was still open; I had to reboot the PC, then delete FF.

2. Internet Explorer
All this forced me to try IE, but a pop-up said ‘Scripts usually safe, do you wish to run scripts?’ I click OK and the pop up reappears, making it impossible to move beyond the home page.

This problem disappeared after reformatting. IE now working OK, including LastPass, except that it takes IE a minute or more to open.

3. ZoneAlarm
As detailed in my original post, it is prone to performing full scans at 12.30 almost every day, instead of the specified time (this seems to happen less frequently during the past week), and the very slow updates lead to gridlock if they coincide with another application using a lot of resources.

4. System Restore
When it became apparent after removing the bots that I had a major problem I turned to System Restore, but there was only one Restore Point, created an hour or so previously, i.e. after the infection had occurred.

I discovered that one can create several restore points during a day and they will be available until the system next creates one, when the others will disappear. This has continued since the reformat. I noticed that new restore points were being created with every application reinstalled, but all disappeared at some stage.

When researching on Google the 300+ System Volume Information rootkits that had appeared, there was a posting suggesting closing System Restore and rebooting. This was when I noticed that there was only one restore point present. The hint worked, inasmuch as the 300+ rootkits had been replaced by 110 different ones.

NB I have refrained from adding updates to the PC since sending the previous logs.
-----------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 11:32:52.68 on 13/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.313 [GMT 1:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.telegraph.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/registration-free-antivirus.php
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [OpAgent] "OpAgent.exe" /agent
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ScanSoft OmniPage 16-reminder] "c:\program files\scansoft\omnipage16\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage 16\ereg\Ereg.ini"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\digigu~1.lnk - c:\program files\digiguide tv guide\Client.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276894815156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3u1tcbw9.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3u1tcbw9.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-18 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-6-18 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-6-18 528008]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-7-6 20072]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-3-16 26232]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-3-16 488816]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-6-19 582992]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-6-19 206608]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 MATKWQW;MATKWQW;c:\docume~1\owner\locals~1\temp\MATKWQW.exe [2010-6-22 531328]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\100.tmp --> c:\windows\system32\100.tmp [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-6-19 206608]

=============== Created Last 30 ================

2010-07-11 22:08:47 69 ----a-w- c:\windows\NeroDigital.ini
2010-07-11 19:39:14 364544 ------w- c:\windows\system32\TwnLib4.dll
2010-07-11 19:39:14 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-07-11 19:39:11 471040 ------w- c:\windows\system32\ImagXRA7.dll
2010-07-11 19:39:11 262144 ------w- c:\windows\system32\ImagXR7.dll
2010-07-11 19:39:10 476320 ------w- c:\windows\system32\ImagXpr7.dll
2010-07-11 19:39:10 1568768 ------w- c:\windows\system32\ImagX7.dll
2010-07-11 19:39:09 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-07-11 19:38:28 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2010-07-11 19:38:27 0 d-----w- c:\program files\CyberLink DVD Solution
2010-07-11 17:57:32 57344 ----a-w- c:\windows\uneng.exe
2010-07-11 17:50:48 283648 ----a-w- c:\windows\uninst.exe
2010-07-11 17:50:45 0 d-----w- c:\documents and settings\owner\WINDOWS
2010-07-08 17:56:36 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-07 13:14:44 0 d-----w- c:\windows\system32\XPSViewer
2010-07-07 13:13:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-07 13:13:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-07 13:13:31 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-07 13:13:31 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-07 13:13:31 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-07 13:13:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-07 13:13:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-07 13:13:30 0 d-----w- C:\188209cb1ff21b21e4
2010-07-06 14:48:05 20072 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-07-06 10:23:55 0 d-----w- c:\program files\CPUID
2010-07-04 23:49:54 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-07-04 15:35:36 7957504 ----a-w- c:\program files\common files\lpuninstall.exe
2010-07-04 15:35:22 0 d-----w- c:\program files\LastPass
2010-07-01 13:17:31 0 d-----w- c:\program files\Sophos
2010-06-23 16:54:06 0 d-----w- c:\docume~1\owner\applic~1\#ISW.FS#
2010-06-20 19:35:45 0 d-----w- c:\program files\IrfanView
2010-06-20 16:25:04 0 d-----w- c:\program files\Analog Devices
2010-06-20 16:24:35 765952 ----a-w- c:\windows\system\crlds3d.dll
2010-06-20 16:24:35 732928 ----a-w- c:\windows\system32\drivers\senfilt.sys
2010-06-20 16:24:35 311296 ----a-w- c:\windows\system32\Edcrypt.dll
2010-06-20 16:24:35 260352 ----a-w- c:\windows\system32\drivers\smwdm.sys
2010-06-20 16:24:35 23040 ----a-w- c:\windows\system32\PostProc.dll
2010-06-20 13:31:40 0 d-----w- c:\program files\MSECache
2010-06-20 12:41:28 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-06-20 11:13:03 23 --sha-w- c:\windows\system32\edacded0.dat
2010-06-20 11:13:03 23 ----a-w- c:\windows\system32\bcdadac7.xml
2010-06-20 11:12:51 0 d-----w- c:\program files\jv16 PowerTools 2009
2010-06-20 09:35:56 0 d-----w- c:\program files\DigiGuide TV Guide
2010-06-20 09:34:31 20 ----a-w- C:\rules.qdb
2010-06-20 09:34:31 0 d-----w- c:\docume~1\owner\applic~1\ClipMagic
2010-06-20 09:34:19 737280 ----a-w- c:\windows\iun6002.exe
2010-06-20 09:34:18 0 d-----w- c:\program files\ClipMagic
2010-06-20 08:21:40 0 d-----w- c:\docume~1\owner\applic~1\Foxit
2010-06-20 08:21:17 0 d-----w- c:\program files\Foxit Software
2010-06-20 00:00:55 0 d-----w- c:\program files\common files\xing shared
2010-06-19 23:59:57 0 d-----w- c:\program files\common files\Real
2010-06-19 23:19:07 0 d-----w- c:\docume~1\owner\applic~1\Auslogics
2010-06-19 23:18:57 0 d-----w- c:\program files\Auslogics
2010-06-19 23:06:06 0 d-----w- c:\program files\Secunia
2010-06-19 22:59:03 0 d-----w- c:\program files\MSXML 4.0
2010-06-19 22:58:21 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-19 19:46:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-19 19:46:23 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 18:32:34 0 d-----w- C:\ShareScope
2010-06-19 17:55:52 0 ----a-w- C:\outE.tmp
2010-06-19 17:51:37 0 d-----w- c:\docume~1\owner\applic~1\Zeon
2010-06-19 17:24:22 0 d-----w- c:\program files\common files\ScanSoft Shared
2010-06-19 17:24:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Zeon
2010-06-19 17:21:39 395 ----a-w- c:\windows\MAXLINK.INI
2010-06-19 17:18:10 0 d-----w- c:\program files\ScanSoft
2010-06-19 16:55:56 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-19 16:55:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-19 16:44:09 0 d-----w- c:\program files\Canon
2010-06-19 16:36:04 389180 ----a-w- c:\windows\system32\UCS32P.DLL
2010-06-19 16:36:03 745472 ----a-w- c:\windows\system32\CNQA2403.dll
2010-06-19 16:36:03 36864 ----a-w- c:\windows\system32\CNQU81.DLL
2010-06-19 16:36:03 204800 ----a-w- c:\windows\system32\CNQL2403.dll
2010-06-19 16:36:03 0 d--h--w- C:\CanoScan
2010-06-19 08:37:59 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-19 08:37:59 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-19 08:37:47 6184 ----a-r- c:\windows\system32\cmglue.vxd
2010-06-19 08:37:22 6656 ----a-w- c:\windows\system32\CNMVS5m.DLL
2010-06-19 08:37:21 107008 ----a-w- c:\windows\system32\CNMLM5m.DLL
2010-06-19 08:37:17 73728 ----a-r- c:\windows\system32\CNMCP5m.exe
2010-06-19 08:36:58 0 d--h--w- C:\BJPrinter
2010-06-19 08:36:33 0 d-----w- c:\windows\StartHtmico
2010-06-19 08:36:33 0 d-----w- c:\windows\I865
2010-06-19 08:24:31 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-06-19 08:24:30 0 d-----w- c:\program files\Trend Micro
2010-06-19 08:08:39 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-06-19 08:08:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-06-18 20:40:45 376 ----a-w- c:\windows\ODBC.INI
2010-06-18 20:40:37 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-06-18 20:39:33 0 d-----w- c:\program files\Microsoft ActiveSync
2010-06-18 20:39:06 0 d-----w- c:\windows\SHELLNEW
2010-06-18 20:17:31 0 d-----w- c:\documents and settings\owner\Downloads
2010-06-18 19:40:38 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-06-18 19:35:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-18 19:35:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 19:35:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-18 19:35:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-18 19:22:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky SDK
2010-06-18 19:16:58 0 d-----w- c:\docume~1\owner\applic~1\MailFrontier
2010-06-18 19:03:09 0 d-----w- c:\docume~1\owner\applic~1\CheckPoint
2010-06-18 19:02:51 0 d-----w- c:\program files\CheckPoint
2010-06-18 19:02:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-06-18 19:02:35 72584 ----a-w- c:\windows\zllsputility.exe
2010-06-18 19:02:34 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-06-18 19:01:47 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-06-18 19:01:47 0 d-----w- c:\windows\system32\ZoneLabs
2010-06-18 19:01:44 422037 ----a-w- c:\windows\system32\vsconfig.xml
2010-06-18 19:01:43 0 d-----w- c:\program files\Zone Labs
2010-06-18 19:00:07 0 d-----w- c:\windows\Internet Logs
2010-06-18 18:04:45 0 d-----w- c:\windows\system32\scripting
2010-06-18 18:04:45 0 d-----w- c:\windows\l2schemas
2010-06-18 18:04:44 0 d-----w- c:\windows\system32\en
2010-06-18 18:04:44 0 d-----w- c:\windows\system32\bits
2010-06-18 18:01:00 0 d-----w- c:\windows\network diagnostic
2010-06-18 17:56:48 0 d-----w- c:\windows\EHome
2010-06-18 17:19:03 0 d-sh--w- c:\documents and settings\owner\IECompatCache
2010-06-18 17:17:11 0 d-sh--w- c:\documents and settings\owner\PrivacIE
2010-06-18 17:07:56 0 d-sh--w- c:\documents and settings\owner\IETldCache
2010-06-18 17:02:32 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-18 17:02:31 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-18 17:02:31 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-18 17:02:31 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-18 17:02:31 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-06-18 17:02:30 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-18 17:02:30 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-06-18 17:02:22 0 d-----w- c:\windows\ie8updates
2010-06-18 17:02:17 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-18 17:01:10 0 dc-h--w- c:\windows\ie8
2010-06-18 14:32:32 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-06-18 14:18:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-18 14:18:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-18 14:17:54 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-18 14:17:24 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-18 14:17:04 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-18 14:15:32 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-06-18 14:15:22 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-18 14:15:22 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-18 14:15:04 293376 ------w- c:\windows\system32\browserchoice.exe
2010-06-18 14:10:03 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-06-18 14:09:27 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-06-18 14:09:27 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-18 14:01:28 0 d-----w- c:\windows\system32\PreInstall
2010-06-18 14:01:27 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-18 11:21:27 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-06-18 11:20:51 43136 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2010-06-18 11:20:46 0 d-----w- c:\program files\Broadcom
2010-06-18 11:17:55 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-06-18 11:12:03 0 d-----w- c:\windows\system32\ReinstallBackups
2010-06-16 17:46:47 0 d-----w- c:\program files\Modem Helper
2010-06-16 17:44:31 90112 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-06-16 17:44:31 27786 ----a-w- c:\windows\system32\HSFCI005.dll
2010-06-16 17:44:31 174639 ----a-w- c:\windows\system32\drivers\del8D8x.cty
2010-06-16 17:44:31 11043 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2010-06-16 17:44:30 680704 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2010-06-16 17:44:30 212224 ----a-w- c:\windows\system32\drivers\HSFHWBS2.sys
2010-06-16 17:44:30 1042432 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
2010-06-16 17:44:22 0 d-----w- c:\program files\CONEXANT
2010-06-16 12:23:22 0 d-----w- c:\program files\common files\ODBC
2010-06-16 12:23:18 0 d-----w- c:\program files\common files\SpeechEngines
2010-06-16 12:22:46 0 d-----r- c:\documents and settings\all users\Documents
2010-06-16 11:49:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-16 11:36:51 0 d-sh--w- c:\documents and settings\all users\DRM
2010-06-16 11:36:32 0 d--h--w- c:\program files\WindowsUpdate
2010-06-16 11:35:42 0 d-----w- c:\program files\common files\MSSoap
2010-06-16 11:34:25 0 d-----w- c:\program files\Online Services
2010-06-16 11:34:19 0 d-----w- c:\program files\Messenger
2010-06-16 11:34:16 0 d-----w- c:\program files\MSN Gaming Zone
2010-06-16 11:33:37 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-06-20 00:00:06 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-16 11:35:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-28 11:04:52 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 11:33:33.00 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-13 12:53:44
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xEFA60542]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwClose [0xEFA60DBA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEF90A25A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateEvent [0xEFA61DCC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEF90383A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xEF9250AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateMutant [0xEFA61CA4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xEFA60148]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEF90AA2C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEF91EF48]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEF91F370]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEF929802]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateSemaphore [0xEFA61EFE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xEFA63784]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateThread [0xEFA60A58]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEF90AB8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xEFA63176]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEF9046FC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xEF926B54]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xEF92644A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xEFA61524]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEF91DD2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwEnumerateKey [0xEFA5FE80]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xEFA5FF2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwFsControlFile [0xEFA61330]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xEF8FCA2A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEF92751E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEF92775C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xEF929BBE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xEFA60076]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenEvent [0xEFA61E6E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEF9041EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenKey [0xEFA5F592]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenMutant [0xEFA61D3C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEF921460]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenSection [0xEFA637AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenSemaphore [0xEFA61FA0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEF92104E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwProtectVirtualMemory [0xEF937264]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryKey [0xEFA5FFD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xEFA5FBFC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQuerySection [0xEFA63B50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryValueKey [0xEFA5F84C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueueApcThread [0xEFA6349E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xEF9285E4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEF927ED8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwReplyPort [0xEFA6232A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xEFA621F0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEF909DF2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xEF929044]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwResumeThread [0xEFA64028]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSaveKey [0xEFA5F1FE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEF90A526]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetContextThread [0xEFA60C76]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEF904B06]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationObject [0xEF937128]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetInformationToken [0xEFA6286C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xEF928B6C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xEF8FC0B8]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xEF925B6E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSuspendProcess [0xEFA63D74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSuspendThread [0xEFA63E9C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEF92006C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xEF91FD9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwTerminateThread [0xEFA6080E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xEF8FCE7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xEFA63A06]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xEFA60998]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [2C, AA, 90, EF, 48, EF, 91, ...] {SUB AL, 0xaa; NOP ; OUT DX, EAX; DEC EAX; OUT DX, EAX; XCHG ECX, EAX; OUT DX, EAX; JO 0xfffffffffffffffd; XCHG ECX, EAX; OUT DX, EAX}
.text ntoskrnl.exe!_abnormal_termination + 114 804E2780 16 Bytes [02, 98, 92, EF, FE, 1E, A6, ...]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [2A, CA, 8F, EF, 1E, 75, 92, ...]
.text ntoskrnl.exe!_abnormal_termination + 34C 804E29B8 16 Bytes [E4, 85, 92, EF, D8, 7E, 92, ...]
.text ntoskrnl.exe!_abnormal_termination + 3CC 804E2A38 1 Byte [06]
.text ...
.text ntoskrnl.exe!IoIsOperationSynchronous 804E876A 5 Bytes JMP EFA55DAE \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512939 5 Bytes JMP EFA559D4 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF7D31F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[124] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[124] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20C39270 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[284] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[284] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[284] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[284] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[284] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[284] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[284] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[284] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 209B37DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWDMP.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20C39270 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20AA3D71 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 20AA3BA8 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20AA3CD3 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 20AA3E15 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20AA3C29 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20AA3F07 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] WS2_32.dll!WSASendDisconnect 71AC0A22 5 Bytes JMP 20AA409B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20AA3FCE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[620] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[620] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[620] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[620] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[620] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[620] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[620] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\wuauclt.exe[620] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[804] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[804] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[804] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[804] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[804] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[804] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[804] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[804] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[900] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[900] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[900] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[900] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[900] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[900] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[900] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[900] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[948] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[948] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[948] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[948] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[948] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[948] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[948] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[960] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[960] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[960] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[960] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[960] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[960] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[1024] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[1024] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[1024] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[1024] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[1024] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[1024] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[1024] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\Owner\Desktop\gmer\gmer.exe[1024] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1308] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1308] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1308] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1308] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1308] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1396] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1396] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1396] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1396] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1396] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1396] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1396] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1396] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1472] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1472] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1472] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1472] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1472] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1472] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1472] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1472] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 209B37DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWDMP.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20C39270 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20AA3D71 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 20AA3BA8 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20AA3CD3 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 20AA3E15 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20AA3C29 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20AA3F07 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] WS2_32.dll!WSASendDisconnect 71AC0A22 5 Bytes JMP 20AA409B C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1560] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20AA3FCE C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWFWMON.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1572] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1572] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe[1596] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe[1596] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe[1596] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe[1596] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe[1596] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe[1596] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe[1596] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe[1596] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1956] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1956] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1956] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1956] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1956] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1956] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2268] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2268] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2268] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2268] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2268] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2268] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2268] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[2268] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[2288] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[2288] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[2288] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[2288] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[2288] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[2288] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[2288] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[2288] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2672] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2672] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2672] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2672] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2672] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2672] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2672] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2672] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2752] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2752] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2752] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2752] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2752] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2752] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2752] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2752] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Outlook Express\msimn.exe[2796] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Outlook Express\msimn.exe[2796] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Outlook Express\msimn.exe[2796] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Outlook Express\msimn.exe[2796] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Outlook Express\msimn.exe[2796] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Outlook Express\msimn.exe[2796] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Outlook Express\msimn.exe[2796] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Outlook Express\msimn.exe[2796] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3028] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3028] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3028] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3028] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3028] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 209B37DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWDMP.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3028] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3028] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3028] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3028] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3032] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3032] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3032] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3032] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3032] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3032] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3032] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3032] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3080] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3080] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3080] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3080] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3080] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3080] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3080] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3080] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[3172] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[3172] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[3172] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[3172] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[3172] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[3172] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[3172] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[3172] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3184] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3184] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3184] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3184] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3184] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3184] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3184] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3184] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3212] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3212] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3212] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3212] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3212] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3212] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3212] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3212] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[3328] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[3328] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[3328] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[3328] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[3328] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[3328] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[3328] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[3328] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Secunia\PSI\psi.exe[3456] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Secunia\PSI\psi.exe[3456] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Secunia\PSI\psi.exe[3456] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Secunia\PSI\psi.exe[3456] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Secunia\PSI\psi.exe[3456] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Secunia\PSI\psi.exe[3456] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Secunia\PSI\psi.exe[3456] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Secunia\PSI\psi.exe[3456] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----


#6 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 16 July 2010 - 10:58 AM

Hello George Lee

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training all of my responses have to be reviewed by our excellent expert staff so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system, so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right click, then choose Run as Administrator, for any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#7 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 17 July 2010 - 06:23 PM

Hi George Lee,

QUOTE
3rd Attempt. As far as I can tell, they have all been made as the original posting, by clicking Upload

Are you saying that copy/paste does not work?

QUOTE
All this forced me to try IE, but a pop-up said ‘Scripts usually safe, do you wish to run scripts?’
I click OK and the pop up reappears, making it impossible to move beyond the home page.
This problem disappeared after reformatting.


Here is some information for future reference.

"This message is related to having the ability to run Java and ActiveX scripts turned off in your browser. In other words, through your settings, you are not allowing your browser to execute these scripts and to display usually vital content. Most websites today use at least some Java script. Java scripts can be used to update your status bar, to display time, to execute some events when you move your mouse over something, to open new window when you click on something, and so on. Therefore, it is necessary to have scripting capability turned on.
If your scripting is turned off, you will get this message before your browser executes every script on a page. If the page that you are trying to view contains 10 scripts, you will get 10 messages."

"Fixing your computer so that this message does not display anymore is easy. Follow these steps:"

Internet Explorer
-> Tools
-> Internet Options
-> Security
-> Select a zone - Internet
-> Custom level
-> Scroll almost to the bottom
-> Scripting
-> Active scripting - Enable

http://www.maxi-pedia.com/scripts+are+usua...+scripts+to+run

QUOTE
HOWEVER, there are now 110 new discrepancies, predominantly relating to Prefetch and a few to system32/zonealarm. What is going on? This is crazy!
If you are referring to the entries in the GMER log, there is no visible indication of a rootkit. "...most of the listings are actually dumps of raw memory"

Step 1.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

In your next reply please include the following:

Combofix.txt

Thanks!!
PW
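
The GMER listing in post #5 and the reply above, which says those entries show no visible rootkit indication: as an added example (not GMER's code and not from either poster), a Python script that parses the `.text` hook lines, groups them by the module owning the jump target and separates out the two kinds of entry that would need a closer look, a hook whose target resolves to no module and a hook owned by a module outside an allowlist of products known to be installed. The allowlist, the `TRUSTED_VENDORS` name and the two constructed log lines with their addresses and paths are assumptions made for the example.

```python
"""Triage of the user-mode hook lines in a GMER 1.0.15 log.

Added example, not GMER's code and not from the forum thread. It parses the
".text <process>[pid] <module>!<export> <addr> <n> Bytes JMP <target> <owner> (<vendor>)"
lines GMER prints for inline hooks, groups them by the module that owns the jump
target, and flags the two patterns worth a closer look: a hook whose target lies
in no identified module, and a hook owned by a module outside an allowlist of
security products known to be installed on the machine.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<export>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<length>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+?)(?:\s+\((?P<vendor>[^()]*)\))?)?\s*$"
)


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str            # hooked DLL, e.g. "ntdll.dll"
    export: str            # hooked export, e.g. "NtAccessCheckByType"
    address: int           # address of the patched instruction bytes
    target: int            # where the JMP/CALL lands
    owner: Optional[str]   # module GMER resolved the target to, if any
    vendor: Optional[str]  # "<product>/<company>" from that module's version info, if any


def parse_hook(line: str) -> Optional[Hook]:
    """Return a Hook for a GMER .text hook line, or None for any other log line."""
    m = HOOK_RE.match(line)
    if m is None:
        return None
    return Hook(m["process"], int(m["pid"]), m["module"], m["export"],
                int(m["address"], 16), int(m["target"], 16), m["owner"], m["vendor"])


def triage(lines: Iterable[str], trusted_vendors: Iterable[str]) -> Dict[str, object]:
    """Group hooks by owning module and separate out the entries that need a human look."""
    trusted = tuple(trusted_vendors)
    hooks: List[Hook] = [h for h in map(parse_hook, lines) if h is not None]
    by_owner: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    unattributed: List[Hook] = []  # target not inside any module GMER could name
    untrusted: List[Hook] = []     # owner resolved, but not to an allowlisted product
    for h in hooks:
        if h.owner is None:
            unattributed.append(h)
            continue
        by_owner[h.owner].add((h.process, f"{h.module}!{h.export}"))
        if not any(v in (h.vendor or "") for v in trusted):
            untrusted.append(h)
    return {"hooks": hooks, "by_owner": dict(by_owner),
            "unattributed": unattributed, "untrusted": untrusted}


# Allowlist for this machine (an assumption): the thread shows ZoneAlarm ForceField
# installed, so its vendor string is expected. Extend it only for products confirmed present.
TRUSTED_VENDORS = ("Check Point Software Technologies",)

ZA = r"C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)"

# Sample log: one header and four hook lines as GMER printed them in the thread, plus two
# constructed lines (addresses and paths invented for this example) showing the patterns to flag.
SAMPLE_LINES = [
    "---- Devices - GMER 1.0.15 ----",
    r".text C:\WINDOWS\System32\svchost.exe[3172] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 " + ZA,
    r".text C:\WINDOWS\System32\svchost.exe[3172] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C " + ZA,
    r".text C:\WINDOWS\System32\svchost.exe[3172] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A " + ZA,
    r".text C:\WINDOWS\system32\ctfmon.exe[3328] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 " + ZA,
    # constructed: the jump lands in memory GMER could not attribute to any module
    r".text C:\WINDOWS\System32\svchost.exe[3172] ntdll.dll!NtQueryDirectoryFile 7C90D000 5 Bytes JMP 00B20A10",
    # constructed: owner resolved, but to a DLL in a temp folder carrying no version information
    r".text C:\WINDOWS\Explorer.EXE[1500] ntdll.dll!NtEnumerateValueKey 7C90D100 5 Bytes JMP 10001230 c:\documents and settings\Owner\Local Settings\Temp\helper.dll",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES, TRUSTED_VENDORS)
    for owner, entries in result["by_owner"].items():
        print(f"{len(entries):3d} hook(s) owned by {owner}")
    for h in result["unattributed"]:
        print(f"REVIEW unattributed: {h.process}[{h.pid}] {h.module}!{h.export} -> {h.target:08X}")
    for h in result["untrusted"]:
        print(f"REVIEW untrusted owner: {h.process}[{h.pid}] {h.module}!{h.export} -> {h.owner}")
```

Run against the full log pasted in post #5, every hook resolves to ISWSHEX.dll with the Check Point vendor string, which is the same conclusion the reply reaches by eye.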

#8 George Lee

George Lee
  • Topic Starter

  • Members
  • 13 posts

Posted 18 July 2010 - 11:54 AM

First, the answers to your questions, then the log.

1. No problem with copy and paste, it was the posting of the reply causing the hassle.
After adding the attachment(s) I clicked upload to post the reply, but it didn't work.
The last time I chose 'add reply', although this had been used to open the reply panel, and it worked. Hopefully it will be the same today.

2. Scripts. Usually when I clicked OK the IE page would open; after I removed the bots the pop-up kept repeating. If, as you say, there might be 6 or more scripts and the message would repeat for each, that explains it, as I would give up after 3 - 4 attempts. Following your instructions I found that scripts were enabled (explaining why the problem has disappeared since reformatting). I noticed also that security was set at medium-high, whereas I had it on high previously, IE being notoriously insecure.

3. The reference to 110 new rootkits has nothing to do with GMER; it was part of my posting to Windows Secrets before I was referred to Bleeping Computer.

Hopefully the log is OK.

ComboFix 10-07-16.02 - Owner 18/07/2010 16:11:23.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.295 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\outE.tmp

.
((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-13 17:20 . 2010-07-12 12:24 822784 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3u1tcbw9.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-07-11 23:01 . 2010-07-11 23:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2010-07-11 23:00 . 2010-07-11 23:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Ahead
2010-07-11 19:39 . 2004-07-09 07:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2010-07-11 19:39 . 2000-06-26 09:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-07-11 19:39 . 2004-07-26 15:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
2010-07-11 19:39 . 2004-07-26 15:16 262144 ------w- c:\windows\system32\ImagXR7.dll
2010-07-11 19:39 . 2004-07-26 15:16 476320 ------w- c:\windows\system32\ImagXpr7.dll
2010-07-11 19:39 . 2004-07-26 15:16 1568768 ------w- c:\windows\system32\ImagX7.dll
2010-07-11 19:39 . 2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-07-11 19:39 . 2010-07-11 19:39 -------- d-----w- c:\program files\Common Files\Ahead
2010-07-11 19:39 . 2010-07-11 19:39 -------- d-----w- c:\program files\Ahead
2010-07-11 19:38 . 2004-10-01 14:00 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2010-07-11 19:38 . 2010-07-11 19:38 -------- d-----w- c:\program files\CyberLink DVD Solution
2010-07-11 18:35 . 2010-07-11 18:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2010-07-11 18:29 . 2010-07-11 18:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Roxio
2010-07-11 17:57 . 2010-07-11 17:57 57344 ----a-w- c:\windows\uneng.exe
2010-07-11 17:50 . 1996-01-09 08:38 283648 ----a-w- c:\windows\uninst.exe
2010-07-11 17:50 . 2010-07-11 17:50 -------- d-----w- c:\documents and settings\Owner\WINDOWS
2010-07-07 13:14 . 2010-07-07 13:14 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-07 13:14 . 2010-07-07 13:14 -------- d-----w- c:\program files\MSBuild
2010-07-07 13:14 . 2010-07-07 13:14 -------- d-----w- c:\program files\Reference Assemblies
2010-07-07 13:14 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-07 13:13 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-07 13:13 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-07 13:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-07 13:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-07 13:13 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-07 13:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-07 13:13 . 2010-07-07 13:14 -------- d-----w- C:\188209cb1ff21b21e4
2010-07-07 13:13 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-07 13:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 19:00 . 2010-07-07 17:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2010-07-06 14:48 . 2010-05-11 11:00 20072 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-07-06 10:23 . 2010-07-06 10:23 -------- d-----w- c:\program files\CPUID
2010-07-04 23:49 . 2010-05-26 09:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-07-04 15:35 . 2010-07-12 14:58 7957504 ----a-w- c:\program files\Common Files\lpuninstall.exe
2010-07-04 15:35 . 2010-07-12 14:58 -------- d-----w- c:\program files\LastPass
2010-07-02 09:43 . 2010-07-02 09:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-01 13:17 . 2010-07-01 13:17 -------- d-----w- c:\program files\Sophos
2010-06-23 16:54 . 2010-07-12 14:51 -------- d-----w- c:\documents and settings\Owner\Application Data\#ISW.FS#
2010-06-20 19:35 . 2010-06-20 19:35 -------- d-----w- c:\program files\IrfanView
2010-06-20 16:24 . 2005-01-27 14:31 260352 ----a-w- c:\windows\system32\drivers\smwdm.sys
2010-06-20 16:24 . 2004-10-05 15:10 23040 ----a-w- c:\windows\system32\PostProc.dll
2010-06-20 16:24 . 2004-09-23 06:55 311296 ----a-w- c:\windows\system32\Edcrypt.dll
2010-06-20 16:24 . 2004-09-17 08:02 732928 ----a-w- c:\windows\system32\drivers\senfilt.sys
2010-06-20 16:24 . 2001-09-19 11:47 765952 ----a-w- c:\windows\system\crlds3d.dll
2010-06-20 13:31 . 2010-06-20 13:31 -------- d-----w- c:\program files\MSECache
2010-06-20 12:41 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-06-20 11:13 . 2010-06-20 11:13 23 --sha-w- c:\windows\system32\edacded0.dat
2010-06-20 11:12 . 2010-06-20 11:13 -------- d-----w- c:\program files\jv16 PowerTools 2009
2010-06-20 09:35 . 2010-07-18 09:49 -------- d-----w- c:\program files\DigiGuide TV Guide
2010-06-20 09:34 . 2010-07-18 10:08 -------- d-----w- c:\documents and settings\Owner\Application Data\ClipMagic
2010-06-20 09:34 . 2010-06-20 09:33 737280 ----a-w- c:\windows\iun6002.exe
2010-06-20 09:34 . 2010-06-21 20:35 -------- d-----w- c:\program files\ClipMagic
2010-06-20 08:21 . 2010-06-20 08:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit
2010-06-20 08:21 . 2010-06-20 08:21 -------- d-----w- c:\program files\Foxit Software
2010-06-20 00:01 . 2010-06-20 00:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-20 00:01 . 2010-06-20 00:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-19 23:19 . 2010-06-19 23:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics
2010-06-19 23:18 . 2010-06-19 23:18 -------- d-----w- c:\program files\Auslogics
2010-06-19 23:06 . 2010-06-19 23:06 -------- d-----w- c:\program files\Secunia
2010-06-19 22:59 . 2010-06-19 22:59 -------- d-----w- c:\program files\MSXML 4.0
2010-06-19 22:58 . 2008-04-13 18:39 7552 -c--a-w- c:\windows\system32\dllcache\mskssrv.sys
2010-06-19 22:58 . 2008-04-13 18:39 7552 ----a-w- c:\windows\system32\drivers\MSKSSRV.sys
2010-06-19 22:58 . 2008-04-13 18:39 4992 -c--a-w- c:\windows\system32\dllcache\mspqm.sys
2010-06-19 22:58 . 2008-04-13 18:39 4992 ----a-w- c:\windows\system32\drivers\MSPQM.sys
2010-06-19 22:58 . 2008-04-13 18:39 5376 -c--a-w- c:\windows\system32\dllcache\mspclock.sys
2010-06-19 22:58 . 2008-04-13 18:39 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2010-06-19 22:58 . 2010-06-19 22:58 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-19 22:58 . 2001-08-17 12:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-06-19 22:58 . 2001-08-17 12:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2010-06-19 22:58 . 2008-04-14 00:11 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2010-06-19 22:58 . 2008-04-14 00:11 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-06-19 19:47 . 2010-06-19 19:47 -------- d-----w- c:\program files\Common Files\Java
2010-06-19 19:47 . 2010-06-19 19:47 -------- d-----w- c:\windows\Sun
2010-06-19 19:47 . 2010-06-19 19:47 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ce676b9-n\msvcp71.dll
2010-06-19 19:47 . 2010-06-19 19:47 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ce676b9-n\jmc.dll
2010-06-19 19:47 . 2010-06-19 19:47 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ce676b9-n\msvcr71.dll
2010-06-19 19:46 . 2010-06-19 19:46 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6fd1af13-n\decora-sse.dll
2010-06-19 19:46 . 2010-06-19 19:46 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6fd1af13-n\decora-d3d.dll
2010-06-19 19:46 . 2010-06-19 19:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 19:45 . 2010-06-19 19:45 -------- d-----w- c:\program files\Java
2010-06-19 18:32 . 2010-07-18 13:07 -------- d-----w- C:\ShareScope
2010-06-19 17:51 . 2010-06-19 17:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Zeon
2010-06-19 17:45 . 2010-06-19 17:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Scansoft
2010-06-19 17:33 . 2010-06-19 17:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ScanSoft
2010-06-19 17:24 . 2010-06-19 17:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Zeon
2010-06-19 17:24 . 2010-06-19 17:24 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-06-19 17:24 . 2010-06-19 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Zeon
2010-06-19 17:19 . 2010-06-19 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-06-19 17:19 . 2010-06-19 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-06-19 17:18 . 2010-06-19 17:24 -------- d-----w- c:\program files\ScanSoft
2010-06-19 16:57 . 2010-07-09 17:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2010-06-19 16:55 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-19 16:55 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-19 16:44 . 2010-06-19 16:45 -------- d-----w- c:\program files\Canon
2010-06-19 16:36 . 2003-01-15 11:39 389180 ----a-w- c:\windows\system32\UCS32P.DLL
2010-06-19 16:36 . 2010-06-19 16:36 -------- d-----w- C:\CanoScan
2010-06-19 16:36 . 2003-01-29 09:43 745472 ----a-w- c:\windows\system32\CNQA2403.dll
2010-06-19 16:36 . 2003-01-16 07:43 36864 ----a-w- c:\windows\system32\CNQU81.DLL
2010-06-19 16:36 . 2003-01-16 07:43 204800 ----a-w- c:\windows\system32\CNQL2403.dll
2010-06-19 16:02 . 2010-06-19 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-19 16:02 . 2010-06-19 16:02 -------- d-----w- c:\program files\NOS
2010-06-19 08:37 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-19 08:37 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-19 08:37 . 2003-07-30 05:00 6656 ----a-w- c:\windows\system32\CNMVS5m.DLL
2010-06-19 08:37 . 2003-07-30 05:00 48128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP5m.DLL
2010-06-19 08:37 . 2003-07-30 05:00 16384 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD5m.DLL
2010-06-19 08:37 . 2003-07-30 05:00 107008 ----a-w- c:\windows\system32\CNMLM5m.DLL
2010-06-19 08:37 . 2003-05-13 18:50 73728 ----a-r- c:\windows\system32\CNMCP5m.exe
2010-06-19 08:36 . 2010-06-19 08:36 -------- d-----w- C:\BJPrinter
2010-06-19 08:36 . 2010-06-19 08:36 -------- d-----w- c:\windows\I865
2010-06-19 08:36 . 2010-06-19 08:36 -------- d-----w- c:\windows\StartHtmico
2010-06-19 08:24 . 2008-03-02 02:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-06-19 08:24 . 2010-06-19 08:24 -------- d-----w- c:\program files\Trend Micro
2010-06-19 08:24 . 2010-06-19 08:24 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2010-06-19 08:08 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-06-18 20:40 . 2007-04-09 12:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-06-18 20:40 . 2007-04-09 12:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-06-18 20:39 . 2010-06-18 20:39 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-18 20:39 . 2010-06-18 20:39 -------- d-----w- c:\windows\SHELLNEW
2010-06-18 20:33 . 2010-06-18 20:33 -------- d-----r- C:\MSOCache
2010-06-18 20:29 . 2010-07-18 10:09 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\LastPass
2010-06-18 20:19 . 2010-06-18 20:19 0 ----a-w- c:\windows\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 12:44 . 2010-07-13 12:47 1934336 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-07-13 12:44 . 2010-07-13 12:47 1934336 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-07-11 19:38 . 2010-06-16 17:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-07 14:55 . 2010-06-16 11:46 22600 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-03 19:03 . 2010-07-03 19:05 1733632 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-07-03 19:03 . 2010-07-03 19:05 1733632 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-06-25 00:06 . 2010-06-25 07:43 2176000 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-06-25 00:06 . 2010-06-25 07:43 2176000 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-06-20 16:25 . 2010-06-20 16:25 -------- d-----w- c:\program files\Analog Devices
2010-06-20 16:24 . 2010-06-16 17:46 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-20 00:01 . 2010-06-20 00:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-20 00:01 . 2010-06-20 00:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-20 00:01 . 2010-06-20 00:01 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-20 00:01 . 2010-06-20 00:01 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-20 00:01 . 2010-06-20 00:01 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-20 00:01 . 2010-06-20 00:01 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-06-20 00:01 . 2010-06-20 00:01 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-20 00:01 . 2010-06-19 23:59 -------- d-----w- c:\program files\Common Files\Real
2010-06-20 00:01 . 2010-06-20 00:00 -------- d-----w- c:\program files\Real
2010-06-20 00:00 . 2010-06-20 00:00 -------- d-----w- c:\program files\Common Files\xing shared
2010-06-20 00:00 . 2006-07-11 17:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-19 22:57 . 2010-06-16 17:44 -------- d-----w- c:\program files\CONEXANT
2010-06-18 22:09 . 2010-06-18 22:24 1701888 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-06-18 22:09 . 2010-06-18 22:24 1701888 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-06-18 19:21 . 2010-06-16 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-18 18:06 . 2010-06-16 11:37 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-18 11:20 . 2010-06-18 11:20 -------- d-----w- c:\program files\Broadcom
2010-06-18 11:12 . 2010-06-18 11:12 -------- d-----w- c:\program files\Intel
2010-06-16 17:46 . 2010-06-16 17:46 -------- d-----w- c:\program files\Modem Helper
2010-06-16 11:49 . 2010-06-16 11:49 -------- d-----w- c:\program files\Alwil Software
2010-06-16 11:38 . 2010-06-16 11:38 -------- d-----w- c:\program files\microsoft frontpage
2010-06-16 11:35 . 2010-06-16 11:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-03-24 1038728]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-03-16 730480]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 328992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-19 202256]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2010-7-4 7957504]
Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2010-7-4 7957504]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
DigiGuide TV Guide.lnk - c:\program files\DigiGuide TV Guide\Client.exe [2010-6-20 570416]
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-5-28 911920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [06/07/2010 15:48 20072]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [16/03/2010 09:55 26232]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [16/03/2010 09:55 488816]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [19/06/2010 09:24 582992]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [28/05/2010 12:04 14896]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [19/06/2010 09:24 206608]
S?4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [18/06/2010 20:35 38224]
S3 MATKWQW;MATKWQW;c:\docume~1\Owner\LOCALS~1\Temp\MATKWQW.exe --> c:\docume~1\Owner\LOCALS~1\Temp\MATKWQW.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\100.tmp --> c:\windows\system32\100.tmp [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [19/06/2010 09:24 206608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1292428093-1085031214-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-07-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1292428093-1085031214-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.telegraph.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/registration-free-antivirus.php
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3u1tcbw9.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3u1tcbw9.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-OpAgent - OpAgent.exe
HKCU-Run-PowerBar - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-18 16:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D?????B~????????????&?B~l?@?l?@????? ?????????????D~0?B~????&?B~?xB~x????????xB~???????? ???????????s??|x???0???????????Q?stA?B~????????????????!???????N???????l?@?l?@?????zwB~????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\100.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(960)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2010-07-18 16:23:58
ComboFix-quarantined-files.txt 2010-07-18 15:23

Pre-Run: 101,717,217,280 bytes free
Post-Run: 104,377,495,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 439182A4AE73FA542F28B639FDFF80C0


#9 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country
  • Local time:11:17 PM

Posted 19 July 2010 - 12:41 PM

Hello George Lee,

Step 1.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-s.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Step 2.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Folder::
c:\documents and settings\All Users\Application Data\Alwil Software
c:\program files\Alwil Software

Driver::
MATKWQW

File::
c:\docume~1\Owner\LOCALS~1\Temp\MATKWQW.exe

Registry::
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"PowerBar"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
In your next reply please include the following:

ComboFix.txt
Eset scan results
<< Note: If nothing is found there will be no report.

How is your computer running? Any problems?

Thanks!!
PW

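The reasoning behind naming MATKWQW in the Driver:: and File:: sections of the script above comes from the Drivers/Services block of the posted ComboFix log: a demand-start service whose image lives in a user Temp folder and whose file ComboFix could not find ("[?]"). Here is that review heuristic written out as a small Python triage script; it is an added example, not code from the thread, from ComboFix or from the helper, and the rule names, the `triage` function and the flags are its own (the sample lines are copied from the log above).

```python
"""Triage the Drivers/Services lines of a ComboFix log.

Added example for this thread; not part of ComboFix or of the helper's reply.
A flag is a reason for a reviewer to look closer, not an instruction to delete:
an entry still has to be correlated with the software installed on the machine.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: six Drivers/Services lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [06/07/2010 15:48 20072]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [19/06/2010 09:24 582992]
S?4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [18/06/2010 20:35 38224]
S3 MATKWQW;MATKWQW;c:\docume~1\Owner\LOCALS~1\Temp\MATKWQW.exe --> c:\docume~1\Owner\LOCALS~1\Temp\MATKWQW.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\100.tmp --> c:\windows\system32\100.tmp [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [19/06/2010 09:24 206608]
"""

# Line layout: <state/start code> <name>;<display name>;<image path> [<date> <time> <size>]
# When the file is not on disk ComboFix prints "<path> --> <path> [?]" instead of date and size.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\S*)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
META_RE = re.compile(r"^(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str      # e.g. "R2" (running, auto-start) or "S3" (stopped, demand-start)
    name: str
    display: str
    path: str       # image path, "\??\" prefix stripped, resolved side of "-->" kept
    present: bool   # False when ComboFix printed "[?]" (file not found)
    reasons: list = field(default_factory=list)


def parse_service_line(line: str):
    """Return a ServiceEntry for one Drivers/Services line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    mm = META_RE.match(m.group("rest"))
    if not mm:
        return None
    path, meta = mm.group("path"), mm.group("meta")
    if " --> " in path:                      # "original --> resolved": keep the resolved path
        path = path.split(" --> ", 1)[1]
    if path.startswith("\\??\\"):            # NT object-manager prefix seen on driver ImagePaths
        path = path[4:]
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"), path, meta != "?")


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach review reasons. The heuristics are this example's own, taken from what the log shows."""
    low = entry.path.lower()
    if "\\temp\\" in low:
        entry.reasons.append("image runs from a Temp directory")
    if low.endswith(".tmp"):
        entry.reasons.append("image path is a .tmp file")
    if not entry.present:
        entry.reasons.append("file not found on disk ([?]): no size or date to compare")
    return entry


def triage(log_text: str) -> list:
    """Parse every service line in the text and return the entries that earned at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry and assess(entry).reasons:
            flagged.append(entry)
    return flagged


def report(log_text: str) -> str:
    """Human-readable summary of the flagged entries, one block per service."""
    out = []
    for e in triage(log_text):
        out.append(f"{e.name} ({e.state}) {e.path}")
        out.extend(f"    - {r}" for r in e.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, only MATKWQW and MEMSWEEP2 are flagged; the Trend Micro, CPUID and MBAM drivers pass because their files are present under Program Files or system32\drivers.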
#10 George Lee

George Lee
  • Topic Starter

  • Members
  • 13 posts
  • Local time:05:17 AM

Posted 19 July 2010 - 07:24 PM

Hi,
It’s admirable that as an unpaid volunteer you seem to be there almost every day. It is very much appreciated.

I have not had much success this evening. Step 1 was no trouble, there was only update 20 to be removed. Java was out of date for the same reason as my having a load of Microsoft patches waiting to be installed, i.e. I was told not to make any alterations to the PC whilst you were working on the case.

Step 2 was a real hassle. The only copy of Combofix found by search was on the desktop, with no indication of whether it was Combofix.exe or the actual programme. Dragging the CFScript.txt to it produced an ‘open with’ pop up and the .txt icon was still on the desktop. Nothing happened for quite a while, then it started working, paused for a long time, then rebooted the system. An even longer pause, 10-15 minutes, then the log appeared. But I have no idea whether it is any use because of (1) uncertainty as to whether it was the Combofix.exe file and (2) rebooting restarted ZoneAlarm and I started getting a series of requests to allow certain actions – all of which I allowed – until I remembered that all antivirus, etc. software should be off, so I belatedly closed ZA. If it’s no good I will do it again.

Step 3 an utter failure. Clicking ESET Online Scanner did nothing, regardless of whether I used the heading or the smaller panel. No terms of use or start button. Eventually I decided to use Firefox, hoping the installer would solve the problem, but again, clicking the scanner button failed to bring an installer download.

The only thing I can think of is the statement that administrator privileges are required, but as the only user of the PC presumably I am the administrator – I was able to reformat the hard drive without this sort of problem. Hopefully you can suggest a way round this.

Combofix.txt follows.

ComboFix 10-07-16.02 - Owner 19/07/2010 20:58:11.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.327 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\docume~1\Owner\LOCALS~1\Temp\MATKWQW.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Alwil Software
c:\program files\Alwil Software

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MATKWQW
-------\Service_MATKWQW


((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-19 19:10 . 2010-07-19 19:10 -------- d-----w- c:\program files\Common Files\Java
2010-07-13 17:20 . 2010-07-12 12:24 822784 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3u1tcbw9.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-07-11 23:01 . 2010-07-11 23:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2010-07-11 23:00 . 2010-07-11 23:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Ahead
2010-07-11 19:39 . 2004-07-09 07:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2010-07-11 19:39 . 2000-06-26 09:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-07-11 19:39 . 2004-07-26 15:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
2010-07-11 19:39 . 2004-07-26 15:16 262144 ------w- c:\windows\system32\ImagXR7.dll
2010-07-11 19:39 . 2004-07-26 15:16 476320 ------w- c:\windows\system32\ImagXpr7.dll
2010-07-11 19:39 . 2004-07-26 15:16 1568768 ------w- c:\windows\system32\ImagX7.dll
2010-07-11 19:39 . 2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-07-11 19:39 . 2010-07-11 19:39 -------- d-----w- c:\program files\Common Files\Ahead
2010-07-11 19:39 . 2010-07-11 19:39 -------- d-----w- c:\program files\Ahead
2010-07-11 19:38 . 2004-10-01 14:00 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2010-07-11 19:38 . 2010-07-11 19:38 -------- d-----w- c:\program files\CyberLink DVD Solution
2010-07-11 18:35 . 2010-07-11 18:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2010-07-11 18:29 . 2010-07-11 18:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Roxio
2010-07-11 17:57 . 2010-07-11 17:57 57344 ----a-w- c:\windows\uneng.exe
2010-07-11 17:50 . 1996-01-09 08:38 283648 ----a-w- c:\windows\uninst.exe
2010-07-11 17:50 . 2010-07-11 17:50 -------- d-----w- c:\documents and settings\Owner\WINDOWS
2010-07-07 13:14 . 2010-07-07 13:14 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-07 13:14 . 2010-07-07 13:14 -------- d-----w- c:\program files\MSBuild
2010-07-07 13:14 . 2010-07-07 13:14 -------- d-----w- c:\program files\Reference Assemblies
2010-07-07 13:14 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-07 13:13 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-07 13:13 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-07 13:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-07 13:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-07 13:13 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-07 13:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-07 13:13 . 2010-07-07 13:14 -------- d-----w- C:\188209cb1ff21b21e4
2010-07-07 13:13 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-07 13:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-06 19:00 . 2010-07-07 17:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2010-07-06 14:48 . 2010-05-11 11:00 20072 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-07-06 10:23 . 2010-07-06 10:23 -------- d-----w- c:\program files\CPUID
2010-07-04 23:49 . 2010-05-26 09:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-07-04 15:35 . 2010-07-12 14:58 7957504 ----a-w- c:\program files\Common Files\lpuninstall.exe
2010-07-04 15:35 . 2010-07-12 14:58 -------- d-----w- c:\program files\LastPass
2010-07-02 09:43 . 2010-07-02 09:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-01 13:17 . 2010-07-01 13:17 -------- d-----w- c:\program files\Sophos
2010-06-23 16:54 . 2010-07-12 14:51 -------- d-----w- c:\documents and settings\Owner\Application Data\#ISW.FS#
2010-06-20 19:35 . 2010-06-20 19:35 -------- d-----w- c:\program files\IrfanView
2010-06-20 16:24 . 2005-01-27 14:31 260352 ----a-w- c:\windows\system32\drivers\smwdm.sys
2010-06-20 16:24 . 2004-10-05 15:10 23040 ----a-w- c:\windows\system32\PostProc.dll
2010-06-20 16:24 . 2004-09-23 06:55 311296 ----a-w- c:\windows\system32\Edcrypt.dll
2010-06-20 16:24 . 2004-09-17 08:02 732928 ----a-w- c:\windows\system32\drivers\senfilt.sys
2010-06-20 16:24 . 2001-09-19 11:47 765952 ----a-w- c:\windows\system\crlds3d.dll
2010-06-20 13:31 . 2010-06-20 13:31 -------- d-----w- c:\program files\MSECache
2010-06-20 12:41 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-06-20 11:13 . 2010-06-20 11:13 23 --sha-w- c:\windows\system32\edacded0.dat
2010-06-20 11:12 . 2010-06-20 11:13 -------- d-----w- c:\program files\jv16 PowerTools 2009
2010-06-20 09:35 . 2010-07-19 11:26 -------- d-----w- c:\program files\DigiGuide TV Guide
2010-06-20 09:34 . 2010-07-19 19:13 -------- d-----w- c:\documents and settings\Owner\Application Data\ClipMagic
2010-06-20 09:34 . 2010-06-20 09:33 737280 ----a-w- c:\windows\iun6002.exe
2010-06-20 09:34 . 2010-06-21 20:35 -------- d-----w- c:\program files\ClipMagic
2010-06-20 08:21 . 2010-06-20 08:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit
2010-06-20 08:21 . 2010-06-20 08:21 -------- d-----w- c:\program files\Foxit Software
2010-06-20 00:01 . 2010-06-20 00:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-20 00:01 . 2010-06-20 00:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-19 23:19 . 2010-06-19 23:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics
2010-06-19 23:18 . 2010-06-19 23:18 -------- d-----w- c:\program files\Auslogics
2010-06-19 23:06 . 2010-06-19 23:06 -------- d-----w- c:\program files\Secunia
2010-06-19 22:59 . 2010-06-19 22:59 -------- d-----w- c:\program files\MSXML 4.0
2010-06-19 22:58 . 2008-04-13 18:39 7552 -c--a-w- c:\windows\system32\dllcache\mskssrv.sys
2010-06-19 22:58 . 2008-04-13 18:39 7552 ----a-w- c:\windows\system32\drivers\MSKSSRV.sys
2010-06-19 22:58 . 2008-04-13 18:39 4992 -c--a-w- c:\windows\system32\dllcache\mspqm.sys
2010-06-19 22:58 . 2008-04-13 18:39 4992 ----a-w- c:\windows\system32\drivers\MSPQM.sys
2010-06-19 22:58 . 2008-04-13 18:39 5376 -c--a-w- c:\windows\system32\dllcache\mspclock.sys
2010-06-19 22:58 . 2008-04-13 18:39 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2010-06-19 22:58 . 2010-06-19 22:58 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-19 22:58 . 2001-08-17 12:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-06-19 22:58 . 2001-08-17 12:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2010-06-19 22:58 . 2008-04-14 00:11 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2010-06-19 22:58 . 2008-04-14 00:11 4096 ----a-w- c:\windows\system32\ksuser.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 19:20 . 2010-06-18 19:02 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-19 19:08 . 2010-06-19 19:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-13 12:44 . 2010-07-13 12:47 1934336 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-07-13 12:44 . 2010-07-13 12:47 1934336 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-07-11 19:38 . 2010-06-16 17:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-09 17:20 . 2010-06-19 16:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2010-07-07 14:55 . 2010-06-16 11:46 22600 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-03 19:03 . 2010-07-03 19:05 1733632 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-07-03 19:03 . 2010-07-03 19:05 1733632 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-06-25 00:06 . 2010-06-25 07:43 2176000 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-06-25 00:06 . 2010-06-25 07:43 2176000 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-06-20 16:25 . 2010-06-20 16:25 -------- d-----w- c:\program files\Analog Devices
2010-06-20 16:24 . 2010-06-16 17:46 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-20 00:01 . 2010-06-20 00:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-20 00:01 . 2010-06-20 00:01 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-20 00:01 . 2010-06-20 00:01 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-20 00:01 . 2010-06-20 00:01 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-20 00:01 . 2010-06-20 00:01 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-20 00:01 . 2010-06-20 00:01 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-06-20 00:01 . 2010-06-20 00:01 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-20 00:01 . 2010-06-19 23:59 -------- d-----w- c:\program files\Common Files\Real
2010-06-20 00:01 . 2010-06-20 00:00 -------- d-----w- c:\program files\Real
2010-06-20 00:00 . 2010-06-20 00:00 -------- d-----w- c:\program files\Common Files\xing shared
2010-06-20 00:00 . 2006-07-11 17:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-19 22:57 . 2010-06-16 17:44 -------- d-----w- c:\program files\CONEXANT
2010-06-19 19:47 . 2010-06-19 19:47 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ce676b9-n\msvcp71.dll
2010-06-19 19:47 . 2010-06-19 19:47 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ce676b9-n\jmc.dll
2010-06-19 19:47 . 2010-06-19 19:47 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ce676b9-n\msvcr71.dll
2010-06-19 19:46 . 2010-06-19 19:46 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6fd1af13-n\decora-sse.dll
2010-06-19 19:46 . 2010-06-19 19:46 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6fd1af13-n\decora-d3d.dll
2010-06-19 19:45 . 2010-06-19 19:45 -------- d-----w- c:\program files\Java
2010-06-19 17:51 . 2010-06-19 17:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Zeon
2010-06-19 17:33 . 2010-06-19 17:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ScanSoft
2010-06-19 17:24 . 2010-06-19 17:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Zeon
2010-06-19 17:24 . 2010-06-19 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-06-19 17:24 . 2010-06-19 17:24 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-06-19 17:24 . 2010-06-19 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Zeon
2010-06-19 17:24 . 2010-06-19 17:18 -------- d-----w- c:\program files\ScanSoft
2010-06-19 17:19 . 2010-06-19 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-06-19 16:45 . 2010-06-19 16:44 -------- d-----w- c:\program files\Canon
2010-06-19 16:02 . 2010-06-19 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-19 16:02 . 2010-06-19 16:02 -------- d-----w- c:\program files\NOS
2010-06-19 08:24 . 2010-06-19 08:24 -------- d-----w- c:\program files\Trend Micro
2010-06-19 08:24 . 2010-06-19 08:24 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2010-06-18 22:09 . 2010-06-18 22:24 1701888 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-06-18 22:09 . 2010-06-18 22:24 1701888 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-06-18 20:39 . 2010-06-18 20:39 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-18 20:19 . 2010-06-18 20:19 0 ----a-w- c:\windows\nsreg.dat
2010-06-18 19:40 . 2010-06-18 19:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-06-18 19:35 . 2010-06-18 19:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-18 19:35 . 2010-06-18 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-18 19:22 . 2010-06-18 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2010-06-18 19:16 . 2010-06-18 19:16 -------- d-----w- c:\documents and settings\Owner\Application Data\MailFrontier
2010-06-18 19:03 . 2010-06-18 19:03 -------- d-----w- c:\documents and settings\Owner\Application Data\CheckPoint
2010-06-18 19:02 . 2010-06-18 19:02 -------- d-----w- c:\program files\CheckPoint
2010-06-18 19:01 . 2010-06-18 19:01 -------- d-----w- c:\program files\Zone Labs
2010-06-18 18:06 . 2010-06-16 11:37 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-18 11:20 . 2010-06-18 11:20 -------- d-----w- c:\program files\Broadcom
2010-06-18 11:12 . 2010-06-18 11:12 -------- d-----w- c:\program files\Intel
2010-06-16 17:46 . 2010-06-16 17:46 -------- d-----w- c:\program files\Modem Helper
2010-06-16 11:38 . 2010-06-16 11:38 -------- d-----w- c:\program files\microsoft frontpage
2010-06-16 11:35 . 2010-06-16 11:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 14:39 . 2010-06-18 19:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2010-06-18 19:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-18_15.20.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-19 20:09 . 2010-07-19 20:09 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 90081 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0010.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 90097 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0009.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 90071 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0008.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 90093 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0007.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 90088 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0006.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 90109 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0005.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 90108 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0004.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 90098 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0003.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 82742 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0002.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 64536 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0001.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 55054 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0011.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 67776 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0010.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 66945 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0009.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 90101 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0008.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 90084 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0007.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 90126 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0006.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 90072 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0005.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 90092 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0004.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 54989 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0003.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 90101 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0002.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 82693 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0001.dat
+ 2010-07-13 18:02 . 2010-07-19 19:23 90079 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0010.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90087 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0009.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90072 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0008.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90097 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0007.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90083 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0006.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90101 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0005.dat
+ 2010-06-18 19:55 . 2010-07-19 19:23 90109 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0004.dat
+ 2010-06-18 19:55 . 2010-07-19 19:23 90094 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0003.dat
+ 2010-06-18 19:55 . 2010-07-19 19:23 82739 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0002.dat
+ 2010-06-18 19:53 . 2010-07-19 19:23 64541 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0001.dat
+ 2010-06-18 19:58 . 2010-07-19 11:27 55054 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0011.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 67776 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0010.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 66945 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0009.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 90101 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0008.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 90084 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0007.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 90126 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0006.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 90072 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0005.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 90092 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0004.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 54989 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0003.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 90101 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0002.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 82693 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0001.dat
+ 2010-07-13 18:02 . 2010-07-19 19:23 90079 c:\windows\system32\ZoneLabs\avsys\bases\apu0010.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90087 c:\windows\system32\ZoneLabs\avsys\bases\apu0009.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90072 c:\windows\system32\ZoneLabs\avsys\bases\apu0008.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90097 c:\windows\system32\ZoneLabs\avsys\bases\apu0007.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90083 c:\windows\system32\ZoneLabs\avsys\bases\apu0006.dat
+ 2010-07-02 10:09 . 2010-07-19 19:23 90101 c:\windows\system32\ZoneLabs\avsys\bases\apu0005.dat
+ 2010-06-18 19:55 . 2010-07-19 19:23 90109 c:\windows\system32\ZoneLabs\avsys\bases\apu0004.dat
+ 2010-06-18 19:02 . 2010-07-19 19:23 90094 c:\windows\system32\ZoneLabs\avsys\bases\apu0003.dat
+ 2010-06-18 19:02 . 2010-07-19 19:23 82739 c:\windows\system32\ZoneLabs\avsys\bases\apu0002.dat
+ 2010-06-18 19:02 . 2010-07-19 19:23 64541 c:\windows\system32\ZoneLabs\avsys\bases\apu0001.dat
+ 2010-07-19 20:08 . 2010-07-19 20:16 2883 c:\windows\Temp\sdk8\Report\g_objid.dat
+ 2010-07-19 20:08 . 2010-07-19 20:16 3972 c:\windows\Temp\sdk8\Report\g_objdt.dat
+ 2010-07-19 20:08 . 2010-07-19 20:16 2304 c:\windows\Temp\sdk8\Report\g_objbt.dat
+ 2010-07-19 19:23 . 2010-07-19 19:23 5017 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0011.dat
+ 2010-06-18 19:55 . 2010-07-19 11:27 1725 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0000.dat
- 2010-06-18 19:55 . 2010-07-18 09:47 1725 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0000.dat
+ 2010-07-17 18:14 . 2010-07-19 19:23 8630 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0011.dat
- 2010-06-18 19:02 . 2010-07-18 09:47 1725 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0000.dat
+ 2010-06-18 19:02 . 2010-07-19 11:27 1725 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0000.dat
+ 2010-07-17 18:14 . 2010-07-19 19:23 8630 c:\windows\system32\ZoneLabs\avsys\bases\apu0011.dat
+ 2010-07-19 20:09 . 2010-07-19 20:09 196608 c:\windows\Temp\sfdb.dat
+ 2010-07-19 20:09 . 2010-07-19 20:09 262144 c:\windows\Temp\iswift.dat
+ 2010-07-19 19:09 . 2010-07-19 19:08 153376 c:\windows\system32\javaws.exe
- 2010-06-19 19:46 . 2010-06-19 19:46 153376 c:\windows\system32\javaws.exe
+ 2010-07-19 19:09 . 2010-07-19 19:08 145184 c:\windows\system32\javaw.exe
- 2010-06-19 19:46 . 2010-06-19 19:46 145184 c:\windows\system32\javaw.exe
- 2010-06-19 19:46 . 2010-06-19 19:46 145184 c:\windows\system32\java.exe
+ 2010-07-19 19:09 . 2010-07-19 19:08 145184 c:\windows\system32\java.exe
+ 2010-07-19 19:10 . 2010-07-19 19:10 180224 c:\windows\Installer\51468.msi
+ 2010-07-19 19:08 . 2010-07-19 19:08 677376 c:\windows\Installer\51463.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-03-24 1038728]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-03-16 730480]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 328992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-19 202256]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2010-7-4 7957504]
Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2010-7-4 7957504]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
DigiGuide TV Guide.lnk - c:\program files\DigiGuide TV Guide\Client.exe [2010-6-20 570416]
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-5-28 911920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [06/07/2010 15:48 20072]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [16/03/2010 09:55 26232]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [16/03/2010 09:55 488816]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [19/06/2010 09:24 582992]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [19/06/2010 09:24 206608]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\100.tmp --> c:\windows\system32\100.tmp [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [28/05/2010 12:04 14896]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [19/06/2010 09:24 206608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1292428093-1085031214-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-07-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1292428093-1085031214-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.telegraph.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/registration-free-antivirus.php
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3u1tcbw9.default\
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3u1tcbw9.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 21:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\100.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(696)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(776)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-19 21:26:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-19 20:26
ComboFix2.txt 2010-07-18 15:23

Pre-Run: 104,511,250,432 bytes free
Post-Run: 104,008,937,472 bytes free

- - End Of File - - 3EC0F8C6C13BA96225E92D61EA946F47


#11 pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 20 July 2010 - 12:31 PM

Hi George Lee,

QUOTE
The only copy of Combofix found by search was on the desktop,

ComboFix worked like a charm.

QUOTE
an utter failure. Clicking ESET Online Scanner did nothing, regardless of whether I used the heading or the smaller panel. No terms of use or start button

Let's try a different online scanner.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Please provide the Bitdefender report in your next reply.

Thanks!!
PW

#12 George Lee
  • Topic Starter
  • Members
  • 13 posts

Posted 20 July 2010 - 07:54 PM

Hi,
Once again, an evening without success.

The first attempt to scan with Bitdefender ended with a message that it was unable to update the virus definitions, and asked if I wished to scan anyway. I declined.

The second attempt showed 100% virus definition update quite quickly, then did nothing for more than 30 mins., with no indication that it was scanning, so I aborted.

The third time was allowed to run for over an hour, but still hadn’t even started to update the definitions, at which point I decided the problem might be that the screen saver was interfering with the scan, not to mention the monitor powering off after 30 mins. By the time I had found out how to cancel them it was clear that the scan was not going to get anywhere so I again aborted. Amazingly, once I clicked close in Task Manager it started to scan briefly before closing down.

The next attempt again reported it was unable to update the definitions, but I let the scan proceed. The very brief log attached.

The 5th attempt reached 97% completion with the definitions, then stopped for about an hour. At this point I decided to let it run all night and see what was there in the morning, but some time later there was a message about no internet connection, so I decided to see if there was a better connection with Firefox.

However, using FF there is only a 60 second scan available, which took several minutes, after downloading a FF add-on. Log attached.

I don’t know where we go from here, as there seems to be something on this PC preventing the completion of an online scan.

BitDefender Online Scanner - Real Time Virus Report

Generated at: Tue, Jul 20, 2010 - 23:33:36

--------------------------------------------------------------------------------
Scan Info

Scanned Files
123982

Infected Files
0

Virus Detected

No virus found.

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world


QuickScan Beta 32-bit v0.9.9.23
-------------------------------
Scan date: Wed Jul 21 01:03:20 2010
Machine ID: 547527E4

C:\Program Files\Mozilla Firefox - could not be accessed

No infection found.
-------------------

Processes
---------
<unsigned> InstallShield Update Service 2808 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

<verified> Firefox 3424 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> Intel® Common User Interface 2568 C:\WINDOWS\system32\hkcmd.exe
<verified> Java™ Platform SE 6 U21 1084 C:\Program Files\Java\jre6\bin\jqs.exe
<verified> Java™ Platform SE Auto Updater 2 0 3276 C:\Program Files\Common Files\Java\Java Update\jusched.exe
<verified> Microsoft® Windows® Operating System 3052 C:\Program Files\Outlook Express\msimn.exe
<verified> Microsoft® Windows® Operating System 1076 C:\WINDOWS\Explorer.EXE
<verified> Microsoft® Windows® Operating System 396 C:\WINDOWS\System32\alg.exe
<verified> Microsoft® Windows® Operating System 768 C:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 3292 C:\WINDOWS\system32\ctfmon.exe
<verified> Microsoft® Windows® Operating System 956 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 944 C:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 528 C:\WINDOWS\System32\smss.exe
<verified> Microsoft® Windows® Operating System 272 C:\WINDOWS\system32\spoolsv.exe
<verified> Microsoft® Windows® Operating System 1440 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 892 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1116 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1180 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1304 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 1404 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1592 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 3088 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 800 C:\WINDOWS\system32\winlogon.exe
<verified> Microsoft® Windows® Operating System 2180 C:\WINDOWS\system32\wuauclt.exe
<verified> RealPlayer (32-bit) 2976 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
<verified> Secunia PSI 3332 C:\Program Files\Secunia\PSI\psi.exe
<verified> SMax4PNP Application 3044 C:\Program Files\Analog Devices\Core\smax4pnp.exe
<verified> Trend Micro RUBotted . 1124 C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
<verified> Trend Micro RUBotted . 2628 C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
<verified> TrueVector Service 1652 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
<verified> ZoneAlarm Client 2592 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
<verified> ZoneAlarm ForceField 3672 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
<verified> ZoneAlarm ForceField 132 C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe


Network activity
----------------
Process TMRUBotted.exe (1124) connected on port 443 (HTTP over SSL) --> rbt.trendmicro.com
Process firefox.exe (3424) connected on port 80 (HTTP) --> CRL.VERISIGN.NET
Process firefox.exe (3424) connected on port 80 (HTTP) --> a92-122-127-240.deploy.akamaitechnologies.com
Process firefox.exe (3424) connected on port 80 (HTTP) --> CRL.VERISIGN.NET
Process ForceField.exe (3672) connected on port 80 (HTTP) --> a92-122-126-243.deploy.akamaitechnologies.com

Process svchost.exe (1180) listens on ports: 135 (RPC)
Process svchost.exe (1592) listens on ports: 2869 (SSDP event notification, UPNP)


Autoruns and critical files
---------------------------
<unsigned> Ahead Software Gmbh NeroCheck C:\WINDOWS\system32\NeroCheck.exe
<unsigned> InstallShield Update Service C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
<unsigned> InstallShield Update Service C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

<verified> DigiGuide Loader C:\Program Files\DigiGuide TV Guide\Client.exe
<verified> Intel® Common User Interface C:\WINDOWS\system32\hkcmd.exe
<verified> Intel® Common User Interface C:\WINDOWS\system32\igfxsrvc.dll
<verified> Intel® Common User Interface C:\WINDOWS\system32\igfxtray.exe
<verified> Java™ Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
<verified> RealPlayer (32-bit) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
<verified> RealUpgrade C:\Program Files\Real\RealUpgrade\realupgrade.exe
<verified> Secunia PSI C:\Program Files\Secunia\PSI\psi.exe
<verified> SMax4PNP Application C:\Program Files\Analog Devices\Core\smax4pnp.exe
<verified> SSBkgdUpdate C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
<verified> SSEreg C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe
<verified> Trend Micro RUBotted . C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
<verified> Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll
<verified> ZoneAlarm Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
<verified> ZoneAlarm ForceField C:\Program Files\CheckPoint\ZAForceField\ForceField.exe


Browser plugins
---------------
<unsigned> bdoscandel.exe C:\WINDOWS\bdoscandel.exe
<unsigned> bdscanonline C:\WINDOWS\Downloaded Program Files\oscan82.ocx
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
<unsigned> ipsupd.dll C:\WINDOWS\Downloaded Program Files\ipsupd.dll
<unsigned> Java™ Platform SE 6 U21 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
<unsigned> RealJukebox NS Plugin C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
<unsigned> RealJukebox NS Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
<unsigned> RealPlayer Version Plugin C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
<unsigned> RealPlayer Version Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
<unsigned> RealPlayer™ HTML5VideoShim Plug-In ( C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

<verified> BitDefender QuickScan C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3u1tcbw9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3u1tcbw9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> Flash® Player Installer/Uninstaller C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
<verified> Foxit Reader Plugin for Mozilla C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
<verified> getPlus+® C:\WINDOWS\Downloaded Program Files\gp.ocx
<verified> getPlusPlus for Adobe 16263 C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
<verified> Java Deployment Toolkit 6.0.210.6 C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
<verified> Java™ Platform SE 6 U21 c:\program files\java\jre6\bin\jp2ssv.dll
<verified> Java™ Platform SE 6 U21 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<verified> LastPass Toolbar c:\program files\lastpass\lpbar.dll
<verified> Messenger C:\Program Files\Messenger\msmsgs.exe
<verified> Microsoft Office 2003 C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
<verified> Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> RealPlayer Download and Record Plugin c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
<verified> RealPlayer™ G2 LiveConnect-Enabled P C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
<verified> RealPlayer™ G2 LiveConnect-Enabled P C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
<verified> Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
<verified> Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> ZoneAlarm ForceField C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll


Missing files
-------------
File not found: C:\ComboFix\catchme.sys
referenced in: HKLM\System\ControlSet001\services\catchme\"ImagePath"

File not found: C:\WINDOWS\System32\appmgmts.dll
referenced in: HKLM\System\ControlSet001\services\AppMgmt\Parameters\"ServiceDll"

File not found: C:\WINDOWS\system32\100.tmp
referenced in: HKLM\System\ControlSet001\services\MEMSWEEP2\"ImagePath"


Scan
----
<unsigned> MD5: 73fd4b6593af94cfd98b21c7d1548f53 C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
<unsigned> MD5: 26ab21e66adb7b60175052446a2308ec C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
<unsigned> MD5: e95b5495656c68d12c41711a96072949 C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3u1tcbw9.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
<unsigned> MD5: 750c0f40b57f72280a5c0ba1ab40fedc C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\samplesites.dll
<unsigned> MD5: d2aeadfd998706b4216315b2bd3fa79e C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
<unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 C:\Program Files\Java\jre6\bin\msvcr71.dll
<unsigned> MD5: a30e72106d943a9fd7b4ed21b71533cb C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
<unsigned> MD5: 6f9b85c270d7287011670411801c9dbf C:\Program Files\Mozilla Firefox\freebl3.dll
<unsigned> MD5: a0b507e037c3d2369f42a7bbfd08d878 C:\Program Files\Mozilla Firefox\nssdbm3.dll
<unsigned> MD5: edf657cc6d35e4bff1e4f144eb5e027f C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
<unsigned> MD5: 8908ac33d36f55a60a87a5290360fa27 C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
<unsigned> MD5: 7206da15f187595389741f85dc47d2a5 C:\Program Files\Mozilla Firefox\softokn3.dll
<unsigned> MD5: edf657cc6d35e4bff1e4f144eb5e027f C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
<unsigned> MD5: 8908ac33d36f55a60a87a5290360fa27 C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
<unsigned> MD5: f519ac92d4cfe8eae2dce4df51e5f32b C:\Program Files\Secunia\PSI\psires.dll
<unsigned> MD5: eb5477fea1c8c236548f2afe6168fab8 C:\Program Files\Trend Micro\RUBotted\libcurl.dll
<unsigned> MD5: 802badd73ccfcf4d5a77b38a2ed0d1fd C:\Program Files\Trend Micro\RUBotted\libeay32.dll
<unsigned> MD5: 35cee7d56d7e19d2595807ba08129201 C:\Program Files\Trend Micro\RUBotted\libexpat.dll
<unsigned> MD5: 356d374db97233bc41cb262f799777ea C:\Program Files\Trend Micro\RUBotted\sqlite3.dll
<unsigned> MD5: 6c0115f81e8804c87b8a7031a80876e0 C:\Program Files\Trend Micro\RUBotted\ssleay32.dll
<unsigned> MD5: a379b75a6ffe4dfd3184f35f0141ce91 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
<unsigned> MD5: b75e2a565ae6b03dd3941a5dd4e2f31c C:\WINDOWS\bdoscandel.exe
<unsigned> MD5: 3fea9d2edf23b0283c7a66c8dea380bd C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<unsigned> MD5: cdbe35ea59bc9223e4f800bd1db82d27 C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> MD5: 2b1c4c87eb20addba59dca975e28dffb C:\WINDOWS\Downloaded Program Files\ipsupd.dll
<unsigned> MD5: 3f4413dcd8d3bbabf08f68f25e6d60e1 C:\WINDOWS\Downloaded Program Files\isusweb.dll
<unsigned> MD5: a9f9db72cad15e93ad756acff7e4c7dd C:\WINDOWS\Downloaded Program Files\oscan82.ocx
<unsigned> MD5: 84853b3fd012251690570e9e7e43343f C:\WINDOWS\system32\drivers\cercsr6.sys
<unsigned> MD5: a94dc60a90efd7a35c36d971e3ee7470 C:\WINDOWS\system32\msvcp71.dll
<unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 C:\WINDOWS\system32\msvcr71.dll
<unsigned> MD5: 3e4c03cefad8de135263236b61a49c90 C:\WINDOWS\system32\NeroCheck.exe
<unsigned> MD5: 35127501a7187f9ed0208767a1d56701 C:\WINDOWS\system32\ZoneLabs\avsys\Arj.ppl
<unsigned> MD5: 83c66d184589051dfe8faf3ebebb35f5 C:\WINDOWS\system32\ZoneLabs\avsys\avlib.ppl
<unsigned> MD5: a88f636429789458f771f9fc5211a17f C:\WINDOWS\system32\ZoneLabs\avsys\avpgs.ppl
<unsigned> MD5: 4179a65a5592558c5b6d7aef290976b1 C:\WINDOWS\system32\ZoneLabs\avsys\AvpMgr.ppl
<unsigned> MD5: edac33fa0036d2e8a845118c43b65771 C:\WINDOWS\system32\ZoneLabs\avsys\avs.ppl
<unsigned> MD5: f7573d0d4d0527e2ef1d52b41026113b C:\WINDOWS\system32\ZoneLabs\avsys\avspm.ppl
<unsigned> MD5: 6297d55597d1e6397c6999e20b7d5958 C:\WINDOWS\system32\ZoneLabs\avsys\bases\kavsys.kdl
<unsigned> MD5: ae1ae6b67af9f4c342d4993d8e6af540 C:\WINDOWS\system32\ZoneLabs\avsys\bases\kjim.kdl
<unsigned> MD5: 2ae6cb8191bb680d0d0b416a89cb425d C:\WINDOWS\system32\ZoneLabs\avsys\bases\klavemu.kdl
<unsigned> MD5: 6cd2497c4fcfdaa288f742d52b11ac2b C:\WINDOWS\system32\ZoneLabs\avsys\bases\mark.kdl
<unsigned> MD5: af23a75a8d47f8e322e4a27ff14e2c80 C:\WINDOWS\system32\ZoneLabs\avsys\bases\qscan.kdl
<unsigned> MD5: 987fb16f4b51f66bf7d89d0628e4f474 C:\WINDOWS\system32\ZoneLabs\avsys\bases\webav.kdl
<unsigned> MD5: 17c05f774666e78cf8fc352d859d980b C:\WINDOWS\system32\ZoneLabs\avsys\btimages.ppl
<unsigned> MD5: 13db5f0a261e712390ad2c8439766797 C:\WINDOWS\system32\ZoneLabs\avsys\CAB.ppl
<unsigned> MD5: 3dc0b57e9aed5a83ee0d16c6a204a9d8 C:\WINDOWS\system32\ZoneLabs\avsys\crpthlpr.ppl
<unsigned> MD5: aa6ea0bd489c7da338333ef1d6869e4d C:\WINDOWS\system32\ZoneLabs\avsys\dmap.ppl
<unsigned> MD5: 9d178e0078ebf721e9583334718ca337 C:\WINDOWS\system32\ZoneLabs\avsys\dtreg.ppl
<unsigned> MD5: 2a341d0b33ae97dcfe518b495ddd488a C:\WINDOWS\system32\ZoneLabs\avsys\filemap.ppl
<unsigned> MD5: aba37f6cd8aa5bbec62fb456d020d786 C:\WINDOWS\system32\ZoneLabs\avsys\FsDrvPlg.ppl
<unsigned> MD5: 198353e0d495142514343d5ef1582cd7 C:\WINDOWS\system32\ZoneLabs\avsys\fssync.dll
<unsigned> MD5: f79fd7fe335e96b1db85ef7831db0563 C:\WINDOWS\system32\ZoneLabs\avsys\HashCont.ppl
<unsigned> MD5: ba8783dc28d5df4af68a67de4c44e682 C:\WINDOWS\system32\ZoneLabs\avsys\HashMD5.PPL
<unsigned> MD5: 0246333a98147926a4608295f36c91b3 C:\WINDOWS\system32\ZoneLabs\avsys\HCCMP.ppl
<unsigned> MD5: b2d254a0412e261a009f6a82416c9d24 C:\WINDOWS\system32\ZoneLabs\avsys\icheck3.ppl
<unsigned> MD5: eaa3a395915bdbef11d7fc6be7596ab7 C:\WINDOWS\system32\ZoneLabs\avsys\IWGen.ppl
<unsigned> MD5: 56e69e0a1a8b5ae38f505a5a23976624 C:\WINDOWS\system32\ZoneLabs\avsys\kave8.dll
<unsigned> MD5: bae3e2309ac9d1979dbddc2e21d1f65e C:\WINDOWS\system32\ZoneLabs\avsys\kavess.dll
<unsigned> MD5: f355485cf24ef2597aec773437fcfa27 C:\WINDOWS\system32\ZoneLabs\avsys\klsrlsvc.ppl
<unsigned> MD5: 8a4ab00885af6ae8e16743a13f97a500 C:\WINDOWS\system32\ZoneLabs\avsys\lha.ppl
<unsigned> MD5: 41615129546386da5099995f20690c8b C:\WINDOWS\system32\ZoneLabs\avsys\MailMsg.ppl
<unsigned> MD5: 577aed659ff2740e5a47fabada88885c C:\WINDOWS\system32\ZoneLabs\avsys\mdb.ppl
<unsigned> MD5: 59cd76bfba742e7658d1aced3db04d7c C:\WINDOWS\system32\ZoneLabs\avsys\minizip.ppl
<unsigned> MD5: 99906a28fe89293a53d451dbc3e0c27b C:\WINDOWS\system32\ZoneLabs\avsys\mkavio.ppl
<unsigned> MD5: da381d874947a1f62602c57fd2ec0294 C:\WINDOWS\system32\ZoneLabs\avsys\msoe.ppl
<unsigned> MD5: 55660b580996db2ac8d13c37cbeed1cd C:\WINDOWS\system32\ZoneLabs\avsys\nfio.ppl
<unsigned> MD5: cde1fedef99ccbf6263177ac29ad8f42 C:\WINDOWS\system32\ZoneLabs\avsys\oas.ppl
<unsigned> MD5: 3c0600a2f1d5534832f15f8722b74748 C:\WINDOWS\system32\ZoneLabs\avsys\params.ppl
<unsigned> MD5: 88b9c3ef2cc4e247690bb16a47504054 C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
<unsigned> MD5: 655e6287ce6eebd5487407a315cfd82c C:\WINDOWS\system32\ZoneLabs\avsys\procmon.ppl
<unsigned> MD5: babbae99e7f0e653bec2e498e954e85b C:\WINDOWS\system32\ZoneLabs\avsys\propmap.ppl
<unsigned> MD5: 8f4bc2630d317d68bc2eab5ea48dc069 C:\WINDOWS\system32\ZoneLabs\avsys\queue.dll
<unsigned> MD5: 717df07db676dda1a0d93879a0d48e65 C:\WINDOWS\system32\ZoneLabs\avsys\rar.ppl
<unsigned> MD5: a2f921066b58dab29caffec42697c6d5 C:\WINDOWS\system32\ZoneLabs\avsys\regmap.ppl
<unsigned> MD5: 4e27c49cce65c49eda589b2cd24579cc C:\WINDOWS\system32\ZoneLabs\avsys\Report.ppl
<unsigned> MD5: b501d2df56fe089315564c5dbc951b2d C:\WINDOWS\system32\ZoneLabs\avsys\ReportDB.ppl
<unsigned> MD5: fc50c9341e6900d0b3565a7639c70574 C:\WINDOWS\system32\ZoneLabs\avsys\schedule.ppl
<unsigned> MD5: 8949d6a24ca5baf2aa8a421669cc7b3a C:\WINDOWS\system32\ZoneLabs\avsys\thpimpl.ppl
<unsigned> MD5: 8109f429ca9b2eadf00488f882a2a0e4 C:\WINDOWS\system32\ZoneLabs\avsys\Timer.ppl
<unsigned> MD5: 305c4ac8f41ca8b830a57882c5b7b0f4 C:\WINDOWS\system32\ZoneLabs\avsys\tm.ppl
<unsigned> MD5: 0b02f707dc2cb86c0b3abf4b35768ca1 C:\WINDOWS\system32\ZoneLabs\avsys\UniArc.ppl
<unsigned> MD5: 2c9b24680afb2c717bfa3633c7c414a2 C:\WINDOWS\system32\ZoneLabs\avsys\volenum.ppl
<unsigned> MD5: 2809c3bdfe07430aa6ea87e63d5d76ca C:\WINDOWS\system32\ZoneLabs\avsys\WDiskIO.ppl
<unsigned> MD5: f0135e9ab9abb5459979074da21743d6 C:\WINDOWS\system32\ZoneLabs\avsys\WinReg.ppl
<unsigned> MD5: 3b5f0bf4125688a531fa21c823ea6193 C:\WINDOWS\system32\ZoneLabs\dbghelp.dll

The following file(s) must be uploaded for server-side scanning:
C:\Program Files\Secunia\PSI\psires.dll

Upload started - 1 file(s)
psires.dll (371712)
Upload speed - 26 KB/s
Upload finished - 1 uploaded, 0 failed

The uploaded file(s) were found clean.

Scan finished - communication took 17 sec
Total traffic - 0.44 MB sent, 2.77 KB recvd
Scanned 1191 files and modules - 237 seconds

==============================================================================
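The "Missing files" section of the QuickScan log above flags three service entries (catchme, AppMgmt, MEMSWEEP2) whose registry ImagePath or ServiceDll points at a file that is no longer on disk. Here those are leftovers of removal tools, but the same pattern is worth checking on any suspect machine: an orphaned loader entry can also be what remains after an AV engine deletes a driver file but not its service key. As an added example, not part of this thread or of any of the tools used in it, the Windows PowerShell script below reproduces that check: it walks HKLM\SYSTEM\CurrentControlSet\Services, normalises each ImagePath and Parameters\ServiceDll value (the `\??\` prefix, `%SystemRoot%`, quoted paths with arguments, driver paths given relative to the Windows directory) and reports every entry whose target file does not exist. The function names and output columns are my own; it assumes PowerShell 3 or later and should be run from an elevated prompt so that every service key is readable.

```powershell
# Added example (not from the thread): list services and drivers whose ImagePath
# or Parameters\ServiceDll points at a file that no longer exists, the condition
# the QuickScan "Missing files" section reports. Assumes PowerShell 3+ and an
# elevated prompt. Function names are hypothetical.

function Resolve-ImagePath {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    # Strip NT object-manager prefixes such as \??\ and \SystemRoot\
    if ($p -match '^\\\?\?\\(.*)$')        { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.*)$')  { $p = Join-Path $env:SystemRoot $Matches[1] }
    # Quoted path: keep the quoted part. Unquoted: drop trailing arguments
    # such as "-k netsvcs". (An unquoted path containing spaces AND arguments
    # cannot be split reliably and is left as-is.)
    if ($p -match '^"([^"]+)"')                       { $p = $Matches[1] }
    elseif ($p -match '^(\S+\.(exe|sys|dll))(\s.*)?$') { $p = $Matches[1] }
    # Driver entries are often relative to the Windows directory,
    # e.g. system32\drivers\klif.sys
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OrphanedServiceImage {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $candidates = @()
        if ($props.ImagePath) {
            $candidates += [pscustomobject]@{ Value = 'ImagePath'; Raw = $props.ImagePath }
        }
        $paramsKey = $key.PSPath + '\Parameters'
        if (Test-Path $paramsKey) {
            $svcDll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
            if ($svcDll) {
                $candidates += [pscustomobject]@{ Value = 'Parameters\ServiceDll'; Raw = $svcDll }
            }
        }
        foreach ($c in $candidates) {
            $resolved = Resolve-ImagePath $c.Raw
            if ($resolved -and -not (Test-Path -LiteralPath $resolved)) {
                [pscustomobject]@{
                    Service  = $key.PSChildName
                    Value    = $c.Value
                    Raw      = $c.Raw
                    Resolved = $resolved
                    # Start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                    Start    = $props.Start
                }
            }
        }
    }
}

Get-OrphanedServiceImage | Sort-Object Service | Format-Table -AutoSize
```

Run as-is it prints one row per dangling entry; on the machine in this thread it would list catchme (ImagePath C:\ComboFix\catchme.sys), AppMgmt (ServiceDll appmgmts.dll) and MEMSWEEP2 (ImagePath \??\c:\windows\system32\100.tmp). The Start column is the useful triage field: a boot- or system-start driver (0 or 1) whose file is gone is a much stronger sign that something removed a component than a manual-start (3) leftover from a scanner. Entries from known cleanup tools can simply be deleted; anything else deserves a look at the key's other values before it is removed.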





#13 George Lee
  • Topic Starter
  • Members
  • 13 posts

Posted 21 July 2010 - 11:06 AM

Latest news.

I tried ESET again this afternoon and this time it worked, although I had to close ZoneAlarm and rely on the MS and router firewalls to prevent any nasties infecting the PC, as it warned that ZA could affect the result.

No infections were detected, but unfortunately I clicked finish at the end, which took me to a page trying to get me to buy their system, so there is no log to forward.

Only when I went back to your instructions did I see that I should have clicked the back button and saved the log. Do I need to repeat the scan, if it will work again?

#14 pwgib
  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 22 July 2010 - 11:05 AM

Hello George Lee,

QUOTE
I tried ESET again this afternoon and this time it worked, although I had to close ZoneAlarm

QUOTE
No infections were detected, but unfortunately I clicked finish at the end, which took me to a page trying to get me to buy their system, so there is no log to forward.

Eset scan results << Note: If nothing is found there will be no report.

Let's get a final look at your system.
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

In your next reply please include the following:

DDS scan results


Thanks!!
PW

#15 George Lee
  • Topic Starter
  • Members
  • 13 posts

Posted 22 July 2010 - 01:22 PM

Hello pwgib,

I have not included the DDS attachment as you didn't request it, but it's still on my desktop if required.

Sounds as though I will soon be able to install the Windows patches from last week.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:06:17.15 on 22/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.305 [GMT 1:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\ClipMagic\clipmagic.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\dwwin.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.telegraph.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/registration-free-antivirus.php
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ScanSoft OmniPage 16-reminder] "c:\program files\scansoft\omnipage16\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage 16\ereg\Ereg.ini"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\digigu~1.lnk - c:\program files\digiguide tv guide\Client.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276894815156
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3u1tcbw9.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3u1tcbw9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3u1tcbw9.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3u1tcbw9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-18 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-6-18 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-6-18 528008]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-7-6 20072]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-3-16 26232]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-6-19 206608]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\100.tmp --> c:\windows\system32\100.tmp [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-6-19 206608]

=============== Created Last 30 ================

2010-07-21 15:01:15 0 d-----w- c:\program files\ESET
2010-07-21 00:02:52 0 d-----w- c:\docume~1\owner\applic~1\QuickScan
2010-07-19 19:09:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-18 15:09:58 0 d-sha-r- C:\cmdcons
2010-07-18 15:04:12 77312 ----a-w- c:\windows\MBR.exe
2010-07-18 15:04:11 98816 ----a-w- c:\windows\sed.exe
2010-07-18 15:04:11 256512 ----a-w- c:\windows\PEV.exe
2010-07-18 15:04:11 161792 ----a-w- c:\windows\SWREG.exe
2010-07-11 22:08:47 69 ----a-w- c:\windows\NeroDigital.ini
2010-07-11 19:39:14 364544 ------w- c:\windows\system32\TwnLib4.dll
2010-07-11 19:39:14 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-07-11 19:39:11 471040 ------w- c:\windows\system32\ImagXRA7.dll
2010-07-11 19:39:11 262144 ------w- c:\windows\system32\ImagXR7.dll
2010-07-11 19:39:10 476320 ------w- c:\windows\system32\ImagXpr7.dll
2010-07-11 19:39:10 1568768 ------w- c:\windows\system32\ImagX7.dll
2010-07-11 19:39:09 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-07-11 19:38:28 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2010-07-11 19:38:27 0 d-----w- c:\program files\CyberLink DVD Solution
2010-07-11 17:57:32 57344 ----a-w- c:\windows\uneng.exe
2010-07-11 17:50:48 283648 ----a-w- c:\windows\uninst.exe
2010-07-11 17:50:45 0 d-----w- c:\documents and settings\owner\WINDOWS
2010-07-08 17:56:36 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-07 13:14:44 0 d-----w- c:\windows\system32\XPSViewer
2010-07-07 13:13:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-07 13:13:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-07 13:13:31 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-07 13:13:31 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-07 13:13:31 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-07 13:13:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-07 13:13:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-07 13:13:30 0 d-----w- C:\188209cb1ff21b21e4
2010-07-06 14:48:05 20072 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-07-06 10:23:55 0 d-----w- c:\program files\CPUID
2010-07-04 23:49:54 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-07-04 15:35:36 7957504 ----a-w- c:\program files\common files\lpuninstall.exe
2010-07-04 15:35:22 0 d-----w- c:\program files\LastPass
2010-07-01 13:17:31 0 d-----w- c:\program files\Sophos
2010-06-23 16:54:06 0 d-----w- c:\docume~1\owner\applic~1\#ISW.FS#

==================== Find3M ====================

2010-07-22 08:54:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-19 19:08:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-20 09:33:14 737280 ----a-w- c:\windows\iun6002.exe
2010-06-20 00:00:06 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-16 11:35:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-28 11:04:52 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 19:07:23.40 ===============
