
Google searches redirect / Windows theme changes randomly / random pop ups

Discussion in 'Virus & Other Malware Removal' started by Motorbreath, Feb 16, 2011.

  1. Motorbreath

    Motorbreath Thread Starter

    Joined:
    Feb 12, 2011
    Messages:
    10
    Hey guys, I'm new here.

    Down to business, now. For about a week or so I've been having this problem.
    Every time I search on Google and click a link, I end up being redirected somewhere else.
    I'm aware of such programs as Malwarebytes and I have run it once; it found 19 items and deleted them. But I'm still getting the random redirects. If anyone can help me I'd highly appreciate it. This is rather annoying :\

    Thanks in advance!

    (This is a repost with additional information.)
    HijackThis, DDS, GMER logs

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:51:42 AM, on 2/14/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IDT\WDM\STacSV.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\sttray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\AESTFltr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\WINDOWS\system32\svchost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [AESTFltr] "C:\WINDOWS\system32\AESTFltr.exe" /NoDlg
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [coreworks] "C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe" runatstartup
    O4 - HKLM\..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - Global Startup: Bluetooth.lnk = ?
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: HP Connection Manager Service (mdvsrv) - HP - C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe
    O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8348 bytes
     
  2. Motorbreath

    Motorbreath Thread Starter

    Joined:
    Feb 12, 2011
    Messages:
    10
    DDS Logs


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Owner at 4:04:12.93 on Mon 02/14/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.537 [GMT -5:00]

    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Pro Firewall *Disabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IDT\WDM\STacSV.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\sttray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\AESTFltr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page =
    uStart Page = hxxp://www.facebook.com/
    uDefault_Page_URL = hxxp://www.Yahoo.com
    uSearch Bar =
    mSearchAssistant =
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [eyeBeam SIP Client]
    uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IDTSysTrayApp] sttray.exe
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [AESTFltr] "c:\windows\system32\AESTFltr.exe" /NoDlg
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [coreworks] "c:\program files\hpq\hp connection manager 1.1\bin\gbxapp.exe" runatstartup
    mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ttmedoyq.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: ZoneAlarm Toolbar: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(general.useragent.extra.brc,

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-9 11608]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-2-2 482696]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-9 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-9 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-9 61960]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-9-4 25208]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-9-4 435568]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-2-26 112128]
    R3 mdvsrv;HP Connection Manager Service;c:\program files\hpq\hp connection manager 1.1\bin\mdvsrv.exe [2008-8-21 575976]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S2 Ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
    S2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\qdlservice\QDLService.exe [2008-6-27 345336]
    S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S3 cpuz130;cpuz130;\??\c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz130\cpuz_x32.sys [?]
    S3 icsak;icsak;\??\c:\program files\checkpoint\zaforcefield\ak\icsak.sys --> c:\program files\checkpoint\zaforcefield\ak\icsak.sys [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-15 14336]
    S3 PortTalk;PortTalk;c:\windows\system32\drivers\porttalk.sys [2010-2-6 3567]
    S3 UCORESYS;UCORESYS;c:\swsetup\sp45107\UCORESYS.SYS [2008-7-24 15432]

    =============== Created Last 30 ================

    2011-02-14 05:40:09 388096 ----a-r- c:\docume~1\owner\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-02-14 05:40:06 -------- d-----w- c:\program files\Trend Micro
    2011-02-09 10:14:08 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2011-02-09 10:13:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-02-09 07:48:55 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-03 06:50:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\pHaKeLj10600
    2011-01-22 23:46:26 -------- d-----w- c:\docume~1\owner\applic~1\Avira
    2011-01-17 00:14:47 -------- d-----w- c:\program files\Microsoft
    2011-01-16 12:43:21 -------- d-----w- c:\docume~1\owner\applic~1\Local

    ==================== Find3M ====================


    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: TOSHIBA_MK6028GAL rev.BN101C -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EB7735]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86ebd990]; MOV EAX, [0x86ebda0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F35AB8]
    3 CLASSPNP[0xF75E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000076[0x86F55470]
    5 ACPI[0xF7334620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86F36940]
    \Driver\atapi[0x86FDF290] -> IRP_MJ_CREATE -> 0x86EB7735
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK6028GAL_______________________BN101C__#5&2868f5b2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86EB757B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 4:06:02.40 ===============
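The ROOTKIT section above is the part of this DDS log that explains the redirects: the disk I/O trace ends in code that belongs to no loaded driver (`>>UNKNOWN [0x86EB7735]<<`), atapi's `IRP_MJ_CREATE` and `DriverStartIo` entries point into that same region (`0x86EB7735`, `0x86EB757B`), and the MBR itself reads clean from both user and kernel mode, which is why the detector says TDL3 (driver-resident) rather than the MBR-resident TDL4. The script below is an added triage example, not part of the original post or of the DDS/GMER tools: it parses lines in the detector's format and relates each hook target to the unattributed code. The sample input is constructed to mirror the lines above, and the 0x1000-byte proximity window and all function names are the analyst's own choices.

```python
"""Triage the ROOTKIT section of a DDS log for a hooked disk stack.

Added example, not part of the original thread. The sample input below is
constructed to mirror the DDS/GMER detector lines posted above; the 0x1000
proximity window and all function names are the analyst's own choices.
"""
import re

# Constructed sample modelled on the ROOTKIT section of the DDS log.
SAMPLE_INFECTED = r"""Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EB7735]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F35AB8]
\Driver\atapi[0x86FDF290] -> IRP_MJ_CREATE -> 0x86EB7735
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EB757B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Constructed clean sample: every module in the trace is named, nothing hooked.
SAMPLE_CLEAN = r"""device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^\\Driver\\(\w+) (\w+) -> 0x([0-9A-Fa-f]+)$")
IRP_RE = re.compile(r"^\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> 0x([0-9A-Fa-f]+)$")


def parse_rootkit_section(text):
    """Pull the addresses that matter out of the detector output.

    unknown: code in the disk I/O path that belongs to no loaded driver
    hooks:   (driver, entry point, target) from the 'detected hooks' block
    irp:     (driver, IRP major function, target) redirections in the trace
    mbr_ok:  the detector read the same, clean MBR from user and kernel mode
    """
    parsed = {"unknown": [], "hooks": [], "irp": [], "mbr_ok": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := UNKNOWN_RE.search(line):
            parsed["unknown"].append(int(m.group(1), 16))
        elif m := HOOK_RE.match(line):
            parsed["hooks"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif m := IRP_RE.match(line):
            parsed["irp"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif line == "user & kernel MBR OK":
            parsed["mbr_ok"] = True
    return parsed


def assess(parsed, window=0x1000):
    """Relate each hook target to the unattributed code the trace ended in.

    A hook target within `window` bytes of an UNKNOWN module means the
    redirection lands inside that same unowned region. With a clean MBR this
    is the driver-resident pattern (TDL3 style) rather than a bootkit.
    """
    findings = []
    for driver, entry, target in parsed["irp"] + parsed["hooks"]:
        near = [u for u in parsed["unknown"] if abs(target - u) <= window]
        if near:
            findings.append((driver, entry, target, near[0]))
    if findings and parsed["mbr_ok"]:
        verdict = "suspect: disk stack redirected into unattributed kernel code, MBR clean"
    elif findings:
        verdict = "suspect: disk stack redirected into unattributed kernel code"
    elif parsed["unknown"]:
        verdict = "review: unattributed code in disk trace, no hook resolved into it"
    else:
        verdict = "no disk-stack hook indicators"
    return verdict, findings


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        verdict, findings = assess(parse_rootkit_section(sample))
        print(f"[{label}] {verdict}")
        for driver, entry, target, unknown in findings:
            print(f"  {driver} {entry} -> {target:#x}, {abs(target - unknown):#x} bytes from unknown code at {unknown:#x}")
```

On the log above the two targets sit 0x146 bytes apart inside the same unowned region, so both the IRP redirection and the `DriverStartIo` hook resolve to the one injected module; a clean `user & kernel MBR OK` alongside that is what separates a driver infection from a bootkit and is the reason the usual cleanup path for this family is a dedicated TDSS remover followed by a fresh GMER run, not another on-demand scanner pass.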
     
  3. Motorbreath

    Motorbreath Thread Starter

    Joined:
    Feb 12, 2011
    Messages:
    10
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-14 04:07:51
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK6028GAL rev.BN101C
    Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\axrorpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAA3DE130]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAA3D7950]
    SSDT F7CBBA7E ZwCreateKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xAA3DE900]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xAA3F57A0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xAA3F5BB0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xAA3FF680]
    SSDT F7CBBA74 ZwCreateThread
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xAA3DEA60]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xAA3D8790]
    SSDT F7CBBA83 ZwDeleteKey
    SSDT F7CBBA8D ZwDeleteValueKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xAA3F48F0]
    SSDT sptd.sys ZwEnumerateKey [0xF73E3FFE]
    SSDT sptd.sys ZwEnumerateValueKey [0xF73E438C]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xAA3D1650]
    SSDT F7CBBA92 ZwLoadKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xAA3FDB80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xAA3FFA20]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xAA3D82E0]
    SSDT sptd.sys ZwOpenKey [0xF73AFA30]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xAA3F7E90]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xAA3F7A60]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwProtectVirtualMemory [0xAA3F9E60]
    SSDT sptd.sys ZwQueryKey [0xF73E4464]
    SSDT sptd.sys ZwQueryValueKey [0xF73E42E4]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xAA3FECC0]
    SSDT F7CBBA9C ZwReplaceKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xAA3DDC80]
    SSDT F7CBBA97 ZwRestoreKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xAA3DE3F0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xAA3D8BB0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationObject [0xAA3F9D40]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xAA3D0D90]
    SSDT F7CBBA88 ZwSetValueKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xAA3F6750]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xAA3F6490]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xAA3D1A90]

    INT 0x62 ? 8659DCC8
    INT 0x63 ? 86490CC8
    INT 0x83 ? 86490CC8
    INT 0xA4 ? 86490CC8
    INT 0xB4 ? 86490CC8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2C9C 80504538 12 Bytes JMP D7F0EF7A
    .text ntkrnlpa.exe!ZwCallbackReturn + 2CC4 80504560 4 Bytes JMP 320EAA3D
    .text ntkrnlpa.exe!ZwCallbackReturn + 2D68 80504604 12 Bytes [50, 16, 3D, AA, 92, BA, CB, ...]
    .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF746CD38]
    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload F6A3F934 5 Bytes JMP 864901D8

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[320] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[320] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20BF90BD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\spoolsv.exe[368] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\spoolsv.exe[368] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\spoolsv.exe[368] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\spoolsv.exe[368] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\spoolsv.exe[368] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\spoolsv.exe[368] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\spoolsv.exe[368] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\spoolsv.exe[368] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\STacSV.exe[424] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\STacSV.exe[424] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\STacSV.exe[424] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\STacSV.exe[424] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\STacSV.exe[424] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\STacSV.exe[424] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\STacSV.exe[424] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\STacSV.exe[424] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Java\jre6\bin\jqs.exe[464] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Java\jre6\bin\jqs.exe[464] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Java\jre6\bin\jqs.exe[464] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Java\jre6\bin\jqs.exe[464] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Java\jre6\bin\jqs.exe[464] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Java\jre6\bin\jqs.exe[464] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Java\jre6\bin\jqs.exe[464] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Java\jre6\bin\jqs.exe[464] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Google\Update\GoogleUpdate.exe[488] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Google\Update\GoogleUpdate.exe[488] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Google\Update\GoogleUpdate.exe[488] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Google\Update\GoogleUpdate.exe[488] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Google\Update\GoogleUpdate.exe[488] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Google\Update\GoogleUpdate.exe[488] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Google\Update\GoogleUpdate.exe[488] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Google\Update\GoogleUpdate.exe[488] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[736] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[736] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[736] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[784] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[784] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[784] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[784] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[784] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[784] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[796] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[796] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[796] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[796] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[796] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[836] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[836] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[836] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[836] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[836] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[836] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[836] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[836] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\QUALCOMM\QDLService\QDLService.exe[852] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\QUALCOMM\QDLService\QDLService.exe[852] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\QUALCOMM\QDLService\QDLService.exe[852] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\QUALCOMM\QDLService\QDLService.exe[852] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\QUALCOMM\QDLService\QDLService.exe[852] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\QUALCOMM\QDLService\QDLService.exe[852] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\QUALCOMM\QDLService\QDLService.exe[852] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\QUALCOMM\QDLService\QDLService.exe[852] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Documents and Settings\Owner\Desktop\gmer.exe[1108] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Documents and Settings\Owner\Desktop\gmer.exe[1108] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Documents and Settings\Owner\Desktop\gmer.exe[1108] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Documents and Settings\Owner\Desktop\gmer.exe[1108] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Documents and Settings\Owner\Desktop\gmer.exe[1108] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Documents and Settings\Owner\Desktop\gmer.exe[1108] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Documents and Settings\Owner\Desktop\gmer.exe[1108] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Documents and Settings\Owner\Desktop\gmer.exe[1108] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
    .text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
    .text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1140] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1140] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0068000A
    .text C:\WINDOWS\System32\svchost.exe[1140] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1140] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F7000A
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1188] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1188] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1188] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1188] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1188] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1188] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1188] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1188] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1224] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1224] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1224] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1224] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1224] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1236] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1236] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxpers.exe[1456] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxpers.exe[1456] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxpers.exe[1456] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxpers.exe[1456] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxpers.exe[1456] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxpers.exe[1456] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxpers.exe[1456] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxpers.exe[1456] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxsrvc.exe[1464] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxsrvc.exe[1464] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxsrvc.exe[1464] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxsrvc.exe[1464] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxsrvc.exe[1464] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxsrvc.exe[1464] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxsrvc.exe[1464] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\igfxsrvc.exe[1464] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1784] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1784] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1784] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1784] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1784] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1784] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1784] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1784] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe[2036] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe[2036] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe[2036] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe[2036] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe[2036] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe[2036] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe[2036] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe[2036] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\sttray.exe[2108] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\sttray.exe[2108] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\sttray.exe[2108] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\sttray.exe[2108] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\sttray.exe[2108] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\sttray.exe[2108] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\sttray.exe[2108] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\sttray.exe[2108] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\AESTFltr.exe[2112] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\AESTFltr.exe[2112] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\AESTFltr.exe[2112] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\AESTFltr.exe[2112] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\AESTFltr.exe[2112] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\AESTFltr.exe[2112] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\AESTFltr.exe[2112] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\AESTFltr.exe[2112] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\sttray.exe[2116] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\sttray.exe[2116] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\sttray.exe[2116] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\sttray.exe[2116] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\sttray.exe[2116] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\sttray.exe[2116] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\sttray.exe[2116] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\IDT\WDM\sttray.exe[2116] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\hkcmd.exe[2208] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\hkcmd.exe[2208] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\hkcmd.exe[2208] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\hkcmd.exe[2208] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\hkcmd.exe[2208] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\hkcmd.exe[2208] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\hkcmd.exe[2208] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\hkcmd.exe[2208] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013C000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013D000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 013B000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2340] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2340] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2340] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20BF90BD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2340] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2340] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2344] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2344] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2344] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2344] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2344] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2344] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2344] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2344] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2428] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2428] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2428] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2428] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2428] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2428] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2428] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2428] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2480] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2480] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2480] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2480] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2480] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2480] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2480] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2480] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe[2516] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe[2516] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe[2516] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe[2516] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe[2516] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe[2516] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe[2516] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe[2516] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[2624] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[2624] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[2624] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[2624] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[2624] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[2624] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[2624] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[2624] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe[2652] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe[2652] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe[2652] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe[2652] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe[2652] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe[2652] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe[2652] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe[2652] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2736] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2736] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2736] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2736] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2736] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2736] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2736] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2736] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2792] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2792] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2792] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2792] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2792] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2792] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2792] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2792] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2804] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2804] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2804] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2804] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2804] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2804] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2804] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2804] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe[2888] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe[2888] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe[2888] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe[2888] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe[2888] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe[2888] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe[2888] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe[2888] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[3096] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[3096] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[3096] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[3096] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[3096] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[3096] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[3096] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[3096] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3300] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3300] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3300] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3300] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3300] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 209937DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWDMP.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3300] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3300] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3300] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20BF90BD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\alg.exe[3316] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\alg.exe[3316] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\alg.exe[3316] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\alg.exe[3316] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\alg.exe[3316] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\alg.exe[3316] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\alg.exe[3316] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\System32\alg.exe[3316] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3532] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3532] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20BF8BDB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3532] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20BF882E C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3532] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20BF82EF C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3532] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3532] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3532] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3532] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[3640] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
    .text C:\WINDOWS\Explorer.EXE[3640] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
    .text C:\WINDOWS\Explorer.EXE[3640] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C
    .text C:\WINDOWS\Explorer.EXE[3640] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[3640] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[3640] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[3640] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3928] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013C000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3928] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013D000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3928] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 013B000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3928] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3928] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20BF8EB9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3928] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20BF90BD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3928] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20BF8112 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3928] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20BF80DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8659C1F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{50A564D7-DBCC-420D-8A1F-E87BF1F98D4F} 860411F8
    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\usbehci \Device\USBPDO-0 8653D430
    Device \Driver\usbuhci \Device\USBPDO-1 8653E1F8
    Device \Driver\usbuhci \Device\USBPDO-2 8653E1F8
    Device \Driver\usbuhci \Device\USBPDO-3 8653E1F8
    Device \Driver\usbuhci \Device\USBPDO-4 8653E1F8
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864B757B
    Device \Driver\atapi \Device\Ide\IdePort0 [F72EFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\NetBT \Device\NetBt_Wins_Export 860411F8
    Device \Driver\NetBT \Device\NetbiosSmb 860411F8
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\usbuhci \Device\USBFDO-0 8653E1F8
    Device \Driver\usbuhci \Device\USBFDO-1 8653E1F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 859E71F8
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\usbuhci \Device\USBFDO-2 8653E1F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 859E71F8
    Device \Driver\usbuhci \Device\USBFDO-3 8653E1F8
    Device \Driver\usbehci \Device\USBFDO-4 8653D430
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK6028GAL_______________________BN101C__#5&2868f5b2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\NetworkService\Cookies\[email protected][10].txt 101 bytes
    File C:\Documents and Settings\NetworkService\Cookies\[email protected][9].txt 68 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D04G50VQ\yellowpages_lycos_com[1].txt 18360 bytes

    ---- EOF - GMER 1.0.15 ----
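Added example, not code from the thread or from GMER: a small Python triage script for the GMER hook lines in the format pasted above. It separates hooks that GMER could attribute to a named module (the ZoneAlarm ForceField and xul.dll entries, which end in a DLL path and vendor) from those it could not (the ntdll.dll hooks in Explorer.EXE and firefox.exe, which end at the bare JMP target), and pulls out the "rootkit-like behavior" line from the Disk sectors section. The sample log is a constructed excerpt of lines in that format; nothing external is assumed.

```python
# Triage of GMER 1.0.15 user-mode hook lines and the 'Disk sectors' section.
# Added example, not code from the thread or from GMER; only the 5-byte
# "JMP <target>" hook form that appears in the log is handled.
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# .text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<owner dll> (<vendor>)]
# The owner/vendor tail is present only when GMER mapped the JMP target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+(?: \+ [0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)
# Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<note>.*?);?\s*$")


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    function: str
    target: str
    owner: Optional[str]  # module GMER attributed the JMP target to, or None
    vendor: Optional[str]

    @property
    def attributed(self) -> bool:
        return self.owner is not None


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one '.text' hook line; any other line yields None."""
    m = HOOK_RE.match(line.strip())
    if m is None:
        return None
    return Hook(m["proc"], int(m["pid"]), m["module"], m["func"],
                m["target"], m["owner"], m["vendor"])


def parse_log(text: str) -> Tuple[List[Hook], List[Tuple[str, int, str]]]:
    """Collect hook records and (device, sector, note) disk alerts; other sections are skipped."""
    hooks: List[Hook] = []
    disk_alerts: List[Tuple[str, int, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        hook = parse_hook(line)
        if hook is not None:
            hooks.append(hook)
            continue
        d = DISK_RE.match(line)
        if d is not None:
            disk_alerts.append((d["dev"], int(d["sector"]), d["note"]))
    return hooks, disk_alerts


def triage(text: str) -> Dict[str, Any]:
    """Separate hooks GMER could attribute to a module from those it could not, per process."""
    hooks, disk_alerts = parse_log(text)
    unattributed = [h for h in hooks if not h.attributed]
    by_process: Dict[str, List[str]] = {}
    for h in unattributed:
        by_process.setdefault(f"{h.process}[{h.pid}]", []).append(h.function)
    return {
        "hooks_total": len(hooks),
        "unattributed": unattributed,
        "unattributed_by_process": by_process,
        "attributed_vendors": sorted({h.vendor for h in hooks if h.attributed}),
        "disk_alerts": disk_alerts,
    }


# Constructed excerpt: lines in the shape of the GMER log above, trimmed to a few processes.
SAMPLE_LOG = r"""
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20BF8614 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[3640] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\WINDOWS\Explorer.EXE[3640] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\Explorer.EXE[3640] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C
.text C:\WINDOWS\Explorer.EXE[3640] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20BF8CE0 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3928] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3928] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3928] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 013B000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3928] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20BF90BD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for proc, funcs in result["unattributed_by_process"].items():
        print(f"UNATTRIBUTED hooks in {proc}: {', '.join(funcs)}")
    for dev, sector, note in result["disk_alerts"]:
        print(f"DISK {dev} sector {sector}: {note}")
```

An unattributed JMP target is a triage signal, not a verdict: the ZoneAlarm and xul.dll entries show that legitimate software hooks the same APIs, the difference being that GMER could name the owning module.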
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Hiya Motorbreath,

    As follows please :-

    Step 1

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Step 2

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    Combofix

    Don't forget Combofix must be saved to your desktop, do not save to or run from anywhere else. <--Very important

    Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

    Please include the C:\ComboFix.txt in your next reply for further review.

    Examples of how to disable realtime protection available at the following link :-

    Disable realtime protection

    Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Step 3

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Post the three logs in your reply please,

    Kevin
     
  5. Motorbreath

    Motorbreath Thread Starter

    Joined:
    Feb 12, 2011
    Messages:
    10
    Hello Kevin! Thanks for taking the time to help me out with this annoying issue!
    Here are the logs you've requested.


    TDSSkiller Log

    2011/02/16 18:26:18.0942 1484 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
    2011/02/16 18:26:19.0176 1484 ================================================================================
    2011/02/16 18:26:19.0176 1484 SystemInfo:
    2011/02/16 18:26:19.0176 1484
    2011/02/16 18:26:19.0176 1484 OS Version: 5.1.2600 ServicePack: 3.0
    2011/02/16 18:26:19.0176 1484 Product type: Workstation
    2011/02/16 18:26:19.0176 1484 ComputerName: YOUR-5A66F93F18
    2011/02/16 18:26:19.0176 1484 UserName: Owner
    2011/02/16 18:26:19.0176 1484 Windows directory: C:\WINDOWS
    2011/02/16 18:26:19.0176 1484 System windows directory: C:\WINDOWS
    2011/02/16 18:26:19.0176 1484 Processor architecture: Intel x86
    2011/02/16 18:26:19.0176 1484 Number of processors: 2
    2011/02/16 18:26:19.0176 1484 Page size: 0x1000
    2011/02/16 18:26:19.0176 1484 Boot type: Normal boot
    2011/02/16 18:26:19.0176 1484 ================================================================================
    2011/02/16 18:26:20.0349 1484 Initialize success
    2011/02/16 18:26:38.0870 4024 ================================================================================
    2011/02/16 18:26:38.0870 4024 Scan started
    2011/02/16 18:26:38.0870 4024 Mode: Manual;
    2011/02/16 18:26:38.0870 4024 ================================================================================
    2011/02/16 18:27:57.0330 4024 ISWKL (9bed1d5119aab64735b1cd98d16361f7) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
    2011/02/16 18:27:58.0377 4024 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/02/16 18:27:59.0190 4024 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/02/16 18:28:00.0237 4024 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/02/16 18:28:01.0660 4024 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/02/16 18:28:05.0520 4024 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/02/16 18:28:06.0833 4024 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/02/16 18:28:08.0537 4024 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/02/16 18:28:09.0865 4024 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/02/16 18:28:11.0084 4024 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/02/16 18:28:12.0897 4024 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2011/02/16 18:28:14.0663 4024 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/02/16 18:28:16.0367 4024 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/02/16 18:28:17.0633 4024 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/02/16 18:28:18.0274 4024 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/02/16 18:28:18.0930 4024 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/02/16 18:28:19.0806 4024 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/02/16 18:28:20.0696 4024 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/02/16 18:28:21.0556 4024 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/02/16 18:28:22.0509 4024 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/02/16 18:28:23.0385 4024 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/02/16 18:28:24.0948 4024 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/02/16 18:28:26.0104 4024 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/02/16 18:28:27.0323 4024 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/02/16 18:28:28.0230 4024 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/02/16 18:28:30.0543 4024 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/02/16 18:28:32.0622 4024 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/02/16 18:28:34.0216 4024 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/02/16 18:28:36.0435 4024 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/02/16 18:28:37.0998 4024 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/02/16 18:28:39.0452 4024 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/02/16 18:28:41.0249 4024 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/02/16 18:28:42.0797 4024 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/02/16 18:28:43.0688 4024 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/02/16 18:28:44.0907 4024 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/02/16 18:28:45.0782 4024 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/02/16 18:28:46.0939 4024 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/02/16 18:28:47.0626 4024 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/02/16 18:28:48.0314 4024 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/02/16 18:28:49.0127 4024 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/02/16 18:28:50.0690 4024 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/02/16 18:28:51.0612 4024 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/02/16 18:28:56.0660 4024 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2011/02/16 18:28:57.0348 4024 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2011/02/16 18:28:58.0161 4024 PortTalk (7d5a2d755b6c6579f63657b527d6ff1b) C:\WINDOWS\system32\Drivers\PortTalk.sys
    2011/02/16 18:28:58.0989 4024 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/02/16 18:28:59.0895 4024 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/02/16 18:29:00.0646 4024 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/02/16 18:29:01.0333 4024 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/02/16 18:29:02.0131 4024 QCDonner (fddd1aeb9f81ef1e6e48ae1edc2a97d6) C:\WINDOWS\system32\DRIVERS\OVCD.sys
    2011/02/16 18:29:02.0787 4024 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    2011/02/16 18:29:03.0475 4024 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    2011/02/16 18:29:04.0131 4024 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    2011/02/16 18:29:04.0850 4024 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    2011/02/16 18:29:05.0569 4024 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    2011/02/16 18:29:06.0288 4024 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/02/16 18:29:07.0335 4024 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/02/16 18:29:08.0179 4024 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/02/16 18:29:08.0851 4024 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/02/16 18:29:09.0617 4024 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/02/16 18:29:10.0383 4024 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/02/16 18:29:11.0243 4024 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/02/16 18:29:12.0384 4024 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/02/16 18:29:13.0368 4024 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/02/16 18:29:15.0494 4024 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
    2011/02/16 18:29:17.0510 4024 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    2011/02/16 18:29:19.0526 4024 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/02/16 18:29:21.0355 4024 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/02/16 18:29:22.0824 4024 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/02/16 18:29:24.0653 4024 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    2011/02/16 18:29:25.0434 4024 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/02/16 18:29:26.0419 4024 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    2011/02/16 18:29:27.0482 4024 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/02/16 18:29:28.0591 4024 sptd (a199171385be17973fd800fa91f8f78a) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/02/16 18:29:28.0591 4024 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: a199171385be17973fd800fa91f8f78a
    2011/02/16 18:29:28.0654 4024 sptd - detected Locked file (1)
    2011/02/16 18:29:29.0654 4024 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/02/16 18:29:30.0842 4024 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/02/16 18:29:32.0139 4024 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2011/02/16 18:29:33.0859 4024 STHDA (32c6df3f7d1241fd8348498b31152131) C:\WINDOWS\system32\drivers\sthda.sys
    2011/02/16 18:29:35.0969 4024 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/02/16 18:29:36.0688 4024 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/02/16 18:29:37.0672 4024 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/02/16 18:29:38.0407 4024 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2011/02/16 18:29:39.0329 4024 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2011/02/16 18:29:40.0517 4024 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2011/02/16 18:29:41.0220 4024 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2011/02/16 18:29:41.0970 4024 SynTP (c8cc806f0506e9f168750371d37eee18) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/02/16 18:29:42.0736 4024 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/02/16 18:29:43.0643 4024 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/02/16 18:29:44.0674 4024 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
    2011/02/16 18:29:45.0815 4024 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/02/16 18:29:46.0784 4024 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/02/16 18:29:47.0816 4024 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/02/16 18:29:48.0847 4024 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    2011/02/16 18:29:49.0660 4024 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
    2011/02/16 18:29:49.0957 4024 UCORESYS (9555d36fb21b993e5c4b98c2fc2b3671) C:\SwSetup\SP45107\UCORESYS.SYS
    2011/02/16 18:29:50.0832 4024 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/02/16 18:29:51.0817 4024 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    2011/02/16 18:29:52.0630 4024 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/02/16 18:29:54.0130 4024 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/02/16 18:29:54.0708 4024 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/02/16 18:29:55.0302 4024 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/02/16 18:29:55.0974 4024 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/02/16 18:29:56.0725 4024 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/02/16 18:29:57.0491 4024 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/02/16 18:29:58.0272 4024 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/02/16 18:29:59.0022 4024 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/02/16 18:29:59.0772 4024 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    2011/02/16 18:30:00.0585 4024 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/02/16 18:30:01.0398 4024 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/02/16 18:30:02.0351 4024 vsdatant (e666493586aba03b73bce4e5ebc40289) C:\WINDOWS\system32\vsdatant.sys
    2011/02/16 18:30:03.0461 4024 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/02/16 18:30:04.0743 4024 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/02/16 18:30:05.0493 4024 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/02/16 18:30:06.0149 4024 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2011/02/16 18:30:06.0790 4024 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/02/16 18:30:07.0478 4024 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/02/16 18:30:08.0134 4024 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/02/16 18:30:08.0931 4024 yukonwxp (849494d3f85a45231744ca7470246c71) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
    2011/02/16 18:30:09.0260 4024 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/02/16 18:30:09.0275 4024 ================================================================================
    2011/02/16 18:30:09.0275 4024 Scan finished
    2011/02/16 18:30:09.0275 4024 ================================================================================
    2011/02/16 18:30:09.0322 3120 Detected object count: 2
    2011/02/16 18:31:54.0087 3120 Locked file(sptd) - User select action: Skip
    2011/02/16 18:31:54.0166 3120 \HardDisk0 - will be cured after reboot
    2011/02/16 18:31:54.0166 3120 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure




    ComboFix Log

    ComboFix 11-02-16.01 - Owner 02/16/2011 20:27:37.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.587 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Pro Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\Local
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\100.3986674.avi&b=153(2).ddr
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\100.3986674.avi&b=153.ddr
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\3.ddi
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\4.ddi
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\settings.ddi
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\100.3986674.avi&b=153
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\100.3986674.avi&b=153(2).ddp
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\100.3986674.avi&b=153(3).ddp
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\100.3986674.avi&b=153(4).ddp
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\100.3986674.avi&b=153(5).ddp
    c:\documents and settings\Owner\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\100.3986674.avi&b=153.ddp
    C:\install.exe
    c:\program files\Common Files\Uninstall
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IAS
    -------\Legacy_ZWUNZI_SERVICE
    -------\Service_Ias


    ((((((((((((((((((((((((( Files Created from 2011-01-17 to 2011-02-17 )))))))))))))))))))))))))))))))
    .

    2011-02-14 09:39 . 2010-12-03 19:35 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
    2011-02-14 05:40 . 2011-02-14 05:40 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-02-14 05:40 . 2011-02-14 05:40 -------- d-----w- c:\program files\Trend Micro
    2011-02-09 10:14 . 2011-02-09 10:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2011-02-09 10:13 . 2011-02-09 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-09 07:48 . 2011-02-16 08:12 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-03 06:50 . 2011-02-09 10:23 -------- d-----w- c:\documents and settings\All Users\Application Data\pHaKeLj10600
    2011-01-22 23:46 . 2011-01-22 23:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-13 13:40 . 2009-12-09 10:00 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-13 13:40 . 2009-12-09 10:00 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2010-01-26 1724728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
    "IDTSysTrayApp"="sttray.exe" [2008-08-30 442477]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-28 471040]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-01 1343488]
    "coreworks"="c:\program files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe" [2008-08-22 780776]
    "HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-22 1011080]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-09-04 722288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Zwunzi Service"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57412:TCP"= 57412:TCP:pando Media Booster
    "57412:UDP"= 57412:UDP:pando Media Booster
    "56309:TCP"= 56309:TCP:pando Media Booster
    "56309:UDP"= 56309:UDP:pando Media Booster
    "443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
    "443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
    "37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
    "37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
    "37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
    "37676:TCP"= 37676:TCP:*:Disabled:ooVoo TCP port 37676
    "37676:UDP"= 37676:UDP:*:Disabled:ooVoo UDP port 37676
    "37677:UDP"= 37677:UDP:*:Disabled:ooVoo UDP port 37677
    "58516:TCP"= 58516:TCP:pando Media Booster
    "58516:UDP"= 58516:UDP:pando Media Booster

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/18/2010 5:37 PM 436792]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/9/2009 5:00 AM 135336]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [9/4/2009 7:53 AM 25208]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [9/4/2009 7:54 AM 435568]
    R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [6/27/2008 1:41 PM 345336]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/26/2009 5:15 PM 112128]
    R3 mdvsrv;HP Connection Manager Service;c:\program files\HPQ\HP Connection Manager 1.1\bin\mdvsrv.exe [8/21/2008 8:51 PM 575976]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
    S3 cpuz130;cpuz130;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
    S3 icsak;icsak;\??\c:\program files\CheckPoint\ZAForceField\AK\icsak.sys --> c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/15/2008 7:00 AM 14336]
    S3 PortTalk;PortTalk;c:\windows\system32\drivers\porttalk.sys [2/6/2010 4:16 AM 3567]
    S3 UCORESYS;UCORESYS;c:\swsetup\SP45107\UCORESYS.SYS [7/24/2008 6:16 PM 15432]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ttmedoyq.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: ZoneAlarm Toolbar: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(general.useragent.extra.brc,
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-eyeBeam SIP Client - (no file)
    HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
    MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\daemon.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-16 20:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(748)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'lsass.exe'(804)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'explorer.exe'(2104)
    c:\windows\system32\WININET.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\btmmhook.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\IDT\WDM\STacSV.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\sttray.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\hpq\hp connection manager 1.1\bin\gbx4log.exe
    c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe
    c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-16 21:02:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-17 02:02

    Pre-Run: 36,854,681,600 bytes free
    Post-Run: 36,930,723,840 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - BABAE73E12E779BCBBDB77C73ECA7D07






    And finally, The Security checkup Log.

    Results of screen317's Security Check version 0.99.8
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Avira AntiVir Personal - Free Antivirus
    ZoneAlarm Pro
    ZoneAlarm Toolbar
    Avira successfully updated!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    CCleaner
    Java(TM) 6 Update 17
    Java(TM) 6 Update 6
    Out of date Java installed!
    Adobe Flash Player 10.2.152.26
    Adobe Reader 9.4.1
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    Zone Labs ZoneAlarm zlclient.exe
    ``````````End of Log````````````




    Thanks again for your help, It's highly appreciated.
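    Added example (my own code, not part of this thread and not Kaspersky's TDSSKiller): a small Python triage parser for the TDSSKiller log format posted above. It reads the per-driver inventory lines, the "Suspicious file" warning, the "detected" lines, the tool's own "Detected object count", the "User select action" lines and the "will be cured after reboot" notice, ties actions back to the objects they refer to, and reports which flagged objects were left unresolved. The sample input is constructed from the shape of the lines in the log above; the regexes and the `Finding`/`Report` structures are my own assumptions about the format, not anything published by the tool.

```python
"""Triage helper for TDSSKiller text logs (added example, not TDSSKiller's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the TDSSKiller log posted above:
# two ordinary driver entries, one locked-file warning, one rootkit hit,
# and the post-scan lines that record what the user chose to do.
SAMPLE_LOG = """\
2011/02/16 18:29:28.0591 4024 sptd (a199171385be17973fd800fa91f8f78a) C:\\WINDOWS\\system32\\Drivers\\sptd.sys
2011/02/16 18:29:28.0591 4024 Suspicious file (NoAccess): C:\\WINDOWS\\system32\\Drivers\\sptd.sys. md5: a199171385be17973fd800fa91f8f78a
2011/02/16 18:29:28.0654 4024 sptd - detected Locked file (1)
2011/02/16 18:29:29.0654 4024 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\\WINDOWS\\system32\\DRIVERS\\sr.sys
2011/02/16 18:30:09.0260 4024 \\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/16 18:30:09.0322 3120 Detected object count: 2
2011/02/16 18:31:54.0087 3120 Locked file(sptd) - User select action: Skip
2011/02/16 18:31:54.0166 3120 \\HardDisk0 - will be cured after reboot
2011/02/16 18:31:54.0166 3120 Rootkit.Win32.TDSS.tdl4(\\HardDisk0) - User select action: Cure
"""

# Every line carries a timestamp and the id of the thread that logged it.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")              # name (md5) path
SUSPICIOUS_RE = re.compile(r"^Suspicious file \((\w+)\): (.+?)\. md5: ([0-9a-f]{32})$")
DETECTED_RE = re.compile(r"^(.+?) - detected (.+?) \((\d+)\)$")           # object - detected verdict (n)
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")
ACTION_RE = re.compile(r"^(.+?)\((.+)\) - User select action: (\w+)$")   # verdict(object) - ... action
CURE_RE = re.compile(r"^(.+?) - will be cured after reboot$")


@dataclass
class Finding:
    obj: str                       # driver name or device, e.g. "\\HardDisk0"
    verdict: str                   # "Locked file", "Rootkit.Win32.TDSS.tdl4", ...
    index: int                     # trailing number TDSSKiller prints in parentheses
    action: str = "none"           # what the user chose: Skip, Cure, Delete, ...
    cured_on_reboot: bool = False  # "will be cured after reboot" was logged for it


@dataclass
class Report:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)     # name -> (md5, path)
    suspicious: List[Tuple[str, str, str]] = field(default_factory=list)  # (path, reason, md5)
    findings: Dict[str, Finding] = field(default_factory=dict)            # object -> Finding
    declared_count: Optional[int] = None


def parse_tdsskiller(text: str) -> Report:
    """Parse a TDSSKiller log into driver inventory, findings and chosen actions."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if (s := SUSPICIOUS_RE.match(msg)):
            rep.suspicious.append((s.group(2), s.group(1), s.group(3)))
        elif (d := DETECTED_RE.match(msg)):
            rep.findings[d.group(1)] = Finding(d.group(1), d.group(2), int(d.group(3)))
        elif (c := COUNT_RE.match(msg)):
            rep.declared_count = int(c.group(1))
        elif (a := ACTION_RE.match(msg)):
            # The action line names the object inside parentheses; tie it back
            # to the finding recorded for that object during the scan.
            obj, action = a.group(2), a.group(3)
            if obj in rep.findings:
                rep.findings[obj].action = action
        elif (u := CURE_RE.match(msg)):
            if u.group(1) in rep.findings:
                rep.findings[u.group(1)].cured_on_reboot = True
        elif (dr := DRIVER_RE.match(msg)):
            rep.drivers[dr.group(1)] = (dr.group(2), dr.group(3))
    return rep


def count_matches(rep: Report) -> bool:
    """True when the parsed findings agree with the tool's own object count."""
    return rep.declared_count == len(rep.findings)


def outstanding(rep: Report) -> List[str]:
    """Objects the scan flagged that were neither cured nor scheduled for cure."""
    return sorted(o for o, f in rep.findings.items()
                  if f.action != "Cure" and not f.cured_on_reboot)


if __name__ == "__main__":
    report = parse_tdsskiller(SAMPLE_LOG)
    for f in report.findings.values():
        print(f"{f.obj}: {f.verdict} -> action={f.action}, cure on reboot={f.cured_on_reboot}")
    print("still outstanding:", outstanding(report))
```

    On the sample, `outstanding()` returns only `sptd`: the locked file that the user chose to skip. That entry is the SCSI pass-through driver installed by CD-emulation software (the ComboFix log above lists DAEMON Tools Lite under MSConfigStartUp), so a locked sptd.sys is an expected side effect of that software rather than a second infection. The item that matters for follow-up is the TDL4 hit on \HardDisk0, which the parser shows as both "Cure" and "will be cured after reboot"; a clean re-scan after the reboot is what confirms the cure actually took.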
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Hiya Motorbreath,

    Proceed as follows please :-

    Step 1

    Please download DeFogger to your desktop.
    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
    Do not re-enable these drivers until otherwise instructed.

    Step 2

    Uninstall the following from Add/Remove Programs:

    Java(TM) 6 Update 6

    Step 3

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [​IMG] button.
    • Push [​IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions are available Here. Please read them before running the scan.

    Also be aware this scan can take between one and several hours to complete depending on the size of your system.

    Post the ESET log in your next reply; also tell me how the system is responding, any issues?

    Kevin
     
  7. Motorbreath

    Motorbreath Thread Starter

    Joined:
    Feb 12, 2011
    Messages:
    10
    Hello Kevin!

    Sorry I've taken so long to reply; work's been dreadful.

    As far as computer performance,
    I can say it's not redirecting any searches (so far)
    and it's not so sluggish when surfing, BUT - my computer does take a longer than normal time to load up after I sign in to my account - the start menu bar doesn't even show for at least 2 minutes, nor do the shortcuts on my desktop screen. I'm assuming this is because of all the things I've downloaded to help my problem, but who knows *shrugs*
    Well, here are the logs you've requested.

    Defogger Log

    defogger_disable by jpshortstuff (23.02.10.1)
    Log created at 03:45 on 18/02/2011 (Owner)

    Checking for autostart values...
    HKCU\~\Run values retrieved.
    HKLM\~\Run values retrieved.

    Checking for services/drivers...
    Unable to read sptd.sys
    SPTD -> Disabled (Service running -> reboot required)


    -=E.O.F=-

    ESET scan

    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\65715e50-77a93ff1 multiple threats deleted - quarantined
     
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Hiya motorbreath,

    Good to hear the redirects have stopped; we can remove the tools etc. later.

    Proceed as follows please :-

    Step 1

    Follow the instructions Here to clear the Java Cache and get rid of the exploits.

    Step 2

    Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

    Please go to the link below to update.

    Adobe Reader (untick the Free McAfee® Security Scan Plus)

    Step 3

    You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version.
    For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
    The most current version of Sun Java is: Java Runtime Environment Version 6 Update 23.

    • Go to Sun Java
    • Select Windows 7/XP/Vista/2000/2003/2008. If using a 64-bit OS, select Information about the 64-bit Java plug-in and follow the prompts.
    • Install the new version by running the newly downloaded file with the Java icon, which will be on your desktop, and follow the on-screen instructions.
    • Reboot your computer

    Step 4

    Download and scan with CCleaner

    1. Use either one of the two free links below the Premium version.
    2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours"
    3. Then select the items you wish to clean up.

    In the Windows Tab:

    • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section.
    • Clean all entries in the "Advanced" section.
    • Clean any others that you choose.


    In the Applications Tab:
    • Clean all except cookies in the Firefox/Mozilla section if you use it.
    • Clean all in the Opera section if you use it.
    • Clean Sun Java in the Internet Section.
    • Clean any others that you choose.
    • Make sure "Wipe free space" is unticked; this will dramatically increase scan time if selected.

    4. Click the "Run Cleaner" button.
    5. A pop up box will appear advising this process will permanently delete files from your system.
    6. Click "OK" and it will scan and clean your system.
    7. Click "exit" when done.

    Step 5

    Re-open CCleaner, select Tools > Startup; in the bottom right-hand corner select Save to text file; name the file and save it somewhere handy, say your Desktop. Copy and paste the info from that file into your next reply.

    Let me know if the other steps completed OK...

    Kevin
     
  9. Motorbreath

    Motorbreath Thread Starter

    Joined:
    Feb 12, 2011
    Messages:
    10
    Hello Kevin!

    Thanks for all your help, things seem to be getting back to normal.
    I've done everything you've asked me to, but I ran across a small issue with CCleaner.
    I ran the cleaner, everything went through fine - but when I go to Tools > Startup, there isn't a "Copy to text" option. (I'm running version 2.28.1091.) But in the Uninstall section there is, so I went ahead and did that just in case.
    Here is that log.

    Java(TM) 6 Update 24 Sun Microsystems, Inc. 6.0.240
    Marvell Miniport Driver Marvell 10.62.1.3
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2 Microsoft Corporation 2.2.30729
    Microsoft .NET Framework 3.0 Service Pack 2 Microsoft Corporation 3.2.30729
    Microsoft .NET Framework 3.5 SP1 Microsoft Corporation
    Microsoft Office PowerPoint Viewer 2007 (English) Microsoft Corporation 12.0.4518.1014
    Microsoft Office Word 2007 Microsoft Corporation 12.0.4518.1014
    Microsoft Silverlight Microsoft Corporation 4.0.50917.0
    Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 8.0.59193
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Corporation 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Corporation 9.0.30729.4148
    Microsoft Works Microsoft Corporation 9.7.0621
    Mozilla Firefox (3.6.13) Mozilla 3.6.13 (en-US)
    MSN
    MSXML 4.0 SP2 (KB954430) Microsoft Corporation 4.20.9870.0
    MSXML 4.0 SP2 (KB973688) Microsoft Corporation 4.20.9876.0
    MSXML 6.0 Parser Microsoft Corporation 6.10.1129.0
    MSXML4 Parser Microsoft Game Studios 1.0.0
    Pando Media Booster Pando Networks Inc. 2.3.5.2
    Qualcomm Gobi Driver Package for HP QUALCOMM 1.0.6
    Qualcomm Gobi Images for HP QUALCOMM 1.0.9
    QuickTime Apple Inc. 7.68.75.0
    Synaptics Pointing Device Driver Synaptics 11.2.2.0
    Viewpoint Media Player
    WIDCOMM Bluetooth Software 5.5.0.4100
    Windows Backup Utility Microsoft Corporation 5.1
    Windows Driver Package - SMSC LAN9500 USB 2.0 to Ethernet 10/100 Adapter x64 Driver (05/12/2008 1.52.0000.0000) SMSC 05/12/2008 1.52.0000.0000
    Windows Driver Package - SMSC LAN9500 USB 2.0 to Ethernet 10/100 Adapter x86 Driver (05/12/2008 1.52.0000.0000) SMSC 05/12/2008 1.52.0000.0000
    Windows Internet Explorer 8 Microsoft Corporation 20090308.140743
    Windows Media Format 11 runtime
    Windows Media Player 11
    ZoneAlarm Pro Check Point, Inc 9.0.112.000
    ZoneAlarm Toolbar Check Point Software Technologies
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    You really need to update CCleaner to version 3.02.1343; your version is outdated and no good anymore. I wanted to see your startup list, not the uninstall list.

    No worries, run the following; it will sort them out for you:

    Download Startuplite by Malwarebytes and save it to a convenient location. Double click StartUpLite.exe. Select all options you would like executed and select continue.

    Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

    Kevin
     
  11. Motorbreath

    Motorbreath Thread Starter

    Joined:
    Feb 12, 2011
    Messages:
    10
    Hey Kevin, again sorry for taking years to reply -
    Here is the log you originally requested.
    What would you suggest I cancel out with the program you told me to use?

    Yes HKCU:Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    Yes HKLM:Run IgfxTray C:\WINDOWS\system32\igfxtray.exe
    Yes HKLM:Run HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
    Yes HKLM:Run Persistence C:\WINDOWS\system32\igfxpers.exe
    Yes HKLM:Run IDTSysTrayApp sttray.exe
    Yes HKLM:Run AESTFltr "C:\WINDOWS\system32\AESTFltr.exe" /NoDlg
    Yes HKLM:Run SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    Yes HKLM:Run coreworks "C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe" runatstartup
    Yes HKLM:Run HP Mobile Broadband c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
    Yes HKLM:Run hpWirelessAssistant C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    Yes HKLM:Run avgnt "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    Yes HKLM:Run ZoneAlarm Client "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    Yes HKLM:Run ISW "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    Yes HKLM:Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    Yes HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    Yes Startup Common Bluetooth.lnk C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    Hiya Motorbreath,

    This is my recommendation: stop the entries in red and let the green entries run.

    Yes HKCU:Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    Yes HKLM:Run IgfxTray C:\WINDOWS\system32\igfxtray.exe
    Yes HKLM:Run HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
    Yes HKLM:Run Persistence C:\WINDOWS\system32\igfxpers.exe
    Yes HKLM:Run IDTSysTrayApp sttray.exe
    Yes HKLM:Run AESTFltr "C:\WINDOWS\system32\AESTFltr.exe" /NoDlg
    Yes HKLM:Run SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    Yes HKLM:Run coreworks "C:\Program Files\HPQ\HP Connection Manager 1.1\bin\gbxapp.exe" runatstartup
    Yes HKLM:Run HP Mobile Broadband c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
    Yes HKLM:Run hpWirelessAssistant C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    Yes HKLM:Run avgnt "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    Yes HKLM:Run ZoneAlarm Client "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    Yes HKLM:Run ISW "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"

    Yes HKLM:Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    Yes HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    Yes Startup Common Bluetooth.lnk C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

    Let me know when you are complete, also any remaining issues. If all is now OK we can clean up and remove the tools we've used.

    Kevin
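    The startup list above is the kind of thing worth triaging systematically rather than by eye, especially because an export like this is free text with entry names that contain spaces. As an added example, not from the thread, from CCleaner or from StartupLite, here is a Python script that parses that export format: it splits each line into location, entry name and command line (the command is found by looking for an opening quote, a drive letter or a bare .exe token), recovers the image path from both quoted and unquoted command lines, and sorts entries into keep/optional/review buckets. The keep/optional file-name lists, the trusted directory roots and the reading of the leading Yes column as "enabled" are my assumptions, not the helper's recommendation; the embedded list is a constructed sample in the same layout as the one posted.

```python
"""Triage a CCleaner-style startup export: parse it, recover the image path, classify it."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the layout of the startup list posted above (not the poster's file).
SAMPLE_STARTUP = r"""
Yes HKCU:Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Yes HKLM:Run IDTSysTrayApp sttray.exe
Yes HKLM:Run AESTFltr "C:\WINDOWS\system32\AESTFltr.exe" /NoDlg
Yes HKLM:Run SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Yes HKLM:Run HP Mobile Broadband c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
Yes HKLM:Run avgnt "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
Yes HKLM:Run ZoneAlarm Client "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
Yes HKLM:Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
Yes Startup Common Bluetooth.lnk C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
"""

# Leading column assumed to be the enabled flag, then the autostart location, then the rest.
ENTRY_RE = re.compile(
    r"^(?P<enabled>Yes|No)\s+"
    r"(?P<location>HKCU:Run|HKLM:Run|HKCU:RunOnce|HKLM:RunOnce|Startup Common|Startup User)\s+"
    r"(?P<rest>.+)$"
)
# The entry name is free text; the command starts at a quote, a drive spec, or a bare *.exe token.
NAME_CMD_RE = re.compile(
    r'^(?P<name>.+?)\s+(?P<cmd>"[^"]+".*|[A-Za-z]:\\.*|\S+\.exe\b.*)$', re.IGNORECASE
)

# Classification lists are this example's assumptions, keyed on the image file name.
SECURITY = {"avgnt.exe", "avguard.exe", "zlclient.exe", "forcefield.exe"}  # AV / firewall
UPDATERS = {"jusched.exe", "adobearm.exe"}                                  # keep software patched
CONVENIENCE = {"qttask.exe", "reader_sl.exe"}                               # preloaders, safe to stop
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    enabled: bool
    location: str
    name: str
    command: str
    image: str
    verdict: str
    notes: tuple


def executable(cmd):
    """Recover the image path from a Run-key command line.

    Quoted paths are unambiguous. Unquoted ones are joined token by token until a
    token ends in .exe, which mirrors the left-to-right guess Windows itself makes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = []
    for tok in cmd.split():
        parts.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(parts)


def classify(image):
    """Bucket an image by file name and note path properties worth a second look."""
    base = PureWindowsPath(image).name.lower()
    notes = []
    if "\\" not in image:
        notes.append("bare filename, resolved by PATH search order")
    elif not image.lower().startswith(TRUSTED_ROOTS):
        notes.append("image outside Windows/Program Files")
    if base in SECURITY:
        verdict = "keep (security software)"
    elif base in UPDATERS:
        verdict = "keep (keeps software patched)"
    elif base in CONVENIENCE:
        verdict = "optional (convenience preloader)"
    else:
        verdict = "review (vendor/hardware helper)"
    return verdict, tuple(notes)


def parse(text):
    """Parse every non-blank line of an export into an Entry; reject lines we cannot read."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        nc = NAME_CMD_RE.match(m.group("rest"))
        if not nc:
            raise ValueError(f"cannot split name/command: {line!r}")
        image = executable(nc.group("cmd"))
        verdict, notes = classify(image)
        entries.append(Entry(m.group("enabled") == "Yes", m.group("location"),
                             nc.group("name"), nc.group("cmd"), image, verdict, notes))
    return entries


def summarize(entries):
    """Group entry names by verdict so the list can be reviewed bucket by bucket."""
    groups = {}
    for e in entries:
        groups.setdefault(e.verdict, []).append(e.name)
    return groups


if __name__ == "__main__":
    for e in parse(SAMPLE_STARTUP):
        flags = f"  [{'; '.join(e.notes)}]" if e.notes else ""
        print(f"{e.location:15} {e.name:28} {e.verdict}{flags}")
```

    Two of the notes the script raises are worth more than the buckets: an entry whose command is a bare file name (sttray.exe in the sample) is found through the PATH search order rather than at a fixed location, and an entry whose image lives outside the Windows and Program Files trees (the c:\SWsetup path) deserves a look at what put it there. Both are ordinary for OEM software, which is why they are flagged for review rather than treated as verdicts.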
     
  13. Motorbreath

    Motorbreath Thread Starter

    Joined:
    Feb 12, 2011
    Messages:
    10
    Hey Kevin,

    Well, I've done what you have asked - but I should mention that when I did use StartupLite it automatically stopped what startup tasks it thought should be stopped instead of me doing it manually. Is that normal?

    p.s. No issues whatsoever, besides the ridiculously slow start-up issue (as well as the "Hibernate" feature taking quite a bit longer than usual).
     
  14. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,361
    First Name:
    Kevin
    We still need to clean up the tools we've used, as follows please:-

    Step 1

    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the Run box and click OK. (Notice the space between the "x" and "/")
      [​IMG]
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Step 2

    • Download OTC by OldTimer and save it to your desktop. Alternative mirror
    • Double click [​IMG] icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose run as administrator
    • Then Click the big [​IMG] button.
    • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
    • Restart your computer when prompted.

    Step 3

    Remove the ESET Online Scanner components from your computer: start the Add or Remove Programs applet from Start > Control Panel, select the ESET Online Scanner entry and click Remove. This will happen very quickly; only reboot if prompted.

    Any tools or logs left on the Desktop can be safely deleted. Let me know if the above steps complete OK, especially the Combofix /Uninstall command.

    I'm not sure what is causing the slow start-up; I'm just wondering if ZoneAlarm and Avira may give that issue. How long have you used that setup? Were they running together prior to the infection?

    Kevin
     
Short URL to this thread: https://techguy.org/981079