View Full Version : Trojan help please!
tom8fallon8
2010-05-26, 00:27
Until it stopped working Firefox opened new tabs and redirected my search results on google etc. (I am having to use Internet Explorer, which I find is a lot slower than Firefox, freezes a lot of the time and also redirects my search results) clearly some kind of Spyware or Trojan.
Now some exe. files including the program files for Firefox won't open, Windows just says it can't find the program files. I've used Spybot Search and Destroy and installed Zone Alarm (whilst deleting McAfee as its awful though I've been told Zone Alarm isn't much better) and deleted a lot of Malware and at least 2 other Trojans using these software, but the trojan: Trojan.Win32.Scar.cftj keeps coming up in each scan on Zone Alarm and neither Zone Alarm or Spybot Search and Destroy can delete it, even after rebooting.
The Trojan's been messing around with my registry files and I couldn't system restore the computer (which I would have done to about two week ago, when I was free of all this). Any help would really be appreciated as I can't use the computer properly and it seems a lot slower than it was before.
Bare in mind, that the computer i'm using is around 6 years old and only has 1.5gb of ram and I put a gig in about a year ago, it is quite fast however (when free of viruses :)), for something of as rubbish a processor and as little ram.
Here is my HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:26:34, on 25/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra73.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [shell] C:\WINDOWS\system\rundll32.exe Owner
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [rdygfrah] C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ofkjccvxs\prbjrdttssd.exe
O4 - HKLM\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [rdygfrah] C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ofkjccvxs\prbjrdttssd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.eafootballworld.com
O15 - Trusted Zone: http://*.easports.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
--
End of file - 14670 bytes
---------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
shelf life
2010-05-30, 03:33
hi,
Your log is a few days old. If you still need help simply reply to my post.
tom8fallon8
2010-05-30, 11:27
Yes can you help please, I'll post a new log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:27:18, on 30/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra73.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [shell] C:\WINDOWS\system\rundll32.exe Owner
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [rdygfrah] C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ofkjccvxs\prbjrdttssd.exe
O4 - HKLM\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [rdygfrah] C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ofkjccvxs\prbjrdttssd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.eafootballworld.com
O15 - Trusted Zone: http://*.easports.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
--
End of file - 14495 bytes
shelf life
2010-05-30, 23:13
hi,
installed Zone Alarm (whilst deleting McAfee
Mcafee was your anti-virus application. Unless you installed a Zone alarm suite that included a anti-virus you are now with out a anti-virus. Spybot isnt anti-virus.
You have a back door installed.
First we will use hjt, then you can get a download to use and last you can get a free anti-virus from one of the links below
First use hjt then reboot machine.
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra73.exe,
O4 - HKLM\..\Run: [rdygfrah] C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ofkjccvxs\prbjrdttssd.exe
O4 - HKLM\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe
O4 - HKLM\..\Run: [shell] C:\WINDOWS\system\rundll32.exe Owner
O4 - HKLM\..\Run: [rdygfrah] C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ofkjccvxs\prbjrdttssd.exe
O4 - HKLM\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe
O4 - HKCU\..\Run: [rdygfrah] C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ofkjccvxs\prbjrdttssd.exe
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [xpjdrqwb] C:\Documents and Settings\NetworkService\Local Settings\Application Data\lnduskywu\xmlpbqgtssd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
Next: Malwarebytes:
Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click *Remove Selected.*
*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Third:
download, install update and scan with one of these free anti-virus apps, unless you have already installed a antivirus:
http://www.avast.com/security-software-home-office
http://free.avg.com/us-en/homepage
http://www.free-av.com/
after the above, post the Malwarebytes log, rescan with hjt and post a new hjt log also.
tom8fallon8
2010-05-31, 01:02
i've got the zone alarm security suite and i'm using the anti virus/anti spyware :)
shelf life
2010-05-31, 02:46
hi
i'm using the anti virus/anti spyware
ok good. Did you follow the rest of the directions, using hjt and getting Malwarebytes?
tom8fallon8
2010-05-31, 12:31
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4157
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
31/05/2010 10:17:49
mbam-log-2010-05-31 (10-17-49).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 236957
Time elapsed: 2 hour(s), 41 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Zbot) -> Data: c:\windows\system32\sdra73.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Zbot) -> Data: system32\sdra73.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra73.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\l0wsec (Trojan.Zbot) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\sdra73.exe (Trojan.Zbot) -> Delete on reboot.
C:\WINDOWS\Temp\19B.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\l0wsec\l0cal.ds (Trojan.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\l0wsec\us3r.ds (Trojan.Zbot) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:29:53, on 31/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra73.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.eafootballworld.com
O15 - Trusted Zone: http://*.easports.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
--
End of file - 13526 bytes
tom8fallon8
2010-05-31, 12:45
I can now open firefox but it's about half as quick as it used to be and is much more prone to freezing. However, it doesn't seem to be re-directing from Google. I know this may only be the start of the process though :D.
shelf life
2010-06-01, 00:13
ok thanks for the info. we will use hjt once more, then run MBAM again;
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra73.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
Check MBAM for updates and run it once more and post the log.
Suggestion for firefox is to backup your bookmarks, uninstall FF and reinstall it.
You want to do that? May be the quickest solution.
tom8fallon8
2010-06-01, 01:47
I've deleted the O2 one but the F2 seems to have already been deleted.
Here's the logfile just incase
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:45:15, on 31/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.eafootballworld.com
O15 - Trusted Zone: http://*.easports.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
--
End of file - 11148 bytes
Firefox seems to be as it used to now, same quick speed and rarely freezes i'll post my mbam log tomorrow as the scan takes about 2 1/2 hours to complete.
shelf life
2010-06-01, 03:44
ok tom8fallon8.
tom8fallon8
2010-06-01, 12:55
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4157
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
01/06/2010 02:33:54
mbam-log-2010-06-01 (02-33-54).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 237834
Time elapsed: 2 hour(s), 45 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
shelf life
2010-06-02, 00:14
Well that looks good. All is well now? Re-directs are gone?
tom8fallon8
2010-06-02, 01:29
firefox still sometimes directs links that I click on Google and it still ocaasionally opens new tabs and pages by itself. What would you recommend?
shelf life
2010-06-02, 03:03
ok. We will get one more download to use. Link and directions:
Please download: RootRepeal
http://ad13.geekstogo.com/RootRepeal.exe
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan
May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
tom8fallon8
2010-06-02, 15:11
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/02 12:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xAFDD3000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\RootRepeal report 06-02-10 (12-45-58).txt
Status: Visible to the Windows API, but not on disk.
Path: C:\RootRepeal report 06-02-10 (12-46-55).txt
Status: Visible to the Windows API, but not on disk.
Path: C:\Program Files\Mozilla Firefox\settings.dat
Status: Visible to the Windows API, but not on disk.
Path: C:\WINDOWS\Internet Logs\prefs.js
Status: Locked to the Windows API!
Path: c:\windows\internet logs\fwpktlog.txt
Status: Size mismatch (API: 4801, Raw: 4679)
Path: c:\windows\temp\av8.tmp
Status: Allocation size mismatch (API: 47251456, Raw: 42401792)
Path: c:\windows\temp\fla17.tmp
Status: Size mismatch (API: 7815157, Raw: 7004857)
Path: C:\WINDOWS\Prefetch\ROOTREPEAL(2).EXE-0F5ABE84.pf
Status: Visible to the Windows API, but not on disk.
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522908.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522909.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522910.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522911.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522912.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522913.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522914.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522915.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522916.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522917.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522918.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522919.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522920.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522921.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522922.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522923.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522924.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522926.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522927.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522928.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522929.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522930.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522931.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522932.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522933.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522934.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522935.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522936.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522937.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522938.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522939.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522940.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522941.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522942.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522944.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522945.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522946.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522947.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522948.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522949.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522950.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522951.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522952.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522953.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522954.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522955.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522956.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522957.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522958.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522959.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522960.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522962.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522963.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522964.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522965.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522966.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522967.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522968.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522969.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522970.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522971.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522972.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522973.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522974.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522975.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522976.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522977.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522978.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522980.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522981.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522982.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522983.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522984.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522985.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522986.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522987.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522988.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522989.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522990.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522991.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522992.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522993.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522994.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522995.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522996.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522998.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522999.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523000.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523001.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523002.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523003.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523004.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523005.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523006.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523007.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523008.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523009.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523010.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523011.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523012.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523013.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523014.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522925.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522943.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522961.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522979.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0522997.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523015.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523033.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523051.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523016.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523017.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523018.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523019.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523020.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523021.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523022.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523023.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523024.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523025.mfl
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523026.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523027.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523028.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523029.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523030.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523031.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523032.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523034.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523035.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523036.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523037.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523038.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523039.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523040.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523041.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523042.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523043.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523044.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523045.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523046.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523047.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523048.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523049.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523050.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523052.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523053.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523054.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523055.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523056.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523057.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523058.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523059.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523060.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523061.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523062.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523063.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523064.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523065.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523066.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523067.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\A0523068.RDB
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\change.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\RestorePointSize
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\rp.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\$hf_mig$\KB873333\snapshot
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\IswTmp\Logs\ISWSHEX.swl
Status: Locked to the Windows API!
Path: c:\documents and settings\networkservice\local settings\temporary internet files\content.ie5\tvh6r27c\051557_47[1].flv
Status: Allocation size mismatch (API: 2293760, Raw: 2228224)
Path: C:\Documents and Settings\HP_Owner\Local Settings\Apps\2.0\8W602J1O.LAE\L1B2KWAM.QY5\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!
Path: C:\Documents and Settings\HP_Owner\Local Settings\Apps\2.0\8W602J1O.LAE\L1B2KWAM.QY5\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!
SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1141542
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1141dba
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb101325a
#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1142dcc
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb100c83a
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb102e0ac
#: 043 Function Name: NtCreateMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1142ca4
#: 044 Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1141148
#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1013a2c
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1027f48
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1028370
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1032802
#: 051 Function Name: NtCreateSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1142efe
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1144784
#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1141a58
#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1013b8a
#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1144176
#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb100d6fc
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb102fb54
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb102f44a
#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1142524
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1026d2c
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1140e80
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1140f2a
#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1142330
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1005a2a
#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb103051e
#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb103075c
#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1032bbe
#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1141076
#: 114 Function Name: NtOpenEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1142e6e
#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb100d1ee
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1140592
#: 120 Function Name: NtOpenMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1142d3c
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb102a460
#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb11447ae
#: 126 Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1142fa0
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb102a04e
#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1040264
#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1140fd4
#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1140bfc
#: 167 Function Name: NtQuerySection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1144b50
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb114084c
#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb114449e
#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb10315e4
#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1030ed8
#: 194 Function Name: NtReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb114332a
#: 195 Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb11431f0
#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1012df2
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1032044
#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1145028
#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb11401fe
#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1013526
#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1141c76
#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb100db06
#: 227 Function Name: NtSetInformationObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1040128
#: 230 Function Name: NtSetInformationToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb114386c
#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1031b6c
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb10050b8
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb102eb6e
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1144d74
#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1144e9c
#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb102906c
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1028d9c
#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb114180e
#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1005e7c
#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1144a06
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1141998
Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb115271e
#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb11527e8
#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1152852
#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1152782
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb115227e
#: 312 Function Name: NtUserBuildHwndList
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb11528b4
#: 323 Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1152636
#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb115246c
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb11521e6
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb115256e
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb1152232
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1011a94
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1011bfa
#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1011d5e
#: 489 Function Name: NtUserRegisterUserApiHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1006bc2
#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb100f534
#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb10121e0
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb10072d2
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1006956
==EOF==
shelf life
2010-06-03, 00:32
ok thanks for the info. Lets get another look with Gmer. Link and directions:
See step # 8 for directions on using Gmer here (http://www.bleepingcomputer.com/forums/topic34773.html).
tom8fallon8
2010-06-03, 16:24
How long is this scan going to take? because its really affecting the computer's performance its making it seem like i've got 100 mb of ram and a dial up internet connection lol.
tom8fallon8
2010-06-03, 18:31
Well I left the computer for a few hours and it seems that its rebooted itself without saving any sort of log, and it doesn't give you any idea of how complete the scan is. Furthermore, the internet seems to crash on every page now, brilliant software, i'll reply again in about a years time when the computers finished scanning, at this rate I might just give up and buy a new computer.
tom8fallon8
2010-06-03, 23:55
Right, 5 hours later:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-03 21:38:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\kwgyakog.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB1138542]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwClose [0xB1138DBA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB100A25A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateEvent [0xB1139DCC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB100383A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB10250AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateMutant [0xB1139CA4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xB1138148]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB100AA2C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB101EF48]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB101F370]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB1029802]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateSemaphore [0xB1139EFE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB113B784]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwCreateThread [0xB1138A58]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB100AB8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xB113B176]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB10046FC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB1026B54]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB102644A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xB1139524]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB101DD2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwEnumerateKey [0xB1137E80]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xB1137F2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwFsControlFile [0xB1139330]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xB0FFCA2A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB102751E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB102775C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xB1029BBE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xB1138076]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenEvent [0xB1139E6E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB10041EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenKey [0xB1137592]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenMutant [0xB1139D3C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB1021460]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenSection [0xB113B7AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwOpenSemaphore [0xB1139FA0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB102104E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwProtectVirtualMemory [0xB1037264]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryKey [0xB1137FD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xB1137BFC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQuerySection [0xB113BB50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueryValueKey [0xB113784C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwQueueApcThread [0xB113B49E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB10285E4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB1027ED8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwReplyPort [0xB113A32A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xB113A1F0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB1009DF2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB1029044]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwResumeThread [0xB113C028]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSaveKey [0xB11371FE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB100A526]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetContextThread [0xB1138C76]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB1004B06]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationObject [0xB1037128]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSetInformationToken [0xB113A86C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB1028B6C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xB0FFC0B8]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB1025B6E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSuspendProcess [0xB113BD74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwSuspendThread [0xB113BE9C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB102006C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB101FD9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwTerminateThread [0xB113880E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xB0FFCE7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xB113BA06]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xB1138998]
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab) IoIsOperationSynchronous
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [2C, AA, 00, B1, 48, EF, 01, ...]
.text ntoskrnl.exe!_abnormal_termination + 114 804E2780 16 Bytes [02, 98, 02, B1, FE, 9E, 13, ...]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [2A, CA, FF, B0, 1E, 75, 02, ...]
.text ntoskrnl.exe!_abnormal_termination + 34C 804E29B8 16 Bytes [E4, 85, 02, B1, D8, 7E, 02, ...]
.text ntoskrnl.exe!_abnormal_termination + 3CC 804E2A38 1 Byte [06]
.text ...
.text ntoskrnl.exe!IoIsOperationSynchronous 804E876A 5 Bytes JMP B112DDAE \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512939 5 Bytes JMP B112D9D4 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wxp_x86]/Kaspersky Lab)
.rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xBA1EC394]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[244] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[244] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[244] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[244] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[244] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[244] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[244] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\HP_Owner\Desktop\gmer\gmer.exe[268] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\HP_Owner\Desktop\gmer\gmer.exe[268] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\HP_Owner\Desktop\gmer\gmer.exe[268] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\HP_Owner\Desktop\gmer\gmer.exe[268] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\HP_Owner\Desktop\gmer\gmer.exe[268] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\HP_Owner\Desktop\gmer\gmer.exe[268] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\HP_Owner\Desktop\gmer\gmer.exe[268] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Documents and Settings\HP_Owner\Desktop\gmer\gmer.exe[268] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[364] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[364] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[364] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[364] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[364] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[364] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[364] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[364] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[388] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[388] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[388] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[388] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[388] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[388] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[388] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[388] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[436] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[436] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[436] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[436] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[436] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[436] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[436] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Common Files\Motive\McciCMService.exe[436] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[500] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[500] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20C39270 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Bonjour\mDNSResponder.exe[528] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Bonjour\mDNSResponder.exe[528] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Bonjour\mDNSResponder.exe[528] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Bonjour\mDNSResponder.exe[528] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Bonjour\mDNSResponder.exe[528] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Bonjour\mDNSResponder.exe[528] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Bonjour\mDNSResponder.exe[528] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Bonjour\mDNSResponder.exe[528] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[548] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[548] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[548] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[548] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[548] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[548] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[548] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[548] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Mozilla Firefox\firefox.exe[600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 011E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 011C000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[600] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Mozilla Firefox\firefox.exe[600] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Mozilla Firefox\firefox.exe[600] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20C39270 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Mozilla Firefox\firefox.exe[600] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Mozilla Firefox\firefox.exe[600] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[684] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[684] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[684] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[684] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[684] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[684] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[684] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[684] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[744] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[744] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[744] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[744] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[744] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[744] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[744] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\winlogon.exe[744] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[792] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[792] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[792] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[792] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[792] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\services.exe[792] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[796] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[796] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[796] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[796] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[796] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[796] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[796] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\hkcmd.exe[796] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[856] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[856] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[856] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[856] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[856] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 209B37DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWDMP.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[856] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[856] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[856] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[856] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\AGRSMMSG.exe[872] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\AGRSMMSG.exe[872] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\AGRSMMSG.exe[872] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\AGRSMMSG.exe[872] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\AGRSMMSG.exe[872] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\AGRSMMSG.exe[872] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\AGRSMMSG.exe[872] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\AGRSMMSG.exe[872] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[924] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[924] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[924] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[924] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[924] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[924] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[924] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\spoolsv.exe[924] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1180] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1180] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0087000A
.text C:\WINDOWS\System32\svchost.exe[1180] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[1180] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AD000A
.text C:\WINDOWS\system32\lxdjcoms.exe[1264] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lxdjcoms.exe[1264] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lxdjcoms.exe[1264] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lxdjcoms.exe[1264] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
tom8fallon8
2010-06-03, 23:56
part 2
.text C:\WINDOWS\system32\lxdjcoms.exe[1264] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lxdjcoms.exe[1264] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lxdjcoms.exe[1264] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\lxdjcoms.exe[1264] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iTunes\iTunesHelper.exe[1400] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iTunes\iTunesHelper.exe[1400] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iTunes\iTunesHelper.exe[1400] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iTunes\iTunesHelper.exe[1400] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iTunes\iTunesHelper.exe[1400] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iTunes\iTunesHelper.exe[1400] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iTunes\iTunesHelper.exe[1400] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iTunes\iTunesHelper.exe[1400] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1580] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1580] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1580] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1580] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1580] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1580] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1580] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1580] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1624] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1624] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\Explorer.EXE[1624] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1660] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1660] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1660] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1660] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1660] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1660] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1660] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1660] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2084] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2084] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2084] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2084] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2084] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2084] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2084] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\ctfmon.exe[2084] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2176] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2176] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2176] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2176] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2176] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2176] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2176] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2176] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\windows\system\hpsysdrv.exe[2180] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\windows\system\hpsysdrv.exe[2180] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\windows\system\hpsysdrv.exe[2180] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\windows\system\hpsysdrv.exe[2180] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\windows\system\hpsysdrv.exe[2180] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\windows\system\hpsysdrv.exe[2180] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\windows\system\hpsysdrv.exe[2180] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\windows\system\hpsysdrv.exe[2180] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[2296] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[2296] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[2296] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[2296] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[2296] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[2296] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[2296] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\system32\svchost.exe[2296] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2412] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2412] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2412] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2412] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2412] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2412] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2412] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2412] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe[2480] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe[2480] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe[2480] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe[2480] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe[2480] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe[2480] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe[2480] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe[2480] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iPod\bin\iPodService.exe[2520] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iPod\bin\iPodService.exe[2520] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iPod\bin\iPodService.exe[2520] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iPod\bin\iPodService.exe[2520] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iPod\bin\iPodService.exe[2520] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iPod\bin\iPodService.exe[2520] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iPod\bin\iPodService.exe[2520] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\iPod\bin\iPodService.exe[2520] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2672] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2672] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2672] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2672] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2672] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2672] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2672] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe[2672] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[2680] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[2680] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[2680] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[2680] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\svchost.exe[2680] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2688] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2688] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2688] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2688] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2688] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2688] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2688] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2688] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2760] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2760] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2760] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2760] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2760] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2760] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2760] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Canon\CAL\CALMAIN.exe[2760] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[3228] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[3228] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[3228] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[3228] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[3228] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[3228] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[3228] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\WINDOWS\System32\alg.exe[3228] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\HP\KBD\KBD.EXE[3324] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\HP\KBD\KBD.EXE[3324] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\HP\KBD\KBD.EXE[3324] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\HP\KBD\KBD.EXE[3324] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\HP\KBD\KBD.EXE[3324] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\HP\KBD\KBD.EXE[3324] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\HP\KBD\KBD.EXE[3324] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\HP\KBD\KBD.EXE[3324] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[4008] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C38791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[4008] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C38D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[4008] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C389AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[4008] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C3846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[4008] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C38E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[4008] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C39036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[4008] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C3828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[4008] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C3825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
---- Devices - GMER 1.0.15 ----
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A20FCEC
---- Registry - GMER 1.0.15 ----
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D102BFF-A5E2-2B06-C79F-06FB20459A71}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D102BFF-A5E2-2B06-C79F-06FB20459A71}@iaacjdiipnlnlnenoa 0x6B 0x61 0x6D 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D102BFF-A5E2-2B06-C79F-06FB20459A71}@hagbpbafkmnjondn 0x6B 0x61 0x6D 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D102BFF-A5E2-2B06-C79F-06FB20459A71}@gapclgocpimnne 0x61 0x63 0x64 0x69 ...
---- Files - GMER 1.0.15 ----
File C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP485\A0537951.RDB 1830400 bytes
File C:\System Volume Information\_restore{D207F513-1AD2-4EA6-B9AE-1EC20364A2B0}\RP485\A0537969.RDB 1830400 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1PQV46HF\result[1].htm 0 bytes
File C:\WINDOWS\system32\DRIVERS\cdrom.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
shelf life
2010-06-04, 00:51
I have newer directions for Gmer, i pasted in the old one, my bad. You can run this utility, then we should done.
Please download TDSS Killer.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your desktop
Extract the zip file to your desktop.
Double click it to run. It will generate a log file in your root drive C:
Please post the log.
tom8fallon8
2010-06-04, 01:59
You mean this yeah?
23:54:03:812 2596 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
23:54:03:812 2596 ================================================================================
23:54:03:812 2596 SystemInfo:
23:54:03:812 2596 OS Version: 5.1.2600 ServicePack: 3.0
23:54:03:812 2596 Product type: Workstation
23:54:03:812 2596 ComputerName: YOUR-A52C34C618
23:54:03:812 2596 UserName: HP_Owner
23:54:03:812 2596 Windows directory: C:\WINDOWS
23:54:03:812 2596 Processor architecture: Intel x86
23:54:03:812 2596 Number of processors: 1
23:54:03:812 2596 Page size: 0x1000
23:54:03:828 2596 Boot type: Normal boot
23:54:03:828 2596 ================================================================================
23:54:08:312 2596 Initialize success
23:54:08:312 2596
23:54:08:312 2596 Scanning Services ...
23:54:08:750 2596 Raw services enum returned 377 services
23:54:08:765 2596
23:54:08:765 2596 Scanning Drivers ...
23:54:09:765 2596 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:54:10:203 2596 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:54:10:515 2596 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:54:10:718 2596 AegisP (2f7f3e8da380325866e566f5d5ec23d5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
23:54:10:937 2596 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
23:54:11:171 2596 AgereSoftModem (029e01cb2938bec5af31bf47b6af0159) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
23:54:11:640 2596 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
23:54:11:890 2596 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
23:54:12:156 2596 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
23:54:12:625 2596 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:54:12:828 2596 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:54:13:437 2596 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:54:13:984 2596 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:54:14:390 2596 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:54:14:781 2596 btaudio (3bc0afbd546162fe6ed6ccb15befad73) C:\WINDOWS\system32\drivers\btaudio.sys
23:54:15:000 2596 BTDriver (1d25fb8b6b073e6f4fb51034f734ea2c) C:\WINDOWS\system32\DRIVERS\btport.sys
23:54:15:234 2596 BTKRNL (9515d10ceaf284ab1a21934e1958d4fd) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
23:54:15:437 2596 BTSERIAL (af3cc52fc040a402a6ad07ac1bd4fe76) C:\WINDOWS\system32\drivers\btserial.sys
23:54:15:640 2596 BTSLBCSP (e233ae94f1b66ddbfbca9566d0f7fdba) C:\WINDOWS\system32\drivers\btslbcsp.sys
23:54:15:890 2596 BTWDNDIS (66bff2643e5f6a0f80208dde1c4b653a) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
23:54:16:093 2596 btwmodem (49d358c0f2eebdd545270f6935b63ad9) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
23:54:16:265 2596 BTWUSB (4272bab9291d26da5ac913bc79c3ce85) C:\WINDOWS\system32\Drivers\btwusb.sys
23:54:16:453 2596 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:54:16:656 2596 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:54:16:781 2596 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:54:17:031 2596 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:54:17:562 2596 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:54:17:968 2596 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:54:18:203 2596 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:54:18:500 2596 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:54:18:687 2596 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:54:19:078 2596 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:54:19:281 2596 eeCtrl (70aeac5d481b2904b40f2173e280b1b5) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
23:54:19:625 2596 ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
23:54:20:062 2596 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:54:20:578 2596 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:54:21:109 2596 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:54:21:468 2596 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:54:21:875 2596 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:54:22:250 2596 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:54:22:562 2596 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:54:23:140 2596 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
23:54:23:468 2596 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:54:24:015 2596 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:54:24:687 2596 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:54:25:859 2596 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:54:26:390 2596 ialm (0acebb31989cbf9a5663fe4a33d28d21) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
23:54:27:015 2596 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:54:27:843 2596 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
23:54:28:218 2596 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:54:28:671 2596 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:54:29:140 2596 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:54:29:500 2596 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:54:29:859 2596 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:54:30:343 2596 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:54:30:656 2596 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:54:31:046 2596 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:54:31:406 2596 ISWKL (408e827e1132696cae776f23056778c6) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
23:54:32:093 2596 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
23:54:32:609 2596 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:54:33:296 2596 kl1 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\kl1.sys
23:54:34:156 2596 KLIF (a11c971434468fa05815eec8228d63fd) C:\WINDOWS\system32\DRIVERS\klif.sys
23:54:34:546 2596 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
23:54:35:000 2596 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:54:35:437 2596 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:54:36:203 2596 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
23:54:36:781 2596 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
23:54:37:281 2596 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys
23:54:37:625 2596 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
23:54:37:968 2596 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
23:54:38:375 2596 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:54:38:703 2596 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:54:39:140 2596 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:54:39:609 2596 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:54:40:250 2596 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:54:41:421 2596 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
23:54:42:968 2596 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
23:54:43:968 2596 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:54:44:437 2596 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:54:44:812 2596 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:54:45:390 2596 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:54:45:796 2596 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:54:46:250 2596 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:54:46:781 2596 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:54:47:171 2596 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
23:54:47:609 2596 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:54:48:171 2596 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:54:48:578 2596 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:54:48:968 2596 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:54:49:234 2596 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
23:54:49:890 2596 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:54:50:421 2596 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:54:50:734 2596 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
23:54:51:000 2596 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:54:51:453 2596 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:54:51:734 2596 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:54:52:046 2596 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:54:52:421 2596 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:54:52:765 2596 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
23:54:53:125 2596 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
23:54:53:578 2596 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:54:54:078 2596 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:54:54:406 2596 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:54:54:875 2596 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:54:55:109 2596 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:54:56:390 2596 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
23:54:56:578 2596 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:54:56:765 2596 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
23:54:57:031 2596 Ps2 (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\system32\DRIVERS\PS2.sys
23:54:57:312 2596 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:54:57:609 2596 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:54:57:859 2596 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:54:59:593 2596 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:54:59:937 2596 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:55:00:312 2596 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:55:00:609 2596 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:55:01:000 2596 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:55:01:328 2596 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:55:01:734 2596 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
23:55:02:218 2596 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:55:02:625 2596 RT73 (bf4709c002d632170dc15a282813d6b3) C:\WINDOWS\system32\DRIVERS\rt73.sys
23:55:02:921 2596 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
23:55:03:140 2596 se59bus (7c38fc284136981ebe002252fa0900d3) C:\WINDOWS\system32\DRIVERS\se59bus.sys
23:55:03:343 2596 se59mdfl (3ced539f4373ccf8d3fe71ae51053d5d) C:\WINDOWS\system32\DRIVERS\se59mdfl.sys
23:55:03:562 2596 se59mdm (c6a6aa039d14f2ea1998e5f922014067) C:\WINDOWS\system32\DRIVERS\se59mdm.sys
23:55:03:843 2596 se59mgmt (7eecfa334292b1cd8de4990b63e02360) C:\WINDOWS\system32\DRIVERS\se59mgmt.sys
23:55:04:156 2596 se59nd5 (555895a241611c59ce057c42bc8b6e85) C:\WINDOWS\system32\DRIVERS\se59nd5.sys
23:55:04:796 2596 se59obex (729dfa6451b7356834bfa6faec9e3092) C:\WINDOWS\system32\DRIVERS\se59obex.sys
23:55:05:484 2596 se59unic (5f453e3e797dbeefe35869dc0239effa) C:\WINDOWS\system32\DRIVERS\se59unic.sys
23:55:06:312 2596 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:55:06:750 2596 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:55:07:328 2596 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
23:55:07:656 2596 sfdrv01 (4c0d673281178cb496011a2e28571fc8) C:\WINDOWS\system32\drivers\sfdrv01.sys
23:55:08:062 2596 sfhlp02 (15be2b5e4dc5b8623cf167720682abc9) C:\WINDOWS\system32\drivers\sfhlp02.sys
23:55:08:515 2596 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:55:09:109 2596 SiS315 (020467b4ee7f73c304943bf0e3e4d526) C:\WINDOWS\system32\DRIVERS\sisgrp.sys
23:55:09:531 2596 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys
23:55:09:859 2596 SiSkp (02960a9c3f4e5178edbd9c0d2d995b3b) C:\WINDOWS\system32\DRIVERS\srvkp.sys
23:55:10:468 2596 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:55:10:953 2596 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:55:11:265 2596 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
23:55:11:781 2596 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:55:12:187 2596 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:55:13:515 2596 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:55:13:953 2596 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:55:14:359 2596 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:55:14:640 2596 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:55:15:093 2596 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:55:16:031 2596 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:55:16:781 2596 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:55:17:171 2596 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
23:55:17:531 2596 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
23:55:17:718 2596 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:55:18:125 2596 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:55:18:375 2596 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:55:18:703 2596 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
23:55:19:140 2596 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:55:19:359 2596 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:55:19:640 2596 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:55:20:093 2596 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:55:20:437 2596 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:55:20:953 2596 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
23:55:21:250 2596 viagfx (220d565a3afdea901dabc67a5c81a121) C:\WINDOWS\system32\DRIVERS\vtmini.sys
23:55:21:531 2596 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
23:55:21:781 2596 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:55:22:078 2596 vsdatant (ba3dcd8da2e4f17dfea68af3bd0aed17) C:\WINDOWS\system32\vsdatant.sys
23:55:22:328 2596 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:55:23:671 2596 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:55:24:265 2596 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:55:24:796 2596 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
23:55:24:812 2596
23:55:24:812 2596 Completed
23:55:24:812 2596
23:55:24:812 2596 Results:
23:55:24:812 2596 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:55:24:812 2596 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:55:24:812 2596
23:55:25:078 2596 KLMD(ARK) unloaded successfully
shelf life
2010-06-04, 03:09
ok thanks for the info. That last log you ran looks good. You can delete the Gmer icon from your desktop. One more download to run. Its called Combofix. There is a short guide to read first. Read through the guide then apply the directions on your own machine. Post the combofix log.
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
tom8fallon8
2010-06-04, 04:49
ComboFix 10-06-03.01 - HP_Owner 04/06/2010 1:40.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.1036 [GMT 1:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc10.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc103.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc105.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc106.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc107.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc10A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc10B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc11.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc112.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc113.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc114.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc115.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc116.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc119.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc11F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc12.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc121.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc123.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc124.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc125.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc126.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc127.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc12C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc12E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc12F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc13.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc130.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc131.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc133.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc134.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc13B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc13D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc14.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc143.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc144.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc146.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc14C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc14F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc15.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc150.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc151.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc152.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc153.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc155.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc156.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc15F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc16.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc16E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc16F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc17.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc174.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc175.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc178.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc179.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc17A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc17E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc18.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc180.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc186.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc18D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc18E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc19.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc190.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc195.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc19B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc19E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1A2.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1A5.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1B4.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1BA.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1BF.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1C2.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1CA.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1D0.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1D3.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1EE.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc1F5.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc20.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc200.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc20B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc20C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc21.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc21F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc22.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc225.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc23.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc233.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc234.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc24.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc24C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc25.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc258.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc25B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc26.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc269.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc27.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc28.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc288.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc28D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc29.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc29D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2AF.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2DD.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2EE.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc2F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc30.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc31.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc313.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc31B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc31F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc32.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc33.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc333.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc34.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc35.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc36.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc37.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc38.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc384.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc39.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc395.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3C8.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3D0.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3D5.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc3F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc4.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc40.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc40A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc41.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc42.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc42E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc43.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc43F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc44.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc45.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc46.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc47.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc48.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc483.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc49.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc4A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc4B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc4C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc4CD.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc4D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc4E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc4F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc5.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc50.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc50F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc51.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc52.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc52C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc53.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc54.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc54B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc55.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc55B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc56.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc57.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc58.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc59.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc598.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc5A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc5B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc5C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc5D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc5D3.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc6.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc61.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc64.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc67.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc68.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc69.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc69B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc6C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc7.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc70.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc74.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc75.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc76.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc77.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc78.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc79.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc7A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc7B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc7C.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc7E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc7F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc8.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc80.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc81.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc82.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc84.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc87.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc87E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc88.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc8A.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc8B.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc8F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc9.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc91.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc94.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc96.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc98.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc99.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc9D.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc9E.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mcc9F.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccA.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccA2.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccA5.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccAD.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccB.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccB3.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccB4.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccB6.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccB7.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccBA.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccBB.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccBC.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccBD.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccBE.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccC.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccC3.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccC5.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccC7.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccC8.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccC9.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccCE.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccD.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccD1.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccD4.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccD5.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccD7.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccD8.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccDB.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccDE.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE0.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE1.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE2.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE3.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE4.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE5.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE6.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE7.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccE9.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccEA.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccEB.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccED.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccF.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccF3.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccF5.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccF6.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccFB.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccFE.tmp
c:\documents and settings\HP_Owner\Local Settings\Temporary Internet Files\mccFF.tmp
c:\windows\system32\tmp.reg
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.
2010-06-03 15:31 . 2010-06-03 15:31 93056 ----a-w- C:\kwgyakog.sys
2010-06-02 22:23 . 2010-06-02 22:23 -------- d-----w- c:\documents and settings\HP_Owner\Downloads
2010-05-30 22:31 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-30 22:30 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 17:56 . 2010-05-25 17:56 388096 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-25 17:56 . 2010-05-25 17:56 -------- d-----w- c:\program files\Trend Micro
2010-05-22 23:01 . 2010-05-22 23:01 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\MakeitOne
2010-05-22 23:01 . 2010-05-22 23:01 -------- d-----w- c:\program files\MakeitOne
2010-05-22 22:55 . 2010-05-22 22:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AnvSoft
2010-05-22 22:55 . 2010-05-22 22:55 -------- d-----w- c:\program files\AnvSoft
2010-05-22 22:46 . 2010-05-22 22:46 1956808 ----a-w- c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-05-22 22:14 . 2010-05-22 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-05-22 22:14 . 2010-05-22 22:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AVS4YOU
2010-05-22 22:10 . 2010-05-22 22:23 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-05-22 22:09 . 2008-07-11 11:25 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-05-22 22:09 . 2010-05-22 22:23 -------- d-----w- c:\program files\AVS4YOU
2010-05-22 17:04 . 2010-05-22 17:48 -------- d-----w- c:\program files\Audacity
2010-05-22 01:43 . 2010-05-22 01:43 1300 ----a-w- C:\fix.reg
2010-05-21 23:49 . 2010-05-21 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2010-05-21 23:30 . 2010-05-21 23:30 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\CheckPoint
2010-05-21 23:29 . 2010-05-21 23:29 -------- d-----w- c:\program files\CheckPoint
2010-05-21 23:29 . 2010-05-21 23:44 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-21 23:29 . 2010-03-24 18:10 72584 ----a-w- c:\windows\zllsputility.exe
2010-05-21 23:29 . 2009-10-12 17:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-05-21 23:28 . 2010-03-24 18:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-05-21 23:28 . 2010-03-24 18:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-05-21 23:28 . 2010-05-22 00:31 -------- d-----w- c:\windows\system32\ZoneLabs
2010-05-21 23:28 . 2010-03-24 18:10 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-05-21 23:28 . 2010-05-21 23:28 -------- d-----w- c:\program files\Zone Labs
2010-05-21 23:16 . 2010-06-04 00:33 -------- d-----w- c:\windows\Internet Logs
2010-05-21 20:34 . 2010-05-22 12:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-21 20:34 . 2010-05-21 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-21 15:12 . 2010-05-21 19:39 -------- d-----w- c:\program files\res
2010-05-21 15:02 . 2010-05-21 15:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-05-19 18:18 . 2010-05-19 18:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\lnduskywu
2010-05-19 18:16 . 2010-05-19 18:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-19 16:15 . 2010-05-19 16:15 -------- d-----w- c:\program files\AVG
2010-05-15 19:44 . 2010-05-23 17:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-14 23:03 . 2010-05-14 23:03 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\ofkjccvxs
2010-05-12 15:21 . 2010-05-12 15:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-05-12 15:16 . 2010-05-12 15:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-05-08 17:11 . 2010-05-08 17:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 00:30 . 2008-10-07 20:46 -------- d-----w- c:\program files\Lx_cats
2010-06-03 22:49 . 2006-01-04 18:17 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-03 02:48 . 2010-06-03 11:16 1828352 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-06-02 16:17 . 2010-06-02 16:18 1824768 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-05-31 22:35 . 2010-05-31 22:36 1815552 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-05-31 10:58 . 2005-01-01 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-31 10:58 . 2005-01-01 11:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-31 10:34 . 2006-12-04 11:24 -------- d-----w- c:\program files\Yahoo!
2010-05-30 22:31 . 2009-12-31 00:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 02:57 . 2010-05-24 14:54 1691648 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-05-23 01:33 . 2010-05-23 09:42 2915840 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-05-23 01:33 . 2010-05-23 09:42 1904128 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-05-23 01:32 . 2010-05-23 09:42 1904128 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-05-22 17:28 . 2010-05-22 17:28 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\FreeAudioPack
2010-05-21 21:41 . 2005-04-27 19:08 23616 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-21 20:52 . 2005-01-01 10:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-21 19:48 . 2009-06-17 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-12 15:19 . 2007-11-05 14:33 -------- d-----w- c:\program files\Google
2010-05-08 17:10 . 2009-01-27 20:27 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-05-01 09:44 . 2008-11-27 19:10 -------- d-----w- c:\program files\iTunes
2010-05-01 09:39 . 2010-05-01 09:39 -------- d-----w- c:\program files\iPod
2010-05-01 09:38 . 2007-11-04 21:11 -------- d-----w- c:\program files\Common Files\Apple
2010-05-01 09:27 . 2010-05-01 09:27 -------- d-----w- c:\program files\Bonjour
2010-05-01 09:07 . 2010-05-01 09:07 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-01 01:15 . 2009-11-24 22:20 22312 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-21 21:46 . 2009-03-31 19:34 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\LimeWire
2010-04-08 12:20 . 2010-04-08 12:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20 . 2010-04-08 12:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-06 15:10 . 2010-04-06 15:10 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Propellerhead Software
2010-04-06 15:10 . 2010-04-06 15:10 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-04-06 15:10 . 2010-04-06 15:10 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-04-06 15:10 . 2010-04-06 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Propellerhead Software
2010-04-05 21:24 . 2010-01-08 23:40 -------- d-----w- c:\program files\VstPlugins
2010-03-11 12:38 . 2006-01-04 18:20 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-01-04 18:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-01-04 18:17 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2006-01-04 18:20 430080 ----a-w- c:\windows\system32\vbscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"SiSPower"="SiSPower.dll" [2004-09-24 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"lxdjamon"="c:\program files\Lexmark 1400 Series\lxdjamon.exe" [2007-03-05 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-03-24 1038728]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-03-16 730480]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdjcoms.exe"=
"c:\\Program Files\\Lexmark 1400 Series\\lxdjamon.exe"=
"c:\\Program Files\\Lexmark 1400 Series\\App4r.exe"=
"c:\\Program Files\\Lexmark 1400 Series\\Wireless\\lxdjwpss.exe"=
"c:\\WINDOWS\\system32\\lxdjcfg.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdjtime.exe"=
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [16/03/2010 09:55 26232]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [16/03/2010 09:55 488816]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/05/2010 16:16 136176]
S2 lxdjCATSCustConnectService;lxdjCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdjserv.exe [03/11/2008 12:39 99248]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - KLMDB
*Deregistered* - klmd23
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder
2010-05-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 15:16]
2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 15:16]
2010-03-05 c:\windows\Tasks\Install_NSS.job
- c:\program files\Vuze\nssstub.exe [2010-03-02 22:19]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\documents and settings\HP_Owner\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: eafootballworld.com\www
Trusted Zone: easports.com
Trusted Zone: motive.com\pbttbc.bt
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\mv8gbi9m.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaDownload.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{7762A897-2A75-4E3F-A3A7-55BD098B9879} - c:\program files\toolbartv\tbtoo1.dll
HKCU-Run-eyeBeam SIP Client - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-lxdjmon.exe - c:\program files\Lexmark 1400 Series\lxdjmon.exe
HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE
HKLM-Run-NoteBurner - c:\program files\NoteBurner\VTBurnerGUI.exe
SafeBoot-klmdb.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Klinn's ElectroSet (RCT3)_is1 - c:\filesatarirollercoaster tycoon 3stylethemed\RollerCoaster Tycoon 3\Style\Themed\KLN-ElectroSet\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 02:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-534266734-3540294902-2018311696-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9D102BFF-A5E2-2B06-C79F-06FB20459A71}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaacjdiipnlnlnenoa"=hex:6b,61,6d,69,69,64,6b,66,70,65,69,70,6b,64,6f,6b,63,6f,
6a,6d,6e,63,00,00
"hagbpbafkmnjondn"=hex:6b,61,6d,69,69,64,6b,66,70,65,69,70,6b,64,6f,6b,63,6f,
6a,6d,6e,63,00,00
"gapclgocpimnne"=hex:61,63,64,69,6a,69,61,66,65,68,6e,6b,6c,64,66,6b,65,65,66,
6d,66,67,6b,62,65,65,67,70,65,63,67,62,67,69,6e,6c,68,6e,6c,63,6e,67,62,70,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(744)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
- - - - - - - > 'lsass.exe'(800)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2010-06-04 02:43:36
ComboFix-quarantined-files.txt 2010-06-04 01:43
Pre-Run: 32,449,409,024 bytes free
Post-Run: 34,787,340,288 bytes free
- - End Of File - - 915CE1ABABCB9B7EAE4A5354ED1CB2D7
shelf life
2010-06-05, 01:06
Not much there in the Combofix log. Hows it looking on your end now?
tom8fallon8
2010-06-05, 02:30
Firefox still freezes from time to time but rarely redirects any links that I click or opens tabs by itself, I don't think there's much more you can do tbh. I'll keep scanning malwarebytes, spybot, zone alarm etc. from time to time to check there's no trojans or whatever. What do you think of zone alarm? Would you recommend any better security software?
shelf life
2010-06-05, 04:34
I had a annoying problem with FF awhile back. The quickest solution was to export my bookmarks, totally un-install FF then re-install it and import the bookmarks. There is also this. (http://support.mozilla.com/en-US/kb/)
If you haven't yet you can delete the Root Repeal and Gmer icon from your desktop. Keep Malwarebytes and note that it must be updated manually and a scan started manually.
you can remove combofix like this;
start>run and type in combofix /u
click ok or enter
note: there is a space after the x and before the /
What do you think of zone alarm? Would you recommend any better security software?
Iam sure you would get many different opinions on it. I really dont have one or can suggest one AV over the other. Normally if somebody needs AV I just post links to the 'free for home users' AV.
If all is good on your end, some tips to help you remain malware free:
10 Tips for Reducing/Preventing Your Risk To Malware:
In no special order
1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here. (http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html)that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*. There is no reason why your computer can not stay malware free.
4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.
5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?
7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.
8) Install and understand the *limitations* of a software firewall.
9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html)for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Or see a slideshow (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing)on how to configure IE 8.0.
10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Do you really trust the source of the file? Do you really need another malware source?
A longer version in link below.
Happy Safe Surfing.