
Trojan.Agent.U



Hi,

I'm new here but I've been watching the posts for about a week now. I seem to have acquired an uninvited guest that doesn't seem to want to leave. I've run NAV 2010, Spy-Bot, Malwarebytes. Every one finds it and will delete it, but it keeps returning. I'm also experiencing changes in security permissions, have found a few DLLs with strange names, and what seem to be improper file extensions.

The first time I ran NAV 2010 it found and supposedly removed 2 downloaders, Trojan.Zefarch (ixuvomuy.dll), Trojan.FakeAV!gen38 (kgkndtushdw.exe), and Trojan.Zefarch!gen (eqiyurega.dll). Also the registry seems to be thinking for itself.


Hello,

Pleased to meet you RPMcMurphy. I want to thank you for taking your time to help me with my problem. I have tried replying twice, but each time it tells me the response is too large. I'm gonna try and respond in 2 replies.

DDS (Ver_10-03-17.01) - NTFSx86

Run by JayDee109 at 17:44:14.92 on Wed 09/01/2010

Internet Explorer: 8.0.6001.18943

Microsoft


GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-09-01 18:17:36

Windows 6.0.6002 Service Pack 2

Running: 2lc6n5b4.exe; Driver: C:\Users\JAYDEE~1\AppData\Local\Temp\kxdyiuog.sys

---- System - GMER 1.0.15 ----

SSDT 8813AF90 ZwAlertResumeThread

SSDT 87E79E98 ZwAlertThread

SSDT 87E68490 ZwAllocateVirtualMemory

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x8FE38570]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcCreatePort [0x8FE38E46]

SSDT 881BCFD0 ZwAssignProcessToJobObject

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x8FE37FC6]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8FE31884]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8FE52FA8]

SSDT 8813AD40 ZwCreateMutant

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x8FE38AD0]

SSDT 881BCD50 ZwCreateSymbolicLinkObject

SSDT 87E688A0 ZwCreateThread

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x8FE38C2E]

SSDT 8813A638 ZwDebugActiveProcess

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8FE325B4]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8FE54A50]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8FE54346]

SSDT 87E685E8 ZwDuplicateObject

SSDT 87E682F0 ZwFreeVirtualMemory

SSDT 8813AE10 ZwImpersonateAnonymousToken

SSDT 8813AED0 ZwImpersonateThread

SSDT 8792C970 ZwLoadDriver

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8FE5541A]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x8FE55658]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x8FE55B0A]

SSDT 87E68210 ZwMapViewOfSection

SSDT 8813AC80 ZwOpenEvent

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8FE3216C]

SSDT 87E68788 ZwOpenProcess

SSDT 87DCB048 ZwOpenProcessToken

SSDT 8813AB00 ZwOpenSection

SSDT 87E686B8 ZwOpenThread

SSDT 881BCF00 ZwProtectVirtualMemory

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8FE564E0]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8FE55DD4]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x8FE37B5E]

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8FE56F40]

SSDT 87E79F58 ZwResumeThread

SSDT 87E79F90 ZwSetContextThread

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8FE329BE]

SSDT 87E68080 ZwSetInformationProcess

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0x8FE56A68]

SSDT 8813A9F8 ZwSetSystemInformation

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8FE53A6A]

SSDT 8813ABC0 ZwSuspendProcess

SSDT 880B9E88 ZwSuspendThread

SSDT 87DCBDA8 ZwTerminateProcess

SSDT 880B9F48 ZwTerminateThread

SSDT 87E68150 ZwUnmapViewOfSection

SSDT 87E683C0 ZwWriteVirtualMemory

SSDT 881BCE20 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 81EC1880 8 Bytes [90, AF, 13, 88, 98, 9E, E7, ...] {NOP ; SCASD ; ADC ECX, [EAX-0x78186168]}

.text ntkrnlpa.exe!KeSetEvent + 131 81EC1894 4 Bytes [90, 84, E6, 87]

.text ntkrnlpa.exe!KeSetEvent + 13D 81EC18A0 8 Bytes [70, 85, E3, 8F, 46, 8E, E3, ...]

.text ntkrnlpa.exe!KeSetEvent + 191 81EC18F4 4 Bytes [D0, CF, 1B, 88]

.text ntkrnlpa.exe!KeSetEvent + 1C1 81EC1924 4 Bytes [C6, 7F, E3, 8F]

.text ...

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E404340, 0x3DC617, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[220] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[220] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[220] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[220] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[220] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[220] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[220] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[220] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[220] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wininit.exe[664] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wininit.exe[664] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wininit.exe[664] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wininit.exe[664] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wininit.exe[664] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wininit.exe[664] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wininit.exe[664] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wininit.exe[664] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wininit.exe[664] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\services.exe[700] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\services.exe[700] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\services.exe[700] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\services.exe[700] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\services.exe[700] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\services.exe[700] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\services.exe[700] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsass.exe[712] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsass.exe[712] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsass.exe[712] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsass.exe[712] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsass.exe[712] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsass.exe[712] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsm.exe[720] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsm.exe[720] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsm.exe[720] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsm.exe[720] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsm.exe[720] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsm.exe[720] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsm.exe[720] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsm.exe[720] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\lsm.exe[720] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[912] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[912] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[912] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\nvvsvc.exe[960] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\nvvsvc.exe[960] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\nvvsvc.exe[960] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\nvvsvc.exe[960] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\nvvsvc.exe[960] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\nvvsvc.exe[960] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\nvvsvc.exe[960] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\nvvsvc.exe[960] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\nvvsvc.exe[960] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[988] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[988] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[988] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[988] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[988] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[988] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[988] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[988] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[988] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1028] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1028] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1028] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1028] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1028] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1028] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1028] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1028] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1028] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\DllHost.exe[1080] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\DllHost.exe[1080] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\DllHost.exe[1080] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\DllHost.exe[1080] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\DllHost.exe[1080] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\DllHost.exe[1080] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\DllHost.exe[1080] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\DllHost.exe[1080] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\DllHost.exe[1080] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1120] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1120] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1120] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1120] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1120] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1120] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1184] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1184] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1184] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1184] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1184] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1184] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1184] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1184] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\System32\svchost.exe[1184] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1200] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1200] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1200] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1200] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1200] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1304] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1304] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1304] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wscript.exe[1344] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wscript.exe[1344] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wscript.exe[1344] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wscript.exe[1344] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wscript.exe[1344] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wscript.exe[1344] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wscript.exe[1344] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wscript.exe[1344] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\wscript.exe[1344] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1400] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1400] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1400] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1400] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1400] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1416] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1416] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1416] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1416] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1416] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1416] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1416] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1416] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1416] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\notepad.exe[1432] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\notepad.exe[1432] ntdll.dll!NtAlpcImpersonateClientOfPort 77824214 5 Bytes JMP 20C78DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\notepad.exe[1432] ntdll.dll!NtImpersonateClientOfPort 778249E4 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\notepad.exe[1432] ntdll.dll!NtSetInformationProcess 77825324 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\notepad.exe[1432] kernel32.dll!OpenProcess 767D7267 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\notepad.exe[1432] ADVAPI32.dll!ImpersonateNamedPipeClient 761A3A48 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\notepad.exe[1432] ADVAPI32.dll!SetThreadToken 761B8E21 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\notepad.exe[1432] USER32.dll!FindWindowA 75ED9D76 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\notepad.exe[1432] USER32.dll!FindWindowW 75EEA441 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Windows\system32\svchost.exe[1560] ntdll.dll!NtAccessCheckByType 77824044 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

Link to post
Share on other sites

Hi jaydee109,

Can you try adding the GMER log and the Attach.txt report from DDS as attachments. The GMER log was cut off as it's most likely too large to post.

Hi RPMcMurphy,

You should have the Gmer log. I tried sending the attachment a couple times, but all it would do is turn the attachment screen into a white box w/a swirling thing and it said initializing attachment. The last time it locked up the puter. Am I doing something wrong?


jaydee109:

Download Combofix from either of the links below, and save it to your desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.


Please include the following in your next post:

  • ComboFix log


jaydee109:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad). Copy all the text inside the code box by highlighting it and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above http://

http://forums.malwarebytes.org/index.php?showtopic=61733
Collect::
c:\users\JayDee109\AppData\Local\amozoxuje.dll
c:\users\JayDee109\AppData\Local\Gyimocovofama.dat
c:\users\JayDee109\AppData\Local\Uzefegu.bin
c:\users\JayDee109\AppData\Local\ndefdxt.dll
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skuyifopani"=-

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • ComboFix log
  • MBAM log

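The CFScript above lists two indicators by hand: a Run value that loads a DLL from the user's AppData folder through rundll32.exe, and an Internet Settings proxy pointing at 127.0.0.1 (a local listener sitting between the browser and the network). The helper below is an added example, not part of this thread and not ComboFix's or DDS's own code: it scans DDS-style log lines for those two patterns and emits a CFScript laid out the way the one in this post is. The sample log is constructed to mirror the lines quoted above, with two invented benign entries (Sidebar, ZoneAlarm Client) as filler; it assumes DDS's `uRun`/`mRun` prefixes denote the HKCU/HKLM Run keys, and it reproduces only the `Collect::`, `DDS::` and `Registry::` sections as they appear in the post.

```python
"""Triage helper for DDS-style startup and proxy lines (added example, not from the thread)."""
import re
from typing import Any, Dict, List

# Constructed sample modelled on the DDS "uRun:" and "uInternet Settings" lines
# quoted in this thread. The Sidebar and ZoneAlarm entries are invented benign
# filler so the rules have something to ignore.
SAMPLE_LOG = r"""
uRun: [Skuyifopani] rundll32.exe "c:\users\JayDee109\AppData\Local\ndefdxt.dll",Startup
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
"""

# Assumption: DDS prefixes a Run entry with "u" for HKCU and "m" for HKLM.
HIVE_KEY = {
    "u": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "m": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
RUN_LINE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
DLL_PATH = re.compile(r'(?i)"?([a-z]:\\[^",]+\.dll)"?')
# A DLL under a per-user profile directory needs no admin rights to drop, which is
# why this loader pattern is suspicious even though rundll32.exe itself is benign.
USER_WRITABLE = re.compile(r"(?i)\\(users|documents and settings)\\.+\\(appdata|local settings|temp)\\")
LOOPBACK = re.compile(r"(?i)(127\.0\.0\.1|localhost)(:\d+)?")


def find_indicators(log_text: str) -> List[Dict[str, Any]]:
    """Return the startup entries and proxy settings matching the two patterns in this case."""
    findings: List[Dict[str, Any]] = []
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    for line in lines:
        m = RUN_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        dll = DLL_PATH.search(cmd)
        if "rundll32" in cmd.lower() and dll and USER_WRITABLE.search(dll.group(1)):
            findings.append({
                "rule": "rundll32-userdir-dll",
                "key": HIVE_KEY[m.group("hive")],
                "value": m.group("name"),
                "path": dll.group(1),
                "line": line,
            })
    proxy_values = [PROXY_LINE.match(ln).group("value") for ln in lines if PROXY_LINE.match(ln)]
    if any(LOOPBACK.search(v) for v in proxy_values):
        # A proxy on 127.0.0.1 means something local is intercepting browser traffic;
        # carry the ProxyOverride line along so both settings get reset together.
        findings.append({
            "rule": "loopback-proxy",
            "lines": [ln for ln in lines if ln.startswith("uInternet Settings,Proxy")],
        })
    return findings


def build_cfscript(findings: List[Dict[str, Any]], thread_url: str) -> str:
    """Emit a CFScript in the layout used in this thread: thread URL first, then only
    the Collect::, DDS:: and Registry:: sections that have content."""
    collect: List[str] = []
    dds: List[str] = []
    registry: Dict[str, List[str]] = {}
    for f in findings:
        if f["rule"] == "rundll32-userdir-dll":
            collect.append(f["path"])
            registry.setdefault(f["key"], []).append(f["value"])
        elif f["rule"] == "loopback-proxy":
            dds.extend(f["lines"])
    out = [thread_url]
    if collect:
        out.append("Collect::")
        out.extend(collect)
    if dds:
        out.append("DDS::")
        out.extend(dds)
    if registry:
        out.append("Registry::")
        for key, names in registry.items():
            out.append(f"[{key}]")
            out.extend(f'"{n}"=-' for n in names)  # "Name"=- deletes the value, as in the post
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_indicators(SAMPLE_LOG),
                         "http://forums.malwarebytes.org/index.php?showtopic=61733"))
```

Two caveats a practitioner would apply: the generated script deletes whatever it lists, so each path and value should be checked by hand before it is fed to ComboFix, and, as the rest of this thread shows, a Run value that something on the machine keeps re-creating (here the TeaTimer guard) will not stay deleted no matter how tidy the script is.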

jaydee109:

How is your computer running now? Please run this next:

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • Kaspersky log
  • How is your computer running now?


RPMcMurphy,

Seems to be doing much better, those weird DLLs seem to be gone, the Registry entry pertaining to "Skuyifopani" is now gone. Haven't had a chance to look for all the weird .tmp files that began with a $ sign but I'll get to that. If they're still around can they be deleted? They all appear empty.

Regarding Kaspersky, it requires JAVA to run. I deleted anything having to do with Sun Microsystems or JAVA when this mess started as I suspect that's what could have started this. I read somewhere that Rev. 6 was infected and that was the last upgrade I installed.

My question regarding this is: What release would you suggest downloading?

I will wait for your reply before proceeding.

As a side issue, since the last chapter in this saga, once in a while when accessing a web page all I get looks like programming language or something. Any ideas?

Respectfully,

Jay


RPMcMurphy,

Couple things have returned.

When booting and desktop loads, error box titled RunDLL32:

Error Loading:

C:\Users\JayDee109\AppData\Local\ndefdxt.dll

Specified module could not be found

In Start Menu,

Key HKCU:RUN

Program Skuyifopany

File rundll32.exe "C:\Users\JayDee109\AppData\Local\ndefdxt.dll", Startup

Can uncheck and delete, close and reopen program and comes right back

Registry Entry,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Name Skuyifopani

Type Reg_5Z or Sz... can't quite be sure

Data Rundll32.exe "C:\Users\JayDee109\AppData\Local\ndefdxt.dll",Startup

Will not delete from registry using RegEdit.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, September 2, 2010

Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, September 02, 2010 11:57:07

Records in database: 4178649

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

Scan statistics:

Objects scanned: 155388

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 02:19:20

No threats found. Scanned area is clean.

Selected area has been scanned.

The gibberish in browser seems to have gone away, at least for now.

Jay


jaydee109:

Run Combofix again. If it asks to update, please allow it to.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.


Please include the following in your next post:

  • ComboFix log


jaydee109:

I see the problem - we need to disable TeaTimer:

Disable Spybot S&D's TeaTimer

  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done and reboot your computer.

(When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad). Copy all the text inside the code box by highlighting it and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skuyifopani"=-
Reboot::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log


jaydee109:

Thanks for the kind words.

Now you should be all set - the bad file was gone, but TeaTimer stopped the registry entry from being removed the first time.

I have some very important cleanup for you to take care of now:

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

(screenshot: Combofix_uninstall_image.jpg)

Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please visit our General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


jaydee109:

Interesting. Did it come back after a reboot, or exactly when did it happen? Please run this for me:

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Good Morning RPMcMurphy,

As stated last night the pest has returned.

Couple of things I've discovered. I don't know if it's pertinent or not.

In startup: Key HK_CU:Run (User S-1-5-21-1822997668-4093300276-3722600737-1000)

Value Skuyifopani

Command Line rundll32.exe "C:\Users\JayDee109\AppData\Local\ndefdxt.dll".Startup

Now have a second recycle bin in root directory $Recycle.Bin

Three files in C:\Users\JayDee109, also show up in Desktop at top of directory tree:

S-1-5-21-1822997668-4093300276-3722600737-1000.rrr attribute A

S-1-5-21-1822997668-4093300276-3722600737-1000.Log1 attribute HA

S-1-5-21-1822997668-4093300276-3722600737-1000.Log2 attribute HA

Have also noticed a file attribute of N showing up.

Also two entries of a temp folder and an IswTmp folder that have 2 very small question marks on top of the icon. Another appears on the Apple Computer folder in C:\Users\JayDee109\AppData\LocalLow.

Most of the files in the first temp folder have file names like ~DFC477.tmp and variations of the same file name. Some have a date\time stamp of last night at about the time I performed the last scan. There now are some more files with different names (same format) dated today when I first opened the folder.

I opened one of these files and it looked like code to me, but in the first 5 or 6 lines the word Root Entry appeared. When I highlight the file and right click, go down to properties then go to security under the group and user names the following entry is listed:

USER S-1-5-21-1822997668-4093300276-3722600737-1000

When I highlight it switches to:

_ISW_RESTRICTED_GROUP_(JayDee109-PC\_ISW_RESTRICTED_GROUP_)

When the security tab is first clicked there's a little red ? over the little face icon on the left.

In the Temp\IswTmp folder there is a log folder. They exhibit the same behavior when checking the folder\security tab. Also current date\time stamp. Their file ext. is .SWL.

I tried to send you one of the ~D temp files last night but when I submitted it IE locked up tight. I used the cut and paste method since the attachment procedure and I don't get along.

Looked up the .rrr and .SWL file extensions on Whatis?.com but found nothing.

Don't know if any of this is relevant or not.

Once again Thank You


This topic is now closed to further replies.