Web attack Fake AV download 2 getting reported by AV software

Egarrim · July 3, 2013

Hi, i have been getting the warning below when visiting several web sites inc my hushmail account.

Web attack Fake AV download 2

This is only happening on my samsung netbook, therefore i think i may have something suspicious on the computer.

Here are the logs from DDS

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.25.2

Run by End User at 9:30:23 on 2013-07-03

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.328 [GMT 1:00]

.

AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *Enabled*

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe

C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k yksvcs

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\20.4.0.40\CoIEPlg.dll

BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\20.4.0.40\ips\IPSBHO.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.4.0.40\CoIEPlg.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\enduse~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek wireless lan software\RtWLan.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{35CDF897-F0F1-4DA4-9253-350657F04F5C} : DHCPNameServer = 192.168.1.1

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\end user\application data\mozilla\firefox\profiles\oucvv0y8.default\

FF - prefs.js: browser.search.selectedEngine - Norton Safe Search

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

FF - ExtSQL: 2013-06-22 19:45; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\coFFPlgn

FF - ExtSQL: 2013-06-22 19:45; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\IPSFFPlgn

.

============= SERVICES / DRIVERS ===============

.

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-6-18 102448]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1404000.028\SymDS.sys [2013-6-22 367704]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1404000.028\SymEFA.sys [2013-6-22 934488]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\bashdefs\20130702.001\BHDrvx86.sys [2013-7-2 1002072]

R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1404000.028\ccSetx86.sys [2013-6-22 134744]

R1 RapportCerberus_53984;RapportCerberus_53984;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\53984\RapportCerberus32_53984.sys [2013-5-28 317424]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-6-18 103120]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-6-18 174320]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1404000.028\Ironx86.sys [2013-6-22 175264]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\20.4.0.40\ccSvcHst.exe [2013-6-22 144368]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-6-18 1124632]

R2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\srs labs\srs wow xt and tsxt\SRS_PostInstaller.exe [2009-5-19 66792]

R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2006-2-28 14336]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-6-22 106656]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\ipsdefs\20130702.001\IDSXpx86.sys [2013-7-3 373728]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\virusdefs\20130702.021\NAVENG.SYS [2013-7-3 93272]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\virusdefs\20130702.021\NAVEX15.SYS [2013-7-3 1611992]

R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [2012-12-12 530664]

R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2012-12-12 233512]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2012-12-12 238464]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-12-12 1684736]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-7-1 35144]

.

=============== Created Last 30 ================

.

2013-07-02 10:53:29 144896 ----a-w- c:\windows\system32\javacpl.cpl

2013-07-02 10:53:13 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-07-02 08:56:29 53248 ----a-w- c:\windows\system32\zlib.dll

2013-07-01 19:57:09 -------- d-----w- C:\Stinger_Quarantine

2013-07-01 19:56:49 -------- d-----w- c:\program files\stinger

2013-07-01 19:45:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)

2013-07-01 19:44:48 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-07-01 19:36:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-07-01 19:26:22 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro

2013-07-01 19:20:21 -------- d-sh--w- c:\documents and settings\end user\IECompatCache

2013-07-01 18:21:31 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2013-07-01 18:21:31 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2013-07-01 18:21:25 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2013-07-01 18:21:25 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys

2013-06-26 12:50:05 -------- d-sh--w- c:\documents and settings\end user\PrivacIE

2013-06-26 12:48:43 -------- d-sh--w- c:\documents and settings\end user\IETldCache

2013-06-26 12:44:24 -------- dc-h--w- c:\windows\ie8

2013-06-26 12:03:17 -------- d-----w- C:\d3dbeda7c5cdcecdc079ab6d

2013-06-22 18:42:59 -------- d-----w- c:\windows\system32\drivers\nis\1404000.028

2013-06-22 18:42:59 -------- d-----w- c:\windows\system32\drivers\NIS

2013-06-22 18:42:53 -------- d-----w- c:\program files\Norton Internet Security

2013-06-22 18:42:34 -------- d-----w- c:\program files\NortonInstaller

2013-06-22 18:42:34 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller

2013-06-22 18:37:50 -------- d-----w- c:\documents and settings\all users\application data\Norton

2013-06-22 12:02:29 -------- d-----w- c:\program files\SpyAlert

2013-06-18 15:14:28 102448 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2013-06-06 09:47:42 -------- d-----w- c:\program files\CCleaner

2013-06-06 09:14:32 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-06-06 09:14:32 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-06-06 08:24:42 -------- d-----w- c:\documents and settings\end user\local settings\application data\LogMeIn Rescue Calling Card

2013-06-06 07:58:04 -------- d-----w- c:\documents and settings\end user\application data\Malwarebytes

2013-06-06 07:57:57 -------- d-----w- c:\program files\LogMeIn Rescue Calling Card

2013-06-06 07:57:47 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2013-06-06 07:57:39 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-06-06 07:48:18 -------- d-----w- c:\windows\pss

2013-06-06 07:34:23 -------- d-----w- c:\documents and settings\end user\local settings\application data\LogMeIn Rescue Applet

2013-06-06 06:58:43 -------- d-----w- c:\documents and settings\all users\application data\AMMYY

.

==================== Find3M ====================

.

2013-07-02 10:52:50 867240 ----a-w- c:\windows\system32\npDeployJava1.dll

2013-07-02 10:52:50 789416 ----a-w- c:\windows\system32\deployJava1.dll

2013-06-22 18:43:58 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2013-05-23 05:25:28 934488 ----a-r- c:\windows\system32\drivers\nis\1404000.028\SymEFA.sys

2013-05-21 05:02:00 367704 ----a-r- c:\windows\system32\drivers\nis\1404000.028\SymDS.sys

2013-05-16 05:02:14 603224 ----a-r- c:\windows\system32\drivers\nis\1404000.028\srtsp.sys

2013-04-25 00:43:56 396760 ----a-r- c:\windows\system32\drivers\nis\1404000.028\symtdi.sys

2013-04-25 00:43:56 352344 ----a-r- c:\windows\system32\drivers\nis\1404000.028\symtdiv.sys

2013-04-25 00:43:56 339544 ----a-r- c:\windows\system32\drivers\nis\1404000.028\symnets.sys

2013-04-16 02:41:14 134744 ----a-r- c:\windows\system32\drivers\nis\1404000.028\ccSetx86.sys

.

============= FINISH: 9:31:15.67 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 18/12/2012 10:09:02

System Uptime: 03/07/2013 08:54:50 (1 hours ago)

.

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | N120

Processor: Intel® Atom CPU N270 @ 1.60GHz | U2E1 | 798/mhz

Processor: Intel® Atom CPU N270 @ 1.60GHz | U2E1 | 1052/mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 140.828 GiB free.

D: is Removable

E: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP2: 15/05/2013 11:23:35 - avast! Free Antivirus Setup

RP3: 15/05/2013 11:24:40 - Installed Windows XP KB893357.

RP4: 15/05/2013 11:24:57 - Installed Windows XP KB911164.

RP5: 17/05/2013 19:55:30 - Installed Java 6 Update 22

RP6: 17/05/2013 19:56:47 - Installed OpenOffice.org 3.3

RP7: 22/05/2013 20:58:31 - Installed Rapport

RP8: 27/05/2013 19:45:40 - Installed Adobe Reader X (10.0.1).

RP9: 28/05/2013 09:59:57 - Removed Java 6 Update 22

RP10: 28/05/2013 10:02:13 - Installed Java 7 Update 21

RP11: 06/06/2013 08:45:32 - restore

RP12: 24/06/2013 22:35:31 - Installed Rapport

RP13: 26/06/2013 13:33:51 - Installed Windows XP KB932823-v3.

RP14: 26/06/2013 13:45:26 - Installed Windows Internet Explorer 8.

RP15: 01/07/2013 20:22:54 - D7 Automatic Restore Point - Post Maintenance

RP16: 02/07/2013 11:51:51 - Removed Java 7 Update 21

RP17: 02/07/2013 11:52:43 - Installed Java 7 Update 25

.

==== Installed Programs ======================

.

Adobe Flash Player 11 Plugin

Adobe Reader X (10.0.1)

Adv Support

CCleaner

Intel® Graphics Media Accelerator Driver

Java 7 Update 25

Java Auto Updater

Malwarebytes Anti-Malware version 1.75.0.1300

Marvell Miniport Driver

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Mozilla Firefox 21.0 (x86 en-US)

Mozilla Maintenance Service

Namuga 1.3M Webcam

Norton Internet Security

OpenOffice.org 3.3

Rapport

Realtek High Definition Audio Driver

REALTEK Wireless LAN Driver and Utility

Spy Alert

SRS WOW XT and TSXT

Update for Windows XP (KB932823-v3)

VLC media player 2.0.0

WebFldrs XP

WIDCOMM Bluetooth Software

Windows Internet Explorer 8

.

==== Event Viewer Messages From Past Week ========

.

02/07/2013 11:51:24, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

01/07/2013 20:28:00, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

.

==== End Of File ===========================

Thanks in advance.

Psychotic · July 3, 2013

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Gmer from here by clicking on the "Download EXE" Button.

Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Show All ( should be unchecked by default )
[*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Egarrim · July 3, 2013

Thank you for your quick response, here is the GMER log file

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-07-03 16:40:56

Windows 5.1.2600 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM160HI rev.HH100-06 149.05GB

Running: jztrp1r2.exe; Driver: C:\DOCUME~1\ENDUSE~1\LOCALS~1\Temp\pgwyqfod.sys

---- System - GMER 2.1 ----

SSDT 860F6218 ZwAlertResumeThread

SSDT 860FDE00 ZwAlertThread

SSDT 860E1278 ZwAllocateVirtualMemory

SSDT 86187988 ZwAssignProcessToJobObject

SSDT 85F5AA00 ZwConnectPort

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0xA9066EDA]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey [0xA9243ED0]

SSDT 854CC160 ZwCreateMutant

SSDT 8555E160 ZwCreateSymbolicLinkObject

SSDT 860D1340 ZwCreateThread

SSDT 8622EA90 ZwDebugActiveProcess

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0xA90671E2]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey [0xA9244150]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey [0xA9244810]

SSDT 86143EE8 ZwDuplicateObject

SSDT 85F92748 ZwFreeVirtualMemory

SSDT 860C8F00 ZwImpersonateAnonymousToken

SSDT 8610F548 ZwImpersonateThread

SSDT 856433E8 ZwLoadDriver

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0xA906AEC2]

SSDT 860D17C0 ZwMapViewOfSection

SSDT 860F7E28 ZwOpenEvent

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0xA906708A]

SSDT 860FC2D0 ZwOpenProcess

SSDT 861698C8 ZwOpenProcessToken

SSDT 85F4D438 ZwOpenSection

SSDT 8617D008 ZwOpenThread

SSDT 85544160 ZwProtectVirtualMemory

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0xA906ADCA]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwRenameKey [0xA9244D70]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0xA906AD3A]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0xA906AD82]

SSDT 8627B5A8 ZwResumeThread

SSDT 85F66D80 ZwSetContextThread

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0xA90672F6]

SSDT 85634EF8 ZwSetInformationProcess

SSDT 85F85208 ZwSetSystemInformation

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey [0xA9244A90]

SSDT 860DECD0 ZwSuspendProcess

SSDT 861800B0 ZwSuspendThread

SSDT 86165950 ZwTerminateProcess

SSDT 8607F950 ZwTerminateThread

SSDT 8627B4D0 ZwUnmapViewOfSection

SSDT 8631C830 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!ZwYieldExecution + 163 804E5024 4 Bytes [90, EA, 22, 86]

.text ntoskrnl.exe!ZwYieldExecution + 18F 804E5050 4 Bytes CALL BED46493

.text ntoskrnl.exe!ZwYieldExecution + 203 804E50C4 8 Bytes [E8, 33, 64, 85, C2, AE, 06, ...]

? SYMDS.SYS The system cannot find the file specified. !

? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00370048

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0035004C

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0037020E

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0037012A

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00370682

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0037059E

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003703D6

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003702F2

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003704BA

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00370766

.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[540] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0037084A

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00640048

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 003F004C

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ntdll.dll!KiUserApcDispatcher 7C90EAC0 5 Bytes JMP 00414620 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 71A70001

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 00640A0E

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0064020E

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0064012A

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00640682

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0064059E

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 006403D6

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 006402F2

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 006404BA

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00640766

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71A10022

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1200] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 71AE0022

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00390048

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0037004C

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0039084A

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0039020E

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0039012A

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00390682

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0039059E

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003903D6

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003902F2

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003904BA

.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00390766

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00380048

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0036004C

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0038020E

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0038012A

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00380682

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0038059E

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003803D6

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003802F2

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003804BA

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00380766

.text C:\Program Files\Java\jre7\bin\jqs.exe[1876] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0038084A

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 003D0048

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 003B004C

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 003D020E

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 003D012A

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 003D0682

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 003D059E

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003D03D6

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003D02F2

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003D04BA

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 003D0766

.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1944] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 003D084A

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00380048

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0036004C

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0038020E

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0038012A

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00380682

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0038059E

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003803D6

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003802F2

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003804BA

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00380766

.text C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe[1988] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0038084A

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 04880048

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 03ED004C

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0488084A

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0488020E

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0488012A

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 04880682

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0488059E

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 048803D6

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 048802F2

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 048804BA

.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2072] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 04880766

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 007C0048

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 003F004C

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ntdll.dll!KiUserApcDispatcher 7C90EAC0 5 Bytes JMP 0043C690 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 71A80001

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] USER32.dll!EnumClipboardFormats + 213 77D6DC84 6 Bytes JMP 71AE001E

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 007C0A0E

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 007C020E

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 007C012A

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 007C0682

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 007C059E

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 007C03D6

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 007C02F2

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 007C04BA

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 007C0766

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 719E0022

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2976] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 71A20022

.text C:\WINDOWS\system32\igfxtray.exe[3284] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00390048

.text C:\WINDOWS\system32\igfxtray.exe[3284] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0037004C

.text C:\WINDOWS\system32\igfxtray.exe[3284] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0039084A

.text C:\WINDOWS\system32\igfxtray.exe[3284] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0039020E

.text C:\WINDOWS\system32\igfxtray.exe[3284] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0039012A

.text C:\WINDOWS\system32\igfxtray.exe[3284] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00390682

.text C:\WINDOWS\system32\igfxtray.exe[3284] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0039059E

.text C:\WINDOWS\system32\igfxtray.exe[3284] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003903D6

.text C:\WINDOWS\system32\igfxtray.exe[3284] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003902F2

.text C:\WINDOWS\system32\igfxtray.exe[3284] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003904BA

.text C:\WINDOWS\system32\igfxtray.exe[3284] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00390766

.text C:\WINDOWS\system32\hkcmd.exe[3304] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00390048

.text C:\WINDOWS\system32\hkcmd.exe[3304] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0037004C

.text C:\WINDOWS\system32\hkcmd.exe[3304] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0039084A

.text C:\WINDOWS\system32\hkcmd.exe[3304] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0039020E

.text C:\WINDOWS\system32\hkcmd.exe[3304] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0039012A

.text C:\WINDOWS\system32\hkcmd.exe[3304] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00390682

.text C:\WINDOWS\system32\hkcmd.exe[3304] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0039059E

.text C:\WINDOWS\system32\hkcmd.exe[3304] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003903D6

.text C:\WINDOWS\system32\hkcmd.exe[3304] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003902F2

.text C:\WINDOWS\system32\hkcmd.exe[3304] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003904BA

.text C:\WINDOWS\system32\hkcmd.exe[3304] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00390766

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00380048

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0036004C

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0038084A

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0038020E

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0038012A

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00380682

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0038059E

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003803D6

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003802F2

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003804BA

.text C:\WINDOWS\system32\igfxsrvc.exe[3376] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00380766

.text C:\WINDOWS\system32\igfxpers.exe[3472] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00380048

.text C:\WINDOWS\system32\igfxpers.exe[3472] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0036004C

.text C:\WINDOWS\system32\igfxpers.exe[3472] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0038084A

.text C:\WINDOWS\system32\igfxpers.exe[3472] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0038020E

.text C:\WINDOWS\system32\igfxpers.exe[3472] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0038012A

.text C:\WINDOWS\system32\igfxpers.exe[3472] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00380682

.text C:\WINDOWS\system32\igfxpers.exe[3472] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0038059E

.text C:\WINDOWS\system32\igfxpers.exe[3472] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003803D6

.text C:\WINDOWS\system32\igfxpers.exe[3472] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003802F2

.text C:\WINDOWS\system32\igfxpers.exe[3472] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003804BA

.text C:\WINDOWS\system32\igfxpers.exe[3472] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00380766

.text D:\GMER\jztrp1r2.exe[3756] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00380048

.text D:\GMER\jztrp1r2.exe[3756] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0036004C

.text D:\GMER\jztrp1r2.exe[3756] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0038020E

.text D:\GMER\jztrp1r2.exe[3756] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0038012A

.text D:\GMER\jztrp1r2.exe[3756] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00380682

.text D:\GMER\jztrp1r2.exe[3756] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0038059E

.text D:\GMER\jztrp1r2.exe[3756] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003803D6

.text D:\GMER\jztrp1r2.exe[3756] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003802F2

.text D:\GMER\jztrp1r2.exe[3756] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003804BA

.text D:\GMER\jztrp1r2.exe[3756] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00380766

.text D:\GMER\jztrp1r2.exe[3756] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0038084A

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00390048

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0037004C

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0039020E

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0039012A

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00390682

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0039059E

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 003903D6

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 003902F2

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 003904BA

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00390766

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3960] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 00390A0E

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00600048

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 004E004C

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0060020E

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0060012A

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00600682

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0060059E

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 006003D6

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 006002F2

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 006004BA

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00600766

.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4040] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0060084A

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ntdll.dll!NtMapViewOfSection 7C90DC55 5 Bytes JMP 00880048

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ntdll.dll!NtTerminateThread 7C90E8A3 5 Bytes JMP 0076004C

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] USER32.dll!DeviceEventWorker + 178 77D89E68 7 Bytes JMP 0088084A

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ADVAPI32.dll!OpenSCManagerW + A3 77DE6160 7 Bytes JMP 0088020E

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ADVAPI32.dll!StartServiceCtrlDispatcherW + 153 77DEB630 7 Bytes JMP 0088012A

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ADVAPI32.dll!SystemFunction025 + 8D 77DEB887 7 Bytes JMP 00880682

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36CC4 7 Bytes JMP 0088059E

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36E5C 7 Bytes JMP 008803D6

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3706C 7 Bytes JMP 008802F2

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ADVAPI32.dll!CreateServiceA + 193 77E37204 7 Bytes JMP 008804BA

.text C:\Program Files\REALTEK Wireless LAN Software\RtWLan.exe[4084] ADVAPI32.dll!CreateServiceW + 103 77E3730C 7 Bytes JMP 00880766

---- Devices - GMER 2.1 ----

Device Ntfs.sys

Device Fastfat.SYS

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS

Device mrxsmb.sys

AttachedDevice fltMgr.sys

---- EOF - GMER 2.1 ----

Psychotic · July 4, 2013

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

====================================================

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Egarrim · July 4, 2013

Hi, here is the combofix log.

ComboFix 13-07-03.01 - End User 04/07/2013 12:58:27.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.374 [GMT 1:00]

Running from: e:\new folder\ComboFix.exe

AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\AMMYY

c:\documents and settings\All Users\Application Data\AMMYY\hr

c:\documents and settings\All Users\Application Data\AMMYY\hr3

c:\documents and settings\All Users\Application Data\AMMYY\settings3.bin

.

((((((((((((((((((((((((( Files Created from 2013-06-04 to 2013-07-04 )))))))))))))))))))))))))))))))

.

2013-07-02 10:57 . 2013-07-02 10:57 -------- d-----w- c:\windows\Sun

2013-07-02 10:53 . 2013-07-02 10:52 144896 ----a-w- c:\windows\system32\javacpl.cpl

2013-07-02 10:53 . 2013-07-02 10:52 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-07-02 10:52 . 2013-07-02 10:52 -------- d-----w- c:\program files\Java

2013-07-02 10:50 . 2013-07-02 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2013-07-02 08:56 . 2013-07-02 08:56 53248 ----a-w- c:\windows\system32\zlib.dll

2013-07-01 19:57 . 2013-07-01 19:57 -------- d-----w- C:\Stinger_Quarantine

2013-07-01 19:56 . 2013-07-01 21:40 -------- d-----w- c:\program files\stinger

2013-07-01 19:45 . 2013-07-01 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)

2013-07-01 19:44 . 2013-07-01 19:44 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-07-01 19:36 . 2013-07-01 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-07-01 19:26 . 2013-07-01 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2013-07-01 19:20 . 2013-07-01 19:20 -------- d-sh--w- c:\documents and settings\End User\IECompatCache

2013-07-01 18:21 . 2001-08-17 12:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2013-07-01 18:21 . 2001-08-17 12:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2013-07-01 18:21 . 2001-08-17 13:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2013-07-01 18:21 . 2001-08-17 13:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys

2013-06-26 12:50 . 2013-06-26 12:50 -------- d-sh--w- c:\documents and settings\End User\PrivacIE

2013-06-26 12:48 . 2013-06-26 12:48 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2013-06-26 12:48 . 2013-06-26 12:48 -------- d-sh--w- c:\documents and settings\End User\IETldCache

2013-06-26 12:44 . 2013-06-26 12:46 -------- dc-h--w- c:\windows\ie8

2013-06-26 12:03 . 2013-06-26 12:04 -------- d-----w- C:\d3dbeda7c5cdcecdc079ab6d

2013-06-22 18:43 . 2013-06-22 19:01 -------- d-----w- c:\program files\Common Files\Symantec Shared

2013-06-22 18:43 . 2013-06-22 18:43 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2013-06-22 18:43 . 2013-06-22 18:43 -------- d-----w- c:\program files\Symantec

2013-06-22 18:42 . 2013-06-22 18:42 -------- d-----w- c:\windows\system32\drivers\NIS

2013-06-22 18:42 . 2013-06-22 18:42 -------- d-----w- c:\program files\Norton Internet Security

2013-06-22 18:42 . 2013-06-22 18:42 -------- d-----w- c:\program files\NortonInstaller

2013-06-22 18:37 . 2013-06-22 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2013-06-22 12:02 . 2013-06-22 12:02 -------- d-----w- c:\program files\SpyAlert

2013-06-18 15:14 . 2013-06-18 15:14 102448 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2013-06-06 09:47 . 2013-06-06 09:48 -------- d-----w- c:\program files\CCleaner

2013-06-06 09:14 . 2013-06-12 09:22 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-06-06 09:14 . 2013-06-12 09:22 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-06-06 08:24 . 2013-06-25 10:37 -------- d-----w- c:\documents and settings\End User\Local Settings\Application Data\LogMeIn Rescue Calling Card

2013-06-06 07:58 . 2013-06-06 07:58 -------- d-----w- c:\documents and settings\End User\Application Data\Malwarebytes

2013-06-06 07:57 . 2013-06-23 09:20 -------- d-----w- c:\program files\LogMeIn Rescue Calling Card

2013-06-06 07:57 . 2013-06-06 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2013-06-06 07:57 . 2013-04-04 13:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-06-06 07:34 . 2013-06-26 12:37 -------- d-----w- c:\documents and settings\End User\Local Settings\Application Data\LogMeIn Rescue Applet

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-07-02 10:52 . 2013-05-28 09:03 867240 ----a-w- c:\windows\system32\npDeployJava1.dll

2013-07-02 10:52 . 2013-05-17 18:56 789416 ----a-w- c:\windows\system32\deployJava1.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]

"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

.

c:\documents and settings\End User\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]

REALTEK Wireless LAN Utility.lnk - c:\program files\REALTEK Wireless LAN Software\RtWLan.exe /H [2012-12-12 897024]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\REALTEK Wireless LAN Software\\RtWLan.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot

"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot

"53:UDP"= 53:UDP:Realtek AP UDP Prot

.

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [18/06/2013 16:14 102448]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1404000.028\SymDS.sys [22/06/2013 19:43 367704]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1404000.028\SymEFA.sys [22/06/2013 19:43 934488]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\BASHDefs\20130702.001\BHDrvx86.sys [02/07/2013 19:30 1002072]

R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NIS\1404000.028\ccSetx86.sys [22/06/2013 19:43 134744]

R1 RapportCerberus_53984;RapportCerberus_53984;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\53984\RapportCerberus32_53984.sys [28/05/2013 10:12 317424]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [18/06/2013 16:14 103120]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [18/06/2013 16:14 174320]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1404000.028\Ironx86.sys [22/06/2013 19:43 175264]

R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [22/06/2013 19:43 144368]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [18/06/2013 16:14 1124632]

R2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe [19/05/2009 11:39 66792]

R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [28/02/2006 13:00 14336]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [22/06/2013 19:44 106656]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\IPSDefs\20130703.001\IDSXpx86.sys [04/07/2013 12:44 373728]

R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [12/12/2012 11:15 530664]

R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [12/12/2012 11:06 233512]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [12/12/2012 11:06 238464]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/12/2012 11:04 1684736]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [01/07/2013 20:44 35144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

yksvcs REG_MULTI_SZ yksvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-07-04 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-06 09:22]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\End User\Application Data\Mozilla\Firefox\Profiles\oucvv0y8.default\

FF - prefs.js: browser.search.selectedEngine - Norton Safe Search

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - ExtSQL: 2013-06-22 19:45; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\coFFPlgn

FF - ExtSQL: 2013-06-22 19:45; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\IPSFFPlgn

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-BsScanner

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-07-04 13:08

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"

.

Completion time: 2013-07-04 13:11:36

ComboFix-quarantined-files.txt 2013-07-04 12:11

.

Pre-Run: 151,202,447,360 bytes free

Post-Run: 151,198,285,824 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - DD5793954677DFFE0776A508196A3B10

8F558EB6672622401DA993E1E865C861

Egarrim · July 4, 2013

Sorry just realized my mistake, i didnt run from desktop will post correct log shortly.

Egarrim · July 4, 2013

Here is the second log run from the desktiop

ComboFix 13-07-03.01 - End User 04/07/2013 13:19:37.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.314 [GMT 1:00]

Running from: c:\documents and settings\End User\Desktop\ComboFix.exe