
Infected with Boot.Tidserv.B


  • This topic is locked
7 replies to this topic

#1 SC268

SC268

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:53 PM

Posted 12 February 2011 - 04:44 AM

Hello,
I have Norton 360, but I let it lapse for about a week before renewing. Internet Explorer wound up going into safe mode and we could not get on the internet. I made a Norton boot disc which caught the problem but couldn't fix it. Logs are below.

Thank you.




DDS (Ver_10-12-12.02) - NTFSx86
Run by JackB at 8:03:48.28 on Thu 02/10/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.431 [GMT -6:00]

AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdpserv.exe
C:\WINDOWS\system32\lxdpcoms.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Winferno\WSS\WSS.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Lexmark Z2300 Series\lxdpMsdMon.exe
C:\Program Files\SelectRebates\SelectRebates.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\JackB\Application Data\U3\0000186265736950\LaunchPad.exe
C:\Documents and Settings\JackB\Desktop\malware removal\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwZp95Uj5JDwuVKldGH9e+GVQklSvnLJo8dljHdywmipiTU6j/qsR4cuLc8pAL2Tnco/RY0uKuvBKTvoML3lkKQyO31pCGpSonkGyX//gUTy0=
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: H - No File
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: (Gaming)2: {971f630e-ad68-4d6e-b0c3-1c627aac80f1} - c:\program files\gamingsquared\gaming2\G2IE_v1042.dll
BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {9FB3908C-6565-4CB0-95F8-E9F85258723C} - No File
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
TB: ShopAtHome Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [lxdpamon] "c:\program files\lexmark z2300 series\lxdpamon.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SelectRebates] c:\program files\selectrebates\SelectRebates.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?s=100000336&p=ZRxdm4293DUS&si=&a=VY4k.VRDJKiahU6_Ex8IzA&n=2010072514
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli scecli
IFEO: chrome.exe - iesafemode.exe -sb
IFEO: firefox.exe - iesafemode.exe -sb
IFEO: iexplore.exe - iesafemode.exe -sb
IFEO: opera.exe - iesafemode.exe -sb
IFEO: safari.exe - iesafemode.exe -sb

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-12-14 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-12-14 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-12-14 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20110204.001\IDSXpx86.sys [2011-2-4 341944]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [2010-2-11 98984]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-12-14 117640]
R2 Winferno Subscription Service;Winferno Subscription Service;c:\program files\common files\winferno\wss\WSS.exe [2011-2-5 139264]
R3 EraserUtilDrvI10;EraserUtilDrvI10;c:\program files\common files\symantec shared\eengine\EraserUtilDrvI10.sys [2011-2-5 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110205.002\NAVENG.SYS [2011-2-5 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110205.002\NAVEX15.SYS [2011-2-5 1360760]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2010-7-25 28762]
S2 PhoneTreeUSB;PhoneTree USB Driver (phontree.sys);c:\windows\system32\drivers\PhonTrnt.sys [2006-9-13 27776]
S2 PTHardLoader;PhoneTree USB Loader Driver (pthloadr.sys);c:\windows\system32\drivers\PTHLdrnt.sys [2006-9-13 19167]

=============== Created Last 30 ================

2011-02-05 22:24:18 -------- d-----w- C:\NBRT
2011-02-05 19:59:35 495616 ----a-w- c:\windows\system32\WINUTIL5.DLL
2011-02-05 19:59:35 393216 ----a-w- c:\windows\system32\WINLCTL5.DLL
2011-02-05 19:59:33 835584 ----a-w- c:\windows\system32\WINCTL4.OCX
2011-02-05 19:59:30 -------- d-----w- c:\program files\common files\Winferno
2011-02-05 19:58:34 499785 ----a-w- c:\windows\system32\WINUTIL8.DLL
2011-02-05 19:58:33 393216 ----a-w- c:\windows\system32\WINLCTL6.DLL
2011-02-05 19:58:32 835656 ----a-w- c:\windows\system32\WINCTL5.OCX
2011-02-05 19:58:31 425984 ----a-w- c:\windows\system32\WinCMR.dll
2011-02-05 19:58:04 -------- d-----w- c:\program files\Winferno
2011-02-05 18:29:59 72192 ----a-w- c:\windows\system32\dllcache\taskkill.exe
2011-02-05 18:28:58 69120 ----a-w- c:\windows\system32\dllcache\ciodm.dll
2011-02-05 18:27:59 1494528 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2011-02-02 15:00:06 1690624 ----a-w- c:\windows\system32\iesafemode.exe
2011-02-02 14:59:45 -------- d-----w- c:\program files\AVG Antivirus 2011
2011-01-25 13:31:49 -------- d-----w- c:\program files\iPod
2011-01-25 13:31:18 -------- d-----w- c:\program files\iTunes
2011-01-25 13:16:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-01-25 13:16:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-01-25 13:16:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-01-25 13:16:30 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-01-25 13:16:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-01-25 13:16:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-01-25 13:16:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

==================== Find3M ====================

2010-12-15 01:37:36 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-15 01:36:50 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-12-01 18:32:43 2050190 ----a-w- c:\documents and settings\all users\SPL71E.tmp
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST360020A rev.3.39 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F205DC]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f267b8]; MOV EAX, [0x86f26834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86FCFAB8]
3 CLASSPNP[0xF750405B] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000069[0x86FD3E98]
5 ACPI[0xF745A620] -> nt!IofCallDriver[0x804E37D5] -> [0x86F7D940]
\Driver\atapi[0x86F63730] -> IRP_MJ_CREATE -> 0x86F205DC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST360020A_______________________________3.39____#45353058354b4b35202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F20422
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 8:07:09.15 ===============

#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:53 PM

Posted 12 February 2011 - 04:22 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#3 SC268

SC268
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:53 PM

Posted 13 February 2011 - 07:33 PM

Thanks so much! Upon launch of ComboFix, the computer opened 30 Internet Explorer windows. I wasn't connected to the internet, so I don't know where it was trying to go. Anyway, ComboFix found and fixed some problems. After it got finished (and rebooted several times), I ran Norton 360 again. It found Trojan.Gen, but "resolved" it. Upon another reboot, it found the same, and again took care of it. Now it cannot find it, so it looks to be working fine. At least I can access the internet again.

The ComboFix.txt contents are below.



---------------------------------------
ComboFix 11-02-12.01 - JackB 02/13/2011 0:44.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.711 [GMT -6:00]
Running from: c:\documents and settings\JackB\Desktop\CFix.exe
Command switches used :: c:\documents and settings\JackB\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2011-01-13 to 2011-02-13 )))))))))))))))))))))))))))))))
.

2011-02-13 06:51 . 2011-02-13 06:51 -------- d-----w- c:\documents and settings\JackB\Local Settings\Application Data\Symantec
2011-02-11 04:30 . 2011-02-11 04:31 -------- d-----w- C:\CFix
2011-02-05 22:24 . 2011-02-05 22:26 -------- d-----w- C:\NBRT
2011-02-05 19:59 . 2009-04-13 16:18 495616 ----a-w- c:\windows\system32\WINUTIL5.DLL
2011-02-05 19:59 . 2006-03-31 20:36 393216 ----a-w- c:\windows\system32\WINLCTL5.DLL
2011-02-05 19:59 . 2008-06-02 15:38 835584 ----a-w- c:\windows\system32\WINCTL4.OCX
2011-02-05 19:59 . 2011-02-05 19:59 -------- d-----w- c:\program files\Common Files\Winferno
2011-02-05 19:58 . 2010-10-26 17:07 499785 ----a-w- c:\windows\system32\WINUTIL8.DLL
2011-02-05 19:58 . 2008-12-26 19:13 393216 ----a-w- c:\windows\system32\WINLCTL6.DLL
2011-02-05 19:58 . 2010-09-01 22:59 835656 ----a-w- c:\windows\system32\WINCTL5.OCX
2011-02-05 19:58 . 2010-09-02 17:22 425984 ----a-w- c:\windows\system32\WinCMR.dll
2011-02-05 19:58 . 2011-02-05 19:58 -------- d-----w- c:\program files\Winferno
2011-02-05 18:29 . 2006-10-13 12:35 65536 ----a-w- c:\windows\system32\dllcache\nwwks.dll
2011-02-05 18:28 . 2006-06-22 05:06 69120 ----a-w- c:\windows\system32\dllcache\ciodm.dll
2011-02-05 18:27 . 2007-08-22 13:12 1494528 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2011-02-02 15:00 . 2011-02-02 15:00 1690624 ----a-w- c:\windows\system32\iesafemode.exe
2011-01-25 13:31 . 2011-01-25 13:31 -------- d-----w- c:\program files\iPod
2011-01-25 13:31 . 2011-01-25 13:33 -------- d-----w- c:\program files\iTunes
2011-01-25 13:16 . 2011-01-25 13:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-01-25 13:16 . 2011-01-25 13:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-01-25 13:16 . 2011-01-25 13:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-01-25 13:16 . 2011-01-25 13:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-01-25 13:16 . 2011-01-25 13:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-01-25 13:16 . 2011-01-25 13:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-01-25 13:16 . 2011-01-25 13:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-01-25 13:14 . 2011-01-25 13:16 -------- d-----w- c:\program files\QuickTime
2011-01-23 01:12 . 2011-02-11 04:21 -------- d-----w- c:\documents and settings\JackB\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 01:37 . 2010-12-15 01:37 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-15 01:37 . 2010-12-15 01:37 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-15 01:37 . 2010-12-15 05:21 217136 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-12-15 01:37 . 2010-12-15 05:21 48688 ----a-w- c:\windows\system32\drivers\N360\0308000.029\symndisv.sys
2010-12-15 01:37 . 2010-12-15 05:21 36400 ----a-w- c:\windows\system32\drivers\N360\0308000.029\symndis.sys
2010-12-15 01:37 . 2010-12-15 05:21 33072 ----a-w- c:\windows\system32\drivers\N360\0308000.029\symids.sys
2010-12-15 01:37 . 2010-12-15 05:21 89904 ----a-w- c:\windows\system32\drivers\N360\0308000.029\symfw.sys
2010-12-15 01:37 . 2010-12-15 05:21 310320 ----a-w- c:\windows\system32\drivers\SymEFA.sys
2010-12-15 01:37 . 2010-12-15 05:21 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-12-15 01:37 . 2010-12-15 05:21 308272 ----a-w- c:\windows\system32\drivers\N360\0308000.029\srtsp.sys
2010-12-15 01:37 . 2010-12-15 05:21 482432 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-12-15 01:37 . 2010-12-15 01:37 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-12-15 01:37 . 2006-09-19 21:44 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-15 01:37 . 2010-12-15 05:21 259632 ----a-w- c:\windows\system32\drivers\BHDrvx86.sys
2010-12-15 01:36 . 2006-10-04 00:47 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-12-01 18:32 . 2010-12-01 18:24 2050190 ----a-w- c:\documents and settings\All Users\SPL71E.tmp
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
2008-03-03 23:26 635392 ----a-w- c:\program files\GamingSquared\Gaming2\G2IE_v1042.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-11-02 126976]
"lxdpamon"="c:\program files\Lexmark Z2300 Series\lxdpamon.exe" [2008-03-27 16040]
"Conime"="c:\windows\system32\conime.exe" [2004-08-04 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^JackB^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\JackB\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^JackB^Start Menu^Programs^Startup^Microsoft Office Shortcut Bar.lnk]
path=c:\documents and settings\JackB\Start Menu\Programs\Startup\Microsoft Office Shortcut Bar.lnk
backup=c:\windows\pss\Microsoft Office Shortcut Bar.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^JackB^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\JackB\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^JackB^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\JackB\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 13:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-08-04 22:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 23:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdpmon.exe]
2008-03-27 15:15 656040 ----a-w- c:\program files\Lexmark Z2300 Series\lxdpmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-05-12 20:04 196608 ----a-w- c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2005-10-24 20:53 307200 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
2010-06-30 21:46 1652736 ----a-r- c:\program files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
2003-04-30 22:21 184784 ----a-w- c:\program files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpamon.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\frun.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpwbgw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353

R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [2/11/2010 4:20 PM 98984]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [12/14/2010 11:17 PM 117640]
R2 Winferno Subscription Service;Winferno Subscription Service;c:\program files\Common Files\Winferno\WSS\WSS.exe [2/5/2011 1:59 PM 139264]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/5/2011 10:12 AM 102448]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS --> c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\N360\0308000.029\BHDrvx86.sys --> c:\windows\system32\Drivers\N360\0308000.029\BHDrvx86.sys [?]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\N360\0308000.029\ccHPx86.sys --> c:\windows\system32\Drivers\N360\0308000.029\ccHPx86.sys [?]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20110204.001\IDSXpx86.sys [2/4/2011 8:08 PM 341944]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
S2 PhoneTreeUSB;PhoneTree USB Driver (phontree.sys);c:\windows\system32\drivers\PhonTrnt.sys [9/13/2006 8:12 AM 27776]
S2 PTHardLoader;PhoneTree USB Loader Driver (pthloadr.sys);c:\windows\system32\drivers\PTHLdrnt.sys [9/13/2006 8:12 AM 19167]
.
Contents of the 'Scheduled Tasks' folder

2011-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-02-13 c:\windows\Tasks\RegPowerClean.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2011-02-05 16:41]

2011-02-05 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2011-02-05 16:41]

2011-02-13 c:\windows\Tasks\RPCReminder.job
- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2011-02-05 19:38]

2011-02-13 c:\windows\Tasks\WSSHelper.job
- c:\program files\Common Files\Winferno\WSS\WSSHelper.exe [2011-02-05 23:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwZp95Uj5JDwuVKldGH9e+GVQklSvnLJo8dljHdywmipiTU6j/qsR4cuLc8pAL2Tnco/RY0uKuvBKTvoML3lkKQyO31pCGpSonkGyX//gUTy0=
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{605B3D3F-4F33-41D0-BA27-98238E1E839F} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
Notify-dimsntfy - (no file)
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
MSConfigStartUp-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-13 00:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3784)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\lxdpcoms.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lexmark Z2300 Series\lxdpMsdMon.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-02-13 01:10:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-13 07:10

Pre-Run: 33,875,181,568 bytes free
Post-Run: 33,734,770,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 3096C435F5AE33FC06383C1502CF3D33

#4 SC268
  • Topic Starter
  • Members
  • 4 posts

Posted 13 February 2011 - 07:51 PM

I forgot a few things. It will not let me install Service Pack 3. (It is currently SP2.)

It also fails to install the following from Microsoft Updates:
"Security Update for Microsoft XML Core Services 6.0 Service Pack 2 (KB954459)", and
"Update for Microsoft XML Core Services 6.0 Service Pack 2 (KB973686)"

Also, when I shut it down, the "Turn Off" button always installs 2 updates on shutdown. It has done it on multiple consecutive shutdowns, and hasn't shut down without doing it.

Thanks.

#5 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 14 February 2011 - 03:39 PM

Good evening. :)

How long have you been trying to install Service Pack 3?

So long, and thanks for all the fish.

#6 SC268
  • Topic Starter
  • Members
  • 4 posts

Posted 15 February 2011 - 05:08 PM

I tried it a few times about a month ago before getting the boot.tidserv.b. It will inspect the system and work for about 30 minutes, then it will pop up and say that it failed. Then it takes a while to put things back the way they were. I figured it was a separate problem, but thought I'd mention it. I tried to install it a few days ago and got the same result.

#7 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 15 February 2011 - 05:53 PM

Good evening. :)

We'll worry about the slime that your PC picked up first, and play with the rest afterwards. I think a little online scan as a double check would be a good idea.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

#8 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 20 February 2011 - 03:01 PM

As there has been no response for five days this thread is now closed.
