A New Version of "Vundo"?

Unread postby Old&InTheWay » November 2nd, 2009, 5:11 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:07 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\AOL\1181529228\ee\aolsoftware.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AOL 9.1a\waol.exe
C:\Program Files\AOL 9.1a\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} (RSClientPrint 2005 Class) - https://www.marylandsail.org/Reserved.R ... e=PrintCab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9320678625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9320540046
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O20 - Winlogon Notify: GoToAssist - C:\WINDOWS\
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--
End of file - 7393 bytes

<<------------------------------------------------------------------------------------>>

There is a hidden folder named "RECYCLER" that appears in the root directories of all of my hard disks (3) when I open any of these: Internet Explorer 8.0, Firefox 3.5.4, Outlook Express, or the Recycle Bin on my desktop. I have written a quick batch file that deletes these directories, so now my "startup routine" is: Right-Click on Recycle Bin, select Properties, check the box for "Remove Files Immediately When Deleted" and then run my little "RECYCLER"-remover. Then my machine seems to run normally until I restart it again.

***In the registry there are two very strange-looking keys:

HKEY_USERS\S-1-5-21-1390067357-1645522239-839522115-1003
and
HKEY_USERS\S-1-5-21-1390067357-1645522239-839522115-1003_Classes

When I look at the sub-keys of S-1-5-21-1390067357-1645522239-839522115-1003
I am horrified: there's a SYSTEM key and other XP-internally-looking keys.

I cannot export the HKLM, HKU, or HKCC hives: I get an "access denied" error in response.

The key "Files Not To Back Up" is empty, which doesn't sound right to me at all.

I can sit on this for the time being with my "startup (dance) routine".

I have downloaded, but have not run, ComboFix.exe (I do pay attention.)
Thanks!
John
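The two HKEY_USERS keys and the SID-named sub-folder of RECYCLER that the post above asks about can be read from the SID itself: S-1-5-21-<three machine-specific numbers>-<RID> is a local (or domain) account SID, RID 500 is the built-in Administrator, 501 the Guest, and RIDs from 1000 upward are accounts created on that machine; HKEY_USERS\<SID> is that user's loaded NTUSER.DAT hive, HKEY_USERS\<SID>_Classes is the per-user Software\Classes hive (UsrClass.dat), and on an NTFS volume under XP C:\RECYCLER\<SID> is that user's own recycle-bin sub-folder, so a SID-named entry there is expected. The Python below is an added example, not code from the thread: it parses SIDs, describes them, and audits a RECYCLER listing against the hives loaded under HKEY_USERS. The 1003 SID is the one quoted in the post; the other hive names, the RECYCLER listing and the foreign-machine-id entry holding an .exe are constructed sample data.

```python
"""Classify Windows account SIDs and audit RECYCLER sub-folders by SID.
Added example: the 1003 SID is the one quoted in the post; everything
else in the sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known SIDs that appear as HKEY_USERS sub-keys on every XP machine.
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem (SYSTEM)",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}
# Fixed RIDs inside a machine SID (S-1-5-21-X-Y-Z-RID).
FIXED_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> Optional["Sid"]:
        m = SID_RE.match(text)
        if not m:
            return None
        subs = tuple(int(s) for s in m.group(3).split("-")[1:])
        return cls(int(m.group(1)), int(m.group(2)), subs)

    @property
    def is_account(self) -> bool:
        # S-1-5-21-<machine id, 3 parts>-<RID>: a local or domain account
        return (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)

    @property
    def machine_id(self) -> Optional[Tuple[int, ...]]:
        return self.subauthorities[1:4] if self.is_account else None

    @property
    def rid(self) -> Optional[int]:
        return self.subauthorities[4] if self.is_account else None


def describe(text: str) -> str:
    """Human-readable meaning of a HKEY_USERS sub-key or RECYCLER folder name."""
    if text.endswith("_Classes"):
        return "per-user Software\\Classes hive (UsrClass.dat) of: " + describe(text[:-8])
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    sid = Sid.parse(text)
    if sid is None:
        return "not a SID"
    if not sid.is_account:
        return "other well-known or service SID"
    if sid.rid in FIXED_RIDS:
        return FIXED_RIDS[sid.rid]
    if sid.rid >= 1000:
        return f"account created on this machine or domain (RID {sid.rid})"
    return f"reserved RID {sid.rid}"


def audit_recycler(entries: Dict[str, List[str]], loaded_hives: List[str]) -> List[str]:
    """Flag RECYCLER sub-folders not named by an account SID, whose machine id
    differs from every loaded user hive, or that hold executables."""
    machine_ids = set()
    for hive in loaded_hives:
        sid = Sid.parse(hive)
        if sid is not None and sid.is_account:
            machine_ids.add(sid.machine_id)
    findings = []
    for name, files in entries.items():
        sid = Sid.parse(name)
        if sid is None or not sid.is_account:
            findings.append(f"{name}: folder name is not an account SID")
            continue
        if sid.machine_id not in machine_ids:
            findings.append(f"{name}: machine id differs from every loaded user hive")
        exes = [f for f in files if f.lower().endswith((".exe", ".dll", ".scr", ".com"))]
        if exes:
            findings.append(f"{name}: holds executables {exes}")
    return findings


# Constructed sample: HKEY_USERS sub-keys as they would appear on the poster's
# machine (only the 1003 SID is quoted in the post) and a RECYCLER listing.
SAMPLE_HIVES = [
    ".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20",
    "S-1-5-21-1390067357-1645522239-839522115-1003",
    "S-1-5-21-1390067357-1645522239-839522115-1003_Classes",
]
SAMPLE_RECYCLER = {
    "S-1-5-21-1390067357-1645522239-839522115-1003": ["desktop.ini", "Dc1.doc"],
    "S-1-5-21-1390067357-1645522239-839522115-500": ["desktop.ini"],
    # constructed: foreign machine id and an executable parked in the bin
    "S-1-5-21-4242-4242-4242-1003": ["desktop.ini", "svchost.exe"],
}

if __name__ == "__main__":
    for key in SAMPLE_HIVES:
        print(f"{key:55} {describe(key)}")
    for finding in audit_recycler(SAMPLE_RECYCLER, SAMPLE_HIVES):
        print("FLAG", finding)
```

A sub-folder for RID 500 with no matching loaded hive is normal (the Administrator profile exists but is not logged on); the audit only flags a name that is not an account SID, a machine id that matches none of the logged-on users, or executables sitting in the bin, which is where a closer look is worth the time.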

Re: A New Version of "Vundo"?

Unread postby askey127 » November 5th, 2009, 5:42 pm

Hi Old&InTheWay,
Please, DO NOT run your Start Up program while we are working on your machine.
Also, please do not Install, Run or Remove anything unless I ask.
I am trying to keep track of what's on there and what's not, and this will help a great deal.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Spybot S&D

If it asks whether you want to remove all the settings, answer YES.
You can re-install it if you wish, when we are through.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O15 - Trusted Zone: http://*.mcafee.com
O20 - Winlogon Notify: GoToAssist - C:\WINDOWS\

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT Your Machine
----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware
Please go here to the Download Location, click on Download.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Choose Desktop as the location to save the installer and click Save again.
  • You should now have a desktop icon named mbam-setup.exe. Double-click it.
  • Let it install the program where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2009-mm-dd(hour-min-sec).txt
  • You can now delete the installer icon, named mbam-setup.exe from your desktop.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.

So we are looking for the Installed programs list from HiJackThis and the log from Malwarebytes Anti-Malware.
askey127
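The three entries askey127 singled out above (the about:blank start page, the O15 Trusted Zone, and the O20 Winlogon Notify entry whose target is a bare directory) are the kind a triage script can pull out of a HijackThis log mechanically. The Python below is an added example, not a tool from the thread or from Trend Micro: it parses HijackThis entry lines, applies a small rule set (about:blank start or search pages; any Trusted Zone entry, since that zone runs with lower IE security; Winlogon Notify packages without a .dll target, which matter because Notify DLLs are loaded into winlogon.exe at logon; O23 services marked "file missing"; O16 ActiveX controls fetched from hosts outside an allow-list) and runs it over lines copied from the log above. The allow-list of download hosts and the rules are my own assumptions, not HijackThis conventions, and the script deliberately does not judge O2 BHO entries, which need a CLSID and file lookup rather than a pattern.

```python
"""Triage a HijackThis v2 log. Added example, not a Trend Micro tool: the
rules and the allow-list below are my own assumptions; the sample lines
are copied from the log posted in the thread."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    code: str
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# Hosts from which O16 (Download Program Files, i.e. ActiveX) controls are
# expected on this machine; an assumption, not a HijackThis list.
TRUSTED_DPF_HOSTS = ("update.microsoft.com", "macromedia.com", "adobe.com", "live.com")


def host_of(text: str) -> str:
    m = re.search(r"https?://([^/\s]+)", text)
    return m.group(1).lower() if m else ""


def is_trusted_host(host: str) -> bool:
    # suffix match on a label boundary, so "xlive.com" does not match "live.com"
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage_line(line: str) -> List[Finding]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, body = m.groups()
    out: List[Finding] = []
    if code in ("R0", "R1") and body.endswith("= about:blank"):
        out.append(Finding(code, "IE start/search page set to about:blank", line))
    elif code == "O15":
        out.append(Finding(code, "Trusted Zone entry lowers IE security for this host", line))
    elif code == "O20" and body.startswith("Winlogon Notify:"):
        # Notify packages are DLLs loaded into winlogon.exe at logon; an entry
        # whose target is a bare directory or a non-DLL is dangling or malformed.
        target = body.split(" - ", 1)[-1].strip()
        if not target.lower().endswith(".dll"):
            out.append(Finding(code, "Winlogon Notify entry without a DLL target", line))
    elif code == "O23" and body.endswith("(file missing)"):
        out.append(Finding(code, "service registered but its binary is absent", line))
    elif code == "O16":
        host = host_of(body) or "(no URL)"
        if not is_trusted_host(host):
            out.append(Finding(code, f"ActiveX control downloaded from {host}", line))
    return out


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log.splitlines():
        findings.extend(triage_line(line))
    return findings


# Lines copied from the HijackThis log in the thread (URLs truncated as posted).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9320678625
O20 - Winlogon Notify: GoToAssist - C:\WINDOWS\
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line.strip()}")
```

On the sample, the script reports exactly the R0, O15 and O20 lines the helper asked to fix, plus the dangling GoToAssist service and the Bebo ActiveX control, and stays silent on the McAfee BHO, the SoundMan Run entry, the empty HKLM start page and the Microsoft Update control.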

Re: A New Version of "Vundo"?

Unread postby Old&InTheWay » November 5th, 2009, 7:11 pm

I am sorry but I didn't know what the black dot in my posting icon meant (it wasn't in the legend below), so I presumed it had been "blackmarked" because my user name contains an ampersand and that my site registration had been rejected (which is what happened on BleepingComputer.com).

The current status is that Add/Remove Programs hasn't worked since I tried to uninstall Nero 7 Essentials several weeks ago, which is when the first "blatant" problem appeared. Nero acknowledged that they could be responsible and made some cursory suggestions. I'll never install Nero again (I've moved to Roxio). I would have removed Spybot first if I could have. I had noted two minor incidents in the past month or so: a somewhat strange-looking Java update and more disk activity than there should have been.

I have completely purged (i.e., re-partitioned and hard-formatted) my secondary system disk drive (Western Digital, 80GB) after disconnecting the primary system drive (Seagate 80GB) from IDE channel 0. I also disconnected the primary data drive (SATA channel 1). This left no way for the malware to access the newly re-built system disk drive (which I am running as I write).

I am awaiting the arrival (on or about Wednesday, 11/11/2009) of a second SATA disk (channel 2), which will be the secondary data disk, and will allow me to create an Automated System Recovery of the secondary system disk that I can use if the newly-rebuilt secondary system becomes infected as I attempt to recover my personal data from the primary data drive (SATA 1).
Note: SATA 2 will be disconnected before SATA1 is reconnected.

As I thought I was on my own, I just went ahead with my own "catastrophe recovery plan", which is why I have two system disks!

I do have two questions I should like answered, briefly if possible, as a favor.

1. Is the Registry key HKEY_USERS\S-1-5-21-xxxxxxxxx-yyyyyyyyy-zzzzzzzzz\ a "super user" (the equivalent of the VMS user "System", for example) and part of the XP installation proper, or is this key related to malware?

2. With the hidden and system files set to "visible", should an "emptied Recycle bin" (C:\RECYCLER) still contain a second "recycle bin icon" labeled S-1-5-21-xxxxxxxxx-yyyyyyyyy-zzzzzzzzz?

Below I'll post all of the diagnostic logs I have to date. You'll forgive me, but the plethora of new postings led me to suspect there's been a large outbreak of this malware, and others needed your help more than I did, and of course, I mistakenly believed my first post had been "marked for delete" and I don't believe I saw any replies, just about a dozen views.

With much gratitude,
John

THIS FIRST LOG (only) IS A DUPLICATE FROM THE ORIGINAL POSTING!

NEW LOGS FOLLOW!

Malwarebytes' Anti-Malware 1.41
Database version: 3082
Windows 5.1.2600 Service Pack 3

11/2/2009 9:35:07 AM
mbam-log-2009-11-02 (09-34-57).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 226529
Time elapsed: 1 hour(s), 57 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

<<------------------------------------------------------------------------------->>
I did go in and manually fix those two registry entries above, and that worked!
<<------------------------------------------------------------------------------->>

Better I should "come clean" (you'll recall I mistakenly believed I was "on my own"):

ComboFix 09-11-01.04 - John 11/03/2009 2:54.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.669 [GMT -5:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\command
c:\windows\desktop
c:\windows\system32\Cache

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-03 07:37 . 2009-11-03 07:37 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Threat Expert
2009-11-02 07:12 . 2009-11-02 07:12 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-11-02 07:12 . 2009-11-02 07:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-01 18:23 . 2009-11-01 18:23 -------- d-----w- c:\program files\Trend Micro
2009-11-01 01:51 . 2009-11-01 01:53 175 ----a-w- C:\RECYCLER.bat
2009-10-31 22:07 . 2009-10-31 22:11 317 ----a-w- C:\RVclean1.bat
2009-10-31 17:38 . 2009-10-31 17:47 323 ----a-w- C:\RVclean0.bat
2009-10-22 08:52 . 2009-10-22 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
2009-10-21 04:58 . 2009-10-21 05:13 19569 ----a-w- c:\windows\hpqins13.dat
2009-10-20 19:16 . 2009-10-20 19:20 -------- d-----w- C:\RegBack
2009-10-20 19:02 . 2009-10-20 19:15 -------- d-----w- c:\program files\ACW
2009-10-20 13:09 . 2009-10-20 13:09 -------- d-----w- c:\program files\MSXML 4.0
2009-10-20 04:11 . 2009-10-25 07:15 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-15 22:02 . 2009-09-06 07:09 126976 -c----w- c:\windows\system32\dllcache\ftpsvc2.dll
2009-10-14 07:30 . 2009-10-14 07:30 -------- d-----w- c:\program files\SmartPCTools
2009-10-13 15:01 . 2009-10-13 15:01 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\AIM
2009-10-10 07:34 . 2007-10-16 19:49 3077416 ----a-w- c:\windows\system32\AdvrCntr2D6E0B790.dll
2009-10-10 07:33 . 2007-10-16 19:49 1000744 ----a-w- c:\windows\system32\ShellManager10E2D762.dll
2009-10-09 04:40 . 2009-10-09 04:48 116891 ----a-w- c:\windows\hpqins00.dat
2009-10-09 04:20 . 2009-10-19 07:11 -------- d-----w- c:\documents and settings\John\Application Data\HpUpdate
2009-10-09 04:20 . 2009-10-09 04:20 -------- d-----w- c:\windows\Hewlett-Packard
2009-10-08 22:07 . 2009-10-08 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-08 21:21 . 2009-10-08 21:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-10-08 21:12 . 2009-10-08 21:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-08 21:09 . 2009-10-08 21:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 07:43 . 2007-01-13 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-03 07:38 . 2009-06-10 02:29 -------- d-----w- c:\program files\IObit
2009-11-03 07:38 . 2009-06-24 18:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 21:09 . 2009-06-09 03:58 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-02 21:02 . 2006-01-16 12:38 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-22 08:51 . 2006-07-15 02:42 39280 -c--a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 22:39 . 2009-05-02 02:51 -------- d-----w- c:\program files\Common Files\Kodak
2009-10-17 15:44 . 2006-07-09 21:03 -------- d-----w- c:\program files\Yahoo!
2009-10-13 03:43 . 2007-02-27 21:26 -------- d-----w- c:\documents and settings\John\Application Data\Yahoo!
2009-10-13 03:43 . 2006-07-15 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-10-13 03:42 . 2007-01-18 14:32 -------- d-----w- c:\documents and settings\John\Application Data\Viewpoint
2009-10-13 03:42 . 2006-07-15 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-13 03:34 . 2009-05-27 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-10-09 04:29 . 2006-07-15 21:53 -------- d-----w- c:\program files\Java
2009-10-09 04:23 . 2006-07-11 23:48 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-09 04:20 . 2007-03-04 19:51 -------- d-----w- c:\program files\HP
2009-10-06 07:09 . 2009-06-10 02:29 -------- d-----w- c:\documents and settings\John\Application Data\IObit
2009-10-03 18:26 . 2009-10-03 18:26 -------- d-----w- c:\program files\Citrix
2009-09-16 14:22 . 2009-09-26 16:55 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-09-26 16:55 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-09-26 16:55 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-07-08 17:44 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-09-26 16:49 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2007-07-27 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 20:14 . 2009-04-04 16:55 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2007-07-27 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2007-07-27 12:00 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-16 14:42 . 2008-03-13 17:55 1040 -c-ha-w- c:\documents and settings\John\hpothb07.dat
2009-08-11 23:16 . 2009-08-11 23:01 129108 ------w- c:\windows\hpiins06.dat
2009-08-06 23:24 . 2006-07-15 01:24 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-05-26 08:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-07-15 01:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-07-15 01:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2006-07-15 01:07 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2007-07-27 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-07-15 01:24 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2007-07-22 00:08 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2006-07-15 01:07 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 23:23 . 2005-05-26 08:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2007-07-27 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 -c----w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 -c----w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 -c----w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 -c----w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 -c----w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 -c----w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):6c,6f,67,6f,6e,75,69,2e,65,78,65,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\John\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InCDsrvR"=2 (0x2)
"NBService"=3 (0x3)
"InCDsrv"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"stllssvr"=3 (0x3)
"SeaPort"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"NMIndexingService"=3 (0x3)
"KodakCCS"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"GoToAssist"=3 (0x3)
"fsssvc"=3 (0x3)
"AOL ACS"=2 (0x2)
"ACDaemon"=3 (0x3)
"Brother XP spl Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\AOL 9.1a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1181529228\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [4/4/2009 11:54 AM 55152]
S4 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\Daily System.job
- c:\windows\system32\ntbackup.exe [2007-07-27 00:12]

2009-11-02 c:\windows\Tasks\Daily User.job
- c:\windows\system32\ntbackup.exe [2007-07-27 00:12]

2009-11-02 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2007-07-27 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://www.marylandsail.org/Reserved.R ... e=PrintCab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\5xb6gfy6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/sli ... pe=&query=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... pe=&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
Notify-GoToAssist - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 03:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1645522239-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3884)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\msdtc.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-03 3:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-03 08:23

Pre-Run: 49,222,221,824 bytes free
Post-Run: 49,089,724,928 bytes free

- - End Of File - - E5F1A3AEE3D517E92403A1A054796F35

<<------------------------------------------------------------------------------->>

So, the status quo is that "ComboFix" seemed to have run without any hitches,
and I did nothing more as follow up, other than to make copies of data files on the infected primary system disk and place them onto the infected primary data disk, which is not bootable and contains no system files except for the System Volume Information and probably another re-created "RECYCLER" folder in the root directory.

I can quickly disconnect the newly re-built secondary system disk and reconnect the primary system and data disks if this situation can be easily salvaged. Any advice at all would be much appreciated, and my apologies again for violating "The Prime Directive" (of ComboFix.exe).

Thank you again! :-) /jls
Old&InTheWay
Active Member
 
Posts: 3
Joined: November 1st, 2009, 2:12 pm

Re: A New Version of "Vundo"?

Unread postby askey127 » November 5th, 2009, 9:59 pm

Old&IntheWay,
We are not a systems/hardware site.
I must say it would not be effective for me to work on that system issue with you.
I have no idea at the moment, because of all the software and hardware changes, what the status of your system is.
All these have experts in systems analysis:
Good System/Hardware Help Forums
GeekstoGo here: http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html
or
Computer Trouble here: http://forum.computertrouble.co.uk/index.php
or
TechSupportGuy here : http://forums.techguy.org/21-windows-nt-2000-xp/

All may require you to register free before posting for help.
Sorry, but I don't think we can be of further help to you.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A New Version of "Vundo"?

Unread postby Old&InTheWay » November 5th, 2009, 10:32 pm

Much thanks for the assistance, and sorry for the confusion.

I wish you all well. You may delete this post if you wish.

John
Old&InTheWay
Active Member
 
Posts: 3
Joined: November 1st, 2009, 2:12 pm

Re: A New Version of "Vundo"?

Unread postby askey127 » November 6th, 2009, 6:36 am

This topic is now closed.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA