LandzDown Forum

What's the next step?

ComboFix 09-07-20.04 - Administrator 07/21/2009  9:54.2.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1255.972.1033.18.254.112 [GMT 2:00]
Running from: c:\documents and settings\Administrator.HOME-B1BE68320F\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.HOME-B1BE68320F\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2009-06-21 to 2009-07-21  )))))))))))))))))))))))))))))))
.

2009-07-19 12:45 . 2009-07-19 12:45   --------   d-----w-   c:\documents and settings\Administrator.HOME-B1BE68320F\Application Data\ESET
2009-07-19 12:43 . 2009-07-19 12:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\ESET
2009-07-19 11:17 . 2009-07-19 11:17   --------   d-----w-   c:\program files\trend micro
2009-07-19 11:17 . 2009-07-19 11:17   --------   d-----w-   C:\rsit
2009-07-18 21:48 . 2009-07-18 21:48   --------   d-----w-   c:\program files\ESET
2009-07-18 20:02 . 2009-07-18 20:02   --------   d-----w-   c:\documents and settings\Administrator.HOME-B1BE68320F\Application Data\Malwarebytes
2009-07-18 20:02 . 2009-07-13 11:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-18 20:02 . 2009-07-18 20:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-18 20:02 . 2009-07-13 11:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 20:41 . 2007-10-11 21:58   36   ---ha-w-   c:\windows\system32\f9t.dat
2009-05-28 08:00 . 2009-05-28 08:00   56   ---ha-w-   c:\windows\system32\ezsidmv.dat
2009-05-28 08:00 . 2009-05-28 08:00   --------   d-----w-   c:\documents and settings\Administrator.HOME-B1BE68320F\Application Data\skypePM
2009-05-28 08:00 . 2009-05-28 08:00   --------   d-----w-   c:\program files\Common Files\Skype
2009-05-14 13:49 . 2009-05-14 13:49   55768   ----a-w-   c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 13:49 . 2009-05-14 13:49   33096   ----a-w-   c:\windows\system32\drivers\epfwndis.sys
2009-05-14 13:49 . 2009-05-14 13:49   133000   ----a-w-   c:\windows\system32\drivers\epfw.sys
2009-05-14 13:47 . 2009-05-14 13:47   107256   ----a-w-   c:\windows\system32\drivers\ehdrv.sys
2009-05-14 13:41 . 2009-05-14 13:41   114472   ----a-w-   c:\windows\system32\drivers\eamon.sys
2005-10-10 20:53 . 2005-10-10 20:53   1338   ----a-w-   c:\program files\0007EDF2.key
.

(((((((((((((((((((((((((((((   SnapShot@2009-07-20_20.00.52   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-21 07:33 . 2009-07-21 07:33   16384              c:\windows\Temp\Perflib_Perfdata_66c.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-11 39408]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-05-25 25477928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-10-16 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-10-16 114688]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 196608]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-11 229952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-04-25 54784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\Administrator.HOME-B1BE68320F\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-1-19 113664]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0SsiEfr.exe\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [14/01/2009 01:39 72992]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [28/03/2006 17:29 1078560]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [14/05/2009 15:47 731840]
R2 SpPortEx;Samsung Port Exclusion;c:\windows\system32\drivers\SpPortEx.sys [07/12/2005 17:50 7168]
S3 M1000Srv;M5603C USB2.0 Camera Driver;c:\windows\system32\drivers\M1000KNT.sys [19/11/2006 14:18 449483]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.jerusalemcompass.com/catalog/index.php
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 3.79\AMVConverter\grab.html
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 3.79\MediaManager\grab.html
TCP: {4ADFFFD8-EE70-4A87-8A08-278D42E61A9F} = 208.67.222.222,208.67.220.220
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 09:59
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1659004503-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*, D*S*_*S*t*o*r*e*\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2260)
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
I did as you requested. I also deleted my adobe reader, and acrobot before the scan.

c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-21 10:01
ComboFix-quarantined-files.txt  2009-07-21 08:01
ComboFix2.txt  2009-07-20 20:05

Pre-Run: 8,971,649,024 bytes free
Post-Run: 8,948,088,832 bytes free

126

First  I wish to thank you, and everyone for all of the help

It is strongly recommended to have the Windows Recovery Console installed on your machine.

When I purchased my computer, several years ago, I think that they installed a Non registered version of the XP. So, when my computer was doing the automatic updates, one day I got a window that, "you are running an invalid version of windows etc.....and then they basically shut me down, telling me to go and install a "valid" version, (so that I would be protected properly etc.)
  I went to the computer store. They took care of that problem, and then turned off the "auto updates" so that it wouldn't happen again.
  So, what would you do in this case?

First  I wish to thank you, and everyone for all of the help

You're welcome.

When I purchased my computer, several years ago, I think that they installed a Non registered version of the XP. So, when my computer was doing the automatic updates, one day I got a window that, "you are running an invalid version of windows etc.....and then they basically shut me down, telling me to go and install a "valid" version, (so that I would be protected properly etc.)
  I went to the computer store. They took care of that problem, and then turned off the "auto updates" so that it wouldn't happen again.
  So, what would you do in this case?

If the computer store "took care of the problem," in which case you should have a Certificate of Authenticity, then your computer would have validated so why would they turn off automatic updates?  With autoupdate, ALL security updates will download and install automatically regardless of WGA status. 

In Windows XP, there are only two levels of updates: High-priority and Optional.

When you turn on Automatic Updates in Windows XP, Windows will routinely check for High-priority updates that can help protect your PC from the latest viruses and other security threats. These updates can include security updates, critical updates, and service packs.

http://www.microsoft.com/windows/downloads/windowsupdate/updatelevels.mspx#EDD

Do you know when the computer was infected?  How far back do the restore points go?  In other words, when you posted on July 16, you told us:

If you think that this YES would be a solution, then I would have to look into it asap, to try to determine when. But, if it is like this computer, then I would have at least 2 months to go back. HOWEVER, something did happen to this option because when I click on system restore, it says, "System restore has been turned off by group policy. To turn on System Restore, contact your domain administrator."

If you think that system restore is worth looking into, EVEN taking into account how serious it was affected, then can you help me get the system restore back into my hands?

And concerning Window updates:

If the computer store "took care of the problem," in which case you should have a Certificate of Authenticity, then your computer would have validated so why would they turn off automatic updates?

   
What I meant was, since I do NOT have a certificate of authenticity, they "took care of the problem", i.e. getting my computer to work again,and turning off the automatic updates. So, is there is another solution instead of the windows restore console ??