Hi steam. I deleted my cookies and Smitfraudfix, and I followed your instructions for the system restore.
Here's the Combofix log:
ComboFix 08-03-14.4 - in hong chong 2008-03-23 18:27:33.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.249 [GMT -5:00]
Running from: C:\Documents and Settings\in hong chong\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\in hong chong\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\SYSTEM32\asferro.4
C:\WINDOWS\system32\asferro.dll
C:\WINDOWS\SYSTEM32\docad.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\asferro.4
C:\WINDOWS\SYSTEM32\docad.exe
C:\WINDOWS\system32\asferro.dll . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.
2008-03-22 18:13 . 2008-03-22 19:26 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-22 15:58 . 2008-03-22 17:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-20 17:02 . 2008-03-20 17:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-20 16:51 . 2008-03-20 17:24 <DIR> d-------- C:\SDFix
2008-03-17 19:52 . 2008-03-22 17:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-17 19:52 . 2008-03-17 19:52 <DIR> d-------- C:\Documents and Settings\in hong chong\Application Data\SUPERAntiSpyware.com
2008-03-17 19:52 . 2008-03-17 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-17 19:51 . 2008-03-17 19:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 19:09 . 2008-03-17 19:09 <DIR> d-------- C:\Program Files\CCleaner
2008-03-14 22:07 . 2008-03-14 22:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-14 19:36 . 2008-03-14 19:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-03-14 19:36 . 2008-03-14 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-14 18:51 . 2008-03-22 17:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-14 18:51 . 2008-03-14 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-13 21:19 . 2008-03-14 00:16 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-13 21:19 . 2008-03-14 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-09 20:47 . 2008-03-09 20:47 80,959,471 --a------ C:\WINDOWS\pav.sig
2008-03-09 20:38 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\SYSTEM32\asprouni.exe
2008-03-09 20:37 . 2008-03-09 20:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\ASPRO
2008-03-09 20:37 . 2008-03-09 21:15 30,590 --a------ C:\WINDOWS\SYSTEM32\pavaspro.ico
2008-03-09 20:37 . 2008-03-09 21:15 3,377 --a------ C:\WINDOWS\SYSTEM32\.ico
2008-03-09 20:37 . 2008-03-09 21:15 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstallpro.ico
2008-03-09 20:37 . 2008-03-09 21:15 1,406 --a------ C:\WINDOWS\SYSTEM32\Helppro.ico
2008-03-09 19:42 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-03-09 19:41 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hyemhslckupp.sys
2008-03-09 19:28 . 2008-03-22 18:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-09 19:28 . 2008-03-22 17:08 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-09 19:28 . 2008-03-22 17:08 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-09 19:28 . 2008-03-22 17:08 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-09 18:54 . 2008-03-09 18:54 4,172 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-09 18:25 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-03-09 18:25 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-03-09 18:25 . 2008-03-09 01:15 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-03-09 18:25 . 2008-03-05 22:29 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-03-09 18:25 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-03-09 18:25 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-03-09 18:25 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-03-05 19:42 . 2008-03-05 19:42 <DIR> d-------- C:\Documents and Settings\eun soon chong\Application Data\HPAppData
2008-03-02 17:31 . 2008-03-14 16:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 17:31 . 2008-03-02 17:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-28 21:41 . 2008-02-28 21:41 <DIR> d-------- C:\Program Files\iPod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 00:32 --------- d-----w C:\Documents and Settings\in hong chong\Application Data\HPAppData
2008-03-22 22:44 --------- d-----w C:\Program Files\Bonjour
2008-03-19 23:41 --------- d-----w C:\Program Files\SmileyDistrict
2008-03-19 23:41 --------- d-----w C:\Program Files\QuickTime
2008-03-19 23:41 --------- d-----w C:\Program Files\iTunes
2008-03-19 23:41 --------- d-----w C:\Program Files\DellSupport
2008-03-18 00:42 --------- d-----w C:\Program Files\Yahoo!
2008-03-16 21:47 4,736 ----a-w C:\WINDOWS\system32\drivers\cijexctk.sys
2008-03-13 23:49 --------- d-----w C:\Program Files\Jasc Software Inc
2008-03-01 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-18 17:29 --------- d-----w C:\Documents and Settings\in ji chong\Application Data\Apple Computer
2008-02-18 03:35 --------- d-----w C:\Documents and Settings\in hong chong\Application Data\Apple Computer
2008-02-18 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-18 01:52 --------- d-----w C:\Program Files\Apple Software Update
2008-02-18 01:48 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-18 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-02-17 22:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 22:29 --------- d-----w C:\Program Files\Ulead Systems
2008-02-17 22:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-17 22:26 --------- d-----w C:\Program Files\CyberLink
2008-02-17 22:25 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-17 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-17 22:24 --------- d-----w C:\Program Files\Common Files\aolshare
2008-02-17 22:21 --------- d-----w C:\Program Files\WildTangent
2008-02-17 22:13 --------- d-----w C:\Program Files\Common Files\Real
2008-02-01 04:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-25 21:42 --------- d-----w C:\Program Files\Intel
2008-01-25 21:32 --------- d-----w C:\Program Files\MUSICMATCH
2008-01-25 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-25 20:19 --------- d-----w C:\Program Files\Dell Support Center
2008-01-25 20:18 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-03-02 00:35 65,552 ----a-w C:\Documents and Settings\in ji chong\Application Data\GDIPFONTCACHEV1.DAT
2002-09-19 03:42 3,178,828 ------w C:\Program Files\E.msi
.
----a-w 212,992 2008-03-14 21:26:42 C:\Program Files\McAfee.com\Agent\mcupdate .exe
----a-w 212,992 2008-03-01 23:19:01 C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE
----a-w 98,304 2008-03-10 00:56:41 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-03-10 00:56:42 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-03-10 00:56:42 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-03-10 00:56:42 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-03-10 00:56:44 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-03-10 00:56:44 C:\Program Files\QuickTime\qttask .exe
----a-w 385,024 2008-03-10 00:56:47 C:\Program Files\QuickTime\qttask .exe
((((((((((((((((((((((((((((( snapshot@2008-03-19_18.54.37.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-22 23:14:06 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-03-22 23:14:06 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-03-22 23:14:07 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-03-22 23:14:11 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 20:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-03-22 23:14:13 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-03-22 23:14:08 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 20:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2008-03-20 09:14:11 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-20 22:03:12 4,390,912 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-03-20 22:03:12 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-20 09:14:11 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-20 22:02:55 4,390,912 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-03-20 22:02:55 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-07-27 19:49:02 196,683 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 19:49:02 225,355 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 00:25:22 139,264 ----a-w C:\WINDOWS\SYSTEM32\lnod32umc.dll
+ 2005-12-05 17:37:10 106,496 ----a-w C:\WINDOWS\SYSTEM32\lnod32upd.dll
+ 2008-02-11 14:39:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
+ 2008-02-11 14:39:18 237,568 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
+ 2008-02-08 18:53:46 110,592 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
+ 2008-02-05 13:48:04 77,824 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe
- 2008-03-19 23:48:06 16,810 ----a-w C:\WINDOWS\SYSTEM32\tablet.dat
+ 2008-03-23 23:33:23 16,810 ----a-w C:\WINDOWS\SYSTEM32\tablet.dat
+ 2004-12-07 15:11:34 258,352 ----a-w C:\WINDOWS\SYSTEM32\unicows.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99DC9AB0-94F0-4ACA-B943-8FCCE5DEF0B3}]
2008-03-05 19:55 98048 --a------ C:\WINDOWS\system32\asferro.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"MRT"="C:\WINDOWS\system32\MRT.exe" [ ]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2008-03-01 23:10 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2008-03-14 16:27 303104]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 20:01:04 83360]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-11-06 11:12:29 106496]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135963495\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 nftkecaa;nftkecaa;C:\WINDOWS\system32\drivers\lpjcqiax.sys []
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
"2008-03-14 01:03:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-03-23 18:34:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-23 18:40:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 23:40:02
ComboFix2.txt 2008-03-20 21:47:09
ComboFix3.txt 2008-03-19 23:55:12
ComboFix4.txt 2008-03-19 02:15:39
ComboFix5.txt 2008-03-16 22:11:57
.
2008-02-14 00:18:51 --- E O F ---
And here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:01 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe