
Please help me!

Comments

  • QT2006
    QT2006 Posts: 460 Forumite
    I did the rootkits thing; it didn't give me a log, so I assume it sorted it.

    Do you think my PC is ok now...based on the logs?

    Many thanks
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Please run combofix again so I can check the rootkit?
  • QT2006
    QT2006 Posts: 460 Forumite
    Here is the log


    ComboFix 10-04-09.06 - Natesha 10/04/2010 16:10:38.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.641 [GMT 1:00]
    Running from: c:\documents and settings\Natesha\Desktop\QWERTY.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
    .
    2010-04-10 13:11 . 2010-04-10 13:11 d-----w- c:\program files\Sophos
    2010-04-10 01:55 . 2010-04-10 01:55 61440 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3c17f364-n\decora-sse.dll
    2010-04-10 01:55 . 2010-04-10 01:55 503808 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2673e453-n\msvcp71.dll
    2010-04-10 01:55 . 2010-04-10 01:55 499712 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2673e453-n\jmc.dll
    2010-04-10 01:55 . 2010-04-10 01:55 348160 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2673e453-n\msvcr71.dll
    2010-04-10 01:55 . 2010-04-10 01:55 12800 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3c17f364-n\decora-d3d.dll
    2010-04-09 10:03 . 2010-04-09 10:03 d-sh--w- c:\documents and settings\Dana\PrivacIE
    2010-04-09 10:00 . 2010-04-09 10:00 d-sh--w- c:\documents and settings\Dana\IETldCache
    2010-04-09 07:40 . 2004-08-04 10:00 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
    2010-04-09 07:40 . 2004-08-04 10:00 39424 ----a-w- c:\windows\system32\grpconv.exe
    2010-04-08 22:09 . 2010-04-08 22:09 9830 ----a-w- C:\exefix.reg
    2010-04-08 22:06 . 2010-04-08 22:06 d-sh--w- c:\documents and settings\Natesha\IECompatCache
    2010-04-08 22:04 . 2010-04-08 22:04 d-sh--w- c:\documents and settings\Natesha\PrivacIE
    2010-04-08 22:00 . 2010-04-08 22:00 d-sh--w- c:\documents and settings\Natesha\IETldCache
    2010-04-08 21:32 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-04-08 21:32 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2010-04-08 21:32 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-04-08 21:32 . 2010-02-25 10:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2010-04-08 21:32 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-04-08 21:32 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2010-04-08 21:32 . 2010-04-09 19:02 d-----w- c:\windows\ie8updates
    2010-04-08 21:32 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-04-08 21:29 . 2010-04-08 21:32 dc-h--w- c:\windows\ie8
    2010-04-08 20:44 . 2010-04-08 20:44 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
    2010-04-08 20:43 . 2010-04-08 20:53 d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-04-08 20:43 . 2010-04-08 20:43 d-----w- c:\program files\NOS
    2010-04-08 20:42 . 2010-04-08 20:42 503808 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a1c5c3e-n\msvcp71.dll
    2010-04-08 20:42 . 2010-04-08 20:42 499712 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a1c5c3e-n\jmc.dll
    2010-04-08 20:42 . 2010-04-08 20:42 348160 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a1c5c3e-n\msvcr71.dll
    2010-04-08 20:42 . 2010-04-08 20:42 61440 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c10a8be-n\decora-sse.dll
    2010-04-08 20:42 . 2010-04-08 20:42 12800 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c10a8be-n\decora-d3d.dll
    2010-04-07 21:09 . 2010-04-07 21:09 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
    2010-04-07 21:02 . 2010-04-07 21:02 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AOL Broadband Toolbar
    2010-04-07 20:55 . 2010-04-07 20:55 52224 ----a-w- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-07 20:55 . 2010-04-07 20:55 117760 ----a-w- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-07 20:55 . 2010-04-07 20:55 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AOL
    2010-04-07 20:54 . 2010-04-07 20:54 d-----w- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com
    2010-04-07 20:54 . 2010-04-07 20:54 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\avG
    2010-04-07 09:26 . 2010-04-07 09:26 d-----w- c:\windows\system32\config\systemprofile\Application Data\AOL
    2010-04-06 22:16 . 2010-04-06 22:16 52224 ----a-w- c:\documents and settings\Natesha\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-03 15:47 . 2010-04-03 15:47 d-----w- c:\documents and settings\Givvaunhna.HENRY-23D2558B5\Local Settings\Application Data\AOL Broadband Toolbar
    2010-03-21 20:35 . 2010-03-21 20:35 d-----w- c:\documents and settings\Dana\Local Settings\Application Data\Google
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-10 12:56 . 2008-05-21 09:37 d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-09 22:30 . 2009-05-13 14:27 117760 ----a-w- c:\documents and settings\Natesha\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-09 02:13 . 2008-03-06 18:28 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
    2010-04-08 20:43 . 2008-07-17 20:06 d-----w- c:\program files\Common Files\Java
    2010-04-08 20:40 . 2008-08-14 17:38 d-----w- c:\program files\Java
    2010-04-07 21:57 . 2009-07-30 22:05 d-----w- c:\documents and settings\Natesha\Application Data\vlc
    2010-04-07 00:15 . 2009-08-19 20:53 d-----w- c:\documents and settings\Natesha\Application Data\Skype
    2010-04-06 23:08 . 2009-08-19 21:04 d-----w- c:\documents and settings\Natesha\Application Data\skypePM
    2010-04-06 22:06 . 2008-03-27 23:09 d-----w- c:\program files\SUPERAntiSpyware
    2010-04-06 22:02 . 2008-12-27 17:13 2316 ----a-w- c:\documents and settings\All Users\Application Data\xml2B7.tmp
    2010-04-06 22:02 . 2008-12-27 17:13 13901 ----a-w- c:\documents and settings\All Users\Application Data\xml2B6.tmp
    2010-04-06 22:02 . 2008-12-27 17:13 9036 ----a-w- c:\documents and settings\All Users\Application Data\xml2B5.tmp
    2010-03-09 03:28 . 2008-12-27 17:25 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-25 06:24 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
    2010-02-22 19:59 . 2010-02-22 19:59 152576 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-02-22 19:58 . 2010-02-22 19:58 79488 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-19 19:05 . 2010-02-19 19:05 d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
    2010-02-12 10:03 . 2010-03-03 09:47 293376 ------w- c:\windows\system32\browserchoice.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-06 2010864]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
    "HostManager"="c:\program files\Common Files\AOL\1204909232\ee\AOLSoftware.exe" [2006-11-14 50736]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-16 127037]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 69632]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-20 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-06 15:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-03-11 11:36 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AOL\\RC\\regClient.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
    "c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
    "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
    "c:\\Program Files\\Common Files\\aol\\1204909232\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\RpcAgentSrv.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\WNt500x86\\RpcSandraSrv.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [29/02/2008 17:03 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [29/02/2008 17:03 66632]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [20/07/2009 11:58 108289]
    R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11.tmp --> c:\windows\system32\11.tmp [?]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 17:51 12872]
    S2 gupdate1ca116298c1cc8;Google Update Service (gupdate1ca116298c1cc8);c:\program files\Google\Update\GoogleUpdate.exe [30/07/2009 23:06 133104]
    S3 DCamUSBPremier;Digital Camera;c:\windows\system32\drivers\MPIXVID.SYS [17/07/2008 19:45 104593]
    S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe [27/12/2008 17:43 98488]
    --- Other Services/Drivers In Memory ---
    *NewlyCreated* - MEMSWEEP2
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 22:06]
    2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 22:06]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-10 16:18
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x865D8AC8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7656fc3
    \Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
    \Driver\atapi -> atapi.sys @ 0xf74a17b4
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
    ParseProcedure -> ntkrnlpa.exe @ 0x80581684
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
    ParseProcedure -> ntkrnlpa.exe @ 0x80581684
    NDIS: -> SendCompleteHandler -> 0x0
    PacketIndicateHandler -> 0x0
    SendHandler -> 0x0
    user & kernel MBR OK
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\11.tmp"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(636)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
    - - - - - - - > 'explorer.exe'(2612)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-04-10 16:21:25
    ComboFix-quarantined-files.txt 2010-04-10 15:21
    Pre-Run: 226,092,175,360 bytes free
    Post-Run: 226,264,313,856 bytes free
    - - End Of File - - D7EEC0BC8661465EAB43C772C5906674
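    A note on reading the log above, with a small triage script added here as an illustration (it is not ComboFix's code and not part of the thread). Forum markup tends to swallow ComboFix's runs of dashes, so its 8-column attribute field ('d-----w-' for a plain directory, 'd-sh--w-' for a system+hidden one, '------w-' for a non-archive file) can arrive split over two or three lines. The script re-joins such entries, restores the field, and then flags what an analyst would look at first: a driver or service loaded from a .tmp file in system32 (the MEMSWEEP2 line), system+hidden directories created in the scan window, and executable code sitting under a user profile. The flags are prompts to verify, not verdicts: Sophos Anti-Rootkit loads its MEMSWEEP2 scanner driver from exactly such a .tmp file, IE8 creates PrivacIE and IETldCache as hidden system folders, and the Java deployment cache writes DLLs under Application Data. The sample log lines are constructed to match the post's format; the user name and paths in them are placeholders.

```python
"""ComboFix log triage: restitch forum-mangled entries and flag what to check first.

Added illustration, not ComboFix's own code and not from the thread. The sample
log below is constructed to mirror the post's format, including the 'd' / 'w-'
split that forum markup makes of ComboFix's 'd-----w-' attribute column.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the posted log (user name and paths are placeholders).
SAMPLE_LOG = """\
2010-04-10 13:11 . 2010-04-10 13:11
d
w- c:\\program files\\Sophos
2010-04-10 01:55 . 2010-04-10 01:55 61440 ----a-w- c:\\documents and settings\\User\\Application Data\\Sun\\Java\\decora-sse.dll
2010-04-09 10:03 . 2010-04-09 10:03
d-sh--w- c:\\documents and settings\\User\\PrivacIE
2010-04-08 22:09 . 2010-04-08 22:09 9830 ----a-w- C:\\exefix.reg
2010-02-25 06:24 . 2006-03-04 03:33 916480
w- c:\\windows\\system32\\wininet.dll
R3 MEMSWEEP2;MEMSWEEP2;\\??\\c:\\windows\\system32\\11.tmp --> c:\\windows\\system32\\11.tmp [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\\program files\\Avira\\AntiVir Desktop\\sched.exe [20/07/2009 11:58 108289]
"""

ENTRY_START_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")  # first drive-letter path, to end of line
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)(?: \[[^\]]*\])?$")
CODE_EXT = (".exe", ".dll", ".sys", ".scr")
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]
    attrs: str  # ComboFix's 8-column attribute field, e.g. 'd-sh--w-'
    path: str


@dataclass
class ServiceEntry:
    start: str  # R1/R2/R3 = running, S2/S3 = stopped, digit = start type
    name: str
    image: str


def restitch(lines: List[str]) -> List[str]:
    """Re-join a file entry whose attribute column and path were pushed onto
    following lines; an entry is complete once a drive-letter path appears."""
    out, buf = [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START_RE.match(line):
            if buf is not None:  # previous entry never got a path; keep it as-is
                out.append(buf)
            buf = line
        elif buf is not None:
            buf += " " + line
        else:
            out.append(line)  # service lines and anything else pass through
            continue
        if PATH_RE.search(buf):
            out.append(buf)
            buf = None
    if buf is not None:
        out.append(buf)
    return out


def repair_attrs(fragments: List[str]) -> str:
    """Pad the attribute field back to 8 columns: ['d', 'w-'] -> 'd-----w-',
    ['w-'] -> '------w-'; an intact 8-character field is returned unchanged."""
    if not fragments:
        return "-" * 8
    if len(fragments) == 1 and len(fragments[0]) == 8:
        return fragments[0]
    head = fragments[0] if len(fragments) > 1 else ""
    tail = fragments[-1]
    return head + "-" * (8 - len(head) - len(tail)) + tail


def parse_file_entry(line: str) -> Optional[FileEntry]:
    m = PATH_RE.search(line)
    if not m:
        return None
    head = line[: m.start()].split()  # date time . date time [size] attr-fragments
    created, modified, rest = " ".join(head[0:2]), " ".join(head[3:5]), head[5:]
    size = None
    if rest and rest[0].isdigit():
        size, rest = int(rest[0]), rest[1:]
    return FileEntry(created, modified, size, repair_attrs(rest), m.group(0))


def parse_log(text: str) -> Tuple[List[FileEntry], List[ServiceEntry]]:
    files, services = [], []
    for line in restitch(text.splitlines()):
        if ENTRY_START_RE.match(line):
            entry = parse_file_entry(line)
            if entry:
                files.append(entry)
        else:
            m = SERVICE_RE.match(line)
            if m:
                services.append(ServiceEntry(m["start"], m["name"], m["image"]))
    return files, services


def triage(files: List[FileEntry], services: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Return (subject, reason) pairs worth a second look. Prompts, not verdicts:
    Sophos Anti-Rootkit's MEMSWEEP2, IE8's PrivacIE folder and the Java
    deployment cache all trip these rules legitimately."""
    findings = []
    for s in services:
        image = s.image.split(" --> ")[-1].lower()
        if image.endswith(".tmp"):
            findings.append((s.name, "driver/service image is a .tmp file; confirm which product owns it"))
    for f in files:
        low = f.path.lower()
        if f.attrs[0] == "d" and f.attrs[2:4] == "sh":
            findings.append((f.path, "system+hidden directory created in the scan window"))
        elif low.endswith(CODE_EXT) and not low.startswith(TRUSTED_ROOTS):
            findings.append((f.path, "executable code outside Program Files / Windows"))
    return findings


if __name__ == "__main__":
    for subject, reason in triage(*parse_log(SAMPLE_LOG)):
        print(f"{subject}: {reason}")
```

    Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the Files Created, Find3M and services sections parse as-is, and the rest of the log passes through untouched.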
  • QT2006
    QT2006 Posts: 460 Forumite
    I have discovered something else is wrong: I cannot open Excel at all. When I click it, it says

    "Please wait while Microsoft configures Microsoft Office XP Professional with FrontPage"
    then a box comes up and says
    "The feature you are trying to use is on a CD-ROM or other removable disk that is not available.
    Insert the 'Microsoft Office XP Professional with FrontPage' disk and click OK."
    Then it says
    "The path 'Microsoft Office XP Professional with FrontPage' cannot be found. Verify that you have access to this location and try again, or try to find the installation package 'PROPLUS.MSI' in a folder from which you can install the product Microsoft Office XP Professional with FrontPage"
    I have never had to do this before?

    I am confused
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Uninstall and reinstall office
  • QT2006
    QT2006 Posts: 460 Forumite
    I wish I could find my disk!! Can I install it from online?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Unsure, but you NEED the passkey which is probably on the disc card anyways
This discussion has been closed.