Author Topic: Can you take a look at my Log : )  (Read 10169 times)
evilfantasy
Malware Removal Specialist
Moderator
Genius
« Reply #30 on: February 17, 2008, 09:26:28 PM »

Ok, should take around 10 minutes, I will be here.

missypoo
Topic Starter
« Reply #31 on: February 17, 2008, 09:55:31 PM »

I did the scan and copied the log, but then all my icons disappeared and I had no way to get back to any sites.  So I had to shut the PC and of course it lost the log that I copied.  Is that supposed to happen?
missypoo
« Reply #32 on: February 17, 2008, 09:56:46 PM »

If you have any more ideas, please let me know.  I took some nyquil and it's kicking in, but I hope you will be on tomorrow morning.  I plan on fixing this problem lol.  Talk to you tomorrow :  )  don't give up on me just yet! 

Melissa
evilfantasy
« Reply #33 on: February 17, 2008, 10:00:39 PM »

Go to C:\Combofix.txt and get the log from there.

missypoo
« Reply #34 on: February 18, 2008, 07:23:25 AM »

I found the combofix log:

ComboFix 08-02-18.1 - Mikkelsen 2008-02-17 22:36:02.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.267 [GMT -6:00]
Running from: C:\Users\Mikkelsen\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://ceement.rssx.hp.com
.
(((((((((((((((((((((((((   Files Created from 2008-01-18 to 2008-02-18  )))))))))))))))))))))))))))))))
.

2008-02-17 14:03 . 2008-02-17 14:03   <DIR>   d--------   C:\Program Files\Trend Micro
2008-02-17 11:31 . 2008-02-17 11:31   <DIR>   d--------   C:\Users\All Users\SUPERAntiSpyware.com
2008-02-17 11:31 . 2008-02-17 11:31   <DIR>   d--------   C:\ProgramData\SUPERAntiSpyware.com
2008-02-17 11:30 . 2008-02-17 11:30   <DIR>   d--------   C:\Users\Mikkelsen\AppData\Roaming\SUPERAntiSpyware.com
2008-02-17 11:30 . 2008-02-17 22:17   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-02-15 20:48 . 2008-02-15 20:48   <DIR>   d--------   C:\Users\All Users\Avg7
2008-02-15 20:48 . 2008-02-15 20:48   <DIR>   d--------   C:\ProgramData\Avg7
2008-02-05 09:19 . 2008-02-12 17:48   <DIR>   d--------   C:\Program Files\CCleaner
2008-01-31 03:02 . 2007-01-03 19:20   1,732   --a------   C:\Windows\System32\drivers\nvphy.bin

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 17:29   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 02:27   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-02-16 02:26   ---------   d-----w   C:\Program Files\NewSoft
2008-02-12 23:48   ---------   d-----w   C:\ProgramData\WildTangent
2008-02-12 23:48   ---------   d-----w   C:\Program Files\Microsoft Works
2008-02-12 23:48   ---------   d-----w   C:\Program Files\Google
2008-02-12 23:48   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-02-12 23:48   ---------   d-----w   C:\Program Files\Common Files\SureThing Shared
2008-02-12 22:27   ---------   d-----w   C:\Program Files\MSN Messenger
2008-02-12 18:07   642   ----a-w   C:\Users\Mikkelsen\AppData\Roaming\wklnhst.dat
2008-02-12 18:04   ---------   d-----w   C:\ProgramData\Symantec
2008-02-01 21:50   ---------   d-----w   C:\Program Files\Windows Sidebar
2008-02-01 21:50   ---------   d-----w   C:\Program Files\Windows Mail
2008-01-15 15:54   10,537   ----a-w   C:\Windows\system32\drivers\COH_Mon.cat
2008-01-15 11:28   706   ----a-w   C:\Windows\system32\drivers\COH_Mon.inf
2008-01-13 00:32   23,904   ----a-w   C:\Windows\system32\drivers\COH_Mon.sys
2008-01-09 09:08   802,816   ----a-w   C:\Windows\system32\drivers\tcpip.sys
2008-01-09 09:08   24,064   ----a-w   C:\Windows\System32\netcfg.exe
2008-01-09 09:08   22,016   ----a-w   C:\Windows\System32\netiougc.exe
2008-01-09 09:08   216,760   ----a-w   C:\Windows\system32\drivers\netio.sys
2008-01-09 09:08   167,424   ----a-w   C:\Windows\System32\tcpipcfg.dll
2008-01-09 09:05   11,776   ----a-w   C:\Windows\System32\sbunattend.exe
2007-12-23 05:48   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-12-12 09:07   1,327,104   ----a-w   C:\Windows\System32\quartz.dll
2007-12-12 09:06   9,728   ----a-w   C:\Windows\System32\LAPRXY.DLL
2007-12-12 09:06   223,232   ----a-w   C:\Windows\System32\WMASF.DLL
2007-12-12 09:05   824,832   ----a-w   C:\Windows\System32\wininet.dll
2007-12-12 09:05   56,320   ----a-w   C:\Windows\System32\iesetup.dll
2007-12-12 09:05   52,736   ----a-w   C:\Windows\AppPatch\iebrshim.dll
2007-12-12 09:05   26,624   ----a-w   C:\Windows\System32\ieUnatt.exe
2007-12-12 09:03   3,504,824   ----a-w   C:\Windows\System32\ntkrnlpa.exe
2007-12-12 09:03   3,470,520   ----a-w   C:\Windows\System32\ntoskrnl.exe
2007-08-29 08:14   174   --sha-w   C:\Program Files\desktop.ini
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 03:05 1232896]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2006-11-16 16:59 1480296]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 06:34 2159104 C:\Windows\System32\oobefldr.dll]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 12:49 4670968]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 06:35 125440]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 09:06 700416]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-01 23:26 171448]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 10:55 1347584]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-11 02:01 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 07:42 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 09:16 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 04:57 3784704 C:\Windows\RtHDVCpl.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-06-05 08:12 71176]
"Monitor"="C:\Windows\PixArt\PAC207\Monitor.exe" [2006-11-03 10:01 319488]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24 54840]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 20:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 20:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 20:15 81920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2007-01-15 12:36:13 34520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080215.002\IDSvix86.sys [2008-02-13 10:18]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 10:44]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;C:\Windows\system32\DRIVERS\netr73.sys [2007-08-31 13:54]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]
S3 PAC207;SoC PC-Camera;C:\Windows\system32\DRIVERS\PFC027.SYS [2006-12-05 10:34]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 07:39:04 C:\Windows\Tasks\HPCeeScheduleForMikkelsen.job"
- C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe!HPCeeScheduleForMikkelsen (null)
"2008-02-15 07:42:02 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Mikkelsen.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-02-18 02:11:04 C:\Windows\Tasks\User_Feed_Synchronization-{5CEA02D6-9241-486C-976D-525FAA476D9A}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 22:39:58
Windows 6.0.6000  NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 22:40:37
ComboFix-quarantined-files.txt  2008-02-18 04:40:35
.
2008-01-31 09:02:51   --- E O F --- 
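When triaging a ComboFix log like the one above, the "Reg Loading Points" section is the part a malware-removal helper reads most closely, since it lists every Run/RunOnce value and the file each one launches. The following Python is an added example, not code from this thread or from ComboFix: it parses that section, keeps the resolved path ComboFix prints after a bare filename, and lists values whose file metadata is empty ("[ ]"), which this example assumes means the target file could not be found at scan time (as for the Launcher RunOnce value above). The sample input is constructed from three lines of the posted log.

```python
import re
from typing import List, NamedTuple, Optional


class Autorun(NamedTuple):
    key: str                  # registry key the value was found under
    name: str                 # value name, e.g. "Sidebar"
    path: str                 # value data as stored in the registry
    size: Optional[int]       # file size ComboFix recorded; None when it printed "[ ]"
    resolved: Optional[str]   # full path ComboFix resolved a bare filename to, if any


# ComboFix prints each autostart value as "Name"="data" [date time size resolved-path]
KEY_RE = re.compile(r'^\[(hkey_[^\]]+)\]', re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]')


def parse_loading_points(text: str) -> List[Autorun]:
    """Parse the 'Reg Loading Points' section of a ComboFix log into Autorun records."""
    entries: List[Autorun] = []
    current_key = ""
    for line in text.splitlines():
        key_match = KEY_RE.match(line.strip())
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line.strip())
        if not value_match or not current_key:
            continue
        name, path, meta = value_match.groups()
        tokens = meta.split()  # empty for "[ ]"
        size = int(tokens[2]) if len(tokens) >= 3 and tokens[2].isdigit() else None
        resolved = " ".join(tokens[3:]) if len(tokens) > 3 else None
        entries.append(Autorun(current_key, name, path, size, resolved))
    return entries


def unresolved_entries(entries: List[Autorun]) -> List[Autorun]:
    """Values ComboFix printed with '[ ]': assumed to mean the file was absent at scan time."""
    return [e for e in entries if e.size is None]


# Constructed sample: three value lines excerpted from the log posted above.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 03:05 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 06:34 2159104 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]
'''

if __name__ == "__main__":
    for entry in parse_loading_points(SAMPLE):
        short_key = entry.key.rsplit("\\", 1)[-1]
        flag = "  <-- file not found at scan time" if entry.size is None else ""
        print(f"{short_key}: {entry.name} -> {entry.resolved or entry.path}{flag}")
```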
evilfantasy
« Reply #35 on: February 18, 2008, 09:48:18 AM »

I don't see anything there.


Please download  DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe and then click Start.
  • An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now Click OK to start.
    • This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button.
  • Then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot. Leave the Dr. Web CureIt log on the desktop.
Copy and paste that log in the next reply.
.
----------

Please use Panda's NanoScan
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
.
----------

Next post
Dr Web log
Nano Scan log


missypoo
« Reply #36 on: February 18, 2008, 10:00:44 AM »

Ok, I'm downloading the DrWeb CureIt, is it normal for the process to take a while?  It says the estimated time is like 48 minutes total.
missypoo
« Reply #37 on: February 18, 2008, 10:06:03 AM »

Oh great!  While it was downloading an error popped up.  It said this:

Internet Explorer cannot download cureit.exe from ftp.drweb.com.
The operation timed out.

Now what?
evilfantasy
« Reply #38 on: February 18, 2008, 10:15:51 AM »

Try this first.


Download and install CleanUp!.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
  • Click Options...
  • Move the arrow to Standard CleanUp!
  • Uncheck the following: (if checked)
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
  • Click OK
Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64-bit Operating System do NOT run Cleanup and let me know, as we will use another utility.


missypoo
« Reply #39 on: February 18, 2008, 10:31:00 AM »

Hate to admit this, but I don't know how to do backups and don't know if I have a 64 bit OS.  How can I do that?
evilfantasy
« Reply #40 on: February 18, 2008, 10:33:50 AM »

It isn't a 64-bit.


Follow these steps to create a backup of the registry.
  • Click the Start button, then click Run.
  • Type REGEDIT, then click OK.
    • The Registry Editor opens.
  • Choose File, Export Registry File.
  • Verify the following entries in the Export Registry File Dialog Box:
    • Save in: Desktop
    • File Name: Registry Backup
    • Export Range: All
  • Click Save.
  • Exit the Registry Editor.
  • Verify you have an icon titled REGISTRY BACKUP.REG on the Desktop.
  CAUTION: Do not double-click the REGISTRY BACKUP.REG file on your Desktop unless you intend to undo your changes or need to restore the Registry.
  • Immediately verify the effect of your changes by restarting the computer.
  • Once you have verified the changes to the registry:
    • If there are any problems, restore it immediately by right-clicking the REGISTRY BACKUP.REG and choosing Merge.
    • If there are no problems, delete the REGISTRY BACKUP.REG file from the desktop.
  Do not allow the REGISTRY BACKUP.REG file to remain on the desktop beyond the testing period to avoid inadvertently double-clicking it.

missypoo
« Reply #41 on: February 18, 2008, 10:38:11 AM »

I don't know how to get to the RUN key.  I knew how to do it when I had XP.  Where do I find it on Vista?
evilfantasy
« Reply #42 on: February 18, 2008, 10:42:41 AM »

Press the Windows+R keys.

missypoo
« Reply #43 on: February 18, 2008, 11:04:38 AM »

I restarted the computer after doing the backup process.  Do I delete it now?  If so, how do I get rid of it?
evilfantasy
« Reply #44 on: February 18, 2008, 11:18:43 AM »

If everything is running OK then delete it.

Try the Dr Web again.