
Author Topic: Can you take a look at my Log : )  (Read 37061 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Can you take a look at my Log : )
« Reply #30 on: February 17, 2008, 09:26:28 PM »
Ok, should take around 10 minutes, I will be here.

missypoo

    Topic Starter


    Beginner

    Re: Can you take a look at my Log : )
    « Reply #31 on: February 17, 2008, 09:55:31 PM »
    I did the scan and copied the log, but then all my icons disappeared and I had no way to get back to any sites.  So I had to shut the PC and of course it lost the log that I copied.  Is that supposed to happen?

    missypoo

      Re: Can you take a look at my Log : )
      « Reply #32 on: February 17, 2008, 09:56:46 PM »
      If you have any more ideas, please let me know.  I took some NyQuil and it's kicking in, but I hope you will be on tomorrow morning.  I plan on fixing this problem lol.  Talk to you tomorrow :  )  Don't give up on me just yet!

      Melissa

      evilfantasy

      Re: Can you take a look at my Log : )
      « Reply #33 on: February 17, 2008, 10:00:39 PM »
      Go to C:\Combofix.txt and get the log from there.

      missypoo

        Re: Can you take a look at my Log : )
        « Reply #34 on: February 18, 2008, 07:23:25 AM »
        I found the combofix log:

        ComboFix 08-02-18.1 - Mikkelsen 2008-02-17 22:36:02.1 - NTFSx86
        Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.267 [GMT -6:00]
        Running from: C:\Users\Mikkelsen\Desktop\ComboFix.exe
         * Created a new restore point
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
        C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

        ----- BITS: Possible infected sites -----

        hxxp://ceement.rssx.hp.com
        .
        (((((((((((((((((((((((((   Files Created from 2008-01-18 to 2008-02-18  )))))))))))))))))))))))))))))))
        .

        2008-02-17 14:03 . 2008-02-17 14:03   <DIR>   d--------   C:\Program Files\Trend Micro
        2008-02-17 11:31 . 2008-02-17 11:31   <DIR>   d--------   C:\Users\All Users\SUPERAntiSpyware.com
        2008-02-17 11:31 . 2008-02-17 11:31   <DIR>   d--------   C:\ProgramData\SUPERAntiSpyware.com
        2008-02-17 11:30 . 2008-02-17 11:30   <DIR>   d--------   C:\Users\Mikkelsen\AppData\Roaming\SUPERAntiSpyware.com
        2008-02-17 11:30 . 2008-02-17 22:17   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
        2008-02-15 20:48 . 2008-02-15 20:48   <DIR>   d--------   C:\Users\All Users\Avg7
        2008-02-15 20:48 . 2008-02-15 20:48   <DIR>   d--------   C:\ProgramData\Avg7
        2008-02-05 09:19 . 2008-02-12 17:48   <DIR>   d--------   C:\Program Files\CCleaner
        2008-01-31 03:02 . 2007-01-03 19:20   1,732   --a------   C:\Windows\System32\drivers\nvphy.bin

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-02-17 17:29   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
        2008-02-16 02:27   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
        2008-02-16 02:26   ---------   d-----w   C:\Program Files\NewSoft
        2008-02-12 23:48   ---------   d-----w   C:\ProgramData\WildTangent
        2008-02-12 23:48   ---------   d-----w   C:\Program Files\Microsoft Works
        2008-02-12 23:48   ---------   d-----w   C:\Program Files\Google
        2008-02-12 23:48   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
        2008-02-12 23:48   ---------   d-----w   C:\Program Files\Common Files\SureThing Shared
        2008-02-12 22:27   ---------   d-----w   C:\Program Files\MSN Messenger
        2008-02-12 18:07   642   ----a-w   C:\Users\Mikkelsen\AppData\Roaming\wklnhst.dat
        2008-02-12 18:04   ---------   d-----w   C:\ProgramData\Symantec
        2008-02-01 21:50   ---------   d-----w   C:\Program Files\Windows Sidebar
        2008-02-01 21:50   ---------   d-----w   C:\Program Files\Windows Mail
        2008-01-15 15:54   10,537   ----a-w   C:\Windows\system32\drivers\COH_Mon.cat
        2008-01-15 11:28   706   ----a-w   C:\Windows\system32\drivers\COH_Mon.inf
        2008-01-13 00:32   23,904   ----a-w   C:\Windows\system32\drivers\COH_Mon.sys
        2008-01-09 09:08   802,816   ----a-w   C:\Windows\system32\drivers\tcpip.sys
        2008-01-09 09:08   24,064   ----a-w   C:\Windows\System32\netcfg.exe
        2008-01-09 09:08   22,016   ----a-w   C:\Windows\System32\netiougc.exe
        2008-01-09 09:08   216,760   ----a-w   C:\Windows\system32\drivers\netio.sys
        2008-01-09 09:08   167,424   ----a-w   C:\Windows\System32\tcpipcfg.dll
        2008-01-09 09:05   11,776   ----a-w   C:\Windows\System32\sbunattend.exe
        2007-12-23 05:48   ---------   d-----w   C:\Program Files\Common Files\Adobe
        2007-12-12 09:07   1,327,104   ----a-w   C:\Windows\System32\quartz.dll
        2007-12-12 09:06   9,728   ----a-w   C:\Windows\System32\LAPRXY.DLL
        2007-12-12 09:06   223,232   ----a-w   C:\Windows\System32\WMASF.DLL
        2007-12-12 09:05   824,832   ----a-w   C:\Windows\System32\wininet.dll
        2007-12-12 09:05   56,320   ----a-w   C:\Windows\System32\iesetup.dll
        2007-12-12 09:05   52,736   ----a-w   C:\Windows\AppPatch\iebrshim.dll
        2007-12-12 09:05   26,624   ----a-w   C:\Windows\System32\ieUnatt.exe
        2007-12-12 09:03   3,504,824   ----a-w   C:\Windows\System32\ntkrnlpa.exe
        2007-12-12 09:03   3,470,520   ----a-w   C:\Windows\System32\ntoskrnl.exe
        2007-08-29 08:14   174   --sha-w   C:\Program Files\desktop.ini
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 03:05 1232896]
        "HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2006-11-16 16:59 1480296]
        "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 06:34 2159104 C:\Windows\System32\oobefldr.dll]
        "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 12:49 4670968]
        "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 06:35 125440]
        "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
        "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 09:06 700416]
        "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-01 23:26 171448]
        "Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 10:55 1347584]
        "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]
        "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-11 02:01 1006264]
        "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 07:42 65536]
        "KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 09:16 65536]
        "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 04:57 3784704 C:\Windows\RtHDVCpl.exe]
        "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
        "HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-06-05 08:12 71176]
        "Monitor"="C:\Windows\PixArt\PAC207\Monitor.exe" [2006-11-03 10:01 319488]
        "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24 54840]
        "NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 20:15 86016]
        "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 20:15 8466432]
        "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 20:15 81920]
        "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
        "Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
        Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
        HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2007-01-15 12:36:13 34520]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

        R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080215.002\IDSvix86.sys [2008-02-13 10:18]
        R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 10:44]
        R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;C:\Windows\system32\DRIVERS\netr73.sys [2007-08-31 13:54]
        R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]
        S3 PAC207;SoC PC-Camera;C:\Windows\system32\DRIVERS\PFC027.SYS [2006-12-05 10:34]

        *Newly Created Service* - COMHOST
        .
        Contents of the 'Scheduled Tasks' folder
        "2008-01-28 07:39:04 C:\Windows\Tasks\HPCeeScheduleForMikkelsen.job"
        - C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe!HPCeeScheduleForMikkelsen (null)
        "2008-02-15 07:42:02 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Mikkelsen.job"
        - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
        "2008-02-18 02:11:04 C:\Windows\Tasks\User_Feed_Synchronization-{5CEA02D6-9241-486C-976D-525FAA476D9A}.job"
        - C:\Windows\system32\msfeedssync.exe
        .
        **************************************************************************

        catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-02-17 22:39:58
        Windows 6.0.6000  NTFS

        scanning hidden processes ...

        scanning hidden autostart entries ...

        scanning hidden files ...

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        Completion time: 2008-02-17 22:40:37
        ComboFix-quarantined-files.txt  2008-02-18 04:40:35
        .
        2008-01-31 09:02:51   --- E O F --- 
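
Added example, not part of the original thread and not ComboFix's own code: a small parser for the "Reg Loading Points" lines in the log above that turns each autorun value into a record and lists the ones worth a manual look. The directory list and the two review notes are assumptions made for this example; a note is a reason to look at the entry, not a verdict on it.

```python
import re

# Excerpt copied from the "Reg Loading Points" section of the log posted above.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 03:05 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 06:34 2159104 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 07:42 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 04:57 3784704 C:\Windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]
'''

KEY_RE = re.compile(r'^\[(hkey_[^\]]+)\]$', re.I)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
META_RE = re.compile(r'^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>\d+)(?: (?P<full>.+))?$')

# Assumption for this example: install locations that need no second look.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "%windir%\\")


def parse_autoruns(text):
    """Return one dict per autorun value found under a registry key header."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not (m and key):
            continue  # separators, folder listings and other line shapes
        meta = META_RE.match(m.group("meta").strip())
        # In the log above, the resolved path follows the size when the
        # registry value is a bare file name; prefer it when present.
        full = meta.group("full") if meta else None
        entries.append({
            "key": key,
            "name": m.group("name"),
            "command": m.group("cmd"),
            "path": full or m.group("cmd"),
            "modified": meta.group("when") if meta else None,
            "size": int(meta.group("size")) if meta else None,
        })
    return entries


def review_notes(entry):
    """Reasons (assumed heuristics) to look at an entry by hand."""
    notes = []
    if entry["size"] is None:
        notes.append("no file metadata in log")
    if not entry["path"].lower().startswith(EXPECTED_PREFIXES):
        notes.append("outside expected directories")
    return notes


def triage(text):
    """(name, notes) for every parsed entry that has at least one note."""
    return [(e["name"], review_notes(e)) for e in parse_autoruns(text) if review_notes(e)]
```
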

        evilfantasy

        Re: Can you take a look at my Log : )
        « Reply #35 on: February 18, 2008, 09:48:18 AM »
        I don't see anything there.


        Please download  DrWeb CureIt & save it to your desktop.

        Scan with DrWeb-CureIt as follows:
        • Double-click on drweb-cureit.exe and then click Start.
        • An Express Scan of your PC notice will appear.
        • Under Start the Express Scan Now Click OK to start.
          • This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
        • Once the short scan has finished, Click Options > Change settings
        • Choose the Scan tab and UNcheck Heuristic analysis and click OK
        • Back at the main window, select the Complete scan button.
        • Then click the Green Arrow Start Scanning button on the right and the scan will start.
          • Click Yes to all if it asks if you want to cure/move any file(s).
        • When the scan is done.
        • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
        • Save the DrWeb.csv report to your Desktop.
        • Exit Dr.Web Cureit.
        • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
        • After reboot. Leave the Dr. Web CureIt log on the desktop.
        Copy and paste that log in the next reply.
        .
        ----------

        Please use Panda's NanoScan
        • Under Scan Now click the Full Scan button
        • Follow the prompts to install the Active X if necessary
        • When the scan is finished, a report will be generated
        • Next to Scan Details click the small Save button and save the report to your desktop.
        • Please post the report in your reply.
        .
        ----------

        Next post
        Dr Web log
        Nano Scan log


        missypoo

          Re: Can you take a look at my Log : )
          « Reply #36 on: February 18, 2008, 10:00:44 AM »
          Ok, I'm downloading the DrWeb CureIt, is it normal for the process to take a while?  It says estimated time is like 48 minutes total.

          missypoo

            Re: Can you take a look at my Log : )
            « Reply #37 on: February 18, 2008, 10:06:03 AM »
            Oh great!  While it was downloading an error popped up.  It said this:

            Internet Explorer cannot download cureit.exe from ftp.drweb.com.
            The operation timed out.

            Now what?

            evilfantasy

            Re: Can you take a look at my Log : )
            « Reply #38 on: February 18, 2008, 10:15:51 AM »
            Try this first.


            Download and install CleanUp!.exe

            Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
            Set the program up as follows:
            • Click Options...
            • Move the arrow to Standard CleanUp!
            • Uncheck the following: (if checked)
              • Delete Newsgroup cache
              • Delete Newsgroup Subscriptions
            • Click OK
            Click the CleanUp! button to start the program. Reboot/logoff when prompted.

            Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.


            missypoo

              Re: Can you take a look at my Log : )
              « Reply #39 on: February 18, 2008, 10:31:00 AM »
              Hate to admit this, but I don't know how to do backups and don't know if I have a 64 bit OS.  How can I do that?

              evilfantasy

              Re: Can you take a look at my Log : )
              « Reply #40 on: February 18, 2008, 10:33:50 AM »
              It isn't a 64bit.


              Follow these steps to create a backup of the registry.
              • Click the Start button, then click Run.
              • Type REGEDIT, then click OK.
                • The Registry Editor opens.
              • Choose File, Export Registry File.
              • Verify the following entries in the Export Registry File Dialog Box:
                • Save in: Desktop
                • File Name: Registry Backup
                • Export Range: All
              • Click Save.
              • Exit the Registry Editor.
              • Verify you have an icon titled REGISTRY BACKUP.REG on the Desktop.
              CAUTION: Do not double-click the REGISTRY BACKUP.REG file on your Desktop unless you intend to undo your changes or need to restore the Registry.
              • Immediately verify the effect of your changes by restarting the computer.
              • Once you have verified that the changes to the registry:
                • If there are any problems.
                  • Restore it immediately by Right clicking the REGISTRY BACKUP.REG and choose Merge.
                • If there are no problems.
                  • Delete the REGISTRY BACKUP.REG file from the desktop.
              Do not allow the REGISTRY BACKUP.REG file to remain on the desktop beyond the testing period to avoid inadvertently double-clicking it.

                missypoo

                  Re: Can you take a look at my Log : )
                  « Reply #41 on: February 18, 2008, 10:38:11 AM »
                  I don't know how to get to the RUN key.  I knew how to do it when I had XP.  Where do I find it on Vista?

                  evilfantasy

                  Re: Can you take a look at my Log : )
                  « Reply #42 on: February 18, 2008, 10:42:41 AM »
                  Press the Windows+R keys.

                  missypoo

                    Re: Can you take a look at my Log : )
                    « Reply #43 on: February 18, 2008, 11:04:38 AM »
                    I restarted the computer after doing the backup process.  Do I delete it now?  If so, how do I get rid of it?

                    evilfantasy

                    Re: Can you take a look at my Log : )
                    « Reply #44 on: February 18, 2008, 11:18:43 AM »
                    If everything is running OK then delete it.

                    Try the Dr Web again.