Laptop is full of viruses! (Application cannot be executed)

[Kola360]

Hello, my problem is on my HP Pavillion Dv5 Notebook PC. Proccesor: AMD Athlon(tm) X2 Dual-Core QL-60 1/90 GHz. Service Pack 2, 32 bit Operating System, 3.00 RAM, On my laptop there are many alerts popping up, like an Antivirus software alert with the title " INFILTRATION ALERT" and at the bottom it says the Threat is Win32/Nuqel.E  and a Security Warning "Application cannot be executed. The file vdslr.exe is infected. Do you want to activate your antivirus software now?" When I click yes, it takes me to a website where I can buy an antivirus, if I click "no" then the same message pops up 10 seconds later with a different file listed.  I can not even access Google Chrome, now I have settle for Firefox. Every once in awhile a pop-up occurs and it takes me to "adult" sites that I have never been to.

[SuperDave]

This thread has been marked Solved. Do you still need?

[Kola360]

Sorry about that, I still do need some help. I attached my 3 logs in this post.

[recovering disk space - old attachment deleted by admin]

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Please copy and paste your logs in your replies.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:23012
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
**************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
**************************************
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

[Kola360]

ComboFix 10-11-21.01 - owner 21/11/2010  14:38:32.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.2.1033.18.2813.1483 [GMT -5:00]
Running from: c:\users\owner\Desktop\commy.exe
Command switches used :: /stepdel
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\CFLog
c:\users\owner\AppData\Local\syssvc.exe
c:\windows\system32\arp.exe

.
(((((((((((((((((((((((((   Files Created from 2010-10-21 to 2010-11-21  )))))))))))))))))))))))))))))))
.

2010-11-21 19:46 . 2010-11-21 19:46   --------   d-----w-   c:\users\owner.owner-PC\AppData\Local\temp
2010-11-21 19:46 . 2010-11-21 19:46   --------   d-----w-   c:\users\MR.TECH\AppData\Local\temp
2010-11-21 19:46 . 2010-11-21 19:46   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-11-20 21:41 . 2009-11-03 19:07   679936   ----a-w-   c:\windows\system32\D3DX81ab.dll
2010-11-20 21:41 . 2009-11-03 19:07   1970176   ----a-w-   c:\windows\system32\d3dx9.dll
2010-11-19 07:01 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{4AEC4C6F-41B6-4857-9C38-CA3E407C0EC3}\mpengine.dll
2010-11-18 00:45 . 2010-11-18 00:45   --------   d-----w-   c:\program files\CCleaner
2010-11-15 21:27 . 2010-11-15 21:27   --------   d-----w-   C:\AVGTemp
2010-11-15 20:52 . 2010-11-15 20:52   --------   d-----w-   c:\program files\Trend Micro
2010-11-15 12:48 . 2010-11-15 12:48   --------   d-----w-   c:\users\owner\AppData\Roaming\Malwarebytes
2010-11-15 12:48 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-15 12:48 . 2010-11-15 12:48   --------   d-----w-   c:\program files\MALWAREBYTES ANTI-MALWARE
2010-11-15 12:48 . 2010-11-15 12:48   --------   d-----w-   c:\programdata\Malwarebytes
2010-11-15 12:48 . 2010-11-15 13:14   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-11-15 12:48 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-11-10 19:21 . 2010-10-07 11:37   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
2010-10-30 19:43 . 2010-10-30 19:43   --------   d-----w-   c:\windows\en
2010-10-30 19:42 . 2010-09-23 04:21   39272   ----a-w-   c:\windows\system32\drivers\fssfltr.sys
2010-10-30 19:36 . 2009-09-04 21:44   69464   ----a-w-   c:\windows\system32\XAPOFX1_3.dll
2010-10-30 19:36 . 2009-09-04 21:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
2010-10-30 19:36 . 2009-09-04 21:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
2010-10-30 19:35 . 2010-10-30 19:35   469256   ----a-w-   c:\program files\Common Files\Windows Live\.cache\9ab03de21cb786906\InstallManager_WLE_WLE.exe
2010-10-30 19:35 . 2010-10-30 19:35   15712   ----a-w-   c:\program files\Common Files\Windows Live\.cache\997acb221cb786905\MeshBetaRemover.exe
2010-10-30 19:35 . 2010-10-30 19:35   94040   ----a-w-   c:\program files\Common Files\Windows Live\.cache\9777cf321cb786904\DSETUP.dll
2010-10-30 19:35 . 2010-10-30 19:35   525656   ----a-w-   c:\program files\Common Files\Windows Live\.cache\9777cf321cb786904\DXSETUP.exe
2010-10-30 19:35 . 2010-10-30 19:35   1691480   ----a-w-   c:\program files\Common Files\Windows Live\.cache\9777cf321cb786904\dsetup32.dll
2010-10-30 19:35 . 2010-10-30 19:35   94040   ----a-w-   c:\program files\Common Files\Windows Live\.cache\951219d21cb786903\DSETUP.dll
2010-10-30 19:35 . 2010-10-30 19:35   525656   ----a-w-   c:\program files\Common Files\Windows Live\.cache\951219d21cb786903\DXSETUP.exe
2010-10-30 19:35 . 2010-10-30 19:35   1691480   ----a-w-   c:\program files\Common Files\Windows Live\.cache\951219d21cb786903\dsetup32.dll
2010-10-30 19:33 . 2009-08-04 08:02   754688   ----a-w-   c:\windows\system32\webservices.dll
2010-10-28 21:48 . 2010-10-28 21:48   --------   d-----w-   c:\users\owner\AppData\Roaming\AnvSoft
2010-10-28 21:48 . 2010-10-28 21:48   --------   d-----w-   c:\program files\AnvSoft
2010-10-28 21:28 . 2010-10-28 21:28   --------   d-----w-   c:\users\owner\dwhelper
2010-10-27 11:59 . 2010-08-26 16:34   1696256   ----a-w-   c:\windows\system32\gameux.dll
2010-10-27 11:59 . 2010-08-26 16:33   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
2010-10-27 11:59 . 2010-08-26 14:23   4240384   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2009-10-03 00:30   222080   ------w-   c:\windows\system32\MpSigStub.exe
2010-09-23 04:47 . 2010-09-23 04:47   49016   ----a-w-   c:\windows\system32\sirenacm.dll
2010-09-23 04:32 . 2010-09-23 04:32   301936   ----a-w-   c:\windows\WLXPGSS.SCR
2010-09-13 13:56 . 2010-10-13 10:00   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
2010-09-08 16:17 . 2010-09-08 16:17   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17   69632   ----a-w-   c:\windows\system32\QuickTime.qts
2010-09-08 06:01 . 2010-10-13 09:58   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-13 09:58   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-13 09:58   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-13 09:58   71680   ----a-w-   c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-13 09:58   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-13 09:58   385024   ----a-w-   c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-13 09:58   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-13 09:58   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-13 10:00   125952   ----a-w-   c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-13 10:00   17920   ----a-w-   c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-13 10:00   304128   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-13 10:00   145408   ----a-w-   c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-13 10:00   102400   ----a-w-   c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-13 08:05   954752   ----a-w-   c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-13 08:05   954288   ----a-w-   c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-13 08:03   531968   ----a-w-   c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-13 08:03   2038272   ----a-w-   c:\windows\system32\win32k.sys
2010-08-26 16:37 . 2010-10-13 09:59   157184   ----a-w-   c:\windows\system32\t2embed.dll
2010-08-26 16:33 . 2010-10-27 11:59   173056   ----a-w-   c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-27 11:59   542720   ----a-w-   c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33 . 2010-10-27 11:59   458752   ----a-w-   c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-27 11:59   2159616   ----a-w-   c:\windows\apppatch\AcGenral.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{437c4386-9237-441f-a940-009430030ee0}"= "c:\program files\Messenger_Plus_Live_CA-EN\tbMess.dll" [2010-03-25 2355296]

[HKEY_CLASSES_ROOT\clsid\{437c4386-9237-441f-a940-009430030ee0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{437c4386-9237-441f-a940-009430030ee0}]
2010-03-25 17:31   2355296   ----a-w-   c:\program files\Messenger_Plus_Live_CA-EN\tbMess.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{437c4386-9237-441f-a940-009430030ee0}"= "c:\program files\Messenger_Plus_Live_CA-EN\tbMess.dll" [2010-03-25 2355296]

[HKEY_CLASSES_ROOT\clsid\{437c4386-9237-441f-a940-009430030ee0}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{437C4386-9237-441F-A940-009430030EE0}"= "c:\program files\Messenger_Plus_Live_CA-EN\tbMess.dll" [2010-03-25 2355296]

[HKEY_CLASSES_ROOT\clsid\{437c4386-9237-441f-a940-009430030ee0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]
"Google Update"="c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-07-24 133104]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-17 1033512]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-05-15 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-02 554288]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 SABKUTIL;SABKUTIL;c:\program files\SUPERAntiSpyware\SABKUTIL.sys

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 135664]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe [2009-01-29 578920]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2008-12-22 28672]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-04-29 38224]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-10-24 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-10-24 28800]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XDva317;XDva317;c:\windows\system32\XDva317.sys

R3 XDva321;XDva321;c:\windows\system32\XDva321.sys

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\DRIVERS\Amddfltr.sys [2008-01-07 15416]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\aestsrv.exe [2008-02-12 73728]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-03-18 19456]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-03-26 341328]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-01-23 52736]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
WindowsMobile   REG_MULTI_SZ      wcescomm rapimgr
LocalServiceRestricted   REG_MULTI_SZ      WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 21:06   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 23:53]

2010-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-04 23:53]

2010-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551935227-1022177039-1233512963-1000Core.job
- c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-24 19:50]

2010-11-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551935227-1022177039-1233512963-1000UA.job
- c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-24 19:50]

2010-11-21 c:\windows\Tasks\User_Feed_Synchronization-{145FD834-576F-467F-951E-287FEA8AE2B7}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = yahoo.com
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://ca.search.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\pz29zz1p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2535290&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|http://yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2535290&q=
FF - component: c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\pz29zz1p.default\extensions\{437c4386-9237-441f-a940-009430030ee0}\components\FFExternalAlert.dll
FF - component: c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\pz29zz1p.default\extensions\{437c4386-9237-441f-a940-009430030ee0}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\owner\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-21 14:47
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-21  14:49:33
ComboFix-quarantined-files.txt  2010-11-21 19:49

Pre-Run: 149,789,073,408 bytes free
Post-Run: 149,757,349,888 bytes free

- - End Of File - - 65611418AFFC91A72B3B30BD8FEA121F




Results of screen317's Security Check version 0.99.6 
 Windows Vista Service Pack 2 (UAC is enabled)
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
 Malwarebytes' Anti-Malware   
 HijackThis 2.0.2   
 CCleaner     
 Java(TM) 6 Update 20 
 Out of date Java installed!
 Adobe Flash Player 10.1.85.3 
Adobe Reader 9.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check: 
objlist.exe by Laurent
 Windows Defender MSASCui.exe
 Windows Defender MSASCui.exe   
````````````````````````````````
DNS Vulnerability Check:

``````````End of Log````````````

[SuperDave]

Please go to Jotti's malware scan
(If more than one file needs scanned they must be done separately and links posted for each one)

* Copy the file path in the below Code box:

Code: [Select]

c:\windows\WLXPGSS.SCR
 * At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
**************************************
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
4. Run CCleaner.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*********************************************
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.
*****************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to log box select the following items.
• Process << Selected
  
• Kernel Modules << Selected
  
• SSDT << Selected
  
• Kernel Hooks << Selected
  
• IRP Hooks << NOT Selected
  
• Ports << NOT Selected
  
• Hidden Files << Selected
  
• At the bottom of the page
• Hidden Objects Only << Selected
  
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was

extracted to. Open the text file and copy/paste the log here.
[/list]

[Kola360]

Hey Dave, here are my logs.


http://virusscan.jotti.org/en/scanresult/6a9f31e6f28c685d9e46ef3ddfdcd2b5af57b1
65/7a9dbc774f379a58bc43c7236a2ed6c8e25b8df3





ysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_diskdump.sys
Service Name: ---
Module Base: 9FB71000
Module End: 9FB7B000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_ahcix86s.sys
Service Name: ---
Module Base: 9FB7B000
Module End: 9FBBB000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAlpcConnectPort
Address: 87CBE0E8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied

[SuperDave]

How's your computer running now?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[Kola360]

My laptop's running like it never had a virus in the first place.

Here is my ESET list of found threats :

C:\Qoobox\Quarantine\C\Users\owner\AppData\Local\syssvc.exe.vir   a variant of Win32/Kryptik.IDS trojan   cleaned by deleting - quarantined
C:\Users\owner\AppData\Local\syssvc.exe   a variant of Win32/Kryptik.IDS trojan   cleaned by deleting - quarantined
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-1d837203   Java/TrojanDownloader.Agent.NBK trojan   deleted - quarantined
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\1d36d24d-71e2fe48   multiple threats   deleted - quarantined
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-3465f07f   Java/TrojanDownloader.Agent.NBL trojan   deleted - quarantined
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\184340f3-28bdb61b   a variant of Java/TrojanDownloader.Agent.NAN trojan   deleted - quarantined
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\1968e4f5-4195ddad   probably a variant of Win32/Agent.FQRCZBA trojan   deleted - quarantined
C:\Users\owner\Music\Documents\Downloads\MsgPlusLive-490 (1).exe   a variant of Win32/MessengerPlus application   cleaned by deleting - quarantined

Here is the ESET log

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=df4bd2177dceaa4884c96dc8d9aa7175
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-24 12:43:49
# local_time=2010-11-23 07:43:49 (-0500, Eastern Standard Time)
# country="Canada"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 611737 611737 0 0
# compatibility_mode=768 16777215 100 0 12672697 12672697 0 0
# compatibility_mode=1024 16777215 100 0 1833898 1833898 0 0
# compatibility_mode=5892 16776573 100 100 0 127156425 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=181539
# found=8
# cleaned=8
# scan_time=10532
C:\Qoobox\Quarantine\C\Users\owner\AppData\Local\syssvc.exe.vir   a variant of Win32/Kryptik.IDS trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\owner\AppData\Local\syssvc.exe   a variant of Win32/Kryptik.IDS trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-1d837203   Java/TrojanDownloader.Agent.NBK trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\1d36d24d-71e2fe48   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-3465f07f   Java/TrojanDownloader.Agent.NBL trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\184340f3-28bdb61b   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\1968e4f5-4195ddad   probably a variant of Win32/Agent.FQRCZBA trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\owner\Music\Documents\Downloads\MsgPlusLive-490 (1).exe   a variant of Win32/MessengerPlus application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C



I have a question. What do you think is the best free antivirus software out right now? Im torn between avast!,avira and avg. I really just want one with a high detection rate to prevent this problem from happening again.

[SuperDave]

I have a question. What do you think is the best free antivirus software out right now? Im torn between avast!,avira and avg. I really just want one with a high detection rate to prevent this problem from happening again.

I have to admit I really like MSE. Very efficient, no registration, daily updates and not a resource hog.

Microsoft Security Essentials for Windows Vista\Windows 7

Let's do some cleanup.

* Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
* Now type commy /uninstall in the runbox
* Make sure there's a space between commy and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
**************************************
Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
*******************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

[Kola360]

I made sure to thank you for your help. I appreciate it A LOT.