
Solved Keyboard freezing & other issues - HJT log

Discussion in 'Malware and Virus Removal Archive' started by 2qwk4u, 2008/05/22.

  1. 2008/05/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looking much better. Run FindAWF option 2 again and paste in the following path this time.

    "C:\Program Files\QuickTime\bak\qttask.exe "

    Post the new awf.txt log.
     
  2. 2008/05/25
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Sun 05/25/2008
    The current time is: 19:36:55.25


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    05/18/2006 05:58 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\PROGRA~1\WIFD1F~1\BAK

    11/03/2006 08:20 PM 866,584 MSASCui.exe
    1 File(s) 866,584 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    12/13/2005 05:41 PM 77,824 hkcmd.exe
    12/13/2005 05:45 PM 118,784 igfxpers.exe
    12/13/2005 05:44 PM 98,304 igfxtray.exe
    12/19/2005 09:08 AM 1,347,584 WLTRAY.exe
    4 File(s) 1,642,496 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

    05/18/2006 05:58 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    11/29/2005 12:56 PM 761,947 SynTPEnh.exe
    1 File(s) 761,947 bytes

    Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

    05/11/2007 03:06 AM 40,048 Reader_sl.exe
    1 File(s) 40,048 bytes

    Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

    03/09/2007 11:09 AM 63,712 apdproxy.exe
    1 File(s) 63,712 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    98304 May 18 2006 "C:\Program Files\QuickTime\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe "
    866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe "
    77824 Dec 13 2005 "C:\WINDOWS\system32\hkcmd.exe "
    77824 Dec 13 2005 "C:\drivers\video\onboard\hkcmd.exe "
    77824 Dec 13 2005 "C:\WINDOWS\system32\bak\hkcmd.exe "
    118784 Dec 13 2005 "C:\WINDOWS\system32\igfxpers.exe "
    118784 Dec 13 2005 "C:\drivers\video\onboard\igfxpers.exe "
    118784 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxpers.exe "
    98304 Dec 13 2005 "C:\WINDOWS\system32\igfxtray.exe "
    98304 Dec 13 2005 "C:\drivers\video\onboard\igfxtray.exe "
    98304 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxtray.exe "
    1347584 Dec 19 2005 "C:\WINDOWS\system32\WLTRAY.exe "
    1347584 Dec 19 2005 "C:\WINDOWS\system32\bak\WLTRAY.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    761947 Nov 29 2005 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    761947 Nov 29 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe "
    761947 Nov 29 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe "
    40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe "
    63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe "


    end of report
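The awf.txt report above pairs each file found in a `bak` folder with same-named copies elsewhere on disk, matched by size and date. The script below is an added example, not part of the thread and not FindAWF's own code: it reproduces that check over a directory tree and also hashes each pair, because a dropped replacement padded to the original's size and stamped with the original's date passes a size/date comparison but not a hash comparison. The sample tree it builds is constructed for the demo (paths mirror the report, file contents are placeholders); the `hkcmd.exe` pair is deliberately same-size-different-bytes to show the case a size-only check misses.

```python
"""Added example, not part of the thread and not FindAWF's own code.

Walk a tree, find every folder named "bak", and compare each file in it
with the same-named file one level up: FindAWF option 2 done by hand,
with a hash comparison on top of the size check.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(parent_file, bak_file):
    """Compare a bak copy with the live file one directory up.

    identical : live file and backup match (the bak folder is safe to delete)
    replaced  : live file differs from the backup (the AWF pattern: original
                moved into bak, something else dropped under its name)
    orphan    : no live file at all (the original was never put back)
    """
    if not os.path.isfile(parent_file):
        return "orphan"
    if os.path.getsize(parent_file) != os.path.getsize(bak_file):
        return "replaced"
    if sha256_of(parent_file) != sha256_of(bak_file):
        return "replaced"
    return "identical"


def audit_bak_folders(root):
    """Return {relative path: status} for every file inside a bak folder
    under root, plus an 'empty' entry for bak folders holding no files."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if not filenames:
            findings[rel_dir] = "empty"
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            bak_file = os.path.join(dirpath, name)
            parent_file = os.path.join(parent, name)
            findings[rel_dir + "/" + name] = classify(parent_file, bak_file)
    return findings


# Constructed sample tree (not the poster's machine). Paths mirror the
# report above; contents are placeholders. The two hkcmd.exe files have
# the same size but different bytes, so only the hash tells them apart.
SAMPLE_TREE = {
    "Program Files/QuickTime/qttask.exe": b"MZ original qttask",
    "Program Files/QuickTime/bak/qttask.exe": b"MZ original qttask",
    "Program Files/QuickTime/bak/bak/qttask.exe": b"MZ original qttask",
    "WINDOWS/system32/hkcmd.exe": b"MZ dropped trojan",
    "WINDOWS/system32/bak/hkcmd.exe": b"MZ original hkcmd",
    "Program Files/Synaptics/SynTP/bak/SynTPEnh.exe": b"MZ original syntpenh",
}
EMPTY_BAK_DIRS = ["Program Files/Messenger/bak"]


def build_sample_tree(base):
    """Materialise SAMPLE_TREE and EMPTY_BAK_DIRS under base."""
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    for rel in EMPTY_BAK_DIRS:
        os.makedirs(os.path.join(base, *rel.split("/")), exist_ok=True)


def run_demo():
    """Build the sample tree in a temp dir, audit it, return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit_bak_folders(base)


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print(f"{status:9} {path}")
```

Read the result the way the helper read the report: `identical` pairs are the ones whose bak folder can simply be removed, `replaced` pairs are the ones where the live file needs to be looked at before anything is deleted, and `orphan` entries mean the backup is the only copy left.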
     


  4. 2008/05/25
    noahdfear
    Good work. Let's clean up now. Double-click the FindAWF icon once again.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Highlight and copy the following bolded list of folders to be removed:



    C:\PROGRA~1\MESSEN~1\BAK
    C:\PROGRA~1\QUICKT~1\BAK
    C:\PROGRA~1\WIFD1F~1\BAK
    C:\WINDOWS\SYSTEM32\BAK
    C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
    C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
    C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK


    Click below the line of folders.txt and paste the list.
    Close folders.txt and click Yes to save the changes.

    Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new log. Please post the contents of the new awf.txt log here.
     
  5. 2008/05/25
    2qwk4u (Thread Starter)
    Good work? I'm following instructions, and cutting, copying and pasting another language..... that you're fluent in. Good work to you LOL....

    Here is #3

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Sun 05/25/2008
    The current time is: 21:36:36.95


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\QUICKT~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

    05/18/2006 05:58 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    98304 May 18 2006 "C:\Program Files\QuickTime\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "


    end of report



    Btw, I have an icon on my taskbar of two computers with an X. This is in addition to the icon of my internet connection. When I click on it, it says local area connection, a network cable is unplugged... I can't turn it off. If I right-click it, it gives me Windows Firewall or Open Network Connection... blah blah blah. If you follow it, it takes you to Windows Firewall or repair a connection... can we make that go away, or wait till later? It's not causing a problem I don't think, just irritating to look at, because I know it doesn't belong there.

    Bill
     
  6. 2008/05/25
    noahdfear
    Please manually delete the following bak folder.

    C:\Program Files\QuickTime\bak

    You can also delete FindAWF.exe

    Click Start>Run and paste the following command, then hit Enter.

    ncpa.cpl

    This should open the Network Connections control panel. How many network connection icons are present?
    Does one of them also appear as 'a network cable is unplugged'?
    Can you right click and disable it, and if so, does your internet connection remain intact?
     
  7. 2008/05/25
    2qwk4u (Thread Starter)
    That took care of that... what's next? Was I supposed to check stuff and "fix" it in HJT? 'Cause I haven't yet. Also, in all those scans we did, it said in bold red on a lot of them that I have no restore point. I'm assuming the red indicates a critical concern, or am I getting ahead of myself? This thing is running great. Still occasional hiccups when typing, but nothing anywhere close to what it was.
     
  8. 2008/05/25
    noahdfear
    The bold red message in the log is letting me know that your machine does not have the Recovery Console installed. The Recovery Console is a DOS-like interface that can be run at startup, from which some commands can be used in an attempt to repair an unbootable system. The author of ComboFix feels it's important to have it installed due to the increasing severity of today's malware infections and the damage they can do, so it echoes its absence to the output log in big, bold, red lettering.


    Please do an online scan with Kaspersky WebScanner

    Click Scan Now and accept the agreement. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and a fresh HijackThis log.
     
  9. 2008/05/26
    2qwk4u (Thread Starter)
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, May 26, 2008 1:07:47 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 26/05/2008
    Kaspersky Anti-Virus database records: 800486
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 78672
    Number of viruses found: 7
    Number of infected objects: 29
    Number of suspicious objects: 0
    Duration of the scan process: 00:52:42

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\3ed93118c9707e193789e792196505c0_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fc6cb1e30bb2325a53ffc982e6b2a901_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\Bill\.housecall6.6\Quarantine\b153.exe.bac_a03708 Infected: not-a-virus:AdWare.Win32.Insider.d skipped
    C:\Documents and Settings\Bill\.housecall6.6\Quarantine\JavaCore.exe.bac_a03708 Infected: not-a-virus:AdWare.Win32.Insider.b skipped
    C:\Documents and Settings\Bill\.housecall6.6\Quarantine\msiexec[1].exe.bac_a03708 Infected: Trojan-Clicker.Win32.Agent.tg skipped
    C:\Documents and Settings\Bill\.housecall6.6\Quarantine\POTA777444[1].exe.bac_a03708/data0002 Infected: not-a-virus:AdWare.Win32.TTC.e skipped
    C:\Documents and Settings\Bill\.housecall6.6\Quarantine\POTA777444[1].exe.bac_a03708 NSIS: infected - 1 skipped
    C:\Documents and Settings\Bill\.housecall6.6\Quarantine\POTA777444[1].exe.bac_a03708 CryptFF.b: infected - 1 skipped
    C:\Documents and Settings\Bill\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amagent39.exe/file01 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.391 skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amagent39.exe Infected: not-a-virus:Monitor.Win32.ActivityMonitor.391 skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amonitor39.exe/file17 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amonitor39.exe/file19/file01 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.391 skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amonitor39.exe/file19/file02 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amonitor39.exe/file19/file03 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amonitor39.exe/file19/file04 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amonitor39.exe/file19/file05 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.b skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amonitor39.exe/file19/file06 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amonitor39.exe/file19 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip/amonitor39.exe Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip ZIP: infected - 11 skipped
    C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Bill\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Bill\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amagent39.exe/file01 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.391 skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amagent39.exe Inno: infected - 1 skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amonitor39.exe/file17 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amonitor39.exe/file19/file01 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.391 skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amonitor39.exe/file19/file02 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amonitor39.exe/file19/file03 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amonitor39.exe/file19/file04 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amonitor39.exe/file19/file05 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.b skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amonitor39.exe/file19/file06 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amonitor39.exe/file19 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.c skipped
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full\amonitor39.exe Inno: infected - 8 skipped
    C:\Documents and Settings\Bill\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Bill\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000029.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000099.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000102.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000105.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000106.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000107.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000108.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000113.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000117.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000124.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000125.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP8\change.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:09:14 AM, on 5/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185019444906
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 5603 bytes
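A HijackThis log is only useful once someone sorts its lines into "dead entry", "needs a look" and "fine". The script below is an added example, not part of the thread and not HijackThis's own code: it splits each log line into its section code (R0, O4, O23, ...) and body and applies a few triage rules that mirror what was acted on in this thread, namely an HKLM start page pointing at a local file, entries whose target file no longer exists, and the places where code gets loaded with little user visibility (AppInit_DLLs, services with no recognised publisher). The sample lines are copied verbatim from the log above. A `review` verdict is not a malware call: the AppInit_DLLs entry and the cmdAgent service here sit beside the COMODO firewall that is also listed under Running processes, and the helper left both alone.

```python
"""Added example, not part of the thread and not HijackThis's own code.

First-pass triage of HijackThis log lines. Verdicts:
  fix    : the entry points at a file that no longer exists (dead entry)
  review : a setting or load point worth confirming by hand
  info   : an autostart or downloaded control; keep only if recognised
  ok     : nothing the rules object to
"""
import re
from collections import Counter

# "<section> - <body>", e.g. "O23 - Service: ..." or "R0 - HKLM\...".
HJT_LINE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")

# Lines copied verbatim from the HijackThis log posted above; none invented.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
""".strip()


def triage_line(line):
    """Return a finding dict for one HJT line, or None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    # R-lines carry "<registry value> = <setting>"; pull out the setting.
    value = body.split(" = ", 1)[1].strip() if " = " in body else ""

    if "(no file)" in body or "(file missing)" in body:
        verdict, why = "fix", "target no longer exists; dead entry, safe to remove"
    elif section in ("R0", "R1") and value.lower().startswith("file:"):
        verdict, why = "review", "browser start/search page points at a local file"
    elif section == "O20":
        verdict, why = "review", ("AppInit_DLLs loads this DLL into every process "
                                  "that maps user32.dll; confirm the publisher")
    elif section == "O23" and "Unknown owner" in body:
        verdict, why = "review", "service binary has no recognised publisher; confirm vendor"
    elif section in ("O4", "O16"):
        verdict, why = "info", "autostart or downloaded ActiveX control; keep only if recognised"
    else:
        verdict, why = "ok", ""
    return {"section": section, "verdict": verdict, "why": why, "line": line.strip()}


def triage(log_text):
    """Triage every entry line of a log; header/process lines are skipped."""
    return [r for r in (triage_line(l) for l in log_text.splitlines()) if r]


def summarize(results):
    """Count findings per verdict, e.g. {'ok': 2, 'review': 3, ...}."""
    return dict(Counter(r["verdict"] for r in results))


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        if r["verdict"] != "ok":
            print(f"{r['verdict']:6} {r['section']:4} {r['why']}\n       {r['line']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feeding it the lines above yields two `fix` entries (the Yahoo! Toolbar hook and the PartyPoker button, both pointing at files that are gone) and three `review` entries (the `file://` start page, the AppInit_DLLs line and the cmdAgent service); the R0 start page is exactly the entry the helper asks to fix in the next post.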
     
  10. 2008/05/26
    noahdfear
    Safe to assume you downloaded the activity monitor? If not, remove it.

    C:\Documents and Settings\Bill\Desktop\Unused Desktop Shortcuts\activmon39full.zip
    C:\Documents and Settings\Bill\My Documents\Unzipped\activmon39full

    Delete the housecall quarantined folder as well.

    C:\Documents and Settings\Bill\.housecall6.6\Quarantine

    Then empty the recycle bin.
    Looks good otherwise, so let's clean up now.


    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    Fix the following entry with HijackThis, unless that is a custom page you set.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html

    If not familiar with the above html file, delete it if it exists.


    Everything seem to be OK now?
     
  11. 2008/05/26
    2qwk4u (Thread Starter)
    Running like brand new.....
     
