I'm not that great with computers. I keep running MalwareBytes, but on re-start the problems are still there:

Trojan.FakeAlert
hijack.Wallpaper
hijack.TaskManager
hijack.DisplayProperties (six of them)

I managed to open my registry and delete a lot of this, but they just come back. How can I fix this?


Malwarebytes' Anti-Malware 1.40
Database version: 2610
Windows 5.1.2600 Service Pack 3

11/28/2009 9:08:17 PM
mbam-log-2009-11-28 (21-08-17).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 159393
Time elapsed: 24 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

Sweet. I downloaded ComboFix and it cleaned up the bad stuff on my laptop. It's running fine, except now I don't get any sound from it. I can't find anything wrong with my Sound And Audio Devices.

Here's the ComboFix txt file:

ComboFix 09-12-02.05 - User 12/02/2009 22:04.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.497 [GMT -6:00]
Running from: c:\documents and settings\User\My Documents\My Pictures\sfgnjszfg\Frames\commy.exe.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\AVR10.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\ndisapi.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD
-------\Service_NDISRD
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 04:10 . 2007-11-06 13:40 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-09 16:04 . 2007-11-06 18:50 94904 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-09 06:48 . 2009-10-09 06:48 -------- d-----w- c:\program files\Microsoft Encarta
2009-09-27 18:47 . 2009-09-27 18:47 1096736 ----a-w- c:\documents and settings\All Users\Application Data\13987654\13987654.exe
2009-09-11 14:18 . 2007-11-06 12:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2007-11-06 12:23 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-07 344064]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-06-27 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REALTEK USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REALTEK USB Wireless LAN Utility.lnk
backup=c:\windows\pss\REALTEK USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\spoolsv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [3/26/2008 4:17 PM 38144]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [3/19/2009 7:13 PM 29824]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [3/19/2009 7:13 PM 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [3/19/2009 7:13 PM 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [3/19/2009 7:13 PM 59776]
S3 MAUSBFTP;Service for M-Audio Fast Track Pro (WDM);c:\windows\system32\DRIVERS\mausb.sys --> c:\windows\system32\DRIVERS\mausb.sys [?]
S3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [2/14/2003 4:16 PM 96256]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [3/26/2008 4:22 PM 288000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {1C9361EB-4A95-490B-8DB6-F16FD5098145} = 69.78.96.14 66.174.92.14
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{42dc8989-5226-4348-ae03-eb9ceb523a1c} - c:\program files\Affordable Computer Rentals\Helper.dll
BHO-{93195A15-1731-49B9-9509-F7C93EE03C3E} - c:\program files\Affordable Computer Rentals\Toolbar.dll
Toolbar-{58C1E8CE-26A7-4C17-B84F-4070C37B9CD9} - c:\program files\Affordable Computer Rentals\Toolbar.dll
WebBrowser-{58C1E8CE-26A7-4C17-B84F-4070C37B9CD9} - c:\program files\Affordable Computer Rentals\Toolbar.dll
Notify-NavLogon - (no file)
AddRemove-Live 6.0.1 - c:\docume~1\USER\DESKTOP\M-AUDIO\LIVE60~1.1\INSTALL\UNWISE.EXE
AddRemove-{F37167DD-4436-4641-90B6-329D60632DDA} - c:\program files\InstallShield Installation Information\{F37167DD-4436-4641-90B6-329D60632DDA}\Setup.exe REMOVEALL --u:{F37167DD-4436-4641-90B6-329D60632DDA}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 22:11
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2952)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-12-02 22:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-03 04:14

Pre-Run: 45,453,639,680 bytes free
Post-Run: 46,914,830,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C645FE637E49B096139503F33E932305

Please use Internet Explorer and run a BitDefender Online scan

• Please check I agree with the Terms and Conditions and click Start Here
  
• You will need to allow an Active X install for the scan to run.
  
• Leave the scanning options at default and click Start Scan
  

Please post the results in your next reply.

Hey,

I did the scan with BitDefender and removed lots of stuff, but my laptop still won't play any sounds. It still just static every once in a while.

Here's the log:

BitDefender Online Scanner -Scan ReportBitDefender Online Scanner
Scan report generated at: Thu, Dec 03, 2009 - 20:06:28

Scan path: C:\;D:\;

Statistics
Time00:47:55
Files269280
Folders5436
Boot Sectors0
Archives9088
Packed Files13574

Results
Identified Viruses 4
Infected Files 8
Suspect Files 0
Warnings0
Disinfected0
Deleted Files8

Engines Info
Virus Definitions4686614
Engine buildAVCORE v2.1 Windows/i386 11.0.0.26 (Oct 20 2009)
Scan plugins17
Archive plugins44
Unpack plugins8
E-mail plugins6
System plugins4

Scan Settings
First ActionDisinfect
Second ActionDelete
HeuristicsYes
Enable WarningsYes
Scanned Extensions*;
Exclude Extensions
Scan EmailsYes
Scan ArchivesYes
Scan PackedYes
Scan FilesYes
Scan BootYes

Scanned File Status
C:\Documents and Settings\All Users\Application
Data\13987654\13987654.exeInfected with: Trojan.CryptRedol.Gen.5
C:\Documents and Settings\All Users\Application
Data\13987654\13987654.exeDisinfection failed
C:\Documents and Settings\All Users\Application
Data\13987654\13987654.exeDeleted
C:\Documents and Settings\User\Application
Data\Sun\Java\Deployment\cache\6.0\42\14413fea-67971d54Infected
with: Gen:Packed.bq0@cSo3YVmc
C:\Documents and Settings\User\Application
Data\Sun\Java\Deployment\cache\6.0\42\14413fea-67971d54Disinfection
failed
C:\Documents and Settings\User\Application
Data\Sun\Java\Deployment\cache\6.0\42\14413fea-67971d54Deleted
C:\System Volume
Information\_restore{C7A1051F-65DB-4093-AFD8-6C299E32635D}\RP1\A0000050.exeInfected
with: Trojan.Generic.2777164
C:\System Volume
Information\_restore{C7A1051F-65DB-4093-AFD8-6C299E32635D}\RP1\A0000050.exeDeleted
C:\System Volume
Information\_restore{C7A1051F-65DB-4093-AFD8-6C299E32635D}\RP1\A0000051.exeInfected
with: Trojan.Generic.2777164
C:\System Volume
Information\_restore{C7A1051F-65DB-4093-AFD8-6C299E32635D}\RP1\A0000051.exeDeleted
C:\System Volume
Information\_restore{C7A1051F-65DB-4093-AFD8-6C299E32635D}\RP1\A0000163.exeInfected
with: Trojan.CryptRedol.Gen.5
C:\System Volume
Information\_restore{C7A1051F-65DB-4093-AFD8-6C299E32635D}\RP1\A0000163.exeDisinfection
failed
C:\System Volume
Information\_restore{C7A1051F-65DB-4093-AFD8-6C299E32635D}\RP1\A0000163.exeDeleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.virInfected
with: Trojan.FakeAV.PZ
C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.virDisinfection
failed
C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.virDeleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon86.exe.virInfected
with: Trojan.Generic.2777164
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon86.exe.virDeleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate86.exe.virInfected
with: Trojan.Generic.2777164
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate86.exe.virDeleted

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.