Unremovable Wallpaper from AntiVirus System Pro

Hello,

Recently, my father was tricked by AntiVirus System Pro and downloaded it onto our computer. After much toil in Safe Mode, I believe I have successfully removed it with the help of MBAM. But when I came back to normal mode, I noticed that my wallpaper was still covered by an annoying message stating that my system is infected.

I am currently running another MBAM Quick Scan with hopes of finding the infected object, but it could take up to an hour waiting for it to complete itself.

I would like to show you a log from a scan I did today in Safe Mode, but it does not appear in the Log Tab on MBAM.

The most recent MBAM Log

Malwarebytes' Anti-Malware 1.43
Database version: 3506
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

06/01/2010 11:47:51 PM
mbam-log-2010-01-06 (23-47-51).txt

Scan type: Quick Scan
Objects scanned: 150132
Time elapsed: 1 hour(s), 37 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Last edited by SilverSonata on 7th January 2010, 4:49 am; edited 1 time in total (Reason for editing : MBAM just finished scanning)

Re: Unremovable Wallpaper from AntiVirus System Pro
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run then copy paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[image: ComboFix Recovery Console prompt (Query_RC)]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: ComboFix Recovery Console installed message (RC_successful)]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Unremovable Wallpaper from AntiVirus System Pro
ComboFix 10-01-04.01 - Amanda 07/01/2010 1:46.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.301 [GMT -5:00]
Running from: c:\documents and settings\Amanda\desktop\commy.exe
Command switches used :: /stepdel
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\IS15.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.

2010-01-06 22:54 . 2010-01-06 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2010-01-06 05:27 . 2010-01-06 05:27 -------- d-----w- c:\program files\Webroot
2010-01-06 05:27 . 2010-01-06 05:27 -------- d-----w- c:\documents and settings\Tom\Application Data\Webroot
2010-01-06 05:27 . 2010-01-06 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-01-06 05:27 . 2009-08-31 18:00 1563008 ----a-w- c:\windows\WRSetup.dll
2010-01-06 05:03 . 2010-01-06 05:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-22 02:08 . 2009-12-22 02:09 -------- d-----w- C:\Combo-Fix
2009-12-20 23:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-20 23:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-20 22:48 . 2009-12-20 22:48 -------- d-----w- c:\program files\TrendMicro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 05:19 . 2005-07-04 01:12 82592 -c--a-w- c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 00:15 . 2009-10-28 02:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 00:15 . 2009-12-03 23:47 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-30 19:55 . 2009-10-28 02:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54 . 2009-10-28 02:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 04:48 . 2007-02-17 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-21 06:24 . 2006-07-14 19:18 -------- d-----w- c:\documents and settings\Amanda\Application Data\U3
2009-11-19 13:30 . 2008-03-16 12:59 -------- d-----w- c:\program files\McAfee
2009-11-05 02:35 . 2005-02-28 21:38 82592 ----a-w- c:\documents and settings\Amanda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:46 . 2004-08-04 11:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2009-11-30 05:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-26 02:58 . 2007-09-04 00:25 129862 ----a-w- c:\windows\hpoins13.dat
2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2005-2-21 156784]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\RTCSHARE.EXE"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58444:TCP"= 58444:TCP:Pando Media Booster
"58444:UDP"= 58444:UDP:Pando Media Booster
"57094:TCP"= 57094:TCP:Pando Media Booster
"57094:UDP"= 57094:UDP:Pando Media Booster

R2 HPFECP06;HPFECP06;c:\windows\SYSTEM32\DRIVERS\hpfecp06.sys [11/03/2005 3:29 PM 38176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - MBAMSwissArmy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-02 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2004-08-04 00:12]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 16:22]

2009-12-07 c:\windows\Tasks\QuickClean.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 16:22]

2009-10-26 c:\windows\Tasks\WebReg Photosmart C4200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.10/uploader2.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
MSConfigStartUp-CTFMON - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2010-01-07 01:59:15
ComboFix-quarantined-files.txt 2010-01-07 06:59
ComboFix2.txt 2009-12-21 01:02

Pre-Run: 46,625,320,960 bytes free
Post-Run: 46,722,174,976 bytes free

- - End Of File - - B395DFC36C64698AD9F01B351E9BE360
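Added example, not code from this thread, ComboFix or Malwarebytes: a small Python triage script that parses a ComboFix log's `(((( Section ))))` headers and REGEDIT4-style keys and flags three patterns visible in the log above (randomly numbered executables under system32 in Other Deletions, Security Center `DisableMonitoring=1`, and a run of generic `PORT_NNNNN` firewall exceptions). The sample log is constructed from those patterns, and `MASS_PORT_THRESHOLD` is an assumption for the example.

```python
import re
from collections import defaultdict

# Section header lines look like "(((((((( Other Deletions ))))))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# REGEDIT4-style key lines: [HKEY_LOCAL_MACHINE\...]
KEY_RE = re.compile(r"^\[(.+)\]$")
# Randomly numbered executables dropped into system32 (11478.exe, 2995.exe, ...).
NUMERIC_EXE_RE = re.compile(r"\\\d+\.exe$", re.IGNORECASE)
# Firewall exception entries: "8616:TCP"= 8616:TCP:PORT_8616
PORT_RE = re.compile(r'^"\d+:(?:TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+)$')

# How many generic PORT_NNNNN exceptions count as "mass": an assumption.
MASS_PORT_THRESHOLD = 3

# Constructed sample, modelled on the patterns in the posted log.
SAMPLE_LOG = """\
((((((((((((((((((( Other Deletions )))))))))))))))))))
.

c:\\windows\\system32\\11478.exe
c:\\windows\\system32\\2995.exe
c:\\windows\\system32\\IS15.exe

((((((((((((((((((( Reg Loading Points )))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"8616:TCP"= 8616:TCP:PORT_8616
"37737:TCP"= 37737:TCP:PORT_37737
"11048:TCP"= 11048:TCP:PORT_11048
"11426:TCP"= 11426:TCP:PORT_11426
"58444:TCP"= 58444:TCP:Pando Media Booster
"""


def parse_combofix(text):
    """Map section name -> registry key -> lines (key '' for non-keyed lines)."""
    sections = defaultdict(lambda: defaultdict(list))
    section, key = "", ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue  # ComboFix pads sections with lone dots and blank lines
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), ""
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        sections[section][key].append(line)
    return sections


def triage(sections):
    """Return a list of findings, each a dict with 'check', 'count' and 'detail'."""
    findings = []
    deleted = sections.get("Other Deletions", {}).get("", [])
    numeric = [p for p in deleted if NUMERIC_EXE_RE.search(p)]
    if numeric:
        findings.append({"check": "numeric_exe_in_system32",
                         "count": len(numeric), "detail": numeric})
    for key, values in sections.get("Reg Loading Points", {}).items():
        k = key.lower()
        if "security center\\monitoring" in k and any(
                v.lower() == '"disablemonitoring"=dword:00000001' for v in values):
            # Often legitimate: a third-party AV sets this so Security Center
            # defers to it. Confirm that the product named in the key is yours.
            findings.append({"check": "security_center_monitoring_disabled",
                             "count": 1, "detail": key.rsplit("\\", 1)[-1]})
        if k.endswith("globallyopenports\\list"):
            generic = [m.group(1) for m in map(PORT_RE.match, values)
                       if m and m.group(1).startswith("PORT_")]
            if len(generic) >= MASS_PORT_THRESHOLD:
                findings.append({"check": "mass_firewall_port_exceptions",
                                 "count": len(generic), "detail": generic[:3]})
    return findings


if __name__ == "__main__":
    for f in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{f['check']}: {f['count']} -> {f['detail']}")
```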

Re: Unremovable Wallpaper from AntiVirus System Pro

Please download Malwarebytes Anti-Malware from here.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Unremovable Wallpaper from AntiVirus System Pro
Malwarebytes' Anti-Malware 1.43
Database version: 3507
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

07/01/2010 5:18:39 PM
mbam-log-2010-01-07 (17-18-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 248328
Time elapsed: 6 hour(s), 14 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP58\A0010041.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP58\A0010042.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Re: Unremovable Wallpaper from AntiVirus System Pro
Even after restarting my computer as instructed by MBAM, the wallpaper hasn't gone away.

Re: Unremovable Wallpaper from AntiVirus System Pro
Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read this over and click here to open a new topic. ~DragonMaster Jay

Re: Unremovable Wallpaper from AntiVirus System Pro
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Re: Unremovable Wallpaper from AntiVirus System Pro
SmitFraudFix v2.424

Scan done at 18:33:11.92, 07/01/2010
Run from C:\Documents and Settings\Amanda\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Amanda\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amanda


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Amanda\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amanda\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Amanda\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.200.241.37
DNS Server Search Order: 24.201.245.77
DNS Server Search Order: 24.200.243.189

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Re: Unremovable Wallpaper from AntiVirus System Pro
Please download DragonFix by DragonMaster Jay, and save it to your Desktop. Right click and Extract All, and save the files to your Desktop.
  • Please disable realtime protection. The only realtime protection that gets in the way and needs to be disabled: Windows Defender, Microsoft Security Essentials, Spybot TeaTimer, WinPatrol, and Ad-Aware AdWatch. If you have any one of those, please disable it.
  • Double-click DragonFix.reg, and follow the prompt(s).
  • Please reboot your computer.


Does the Desktop let you remove/change the wallpaper?

Re: Unremovable Wallpaper from AntiVirus System Pro
Umm..
I believe that I do have one of the realtime protection; Microsoft Security Essentials, but how do I disable it?

Yes, the Desktop allows me to change the wallpaper, but I can't remove it.

Re: Unremovable Wallpaper from AntiVirus System Pro

Open MSE, click on the Settings tab, Real-Time Protection, and uncheck "turn on real-time protection".

After you run DragonFix and reboot your computer, do the process again to turn MSE back on.

Re: Unremovable Wallpaper from AntiVirus System Pro
Is Windows Security Center the same thing as Microsoft Security Essentials?

Is this it?

[image: screenshot (Untitled)]

Last edited by DragonMaster Jay on 8th January 2010, 12:08 am; edited 1 time in total (Reason for editing : Tidyness :))

Re: Unremovable Wallpaper from AntiVirus System Pro
No it's not. I see you have McAfee. That would be the one to disable normally, but since they do not reverse changes, it is safe to go ahead with DragonFix now!

Re: Unremovable Wallpaper from AntiVirus System Pro
All I had to do was follow those two steps after clicking on DragonFix.reg?

Now I need to reboot?
