WiredWX Christian Hobby Weather Tools
Re: Unremovable Wallpaper from AntiVirus System Pro

Yep. Done. Now reboot your computer, kindly, and tell me if there was a change.

Please download ATF Cleaner by Atribune.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, click No at the prompt.
Click Exit on the Main menu to close the program.

Re: Unremovable Wallpaper from AntiVirus System Pro

I'm sorry, but the wallpaper still persists >__<

I'm currently doing another MBAM Quick Scan, will post the log if anything pops up.

---
The log;
---
Malwarebytes' Anti-Malware 1.44
Database version: 3511
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

07/01/2010 10:09:19 PM
mbam-log-2010-01-07 (22-09-19).txt

Scan type: Quick Scan
Objects scanned: 148351
Time elapsed: 1 hour(s), 25 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Last edited by SilverSonata on 8th January 2010, 3:09 am; edited 1 time in total (Reason for editing : Scanning completed)

Re: Unremovable Wallpaper from AntiVirus System Pro

I'm not sure if this is relevant but;

I have a computer with many accounts, and when I was on my sister's account to delete her Temporary Internet Files so that the scan would proceed more smoothly, I noticed that her wallpaper was not infected.

Is this because the wallpaper virus did not reach my sister's computer yet?

Re: Unremovable Wallpaper from AntiVirus System Pro

Please reboot your computer. To reboot into Safe Mode, tap the F8 key continually, just before Windows starts to load.
Select the first option, to run Windows in Safe Mode, then press "Enter".


Once in Safe Mode, open the SmitfraudFix folder and double click "SmitfraudFix.cmd".
Select option #2 - Clean by typing 2 and press "Enter".
You will be prompted : "Registry cleaning - Do you want to clean the registry?", answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found), answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart anyway into Normal Mode. A text file will appear, with results from the cleaning process.

Please copy/paste its content into your next reply with a new HijackThis log.

(The report can also be found at the root of the system drive, usually at C:\rapport.txt)

Warning: running option #2 on a non infected computer will remove your Desktop background.

Re: Unremovable Wallpaper from AntiVirus System Pro

SmitFraudFix v2.424

Scan done at 7:48:50.01, 08/01/2010
Run from C:\Documents and Settings\Amanda\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Re: Unremovable Wallpaper from AntiVirus System Pro

When I tried to download HijackThis, I received the following;

"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

I am not in Safe Mode, so I presume it is because Windows Installer is not correctly installed...

Re: Unremovable Wallpaper from AntiVirus System Pro

Please navigate to this webpage: http://support.microsoft.com/kb/313222 and see the section "Fix it for me" and click the Microsoft Fix-It button. This will download a fix utility to repair the security settings on your computer, due to damages of malware or other harmful system changes. Install the file after download.

Then try it.

Re: Unremovable Wallpaper from AntiVirus System Pro

=/

Even when I try to run the 'Fix it for me', I still get the same message.
Should I try to do it manually?

Re: Unremovable Wallpaper from AntiVirus System Pro

Ah, I was able to get it running thanks to;
http://support.microsoft.com/kb/319624

Do I still need to do the Microsoft Fix It or can I go straight to HijackThis?

Re: Unremovable Wallpaper from AntiVirus System Pro

Here is the HijackThis log;

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 06:58:18, on 08/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Amanda\Desktop\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/58.10/uploader2.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 7955 bytes

Re: Unremovable Wallpaper from AntiVirus System Pro

Please copy and paste the following in to Notepad:

Code:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"NoDispCPL"=-
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-
"NoDispSettingsPage"=-
"wallpaper"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"wallpaper"=-
"NoDispAppearancePage"=-
"NoDispCPL"=-
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-
"NoDispSettingsPage"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ActiveDesktop]
"NoChangingWallPaper"="0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ActiveDesktop]
"NoChangingWallPaper"="0"

Then click File > Save as
Save as wallpaperFIX.reg to your Desktop.
Choose Save as type: All Files.
Click Save.

Exit Notepad, then double-click on wallpaperFIX.reg to run the script.

After you have confirmed the prompts, please restart your computer.

Let me know if your wallpaper will cooperate now.

Re: Unremovable Wallpaper from AntiVirus System Pro

When I rebooted my computer, I now have two annoying things pop up;

This one appears at the very beginning after logging in;
[screenshot: Untitled-1]

And this one starts to load itself automatically after a minute or two and will not disappear unless I use the Ctrl + Alt + Delete Command (If I click Cancel a few times, it will only temporarily go away, and a minute later, it will automatically restart to load again);
[screenshot: Untitled2]

Also, while my desktop was loading, before the virus, I usually see my wallpaper appear along with my icons, but ever since the virus, I only see the wallpaper and then the icons appear after 2 minutes (I timed it while waiting). The very same thing happened right now and since it's not like my usual, it's worrying me because it's the exact same behavior as the

Thank you for your patience and perseverance with me. I'm sorry for causing you so many inconveniences.

Re: Unremovable Wallpaper from AntiVirus System Pro

Don't worry.

Please go to VirusTotal. Copy and paste the following file path in to the box.

C:\windows\explorer.exe

Then click submit.

Please post the results (URL) to your next reply.

Re: Unremovable Wallpaper from AntiVirus System Pro

http://www.virustotal.com/reanalisis.html?1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455-1263010277

Re: Unremovable Wallpaper from AntiVirus System Pro

I need for that file to be re-analyzed.

It was already analyzed, but a new analysis must be done.

Re: Unremovable Wallpaper from AntiVirus System Pro

I'm sorry, is this the right one now?

http://www.virustotal.com/analisis/1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455-1263010277

Re: Unremovable Wallpaper from AntiVirus System Pro

Ok. Good.

Please copy and paste the following in to Notepad:

Code:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoMovingBands"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions"=dword:00000000
"NoSimpleStartMenu"=dword:00000000
"NoCDBurning"=dword:00000000
"NoComputersNearMe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-
"WallPaperStyle"=-
"NoVisualStyleChoice"=dword:00000001 
"NoColorChoice"=dword:00000001 
"NoSizeChoice"=dword:00000001

Then click File > Save as
Save as wallFIX.reg to your Desktop.
Choose Save as type: All Files.
Click Save.

Exit Notepad, then double-click on wallFIX.reg to run the script.

After you have confirmed the prompts, please restart your computer.

Let me know if your wallpaper will cooperate now.
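
An added example, not part of the original posts or of any tool used in this thread: a small parser for the .reg format shown above that reports which display-policy values (names taken from the two .reg scripts in this thread) are still enabled in a registry export, so the result of a fix can be checked. The function names and the sample export are constructed for illustration.

```python
import re

# Value names taken from the .reg scripts posted in this thread. Under a
# ...\Policies\... key, a non-zero value restricts the Display applet or desktop.
LOCK_VALUES = {
    "nodispcpl", "nodispbackgroundpage", "nodispappearancepage",
    "nodispscrsavpage", "nodispsettingspage", "nochangingwallpaper",
    "noactivedesktopchanges", "noactivedesktop", "nohtmlwallpaper",
}

_KEY = re.compile(r"^\[(-?)(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


def _unescape(quoted):
    # Drop the surrounding quotes and undo .reg backslash escaping.
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def parse_reg(text):
    """Return (key, name, kind, data) tuples from .reg text.

    kind is 'string', 'dword', 'hex' or 'delete'; data is str, int, bytes or None.
    """
    entries, key, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                      # continuation of a wrapped hex value
            line, pending = pending + line, ""
        if not line or line.startswith(";"):
            continue                     # blank line or comment
        if line.endswith("\\"):
            pending = line[:-1]          # hex data continues on the next line
            continue
        m = _KEY.match(line)
        if m:
            key = None if m.group(1) else m.group(2)   # "[-key]" deletes a key
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue                     # header line or malformed input
        name = "" if m.group(1) == "@" else _unescape(m.group(1))
        rhs = m.group(2).strip()
        if rhs == "-":
            entries.append((key, name, "delete", None))
        elif rhs.lower().startswith("dword:"):
            entries.append((key, name, "dword", int(rhs[6:], 16)))
        elif rhs.lower().startswith("hex"):
            body = rhs.partition(":")[2]
            data = bytes(int(b, 16) for b in body.split(",") if b.strip())
            entries.append((key, name, "hex", data))
        elif rhs.startswith('"') and rhs.endswith('"'):
            entries.append((key, name, "string", _unescape(rhs)))
    return entries


def is_set(kind, data):
    """True when a parsed value is effectively non-zero."""
    if kind == "dword":
        return data != 0
    if kind == "hex":
        return any(data)
    if kind == "string":
        return data.strip() not in ("", "0")
    return False                         # a 'delete' line removes the value


def audit_display_policies(text):
    """List (key, name, reason) for display restrictions still in force."""
    findings = []
    for key, name, kind, data in parse_reg(text):
        if "\\policies\\" not in key.lower():
            continue                     # only policy keys lock the UI
        lname = name.lower()
        if lname in LOCK_VALUES and is_set(kind, data):
            findings.append((key, name, "restriction enabled"))
        elif lname == "wallpaper" and kind == "string" and data.strip():
            findings.append((key, name, "wallpaper forced by policy: " + data))
    return findings


# Constructed sample export (not taken from the poster's machine).
CONSTRUCTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispCPL"=dword:00000000
"Wallpaper"="C:\\WINDOWS\\system32\\example.bmp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
"NoActiveDesktopChanges"=hex:01,00,00,00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\web\\wallpaper\\Bliss.bmp"
"""

if __name__ == "__main__":
    for key, name, reason in audit_display_policies(CONSTRUCTED_EXPORT):
        print(f"{key}\n    {name}: {reason}")
```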

Re: Unremovable Wallpaper from AntiVirus System Pro

My wallpaper is doing very well now. Thank you very much!

But at the startup of my computer, I still have the 'Found New Hardware Wizard' as well as the other download CD.

As for all the suggested downloads you have asked me to download up to now, can I uninstall them? If so, how?

Re: Unremovable Wallpaper from AntiVirus System Pro

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
==

Download WhoCrashed from here
This program checks for any drivers which may have been causing your computer to crash....

Click on the file you just downloaded and run it.
Put a tick in Accept then click on Next
Put a tick in the Don't create a start menu folder then click Next
Put a tick in Create a Desktop Icon then click on Install and make sure there is a tick in Launch Whocrashed before clicking Finish
Click Analyze
It will want to download the Debugger and install it. Say Yes.

WhoCrashed will create a report, but you have to scroll down to see it
Copy and paste it into your next reply

Re: Unremovable Wallpaper from AntiVirus System Pro

Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\WINDOWS\Minidump

Crash dumps are enabled on your computer.


On Sun 20/12/2009 10:36:58 PM your computer crashed
This was likely caused by the following module: csrss.exe
Bugcheck code: 0xF4 (0x3, 0x8284FDA0, 0x8284FF14, 0x8060567E)
Error: CRITICAL_OBJECT_TERMINATION
Dump file: C:\WINDOWS\Minidump\Mini122009-02.dmp
file path: C:\WINDOWS\system32\csrss.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Client Server Runtime Process
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Sun 20/12/2009 10:32:14 PM your computer crashed
This was likely caused by the following module: kxloapog.sys
Bugcheck code: 0x10000050 (0xFAE9500B, 0x0, 0xEBF68F60, 0x0)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini122009-01.dmp



On Tue 10/03/2009 02:29:17 AM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1F09000, 0x2, 0x0, 0xEE83FD00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030909-01.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Sun 08/03/2009 04:47:35 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1F10000, 0x2, 0x0, 0xEED62D00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030809-01.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Sat 07/03/2009 04:48:47 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1EF8000, 0x2, 0x0, 0xEE809D00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030709-03.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Sat 07/03/2009 04:44:20 PM your computer crashed
This was likely caused by the following module: mpfp.sys
Bugcheck code: 0x1000008E (0xC0000005, 0xEE508295, 0xED7ED174, 0x0)
Error: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M
Dump file: C:\WINDOWS\Minidump\Mini030709-02.dmp
file path: C:\WINDOWS\system32\drivers\mpfp.sys
product: McAfee Personal Firewall Plus
company: McAfee, Inc.
description: McAfee Personal Firewall Plus Driver



On Sat 07/03/2009 04:35:54 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1F2C000, 0x2, 0x0, 0xEE402D00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030709-01.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Fri 06/03/2009 10:50:22 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1ECD000, 0x2, 0x0, 0xEE82ED00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030609-02.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Fri 06/03/2009 10:39:47 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1EB6000, 0x2, 0x0, 0xEF26ED00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030609-01.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Wed 28/06/2006 04:59:13 PM your computer crashed
This was likely caused by the following module: dump_wmimmc.
Bugcheck code: 0x100000CE (0xEDDDFD2F, 0x0, 0xEDDDFD2F, 0x0)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini062806-03.dmp



On Wed 28/06/2006 04:35:47 PM your computer crashed
This was likely caused by the following module: dump_wmimmc.
Bugcheck code: 0x100000CE (0xEEC5FD2F, 0x0, 0xEEC5FD2F, 0x0)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini062806-02.dmp



On Wed 28/06/2006 04:22:31 PM your computer crashed
This was likely caused by the following module: dump_wmimmc.
Bugcheck code: 0x100000CE (0xEE678D2F, 0x0, 0xEE678D2F, 0x0)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini062806-01.dmp



On Sun 25/12/2005 02:41:33 PM your computer crashed
This was likely caused by the following module: ssrtln.sys
Bugcheck code: 0x100000D1 (0xF8136D9C, 0x2, 0x1, 0xF88B282F)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini122505-01.dmp
file path: C:\WINDOWS\system32\drivers\ssrtln.sys
company: Sonic Solutions
description: Shared Driver Component




--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

13 crash dumps have been found and analyzed. Note that it's not always possible to state with certainty whether a reported driver is really responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.

Re: Unremovable Wallpaper from AntiVirus System Pro

I was just doing a scan on MBAM and the results were interesting;

Malwarebytes' Anti-Malware 1.44
Database version: 3527
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

09/01/2010 01:20:29 PM
mbam-log-2010-01-09 (13-20-29).txt

Scan type: Full Scan (A:\|D:\|E:\|)
Objects scanned: 134139
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.


---

So that was the infection that covered my wallpaper? I should have scanned my A:\|D:\|E:\| Drives earlier. =/

Re: Unremovable Wallpaper from AntiVirus System Pro

Must have been. We took care of it anyway, because we locked the keys, so you have control over the wallpaper only. At least you have wallpaper back.

Now let's find out what that driver is that keeps crashing a system file on your computer. Also, the culprit in those Found New Hardware popups.
==

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.
Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.

Set it to Maximum

IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.

Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

Re: Unremovable Wallpaper from AntiVirus System Pro

http://www.getsysteminfo.com/read.php?file=aeed390c48836c9b5afd42d7a2ece910

Thank you very much for helping me. =)

Re: Unremovable Wallpaper from AntiVirus System Pro

The new hardware popup cannot be determined, because it is hard to tell what needs to be installed. In the GSI log, all I can see is an Unknown Device.

Your Windows Installer is not functioning properly. Do you know the version number of Windows Installer on your computer? It can be found in Add or Remove Programs (Control Panel).

Re: Unremovable Wallpaper from AntiVirus System Pro

I'm sorry, but I'm having trouble finding out the number of my Windows Installer. What name is it under in 'Add or Remove Programs'? I can't find it in the long list.

Re: Unremovable Wallpaper from AntiVirus System Pro

No biggie.

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: Unremovable Wallpaper from AntiVirus System Pro

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee SecurityCenter
``````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 5
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Re: Unremovable Wallpaper from AntiVirus System Pro

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Lastly, see this page for more info about malware and prevention.

Re: Unremovable Wallpaper from AntiVirus System Pro

Thank you so very much for all the help and support you have given me.
=)

Re: Unremovable Wallpaper from AntiVirus System Pro

When I read the article you suggested to me, I saw many free antiviruses that interested me.

Which antivirus would you suggest to me? My McAfee program is nearing its expiration and I would like to consider all the possibilities. Should I wait for the expiration to come to a full end before I download these antiviruses?
Because I heard that having too many of them just causes them to clash with each other.

Is there also a limit to the number of firewalls one can have on the computer?

Also, my father recently bought 'Webroot Internet Security Essentials 2010'. Is this program an antivirus with a firewall? It only came with the box and its CD, and I browsed to check its ratings, and they seem fine, but I would like to know your opinion on whether the antiviruses and firewall you suggest in the link are more effective than this program.

Re: Unremovable Wallpaper from AntiVirus System Pro

Webroot should be fine.

Only one firewall is necessary and will work.

Re: Unremovable Wallpaper from AntiVirus System Pro

I'm sorry to bother you again, but both 'Found New Hardware Wizard' and the 'Status' windows still appear at startup of my computer.

Is there any way to permanently remove it?

Re: Unremovable Wallpaper from AntiVirus System Pro

As I said a little bit ago, it is not possible to find the root of the issue there, because I cannot tell from here the unknown device. If I knew the unknown device, it would be easier to configure it.

Re: Unremovable Wallpaper from AntiVirus System Pro

Ok, thank you very much for trying so hard to help me with all these problems. =)
