Unremovable Wallpaper from AntiVirus System Pro

Hello,

Recently, my father was tricked by AntiVirus System Pro and downloaded it onto our computer, after much toil on Safe Mode, I believe to have successfully removed it with the help of MBAM. But, when I came back to my normal Mode, I noticed that my wallpaper was still covered by an annoying message stating how my System is Infected.

I am currently running another MBAM Quick Scan with hopes of finding the infected object, but it could take up to an hour waiting for it to complete itself.

I would like to show you a log from a scan I did today in Safe Mode, but it does not appear in the Log Tab on MBAM.

The most recent MBAM Log

Malwarebytes' Anti-Malware 1.43
Database version: 3506
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

06/01/2010 11:47:51 PM
mbam-log-2010-01-06 (23-47-51).txt

Scan type: Quick Scan
Objects scanned: 150132
Time elapsed: 1 hour(s), 37 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Last edited by SilverSonata on 7th January 2010, 4:49 am; edited 1 time in total (Reason for editing : MBAM just finished scanning)

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

ComboFix 10-01-04.01 - Amanda 07/01/2010 1:46.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.301 [GMT -5:00]
Running from: c:\documents and settings\Amanda\desktop\commy.exe
Command switches used :: /stepdel
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\IS15.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.

2010-01-06 22:54 . 2010-01-06 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2010-01-06 05:27 . 2010-01-06 05:27 -------- d-----w- c:\program files\Webroot
2010-01-06 05:27 . 2010-01-06 05:27 -------- d-----w- c:\documents and settings\Tom\Application Data\Webroot
2010-01-06 05:27 . 2010-01-06 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-01-06 05:27 . 2009-08-31 18:00 1563008 ----a-w- c:\windows\WRSetup.dll
2010-01-06 05:03 . 2010-01-06 05:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-22 02:08 . 2009-12-22 02:09 -------- d-----w- C:\Combo-Fix
2009-12-20 23:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-20 23:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-20 22:48 . 2009-12-20 22:48 -------- d-----w- c:\program files\TrendMicro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 05:19 . 2005-07-04 01:12 82592 -c--a-w- c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 00:15 . 2009-10-28 02:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 00:15 . 2009-12-03 23:47 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-30 19:55 . 2009-10-28 02:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54 . 2009-10-28 02:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 04:48 . 2007-02-17 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-21 06:24 . 2006-07-14 19:18 -------- d-----w- c:\documents and settings\Amanda\Application Data\U3
2009-11-19 13:30 . 2008-03-16 12:59 -------- d-----w- c:\program files\McAfee
2009-11-05 02:35 . 2005-02-28 21:38 82592 ----a-w- c:\documents and settings\Amanda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:46 . 2004-08-04 11:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2009-11-30 05:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-26 02:58 . 2007-09-04 00:25 129862 ----a-w- c:\windows\hpoins13.dat
2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2005-2-21 156784]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\RTCSHARE.EXE"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8616:TCP"= 8616:TCP:PORT_8616
"37737:TCP"= 37737:TCP:PORT_37737
"11048:TCP"= 11048:TCP:PORT_11048
"11426:TCP"= 11426:TCP:PORT_11426
"12726:TCP"= 12726:TCP:PORT_12726
"49335:TCP"= 49335:TCP:PORT_49335
"24719:TCP"= 24719:TCP:PORT_24719
"52391:TCP"= 52391:TCP:PORT_52391
"22843:TCP"= 22843:TCP:PORT_22843
"35391:TCP"= 35391:TCP:PORT_35391
"7440:TCP"= 7440:TCP:PORT_7440
"34165:TCP"= 34165:TCP:PORT_34165
"29940:TCP"= 29940:TCP:PORT_29940
"47946:TCP"= 47946:TCP:PORT_47946
"56326:TCP"= 56326:TCP:PORT_56326
"46663:TCP"= 46663:TCP:PORT_46663
"16396:TCP"= 16396:TCP:PORT_16396
"31143:TCP"= 31143:TCP:PORT_31143
"14541:TCP"= 14541:TCP:PORT_14541
"47936:TCP"= 47936:TCP:PORT_47936
"41640:TCP"= 41640:TCP:PORT_41640
"60210:TCP"= 60210:TCP:PORT_60210
"16801:TCP"= 16801:TCP:PORT_16801
"41255:TCP"= 41255:TCP:PORT_41255
"46394:TCP"= 46394:TCP:PORT_46394
"14377:TCP"= 14377:TCP:PORT_14377
"40773:TCP"= 40773:TCP:PORT_40773
"33120:TCP"= 33120:TCP:PORT_33120
"9221:TCP"= 9221:TCP:PORT_9221
"31945:TCP"= 31945:TCP:PORT_31945
"62458:TCP"= 62458:TCP:PORT_62458
"31141:TCP"= 31141:TCP:PORT_31141
"49070:TCP"= 49070:TCP:PORT_49070
"28293:TCP"= 28293:TCP:PORT_28293
"60568:TCP"= 60568:TCP:PORT_60568
"53106:TCP"= 53106:TCP:PORT_53106
"14170:TCP"= 14170:TCP:PORT_14170
"43269:TCP"= 43269:TCP:PORT_43269
"34936:TCP"= 34936:TCP:PORT_34936
"17423:TCP"= 17423:TCP:PORT_17423
"17226:TCP"= 17226:TCP:PORT_17226
"10265:TCP"= 10265:TCP:PORT_10265
"9438:TCP"= 9438:TCP:PORT_9438
"29915:TCP"= 29915:TCP:PORT_29915
"63150:TCP"= 63150:TCP:PORT_63150
"59949:TCP"= 59949:TCP:PORT_59949
"28248:TCP"= 28248:TCP:PORT_28248
"14022:TCP"= 14022:TCP:PORT_14022
"10385:TCP"= 10385:TCP:PORT_10385
"11331:TCP"= 11331:TCP:PORT_11331
"26828:TCP"= 26828:TCP:PORT_26828
"62173:TCP"= 62173:TCP:PORT_62173
"65260:TCP"= 65260:TCP:PORT_65260
"14001:TCP"= 14001:TCP:PORT_14001
"32193:TCP"= 32193:TCP:PORT_32193
"59256:TCP"= 59256:TCP:PORT_59256
"10430:TCP"= 10430:TCP:PORT_10430
"27899:TCP"= 27899:TCP:PORT_27899
"29963:TCP"= 29963:TCP:PORT_29963
"19903:TCP"= 19903:TCP:PORT_19903
"9368:TCP"= 9368:TCP:PORT_9368
"44465:TCP"= 44465:TCP:PORT_44465
"39276:TCP"= 39276:TCP:PORT_39276
"28516:TCP"= 28516:TCP:PORT_28516
"54704:TCP"= 54704:TCP:PORT_54704
"22851:TCP"= 22851:TCP:PORT_22851
"8326:TCP"= 8326:TCP:PORT_8326
"26733:TCP"= 26733:TCP:PORT_26733
"45119:TCP"= 45119:TCP:PORT_45119
"26830:TCP"= 26830:TCP:PORT_26830
"64715:TCP"= 64715:TCP:PORT_64715
"35790:TCP"= 35790:TCP:PORT_35790
"61141:TCP"= 61141:TCP:PORT_61141
"35275:TCP"= 35275:TCP:PORT_35275
"31464:TCP"= 31464:TCP:PORT_31464
"33218:TCP"= 33218:TCP:PORT_33218
"27333:TCP"= 27333:TCP:PORT_27333
"60193:TCP"= 60193:TCP:PORT_60193
"50612:TCP"= 50612:TCP:PORT_50612
"33630:TCP"= 33630:TCP:PORT_33630
"39106:TCP"= 39106:TCP:PORT_39106
"63597:TCP"= 63597:TCP:PORT_63597
"55235:TCP"= 55235:TCP:PORT_55235
"30806:TCP"= 30806:TCP:PORT_30806
"27740:TCP"= 27740:TCP:PORT_27740
"28056:TCP"= 28056:TCP:PORT_28056
"6365:TCP"= 6365:TCP:PORT_6365
"8765:TCP"= 8765:TCP:PORT_8765
"34006:TCP"= 34006:TCP:PORT_34006
"18941:TCP"= 18941:TCP:PORT_18941
"56321:TCP"= 56321:TCP:PORT_56321
"59493:TCP"= 59493:TCP:PORT_59493
"17876:TCP"= 17876:TCP:PORT_17876
"55945:TCP"= 55945:TCP:PORT_55945
"49879:TCP"= 49879:TCP:PORT_49879
"62656:TCP"= 62656:TCP:PORT_62656
"24888:TCP"= 24888:TCP:PORT_24888
"58695:TCP"= 58695:TCP:PORT_58695
"19391:TCP"= 19391:TCP:PORT_19391
"63760:TCP"= 63760:TCP:PORT_63760
"22775:TCP"= 22775:TCP:PORT_22775
"41720:TCP"= 41720:TCP:PORT_41720
"65056:TCP"= 65056:TCP:PORT_65056
"54964:TCP"= 54964:TCP:PORT_54964
"63551:TCP"= 63551:TCP:PORT_63551
"13213:TCP"= 13213:TCP:PORT_13213
"48760:TCP"= 48760:TCP:PORT_48760
"19508:TCP"= 19508:TCP:PORT_19508
"35763:TCP"= 35763:TCP:PORT_35763
"7761:TCP"= 7761:TCP:PORT_7761
"9596:TCP"= 9596:TCP:PORT_9596
"31103:TCP"= 31103:TCP:PORT_31103
"9963:TCP"= 9963:TCP:PORT_9963
"65026:TCP"= 65026:TCP:PORT_65026
"47591:TCP"= 47591:TCP:PORT_47591
"13100:TCP"= 13100:TCP:PORT_13100
"19554:TCP"= 19554:TCP:PORT_19554
"16259:TCP"= 16259:TCP:PORT_16259
"30468:TCP"= 30468:TCP:PORT_30468
"36447:TCP"= 36447:TCP:PORT_36447
"17158:TCP"= 17158:TCP:PORT_17158
"9568:TCP"= 9568:TCP:PORT_9568
"53096:TCP"= 53096:TCP:PORT_53096
"38196:TCP"= 38196:TCP:PORT_38196
"7371:TCP"= 7371:TCP:PORT_7371
"59121:TCP"= 59121:TCP:PORT_59121
"28385:TCP"= 28385:TCP:PORT_28385
"30105:TCP"= 30105:TCP:PORT_30105
"23738:TCP"= 23738:TCP:PORT_23738
"54691:TCP"= 54691:TCP:PORT_54691
"62101:TCP"= 62101:TCP:PORT_62101
"20105:TCP"= 20105:TCP:PORT_20105
"40842:TCP"= 40842:TCP:PORT_40842
"35856:TCP"= 35856:TCP:PORT_35856
"63943:TCP"= 63943:TCP:PORT_63943
"60273:TCP"= 60273:TCP:PORT_60273
"33901:TCP"= 33901:TCP:PORT_33901
"16263:TCP"= 16263:TCP:PORT_16263
"32233:TCP"= 32233:TCP:PORT_32233
"45429:TCP"= 45429:TCP:PORT_45429
"5823:TCP"= 5823:TCP:PORT_5823
"55783:TCP"= 55783:TCP:PORT_55783
"34100:TCP"= 34100:TCP:PORT_34100
"64790:TCP"= 64790:TCP:PORT_64790
"8712:TCP"= 8712:TCP:PORT_8712
"34615:TCP"= 34615:TCP:PORT_34615
"7824:TCP"= 7824:TCP:PORT_7824
"58444:TCP"= 58444:TCP:Pando Media Booster
"58444:UDP"= 58444:UDP:Pando Media Booster
"57094:TCP"= 57094:TCP:Pando Media Booster
"57094:UDP"= 57094:UDP:Pando Media Booster

R2 HPFECP06;HPFECP06;c:\windows\SYSTEM32\DRIVERS\hpfecp06.sys [11/03/2005 3:29 PM 38176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - MBAMSwissArmy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-02 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2004-08-04 00:12]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 16:22]

2009-12-07 c:\windows\Tasks\QuickClean.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 16:22]

2009-10-26 c:\windows\Tasks\WebReg Photosmart C4200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.10/uploader2.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
MSConfigStartUp-CTFMON - (no file)



**************************************************************************
scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2010-01-07 01:59:15
ComboFix-quarantined-files.txt 2010-01-07 06:59
ComboFix2.txt 2009-12-21 01:02

Pre-Run: 46,625,320,960 bytes free
Post-Run: 46,722,174,976 bytes free

- - End Of File - - B395DFC36C64698AD9F01B351E9BE360

Please download Malwarebytes Anti-Malware from here.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Malwarebytes' Anti-Malware 1.43
Database version: 3507
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

07/01/2010 5:18:39 PM
mbam-log-2010-01-07 (17-18-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 248328
Time elapsed: 6 hour(s), 14 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP58\A0010041.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP58\A0010042.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Even after restarting my computer as instructed by MBAM, the wallpaper hasn't gone away.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

SmitFraudFix v2.424

Scan done at 18:33:11.92, 07/01/2010
Run from C:\Documents and Settings\Amanda\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Amanda\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amanda


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Amanda\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amanda\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Amanda\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.200.241.37
DNS Server Search Order: 24.201.245.77
DNS Server Search Order: 24.200.243.189

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Please download DragonFix by DragonMaster Jay, and save it to your Desktop. Right click and Extract All, and save the files to your Desktop.

• Please disable realtime protection. The only realtime protection that gets in the way and need to be disabled: Windows Defender, Microsoft Security Essentials, Spybot TeaTimer, WinPatrol, and Ad-Aware AdWatch. If you have anyone of those, please disable them.
  
• Double-click DragonFix.reg, and follow the prompt(s).
  
• Please reboot your computer.

Does the Desktop let you remove/change the wallpaper?

Umm..
I believe that I do have one of the realtime protection; Microsoft Security Essentials, but how do I disable it?

Yes, the Desktop allows me to change the wallpaper, but I can't remove it.

open MSE, click on the Settings tab, Real-Time Protection, and uncheck "turn on real-time protection".

After you run DragonFix and reboot your computer, do the process again to turn MSE back on.

Is Windows Security Center the same thing as Microsoft Security Essentials?

Is this it?



Last edited by DragonMaster Jay on 8th January 2010, 12:08 am; edited 1 time in total (Reason for editing : Tidyness :))

No it's not. I see you have McAfee. That would be the one to disable normally, but since they do not reverse changes, it is safe to go ahead with DragonFix now!

All I had to do was follow those two steps after clicking on DragonFix.reg?

Now I need to reboot?

Yep. Done. Now reboot your computer, kindly, and tell me if there was a change.

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.

I'm sorry, but the wallpaper still persists >__<

I'm currently doing another MBAM Quick Scan, while post the log if anything pops up.

---
The log;
---
Malwarebytes' Anti-Malware 1.44
Database version: 3511
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

07/01/2010 10:09:19 PM
mbam-log-2010-01-07 (22-09-19).txt

Scan type: Quick Scan
Objects scanned: 148351
Time elapsed: 1 hour(s), 25 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Last edited by SilverSonata on 8th January 2010, 3:09 am; edited 1 time in total (Reason for editing : Scanning completed)

I'm not sure if this is relevant but;

I have a computer with many accounts, and when I was on my sister's account to delete her Temporary Internet Files so that the scan would proceed more smoothly, I noticed that her wallpaper was not infected.

Is this because the wallpaper virus did not reach my sister's computer yet?

Please reboot your computer. To reboot into Safe Mode, tap the F8 key continually, just before Windows starts to load.
Select the first option, to run Windows in Safe Mode, then press "Enter".

Once in Safe Mode, open the SmitfraudFix folder and double click "SmitfraudFix.cmd".
Select option #2 - Clean by typing 2 and press "Enter".
You will be prompted : "Registry cleaning - Do you want to clean the registry?", answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found), answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart anyway into Normal Mode. A text file will appear, with results from the cleaning process.

Please copy/paste its content into your next reply with a new HijackThis log.

(The report can also be found at the root of the system drive, usually at C:\rapport.txt)

Warning: running option #2 on a non infected computer will remove your Desktop background.

SmitFraudFix v2.424

Scan done at 7:48:50.01, 08/01/2010
Run from C:\Documents and Settings\Amanda\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BDF74250-74F4-4642-ABF0-2471AFD932FD}: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.200.241.37 24.201.245.77 24.200.243.189


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

When I tried to download HijackThis, I received the following;

"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

I am not on Safe Mode, so I presume it is because Windows Installer is not correctly installed...

Please navigate to this webpage: http://support.microsoft.com/kb/313222 and see the section "Fix it for me" and click the Microsoft Fix-It button. This will download a fix utility to repair the security settings on your computer, due to damages of malware or other harmful system changes. Install the file after download.

Then try it.

=/

Even when I try to run the 'Fix it for me', I still get the same message.
Should I try to do it manually?

Ah, I was able to get it running thanks to;
http://support.microsoft.com/kb/319624

Do I still need to do the Microsoft Fix It or can I go straight to HijackThis?

Here is the HijackThis log;

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 06:58:18, on 08/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Amanda\Desktop\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/58.10/uploader2.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 7955 bytes

Please copy and paste the following in to Notepad:

Then click File > Save as
Save as wallpaperFIX.reg to your Desktop.
Choose Save as type: All Files.
Click Save.

Exit Notepad, then double-click on wallpaperFIX.reg to run the script.

After you have confirmed the prompts, please restart your computer.

Let me know if your wallpaper will cooperate now.

When I rebooted my computer, I now have two annoying things pop up;

This one appears ar the very beggining after logging in;


And this one starts to load itself automatically after a minute or two and will not disappear unless I use the Ctrl + Alt + Delete Command (If I click Cancel a few times, it will only temporarily go away, and a minute later, it will automatically restart to load again);


Also, while my desktop was loading, before the virus, I usually see my wallpaper appear along with my icons, but ever since the virus, I only see the wallpaper and then the icons appear after 2 minutes (I timed it while waiting). The very same thing happened right now and since it's not like my usual, it's worrying me because it's the exact same behavior as the

Thank you for your patience and perseverance with me. I'm sorry for causing you so many inconveniences.

Don't worry.

Please go to VirusTotal. Copy and paste the following file path in to the box.

C:\windows\explorer.exe

Then click submit.

Please post the results (URL) to your next reply.

I need for that file to be re-analyzed.

It was already analyzed, but a new analysis must be done.

I'm sorry, is this the right one now?

http://www.virustotal.com/analisis/1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455-1263010277

Ok. Good.

Please copy and paste the following in to Notepad:

Then click File > Save as
Save as wallFIX.reg to your Desktop.
Choose Save as type: All Files.
Click Save.

Exit Notepad, then double-click on wallFIX.reg to run the script.

After you have confirmed the prompts, please restart your computer.

Let me know if your wallpaper will cooperate now.

My wallpaper is doing very well now. Thank you very much!

But at the startup of my computer, I still have the 'Found New Hardware Wizard' as well as the other download CD.

As for all the suggested downloads you have asked me to download up to now, can I uninstall them? If so, how?

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.
  

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
==

Download WhoCrashed from here
This program checks for any drivers which may have been causing your computer to crash....

Click on the file you just downloaded and run it.
Put a tick in Accept then click on Next
Put a tick in the Don't create a start menu folder then click Next
Put a tick in Create a Desktop Icon then click on Install and make sure there is a tick in Launch Whocrashed before clicking Finish
Click Analyze
It will want to download the Debugger and install it Say Yes

WhoCrashed will create report but you have to scroll down to see it
Copy and paste it into your next reply

Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\WINDOWS\Minidump

Crash dumps are enabled on your computer.


On Sun 20/12/2009 10:36:58 PM your computer crashed
This was likely caused by the following module: csrss.exe
Bugcheck code: 0xF4 (0x3, 0x8284FDA0, 0x8284FF14, 0x8060567E)
Error: CRITICAL_OBJECT_TERMINATION
Dump file: C:\WINDOWS\Minidump\Mini122009-02.dmp
file path: C:\WINDOWS\system32\csrss.exe
product: Microsoft Windows Operating System
company: Microsoft Corporation
description: Client Server Runtime Process
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Sun 20/12/2009 10:32:14 PM your computer crashed
This was likely caused by the following module: kxloapog.sys
Bugcheck code: 0x10000050 (0xFAE9500B, 0x0, 0xEBF68F60, 0x0)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini122009-01.dmp



On Tue 10/03/2009 02:29:17 AM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1F09000, 0x2, 0x0, 0xEE83FD00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030909-01.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft Windows Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Sun 08/03/2009 04:47:35 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1F10000, 0x2, 0x0, 0xEED62D00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030809-01.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft Windows Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Sat 07/03/2009 04:48:47 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1EF8000, 0x2, 0x0, 0xEE809D00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030709-03.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft Windows Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Sat 07/03/2009 04:44:20 PM your computer crashed
This was likely caused by the following module: mpfp.sys
Bugcheck code: 0x1000008E (0xC0000005, 0xEE508295, 0xED7ED174, 0x0)
Error: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M
Dump file: C:\WINDOWS\Minidump\Mini030709-02.dmp
file path: C:\WINDOWS\system32\drivers\mpfp.sys
product: McAfee Personal Firewall Plus
company: McAfee, Inc.
description: McAfee Personal Firewall Plus Driver



On Sat 07/03/2009 04:35:54 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1F2C000, 0x2, 0x0, 0xEE402D00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030709-01.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft Windows Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Fri 06/03/2009 10:50:22 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1ECD000, 0x2, 0x0, 0xEE82ED00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030609-02.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft Windows Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Fri 06/03/2009 10:39:47 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x100000D1 (0xE1EB6000, 0x2, 0x0, 0xEF26ED00)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini030609-01.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft Windows Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit may be another driver on your system which cannot be identified at this time.



On Wed 28/06/2006 04:59:13 PM your computer crashed
This was likely caused by the following module: dump_wmimmc.
Bugcheck code: 0x100000CE (0xEDDDFD2F, 0x0, 0xEDDDFD2F, 0x0)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini062806-03.dmp



On Wed 28/06/2006 04:35:47 PM your computer crashed
This was likely caused by the following module: dump_wmimmc.
Bugcheck code: 0x100000CE (0xEEC5FD2F, 0x0, 0xEEC5FD2F, 0x0)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini062806-02.dmp



On Wed 28/06/2006 04:22:31 PM your computer crashed
This was likely caused by the following module: dump_wmimmc.
Bugcheck code: 0x100000CE (0xEE678D2F, 0x0, 0xEE678D2F, 0x0)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini062806-01.dmp



On Sun 25/12/2005 02:41:33 PM your computer crashed
This was likely caused by the following module: ssrtln.sys
Bugcheck code: 0x100000D1 (0xF8136D9C, 0x2, 0x1, 0xF88B282F)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini122505-01.dmp
file path: C:\WINDOWS\system32\drivers\ssrtln.sys
company: Sonic Solutions
description: Shared Driver Component




--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

13 crash dumps have been found and analyzed. Note that it's not always possible to state with certainty whether a reported driver is really responsible for crashing your system or that the root cause is in another module. nȯne it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.

I was just doing a scan on MBAM and the results were interesting;

Malwarebytes' Anti-Malware 1.44
Database version: 3527
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

09/01/2010 01:20:29 PM
mbam-log-2010-01-09 (13-20-29).txt

Scan type: Full Scan (A:\|D:\|E:\|)
Objects scanned: 134139
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.


---

So that was the infection that covered my wallpaper? I should have scanned my A:\|D:\|E:\| Drives earlier. =/

Must have been. We took care of it anyway, because we locked the keys, so you have control over the wallpaper only. At least you have wallpaper back.

Now let's find out what that driver is that keeps crashing a system file on your computer. Also, the culprit in those Found New Hardware popups.
==

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.
Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.



Set it to Maximum



IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

http://www.getsysteminfo.com/read.php?file=aeed390c48836c9b5afd42d7a2ece910

Thank you very much for helping me. =)

The new hardware popup cannot be determined, because it is hard to tell what needs to be installed. In the GSI log, all I can see is an Unknown Device.

Your Windows Installer is not functioning properly. Do you know the version number of Windows Installer on your computer? It can be found in Add or Remove Programs (Control Panel).

I'm sorry, but I'm having trouble finding out the number of my Windows Installer, what name is it under in the 'Add or Remove Programs' because I can't find it on the long list.

No biggie.

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
McAfee SecurityCenter
``````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 5
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Lastly, see this page for more info about malware and prevention.

Thank you so very much for all the help and support you have given me.
=)

When I read the article you suggested to me, I saw many free antiviruses that interested me.

Which antivirus would you suggest to me because my McAfee program is nearing it's expiration and I would like to consider all the posibilites. Should I wait for the expiration to come to a full end before I download these antiviruses?
Because I heard that having too many of them just causes them to clash with eachother.

Is there also a limit to the number of firewalls one can have on the computer?

Also, my father recently bought 'Webroot Internet Security Essentials 2010' is this program a antivirus with a firewall? It only came with the box and it's CD, and I browsed to check it's ratings, and they seem fine, but I would like to know your opinion if the Antiviruses and Firewall you suggest in the link are more effective than this program.

Webroot should be fine.

Only one firewall is necessary and will work.

I'm sorry to bother you again, but both 'Found New Hardware Wizard' and the 'Status' windows still appear at startup of my computer.

Is there any way to permenantly remove it?

As I said a little bit ago, it is not possible to find the root of the issue there, because I cannot tell from here the unknown device. If I knew the unknown device, it would be easier to configure it.

Ok, thank you very much for trying so hard to help me with all these problems. =)