
"Your system is infected" desktop and fake antiviruses.


  • This topic is locked
8 replies to this topic

#1 Flargonshroud

Flargonshroud

  • Members
  • 6 posts

Posted 04 September 2009 - 05:10 AM

Okay so earlier this evening my computer started randomly restarting itself as soon as I opened any folder in the "My Documents folder."


When it finally restarted my desktop was changed to a blue screen with a box in the center reading "YOUR SYSTEM IS INFECTED."

There are also fake antivirus softwares that are trying to run.

I read online about this problem, and it gave a solution of running SuperAntiSpyware in safe mode, then MalwareBytes Antimalware after rebooting.

The problem with that is I was able to open SuperAntiSpyware once, then started a scan, then it terminated itself. When I tried to open it again it told me something along the lines of "Windows cannot access the specified file, you may not have permission."

The same exact thing happened with MBAM and Avast. It's as if whatever is infecting my computer won't make the same mistake twice in letting me access my antivirus software.

There are also taskbar icons (a red circle with a white X) saying my computer is infected, with a little alert balloon which leads to an internet site for fake antiviruses.

Whatever has infected my computer is killing off all my anti-virus software as I try to use it. And there are numerous pop ups and false alerts. Also my internet browser redirects when I try to go to help sites.

Oh, also, there are pop-up windows that say things like "224.exe has to close" or something like that. (The 3-digit number is always random.)



With all my antivirus software being disabled, what can I do to help this problem?



#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 04 September 2009 - 05:44 AM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Chris Wray

Chris Wray

  • Members
  • 1 posts

Posted 04 September 2009 - 12:13 PM

Hi, I'm new here and I didn't want to just butt in, but I'm having the same issue as he is, and I tried to run RootRepeal and halfway through the scanning it was terminated as well :thumbsup:/

#4 Flargonshroud

Flargonshroud
  • Topic Starter

  • Members
  • 6 posts

Posted 04 September 2009 - 01:31 PM

I'm having the same problem Chris mentioned. Halfway through running the RootRepeal scan it terminated itself.

When I tried to open it again an error message comes up saying "C:\Documents and Settings\Administrator\My Documents\Downloads\RootRepeal.exe"

And a taskbar icon, I think from Windows Police Pro, says it is impossible to run RootRepeal.exe because it says C:\Documents and Settings\Administrator\My Documents\Downloads\RootRepeal.exe is infected. Please activate your antivirus software.

#5 Flargonshroud

Flargonshroud
  • Topic Starter

  • Members
  • 6 posts

Posted 04 September 2009 - 01:46 PM

RootRepeal only terminates itself when you try to scan "Files". Here is a log I was able to get by scanning everything except files.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 11:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6E4F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ACD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF622C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF78FB000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF7171000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf761387e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7613bfe

Stealth Objects
-------------------
Object: Hidden Module [Name: rotscxspvnsvny.dll]
Process: svchost.exe (PID: 860) Address: 0x00790000 Size: 53248

Object: Hidden Module [Name: rotscxnrtwcvhp.dll]
Process: Explorer.EXE (PID: 588) Address: 0x00c10000 Size: 28672

Object: Hidden Module [Name: rotscxnrtwcvhp.dll]
Process: firefox.exe (PID: 2484) Address: 0x010e0000 Size: 28672

Object: Hidden Module [Name: rotscxnrtwcvhp.dll]
Process: IEXPLORE.EXE (PID: 2356) Address: 0x00bd0000 Size: 28672

Object: Hidden Module [Name: rotscxnrtwcvhp.dll]
Process: IEXPLORE.EXE (PID: 1916) Address: 0x00bd0000 Size: 28672

==EOF==

#6 Flargonshroud

Flargonshroud
  • Topic Starter

  • Members
  • 6 posts

Posted 04 September 2009 - 01:49 PM

Sorry for the multiple replies.

I was able to make this log scanning files; it detects these things, then immediately terminates. (I stopped the scan right before the time it would kill itself.)

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 11:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\eventlog.dll
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\rotscxjcbqeett.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxlketvppe.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxlmybigip.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxnrtwcvhp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxspvnsvny.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxswespdii.dll
Status: Invisible to the Windows API!

#7 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 04 September 2009 - 03:43 PM

You have one of the newer rootkits. Let's transfer you to the HJT/Malware forum.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

If DDS will not work, use a log from SRE instead:
  • Please download System Repair Engineer from here
  • Unzip/extract sreng2.zip to a folder on your desktop
  • Double-click on SREngLdr.EXE to launch System Repair Engineer
  • Click the Smart Scan Icon
  • Click Scan
  • Wait for the scan to finish
  • Click on the Save Reports button
  • Save it to your desktop, using the recommended name of SREngLOG.log
  • Close System Repair Engineer
  • Use notepad to open the SREngLOG.log file
  • Copy & paste the contents of that file as a reply to this topic
  • Note: The log may be long, and you may need several posts to post all of it
  • If you are using a custom HOSTS file, please leave out the HOSTS File section, as it will make the log far too long



#8 Flargonshroud

Flargonshroud
  • Topic Starter

  • Members
  • 6 posts

Posted 04 September 2009 - 05:03 PM

Was unable to open DDS, so I used SRE. Also made a post in the HJT forum.

Here's the SRE log:

2009-09-04,13:52:12

System Repair Engineer 2.8.1.1279
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been selected:
	All Boot Items (Including Registry, Startup Folders, Services and so on)
	Browser Add-ons
	Running Processes (Including process model information)
	File Associations
	Winsock Provider
	Autorun.Inf
	HOSTS File
	Process Privileges Scan
	Scheduled Tasks
	Windows Security Update Check
	API HOOK
	Hidden Process


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
	<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
	<MSMSGS><"C:\Program Files\Messenger\msmsgs.exe" /background>  [(Verified)Microsoft Windows XP Publisher]
	<Windows System Recover!><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\system.exe>  []
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
	<FlashPlayerUpdate><C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p>  [(Verified)Adobe Systems Incorporated]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
	<load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
	<ehTray><C:\WINDOWS\ehome\ehtray.exe>  [Microsoft Corporation]
	<AlwaysReady Power Message APP><ARPWRMSG.EXE>  [(Verified)Microsoft Windows Publisher]
	<HPHUPD08><c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe>  [Hewlett-Packard]
	<DISCover><C:\Program Files\DISC\DISCover.exe>  [Digital Interactive Systems Corporation]
	<DiscUpdateManager><C:\Program Files\DISC\DiscUpdMgr.exe>  [Digital Interactive Systems Corporation, Inc.]
	<DMAScheduler><"c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe">  [Sonic Solutions]
	<Recguard><C:\WINDOWS\SMINST\RECGUARD.EXE>  []
	<PCDrProfiler><>  [N/A]
	<HPBootOp><"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run>  [Hewlett-Packard Company]
	<HP Software Update><C:\Program Files\HP\HP Software Update\HPwuSchd2.exe>  [Hewlett-Packard Development Company, L.P.]
	<avast!><C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe>  [(Verified)ALWIL Software]
	<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
	<QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime>  [Apple Inc.]
	<LogitechCommunicationsManager><"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe">  [(Verified)Logitech Inc]
	<LogitechQuickCamRibbon><"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide>  [(Verified)Logitech Inc]
	<YSearchProtection><"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe">  [(Verified)Yahoo! Inc.]
	<SunJavaUpdateSched><"C:\Program Files\Java\jre6\bin\jusched.exe">  [(Verified)"Sun Microsystems, Inc."]
	<PWRISOVM.EXE><C:\Program Files\PowerISO\PWRISOVM.EXE>  [PowerISO Computing, Inc.]
	<braviax><C:\WINDOWS\system32\braviax.exe>  []
	<winupdate.exe><C:\WINDOWS\system32\winupdate.exe>  []
	<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>  [File is missing]
	<lohuzolov><Rundll32.exe "c:\windows\system32\lisepeyo.dll",a>  []
	<11417034><C:\Documents and Settings\All Users\Application Data\11417034\11417034.exe>  []
	<letubagede><Rundll32.exe "C:\WINDOWS\system32\rogavove.dll",s>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
	<Malwarebytes' Anti-Malware><C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent>  [(Verified)Malwarebytes Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
	<Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
	<AppInit_DLLs><c:\windows\system32\lisepeyo.dll,C:\WINDOWS\system32\kuvimulo.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
	<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
	<PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Publisher]
	<CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Publisher]
	<WebCheck><C:\WINDOWS\system32\webcheck.dll>  [(Verified)Microsoft Windows]
	<SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Publisher]
	<papudituh><c:\windows\system32\lisepeyo.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
	<WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
	<WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
	<WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
	<WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
	<WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
	<WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
	<WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
	<WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
	<WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
	<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows]
	<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows]
	<{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}><C:\WINDOWS\system32\tajf83ikdmf.dll>  []
	<{8f8a7d17-f8dc-490c-be29-35f70c98fb80}><c:\windows\system32\lisepeyo.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
	<Internet Explorer Version Update><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
	<Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
	<Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
	<Browser Customizations><"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
	<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
	<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{407408d4-94ed-4d86-ab69-a7f649d112ee}]
	<Media Center><%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
	<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
	<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
	<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
	<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
	<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
	<Windows Desktop Update><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
	<Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -BaseSettings>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
	<N/A><c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
	<Fax><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
	<SCRNSAVE.EXE><C:\WINDOWS\System32\logon.scr>  [(Verified)Microsoft Windows Publisher]

==================================
Startup Folders
[HP Digital Imaging Monitor]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk --> C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [Hewlett-Packard Development Company, L.P.]><N>
[Updates From HP]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk --> C:\PROGRA~1\UPDATE~1\9972322\Program\UPDATE~1.EXE [Hewlett-Packard]><N>

==================================
Services
[AntipyProex / AntipPro2009_100][Stopped/Auto Start]
  <C:\WINDOWS\svchasts.exe><N/A>
[Apple Mobile Device / Apple Mobile Device][Stopped/Auto Start]
  <"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"><Apple Inc.>
[avast! iAVS4 Control Service / aswUpdSv][Stopped/Auto Start]
  <"C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"><ALWIL Software>
[Ati HotKey Poller / Ati HotKey Poller][Stopped/Auto Start]
  <C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[avast! Antivirus / avast! Antivirus][Stopped/Auto Start]
  <"C:\Program Files\Alwil Software\Avast4\ashServ.exe"><ALWIL Software>
[avast! Mail Scanner / avast! Mail Scanner][Stopped/Manual Start]
  <"C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service><ALWIL Software>
[avast! Web Scanner / avast! Web Scanner][Stopped/Manual Start]
  <"C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service><ALWIL Software>
[Bonjour Service / Bonjour Service][Stopped/Auto Start]
  <"C:\Program Files\Bonjour\mDNSResponder.exe"><Apple Inc.>
[FLEXnet Licensing Service / FLEXnet Licensing Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"><Macrovision Europe Ltd.>
[Google Update Service (gupdate) / gupdate][Stopped/Auto Start]
  <"C:\Program Files\Google\Update\GoogleUpdate.exe" /svc><Google Inc.>
[Google Software Updater / gusvc][Stopped/Auto Start]
  <"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[iPod Service / iPod Service][Stopped/Manual Start]
  <"C:\Program Files\iPod\bin\iPodService.exe"><Apple Inc.>
[Java Quick Starter / JavaQuickStarterService][Stopped/Auto Start]
  <"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"><Sun Microsystems, Inc.>
[Lavasoft Ad-Aware Service / Lavasoft Ad-Aware Service][Stopped/Auto Start]
  <"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"><N/A>
[LightScribeService Direct Disc Labeling Service / LightScribeService][Stopped/Auto Start]
  <"C:\Program Files\Common Files\LightScribe\LSSrvc.exe"><Hewlett-Packard Company>
[LVCOMSer / LVCOMSer][Stopped/Auto Start]
  <"C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe"><Logitech Inc.>
[Process Monitor / LVPrcSrv][Stopped/Auto Start]
  <"C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"><Logitech Inc.>
[LVSrvLauncher / LVSrvLauncher][Stopped/Auto Start]
  <C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe><Logitech Inc.>
[Pml Driver HPZ12 / Pml Driver HPZ12][Stopped/Boot Start]
  <\SystemRoot\C:\WINDOWS\system32\HPZipm12.exe><(File is missing)>
[Yahoo! Updater / YahooAUService][Stopped/Auto Start]
  <"C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe"><Yahoo! Inc.>

==================================
Drivers
[Agere Systems Soft Modem / AgereSoftModem][Stopped/Manual Start]
  <system32\DRIVERS\AGRSM.sys><Agere Systems>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Stopped/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[AMD Processor Driver / AmdK8][Stopped/System Start]
  <system32\DRIVERS\AmdK8.sys><Advanced Micro Devices>
[aswFsBlk / aswFsBlk][Stopped/Auto Start]
  <system32\DRIVERS\aswFsBlk.sys><ALWIL Software>
[ati2mtag / ati2mtag][Stopped/Manual Start]
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Promise driver accelerator / bb-run][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\bb-run.sys><Promise Technology, Inc.>
[BVRPMPR5 NDIS Protocol Driver / BVRPMPR5][Stopped/Manual Start]
  <\??\I:\INSTAL~E\Core\BVRPMPR5.SYS><N/A>
[EagleNT / EagleNT][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\EagleNT.sys><N/A>
[ftsata2 / ftsata2][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\ftsata2.sys><Promise Technology, Inc.>
[GEAR ASPI Filter Driver / GEARAspiWDM][Running/Manual Start]
  <system32\DRIVERS\GEARAspiWDM.sys><GEAR Software Inc.>
[Hamachi Network Interface / hamachi][Stopped/Manual Start]
  <system32\DRIVERS\hamachi.sys><LogMeIn, Inc.>
[Intel RAID Controller / iaStor][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\iaStor.sys><Intel Corporation>
[Intel Processor Driver / intelppm][Stopped/System Start]
  <system32\DRIVERS\intelppm.sys><N/A>
[Lbd / Lbd][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\Lbd.sys><Lavasoft AB>
[Logitech AEC Driver / LVcKap][Stopped/Manual Start]
  <system32\DRIVERS\LVcKap.sys><Logitech Inc.>
[Logitech Machine Vision Engine Loader / LVMVDrv][Stopped/Manual Start]
  <system32\DRIVERS\LVMVDrv.sys><Logitech Inc.>
[Logitech LVPr2Mon Driver / LVPr2Mon][Stopped/Manual Start]
  <system32\DRIVERS\LVPr2Mon.sys><>
[nsup / nsup][Stopped/Auto Start]
  <system32\drivers\naoyj.sys><N/A>
[plnkj / plnkj][Stopped/Auto Start]
  <system32\drivers\ykbjpuh.sys><N/A>
[Ps2 / Ps2][Running/Manual Start]
  <system32\DRIVERS\PS2.sys><Hewlett-Packard Company>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[USB Wireless 802.11 b/g Adaptor Driver / RT73][Running/Manual Start]
  <system32\DRIVERS\rt73.sys><Ralink Technology, Corp.>
[Realtek 10/100/1000 NIC Family all in one NDIS XP Driver / RTL8023xp][Running/Manual Start]
  <system32\DRIVERS\Rtnicxp.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[SASDIFSV / SASDIFSV][Stopped/System Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS><SUPERAdBlocker.com and SUPERAntiSpyware.com>
[SASENUM / SASENUM][Stopped/Manual Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS><SUPERAdBlocker.com and SUPERAntiSpyware.com>
[SASKUTIL / SASKUTIL][Stopped/System Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys><SUPERAdBlocker.com and SUPERAntiSpyware.com>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>
[Apple Mobile USB Driver / USBAAPL][Stopped/Manual Start]
  <System32\Drivers\usbaapl.sys><Apple, Inc.>

==================================
Browser Add-ons
[&Yahoo! Toolbar Helper]
  {02478D38-C3F9-4efb-9B51-7695ECA05670} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll, (Signed) Yahoo! Inc.>
[C:\WINDOWS\system32\tajf83ikdmf.dll]
  {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} <C:\WINDOWS\system32\tajf83ikdmf.dll, N/A>
[&Research]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL, (Signed) Microsoft Corporation>
[AIM]
  {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} <C:\Program Files\AIM\aim.exe, (Signed) America Online, Inc.>
[Internet Connection Help]
  {E2D4D26B-0180-43a4-B05F-462D6D54C789} <, >
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, (Signed) Microsoft Corporation>
[&Google]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[Yahoo! Toolbar]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll, (Signed) Yahoo! Inc.>
[Facebook Photo Uploader 5 Control]
  {8100D56A-5661-482C-BEE8-AFECE305D968} <C:\WINDOWS\Downloaded Program Files\PhotoUploader55.ocx, (Signed) The Facebook>
[Java Plug-in 1.6.0_15]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre6\bin\npjpi160_15.dll, (Signed) Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_05]
  {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.6.0_15]
  {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\npjpi160_15.dll, (Signed) Sun Microsystems, Inc.>
[Java Plug-in 1.6.0_15]
  {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\npjpi160_15.dll, (Signed) Sun Microsystems, Inc.>
[]
  {E2883E8F-472F-4FB0-9522-AC9BF37916A7} <, >
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, (Signed) Adobe Systems Incorporated>
[]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <, >
[&Google]
  {2318C2B1-4965-11D4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[Active Desktop Mover]
  {72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, (Signed) N/A>
[]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <, >
[Google Toolbar Helper]
  {AA58ED58-01DD-4D91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[hpWebHelper Class]
  {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} <C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll, TODO: <Company name>>
[Helper Class]
  {BF0118D4-63FF-4138-9327-F3028FB1A578} <C:\WINDOWS\web\wallpaper\welcome\AWhelper.dll, >
[]
  {E2D4D26B-0180-43A4-B05F-462D6D54C789} <, >
[Runclose Control]
  {F31D1897-7EFD-4647-8687-E05894E382AB} <C:\WINDOWS\System32\RUNCLOSE.OCX, Hewlett-Packard Company>
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[&Google Search]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html, N/A>
[&Translate English Word]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html, N/A>
[Add to Google Photos Screensa&ver]
  <res://C:\WINDOWS\system32\GPhotos.scr/200, N/A>
[Backward Links]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html, N/A>
[Cached Snapshot of Page]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html, N/A>
[E&xport to Microsoft Excel]
  <res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000, N/A>
[Similar Pages]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html, N/A>
[Translate Page into English]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html, N/A>

==================================
Running Processes
[PID: 384 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 608 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 632 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
	[C:\WINDOWS\system32\Ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4129]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
	[C:\WINDOWS\system32\rogavove.dll]  [N/A, ]
[PID: 680 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
[PID: 692 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
[PID: 860 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 956 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1112 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 1224 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 1296 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
[PID: 1676 / Administrator][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
	[C:\WINDOWS\system32\tajf83ikdmf.dll]  [N/A, ]
	[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
	[C:\Program Files\WinRAR\rarext.dll]  [, ]
	[C:\Program Files\PowerArchiver\PASHLEXT.DLL]  [ConeXware, Inc., 11.5.0.20]
	[C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll]  [Malwarebytes Corporation, 1, 2, 0, 0]
	[C:\Program Files\PowerISO\PWRISOSH.DLL]  [PowerISO Computing, Inc., 4, 5, 0, 0]
	[C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll]  [, 1.0.0.1]
	[C:\Program Files\Alwil Software\Avast4\ashShell.dll]  [ALWIL Software, 4, 8, 1351, 0]
	[C:\WINDOWS\system32\msdmo.dll]  [, ]
	[C:\WINDOWS\system32\dxmasf.dll]  [, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\WINDOWS\system32\rogavove.dll]  [N/A, ]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
[PID: 1388 / Administrator][C:\Documents and Settings\Administrator\Desktop\procexp.exe]  [Sysinternals - www.sysinternals.com, 11.33]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
	[C:\WINDOWS\system32\netfxperf.dll]  [Microsoft Corporation, 1.1.4322.573]
	[C:\WINDOWS\system32\tajf83ikdmf.dll]  [N/A, ]
[PID: 264 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\spoolsv.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 496 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\system.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 1068 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 596 / Administrator][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
[PID: 432 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
[PID: 1236 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smss.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
[PID: 2424 / SYSTEM][C:\WINDOWS\system32\cmd.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
[PID: 2556 / Administrator][C:\Program Files\Mozilla Firefox\firefox.exe]  [Mozilla Corporation, 1.9.1.2]
	[C:\Program Files\Mozilla Firefox\xul.dll]  [Mozilla Foundation, 1.9.1.2]
	[C:\Program Files\Mozilla Firefox\sqlite3.dll]  [sqlite.org, 3.6.10]
	[C:\Program Files\Mozilla Firefox\MOZCRT19.dll]  [Mozilla Foundation, 8.00.0000]
	[C:\Program Files\Mozilla Firefox\js3250.dll]  [Netscape Communications Corporation, 4.0]
	[C:\Program Files\Mozilla Firefox\nspr4.dll]  [Mozilla Foundation, 4.8]
	[C:\Program Files\Mozilla Firefox\smime3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nss3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssutil3.dll]  [Mozilla Foundation, 3.12.3.1]
	[C:\Program Files\Mozilla Firefox\plc4.dll]  [Mozilla Foundation, 4.8]
	[C:\Program Files\Mozilla Firefox\plds4.dll]  [Mozilla Foundation, 4.8]
	[C:\Program Files\Mozilla Firefox\ssl3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\xpcom.dll]  [Mozilla Foundation, 1.9.1.2]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll]  [Mozilla Foundation, 1.9.1.2]
	[C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll]  [Mozilla Foundation, 1.9.1.2]
	[C:\Program Files\Mozilla Firefox\softokn3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssdbm3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\freebl3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssckbi.dll]  [Mozilla Foundation, 1.75]
	[C:\WINDOWS\system32\tajf83ikdmf.dll]  [N/A, ]
[PID: 2024 / Administrator][C:\Program Files\PowerArchiver\POWERARC.EXE]  [ConeXware, Inc., 11.5.0.66]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\Program Files\PowerArchiver\paunrar3.dll]  [N/A, ]
	[C:\Program Files\PowerArchiver\PAISO.DLL]  [Hoopoe ProGroup, 1, 7, 4, 1 beta 1]
[PID: 1348 / Administrator][C:\Program Files\PowerArchiver\POWERARC.EXE]  [ConeXware, Inc., 11.5.0.66]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\Program Files\PowerArchiver\paunrar3.dll]  [N/A, ]
	[C:\Program Files\PowerArchiver\PAISO.DLL]  [Hoopoe ProGroup, 1, 7, 4, 1 beta 1]
	[C:\Program Files\PowerArchiver\paclib.dll]  [N/A, ]
[PID: 508 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_PA988\SREngLdr.EXE]  [Smallfrogs Studio, 2.8.1.1279]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
[PID: 2700 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_PA988\SREfcdbd2d8.EXE]  [Smallfrogs Studio, 2.8.1.1279]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  Error. [C:\WINDOWS\system32\desote.exe "%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
VSockets Library over [MSAFD Tcpip [TCP/IP]]
	C:\WINDOWS\system32\winhelper.dll(, N/A)
VSockets Library
	C:\WINDOWS\system32\winhelper.dll(, N/A)

==================================
Autorun.Inf
[H:\]
[AUTORUN]
ShellExecute=Info.exe protect.ed 480 480

==================================
HOSTS File
127.0.0.1	   localhost

==================================
Process Privileges Scan
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 264, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SPOOLSV.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 496, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SYSTEM.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1068, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\CSRSS.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 432, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\TASKMGR.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1236, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SMSS.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 508, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\_PA988\SRENGLDR.EXE]

==================================
Scheduled Tasks
[Enabled] {7B02EF0B-A410-4938-8480-9BA26420A627}.job
		C:\WINDOWS\msa.exe 
[Enabled] GoogleUpdateTaskMachineCore.job
		C:\Program Files\Google\Update\GoogleUpdate.exe 
[Enabled] Google Software Updater.job
		C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe 
[Enabled] AppleSoftwareUpdate.job
		C:\Program Files\Apple Software Update\SoftwareUpdate.exe 
[Enabled] Ad-Aware Update (Weekly).job
		C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe 
[Enabled] {BB65B0FB-5712-401b-B616-E69AC55E2757}.job
		C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\n.exe 

==================================
Windows Security Update Check
N/A

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================


#9 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:29 AM

Posted 04 September 2009 - 06:24 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/255189/your-system-is-infected-desktop-and-fake-antiviruses/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



