"Your system is infected" desktop and fake antiviruses.


  • This topic is locked
2 replies to this topic

#1 Flargonshroud

  • Members
  • 6 posts
  • OFFLINE
  • Local time: 06:37 AM

Posted 04 September 2009 - 03:58 PM

Referred from http://www.bleepingcomputer.com/forums/t/255068/your-system-is-infected-desktop-and-fake-antiviruses/

Adding in description of computer issues from other topic. ~ OB

Okay, so earlier this evening my computer started randomly restarting itself as soon as I opened any folder in the "My Documents" folder.


When it finally restarted, my desktop was changed to a blue screen with a box in the center reading "YOUR SYSTEM IS INFECTED."

There are also fake antivirus programs that are trying to run.

I read online about this problem, and it gave a solution of running SUPERAntiSpyware in safe mode, then Malwarebytes Anti-Malware after rebooting.

The problem with that is I was able to open SUPERAntiSpyware once, then started a scan, then it terminated itself. When I tried to open it again it told me something along the lines of "Windows can not access the specified file, you may not have permission."

The exact same thing happened with MBAM and Avast. It's as if whatever is infecting my computer won't make the same mistake twice in letting me access my antivirus software.

There are also taskbar icons (a red circle with a white X) saying my computer is infected, with a little alert balloon which leads to an internet site for fake antiviruses.

Whatever has infected my computer is killing off all my antivirus software as I try to use it. And there are numerous pop-ups and false alerts. Also, my internet browser redirects when I try to go to help sites.

Oh, also, there are pop-up windows that say things like "224.exe has to close" or something like that. (The 3-digit number is always random.)

With all my antivirus software being disabled, what can I do to help this problem?

End of added material. ~ OB

Hello, I came from the topic listed above and was told to post a topic here.

I was unable to open DDS, so I used SRE and made a log as suggested.

2009-09-04,13:52:12

System Repair Engineer 2.8.1.1279
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been selected:
	All Boot Items (Including Registry, Startup Folders, Services and so on)
	Browser Add-ons
	Running Processes (Including process model information)
	File Associations
	Winsock Provider
	Autorun.Inf
	HOSTS File
	Process Privileges Scan
	Scheduled Tasks
	Windows Security Update Check
	API HOOK
	Hidden Process


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
	<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
	<MSMSGS><"C:\Program Files\Messenger\msmsgs.exe" /background>  [(Verified)Microsoft Windows XP Publisher]
	<Windows System Recover!><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\system.exe>  []
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
	<FlashPlayerUpdate><C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p>  [(Verified)Adobe Systems Incorporated]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
	<load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
	<ehTray><C:\WINDOWS\ehome\ehtray.exe>  [Microsoft Corporation]
	<AlwaysReady Power Message APP><ARPWRMSG.EXE>  [(Verified)Microsoft Windows Publisher]
	<HPHUPD08><c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe>  [Hewlett-Packard]
	<DISCover><C:\Program Files\DISC\DISCover.exe>  [Digital Interactive Systems Corporation]
	<DiscUpdateManager><C:\Program Files\DISC\DiscUpdMgr.exe>  [Digital Interactive Systems Corporation, Inc.]
	<DMAScheduler><"c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe">  [Sonic Solutions]
	<Recguard><C:\WINDOWS\SMINST\RECGUARD.EXE>  []
	<PCDrProfiler><>  [N/A]
	<HPBootOp><"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run>  [Hewlett-Packard Company]
	<HP Software Update><C:\Program Files\HP\HP Software Update\HPwuSchd2.exe>  [Hewlett-Packard Development Company, L.P.]
	<avast!><C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe>  [(Verified)ALWIL Software]
	<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.]
	<QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime>  [Apple Inc.]
	<LogitechCommunicationsManager><"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe">  [(Verified)Logitech Inc]
	<LogitechQuickCamRibbon><"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide>  [(Verified)Logitech Inc]
	<YSearchProtection><"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe">  [(Verified)Yahoo! Inc.]
	<SunJavaUpdateSched><"C:\Program Files\Java\jre6\bin\jusched.exe">  [(Verified)"Sun Microsystems, Inc."]
	<PWRISOVM.EXE><C:\Program Files\PowerISO\PWRISOVM.EXE>  [PowerISO Computing, Inc.]
	<C:\WINDOWS\system32\braviax.exe>  []
	<winupdate.exe><C:\WINDOWS\system32\winupdate.exe>  []
	<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>  [File is missing]
	<lohuzolov><Rundll32.exe "c:\windows\system32\lisepeyo.dll",a>  []
	<11417034><C:\Documents and Settings\All Users\Application Data\11417034\11417034.exe>  []
	<letubagede><Rundll32.exe "C:\WINDOWS\system32\rogavove.dll",s>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
	<Malwarebytes' Anti-Malware><C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent>  [(Verified)Malwarebytes Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
	<Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
	<AppInit_DLLs><c:\windows\system32\lisepeyo.dll,C:\WINDOWS\system32\kuvimulo.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
	<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
	<PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Publisher]
	<CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Publisher]
	<WebCheck><C:\WINDOWS\system32\webcheck.dll>  [(Verified)Microsoft Windows]
	<SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Publisher]
	<papudituh><c:\windows\system32\lisepeyo.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
	<WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
	<WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
	<WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
	<WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
	<WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
	<WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
	<WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
	<WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
	<WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
	<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows]
	<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows]
	<{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}><C:\WINDOWS\system32\tajf83ikdmf.dll>  []
	<{8f8a7d17-f8dc-490c-be29-35f70c98fb80}><c:\windows\system32\lisepeyo.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
	<Internet Explorer Version Update><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
	<Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
	<Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
	<"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
	<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
	<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{407408d4-94ed-4d86-ab69-a7f649d112ee}]
	<Media Center><%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
	<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
	<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
	<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
	<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
	<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
	<Windows Desktop Update><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
	<Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -BaseSettings>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
	<N/A><c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
	<Fax><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
	<SCRNSAVE.EXE><C:\WINDOWS\System32\logon.scr>  [(Verified)Microsoft Windows Publisher]

==================================
Startup Folders
[HP Digital Imaging Monitor]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk --> C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [Hewlett-Packard Development Company, L.P.]><N>
[Updates From HP]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk --> C:\PROGRA~1\UPDATE~1\9972322\Program\UPDATE~1.EXE [Hewlett-Packard]><N>

==================================
Services
[AntipyProex / AntipPro2009_100][Stopped/Auto Start]
  <C:\WINDOWS\svchasts.exe><N/A>
[Apple Mobile Device / Apple Mobile Device][Stopped/Auto Start]
  <"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"><Apple Inc.>
[avast! iAVS4 Control Service / aswUpdSv][Stopped/Auto Start]
  <"C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"><ALWIL Software>
[Ati HotKey Poller / Ati HotKey Poller][Stopped/Auto Start]
  <C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[avast! Antivirus / avast! Antivirus][Stopped/Auto Start]
  <"C:\Program Files\Alwil Software\Avast4\ashServ.exe"><ALWIL Software>
[avast! Mail Scanner / avast! Mail Scanner][Stopped/Manual Start]
  <"C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service><ALWIL Software>
[avast! Web Scanner / avast! Web Scanner][Stopped/Manual Start]
  <"C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service><ALWIL Software>
[Bonjour Service / Bonjour Service][Stopped/Auto Start]
  <"C:\Program Files\Bonjour\mDNSResponder.exe"><Apple Inc.>
[FLEXnet Licensing Service / FLEXnet Licensing Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"><Macrovision Europe Ltd.>
[Google Update Service (gupdate) / gupdate][Stopped/Auto Start]
  <"C:\Program Files\Google\Update\GoogleUpdate.exe" /svc><Google Inc.>
[Google Software Updater / gusvc][Stopped/Auto Start]
  <"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[iPod Service / iPod Service][Stopped/Manual Start]
  <"C:\Program Files\iPod\bin\iPodService.exe"><Apple Inc.>
[Java Quick Starter / JavaQuickStarterService][Stopped/Auto Start]
  <"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"><Sun Microsystems, Inc.>
[Lavasoft Ad-Aware Service / Lavasoft Ad-Aware Service][Stopped/Auto Start]
  <"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"><N/A>
[LightScribeService Direct Disc Labeling Service / LightScribeService][Stopped/Auto Start]
  <"C:\Program Files\Common Files\LightScribe\LSSrvc.exe"><Hewlett-Packard Company>
[LVCOMSer / LVCOMSer][Stopped/Auto Start]
  <"C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe"><Logitech Inc.>
[Process Monitor / LVPrcSrv][Stopped/Auto Start]
  <"C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"><Logitech Inc.>
[LVSrvLauncher / LVSrvLauncher][Stopped/Auto Start]
  <C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe><Logitech Inc.>
[Pml Driver HPZ12 / Pml Driver HPZ12][Stopped/Boot Start]
  <\SystemRoot\C:\WINDOWS\system32\HPZipm12.exe><(File is missing)>
[Yahoo! Updater / YahooAUService][Stopped/Auto Start]
  <"C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe"><Yahoo! Inc.>

==================================
Drivers
[Agere Systems Soft Modem / AgereSoftModem][Stopped/Manual Start]
  <system32\DRIVERS\AGRSM.sys><Agere Systems>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Stopped/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[AMD Processor Driver / AmdK8][Stopped/System Start]
  <system32\DRIVERS\AmdK8.sys><Advanced Micro Devices>
[aswFsBlk / aswFsBlk][Stopped/Auto Start]
  <system32\DRIVERS\aswFsBlk.sys><ALWIL Software>
[ati2mtag / ati2mtag][Stopped/Manual Start]
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Promise driver accelerator / bb-run][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\bb-run.sys><Promise Technology, Inc.>
[BVRPMPR5 NDIS Protocol Driver / BVRPMPR5][Stopped/Manual Start]
  <\??\I:\INSTAL~E\Core\BVRPMPR5.SYS><N/A>
[EagleNT / EagleNT][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\EagleNT.sys><N/A>
[ftsata2 / ftsata2][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\ftsata2.sys><Promise Technology, Inc.>
[GEAR ASPI Filter Driver / GEARAspiWDM][Running/Manual Start]
  <system32\DRIVERS\GEARAspiWDM.sys><GEAR Software Inc.>
[Hamachi Network Interface / hamachi][Stopped/Manual Start]
  <system32\DRIVERS\hamachi.sys><LogMeIn, Inc.>
[Intel RAID Controller / iaStor][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\iaStor.sys><Intel Corporation>
[Intel Processor Driver / intelppm][Stopped/System Start]
  <system32\DRIVERS\intelppm.sys><N/A>
[Lbd / Lbd][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\Lbd.sys><Lavasoft AB>
[Logitech AEC Driver / LVcKap][Stopped/Manual Start]
  <system32\DRIVERS\LVcKap.sys><Logitech Inc.>
[Logitech Machine Vision Engine Loader / LVMVDrv][Stopped/Manual Start]
  <system32\DRIVERS\LVMVDrv.sys><Logitech Inc.>
[Logitech LVPr2Mon Driver / LVPr2Mon][Stopped/Manual Start]
  <system32\DRIVERS\LVPr2Mon.sys><>
[nsup / nsup][Stopped/Auto Start]
  <system32\drivers\naoyj.sys><N/A>
[plnkj / plnkj][Stopped/Auto Start]
  <system32\drivers\ykbjpuh.sys><N/A>
[Ps2 / Ps2][Running/Manual Start]
  <system32\DRIVERS\PS2.sys><Hewlett-Packard Company>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[USB Wireless 802.11 b/g Adaptor Driver / RT73][Running/Manual Start]
  <system32\DRIVERS\rt73.sys><Ralink Technology, Corp.>
[Realtek 10/100/1000 NIC Family all in one NDIS XP Driver / RTL8023xp][Running/Manual Start]
  <system32\DRIVERS\Rtnicxp.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[SASDIFSV / SASDIFSV][Stopped/System Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS><SUPERAdBlocker.com and SUPERAntiSpyware.com>
[SASENUM / SASENUM][Stopped/Manual Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS><SUPERAdBlocker.com and SUPERAntiSpyware.com>
[SASKUTIL / SASKUTIL][Stopped/System Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys><SUPERAdBlocker.com and SUPERAntiSpyware.com>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>
[Apple Mobile USB Driver / USBAAPL][Stopped/Manual Start]
  <System32\Drivers\usbaapl.sys><Apple, Inc.>

==================================
Browser Add-ons
[&Yahoo! Toolbar Helper]
  {02478D38-C3F9-4efb-9B51-7695ECA05670} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll, (Signed) Yahoo! Inc.>
[C:\WINDOWS\system32\tajf83ikdmf.dll]
  {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} <C:\WINDOWS\system32\tajf83ikdmf.dll, N/A>
[&Research]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL, (Signed) Microsoft Corporation>
[AIM]
  {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} <C:\Program Files\AIM\aim.exe, (Signed) America Online, Inc.>
[Internet Connection Help]
  {E2D4D26B-0180-43a4-B05F-462D6D54C789} <, >
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, (Signed) Microsoft Corporation>
[&Google]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[Yahoo! Toolbar]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll, (Signed) Yahoo! Inc.>
[Facebook Photo Uploader 5 Control]
  {8100D56A-5661-482C-BEE8-AFECE305D968} <C:\WINDOWS\Downloaded Program Files\PhotoUploader55.ocx, (Signed) The Facebook>
[Java Plug-in 1.6.0_15]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre6\bin\npjpi160_15.dll, (Signed) Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_05]
  {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.6.0_15]
  {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\npjpi160_15.dll, (Signed) Sun Microsystems, Inc.>
[Java Plug-in 1.6.0_15]
  {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\npjpi160_15.dll, (Signed) Sun Microsystems, Inc.>
[]
  {E2883E8F-472F-4FB0-9522-AC9BF37916A7} <, >
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, (Signed) Adobe Systems Incorporated>
[]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <, >
[&Google]
  {2318C2B1-4965-11D4-9B18-009027A5CD4F} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[Active Desktop Mover]
  {72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, (Signed) N/A>
[]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <, >
[Google Toolbar Helper]
  {AA58ED58-01DD-4D91-8333-CF10577473F7} <c:\program files\google\googletoolbar1.dll, Google Inc.>
[hpWebHelper Class]
  {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} <C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll, TODO: <Company name>>
[Helper Class]
  {BF0118D4-63FF-4138-9327-F3028FB1A578} <C:\WINDOWS\web\wallpaper\welcome\AWhelper.dll, >
[]
  {E2D4D26B-0180-43A4-B05F-462D6D54C789} <, >
[Runclose Control]
  {F31D1897-7EFD-4647-8687-E05894E382AB} <C:\WINDOWS\System32\RUNCLOSE.OCX, Hewlett-Packard Company>
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[&Google Search]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html, N/A>
[&Translate English Word]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html, N/A>
[Add to Google Photos Screensa&ver]
  <res://C:\WINDOWS\system32\GPhotos.scr/200, N/A>
[Backward Links]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html, N/A>
[Cached Snapshot of Page]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html, N/A>
[E&xport to Microsoft Excel]
  <res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000, N/A>
[Similar Pages]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html, N/A>
[Translate Page into English]
  <res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html, N/A>

==================================
Running Processes
[PID: 384 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 608 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 632 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
	[C:\WINDOWS\system32\Ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4129]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
	[C:\WINDOWS\system32\rogavove.dll]  [N/A, ]
[PID: 680 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
[PID: 692 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
[PID: 860 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 956 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1112 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 1224 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 1296 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
[PID: 1676 / Administrator][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
	[C:\WINDOWS\system32\tajf83ikdmf.dll]  [N/A, ]
	[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
	[C:\Program Files\WinRAR\rarext.dll]  [, ]
	[C:\Program Files\PowerArchiver\PASHLEXT.DLL]  [ConeXware, Inc., 11.5.0.20]
	[C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll]  [Malwarebytes Corporation, 1, 2, 0, 0]
	[C:\Program Files\PowerISO\PWRISOSH.DLL]  [PowerISO Computing, Inc., 4, 5, 0, 0]
	[C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll]  [, 1.0.0.1]
	[C:\Program Files\Alwil Software\Avast4\ashShell.dll]  [ALWIL Software, 4, 8, 1351, 0]
	[C:\WINDOWS\system32\msdmo.dll]  [, ]
	[C:\WINDOWS\system32\dxmasf.dll]  [, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\WINDOWS\system32\rogavove.dll]  [N/A, ]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
[PID: 1388 / Administrator][C:\Documents and Settings\Administrator\Desktop\procexp.exe]  [Sysinternals - www.sysinternals.com, 11.33]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
	[C:\WINDOWS\system32\netfxperf.dll]  [Microsoft Corporation, 1.1.4322.573]
	[C:\WINDOWS\system32\tajf83ikdmf.dll]  [N/A, ]
[PID: 264 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\spoolsv.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 496 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\system.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 1068 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
[PID: 596 / Administrator][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
[PID: 432 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
[PID: 1236 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smss.exe]  [N/A, ]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\bosudeji.dll]  [N/A, ]
[PID: 2424 / SYSTEM][C:\WINDOWS\system32\cmd.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\wohavune.dll]  [N/A, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
[PID: 2556 / Administrator][C:\Program Files\Mozilla Firefox\firefox.exe]  [Mozilla Corporation, 1.9.1.2]
	[C:\Program Files\Mozilla Firefox\xul.dll]  [Mozilla Foundation, 1.9.1.2]
	[C:\Program Files\Mozilla Firefox\sqlite3.dll]  [sqlite.org, 3.6.10]
	[C:\Program Files\Mozilla Firefox\MOZCRT19.dll]  [Mozilla Foundation, 8.00.0000]
	[C:\Program Files\Mozilla Firefox\js3250.dll]  [Netscape Communications Corporation, 4.0]
	[C:\Program Files\Mozilla Firefox\nspr4.dll]  [Mozilla Foundation, 4.8]
	[C:\Program Files\Mozilla Firefox\smime3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nss3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssutil3.dll]  [Mozilla Foundation, 3.12.3.1]
	[C:\Program Files\Mozilla Firefox\plc4.dll]  [Mozilla Foundation, 4.8]
	[C:\Program Files\Mozilla Firefox\plds4.dll]  [Mozilla Foundation, 4.8]
	[C:\Program Files\Mozilla Firefox\ssl3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\xpcom.dll]  [Mozilla Foundation, 1.9.1.2]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll]  [Mozilla Foundation, 1.9.1.2]
	[C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll]  [Mozilla Foundation, 1.9.1.2]
	[C:\Program Files\Mozilla Firefox\softokn3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssdbm3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\freebl3.dll]  [Mozilla Foundation, 3.12.3.1 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssckbi.dll]  [Mozilla Foundation, 1.75]
	[C:\WINDOWS\system32\tajf83ikdmf.dll]  [N/A, ]
[PID: 2024 / Administrator][C:\Program Files\PowerArchiver\POWERARC.EXE]  [ConeXware, Inc., 11.5.0.66]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\Program Files\PowerArchiver\paunrar3.dll]  [N/A, ]
	[C:\Program Files\PowerArchiver\PAISO.DLL]  [Hoopoe ProGroup, 1, 7, 4, 1 beta 1]
[PID: 1348 / Administrator][C:\Program Files\PowerArchiver\POWERARC.EXE]  [ConeXware, Inc., 11.5.0.66]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\Program Files\PowerArchiver\paunrar3.dll]  [N/A, ]
	[C:\Program Files\PowerArchiver\PAISO.DLL]  [Hoopoe ProGroup, 1, 7, 4, 1 beta 1]
	[C:\Program Files\PowerArchiver\paclib.dll]  [N/A, ]
[PID: 508 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_PA988\SREngLdr.EXE]  [Smallfrogs Studio, 2.8.1.1279]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
[PID: 2700 / Administrator][C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_PA988\SREfcdbd2d8.EXE]  [Smallfrogs Studio, 2.8.1.1279]
	[C:\WINDOWS\system32\kuvimulo.dll]  [N/A, ]
	[c:\windows\system32\lisepeyo.dll]  [N/A, ]
	[\\?\globalroot\Device\__max++>\109A45CE.x86.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\winhelper.dll]  [N/A, ]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  Error. [C:\WINDOWS\system32\desote.exe "%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
VSockets Library over [MSAFD Tcpip [TCP/IP]]
	C:\WINDOWS\system32\winhelper.dll(, N/A)
VSockets Library
	C:\WINDOWS\system32\winhelper.dll(, N/A)

==================================
Autorun.Inf
[H:\]
[AUTORUN]
ShellExecute=Info.exe protect.ed 480 480

==================================
HOSTS File
127.0.0.1	   localhost

==================================
Process Privileges Scan
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 264, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SPOOLSV.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 496, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SYSTEM.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1068, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\CSRSS.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 432, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\TASKMGR.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1236, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SMSS.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 508, C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\_PA988\SRENGLDR.EXE]

==================================
Scheduled Tasks
[Enabled] {7B02EF0B-A410-4938-8480-9BA26420A627}.job
		C:\WINDOWS\msa.exe 
[Enabled] GoogleUpdateTaskMachineCore.job
		C:\Program Files\Google\Update\GoogleUpdate.exe 
[Enabled] Google Software Updater.job
		C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe 
[Enabled] AppleSoftwareUpdate.job
		C:\Program Files\Apple Software Update\SoftwareUpdate.exe 
[Enabled] Ad-Aware Update (Weekly).job
		C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe 
[Enabled] {BB65B0FB-5712-401b-B616-E69AC55E2757}.job
		C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\n.exe 

==================================
Windows Security Update Check
N/A

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================

Adding in RootRepeal logs from other topic. ~ OB

RootRepeal only terminates itself when you try to scan "Files". Here is a log I was able to get by scanning everything except files.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 11:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6E4F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ACD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF622C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF78FB000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF7171000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf761387e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7613bfe

Stealth Objects
-------------------
Object: Hidden Module [Name: rotscxspvnsvny.dll]
Process: svchost.exe (PID: 860) Address: 0x00790000 Size: 53248

Object: Hidden Module [Name: rotscxnrtwcvhp.dll]
Process: Explorer.EXE (PID: 588) Address: 0x00c10000 Size: 28672

Object: Hidden Module [Name: rotscxnrtwcvhp.dll]
Process: firefox.exe (PID: 2484) Address: 0x010e0000 Size: 28672

Object: Hidden Module [Name: rotscxnrtwcvhp.dll]
Process: IEXPLORE.EXE (PID: 2356) Address: 0x00bd0000 Size: 28672

Object: Hidden Module [Name: rotscxnrtwcvhp.dll]
Process: IEXPLORE.EXE (PID: 1916) Address: 0x00bd0000 Size: 28672

==EOF==
=================
I was able to make this log by scanning files; it detects these things, then immediately terminates. (I stopped the scan right before the time it would kill itself.)

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 11:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\eventlog.dll
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\rotscxjcbqeett.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxlketvppe.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxlmybigip.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxnrtwcvhp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxspvnsvny.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\rotscxswespdii.dll
Status: Invisible to the Windows API!

Edited by Orange Blossom, 04 September 2009 - 06:24 PM.
Fix link and add additional information. ~ OB



#2 SifuMike
Posted 10 September 2009 - 03:47 PM

Hello Flargonshroud,

Download and run Win32kDiag:

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
Please post back with:
  • Win32kDiag.txt
  • Content of the log.txt

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike
Posted 17 September 2009 - 09:46 PM

Due to inactivity, this thread will now be closed.



