Well don't I feel like a fool, now that I settled down and had access to a web browser that works and being able to snoop around the forums, apparently it was just some silly spyware that was easily removed (or so far it would seem) with Malwarebytes. Sorry for making such a big post about nothing. I'll definitely be lurking around here to avoid wasting space in the future, lol. >.<
Thank you for the awesome assistance I am sure you would have provided if I wasn't such a fool
Today I started recieving some worrying error messages, generally I get two pop ups,
Pop up 1:
This one is usually triggered by my actions on the computer when I try to open items/run programs, or sometimes when trying to right click to change program settings, it also opens up when I try to open the task manager via ctrl+alt+delete (and closes the task manager - and often any program related to it opening up, or refuses my access).
Pop up "WARNING" box with a red circle crossed out:
Application cannot be executed. The file is infected. Please activate your antivirus software.
This pop up is usually followed by another pop up box of the same style,
Pop up 2:
(word for word, typos and all)
"Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)"
I so far just "X" this out instead of hitting OK, though I might have hit OK the first time this popped up in my carelessness.
This second one also just pops up on the screen every now and then even when I am taking no action.
Disconcertingly enough, it also changed my desktop background to an image that said WARNING Your computer is infected. And also the "Red circle with white x" image is now in my tray.
I did a full scan with Avira Antivirus and it didn't detect anything unusual. I can't save any logs/records because I am attacked by these pop ups whenever I try.
I was able to run ERUNT fine.
I get Pop up 1 when trying to run the DDS from the getting started thread.
It also pops up when I run RootRepeal after I click OK on the "Select Scan" prompt and it begins running (too fast to catch what's up) and somethign seems to pop up but then this trojan or whatever brings out Pop up 1 again and whatever appeared is gone. However, afterwards I can still click the save report button and save the file.
I'm rather inept at computer stuff so I was really happy when I stumbled upon your site here.
Any help would be greatly appreciated
(I'll edit in the rootrepeal text momentarily)
Oh I might also note that both my Avira (free version) and WinXP automatically update so I think they should be up to date.
ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2009/11/17 03:41
Program Version: Version 18.104.22.168
Windows Version: Windows XP Media Center Edition SP2
Image Path: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys
Address: 0xBA3A8000 Size: 31744 File Visible: No Signed: -
Image Path: Combo-Fix.sys
Address: 0xBA128000 Size: 60416 File Visible: No Signed: -
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC117000 Size: 98304 File Visible: No Signed: -
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA608000 Size: 8192 File Visible: No Signed: -
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA644000 Size: 7872 File Visible: No Signed: -
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8916000 Size: 49152 File Visible: No Signed: -
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba69a3e6
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba69a3dc
#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba69a3eb
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba69a3f5
#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba69a3fa
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba69a3c8
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba69a3cd
#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba69a404
#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba69a3ff
#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba69a3f0
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba69a3d7
Edited by wanderkind, 17 November 2009 - 04:02 AM.