Thread: powrprof.dll identified as both safe and dangerous

  1. #1
    Junior Member
    Join Date
    May 2008
    Posts
    1

    I am posting here to clarify a doubt: I was checking my system startup with Spybot S&D and found an entry (powrprof.dll etc.) which is described in two ways at the same time:

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: LoadPowerProfile
    Filename: ASDAPI.EXE
    Description
    Added by the _CABRO_ TROJAN!
    and

    Database status: Necessity depends on users preferences
    Value: LoadPowerProfile
    Filename: Rundll32.exe powrprof.dll

    Description
    Power management specifics such as monitor shut-off, system standby, etc.
    A little worried, I ran a full scan with Spybot without detecting the trojan. Thus, I searched for ASDAPI.EXE in the "Search Files and Folders" Windows tool, and then in the registry through regedit.

    To my concern, I found "ASDAPI.EXE" in the following registry keys:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU

    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU

    I then tried to search for more info about backdoor.Cabro on Google, finding that the trojan modifies other keys of the registry. I checked those and luckily the trojan values aren't there.
    Then I looked for MRU and found that it simply means "Most Recently Used". A page from the Microsoft.com website explained that it only means that I searched for that earlier (which is true) through "Find Files and Folders".

    Can I then consider myself safe?

    If the answer is yes, then please consider this post as information for all newbies who may find themselves in this situation.

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    winuser:

    The comments (descriptions) associated with startup entries are the known possibilities for the names of the startup entries ("LoadPowerProfile" in your case). There is no actual analysis of the startup entry itself (other than the name) nor of the program it points to. In order to then determine which description may or may not be applicable to your particular startup entry, you must compare the "Current filename: ..." that is listed above the individual descriptions with the "Filename: ..." in each description to determine which description, if any, may apply.

    Since it does not seem that you included the "Current filename: ..." nor posted the actual startup entry that you are interested in, it is difficult to help.

    If you post the "Current filename: ..." or the actual startup entry and related information, possibly someone can help.

    You can post the actual startup entry by going into Spybot > Mode > Advanced Mode > Tools > System startup and right clicking on the list, then select "Copy to clipboard". You can paste (Ctrl + V) the clipboard into another post in this thread. Please edit the post so that only the entry in question is posted.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
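
The comparison described in the reply above, written out as an added example (not part of the thread and not Spybot's own code): given a startup value name and its "Current filename", return only the descriptions whose "Filename:" matches. The function names and the sample command lines are assumptions constructed for illustration.

```python
import ntpath
import re

# Descriptions quoted in the first post; both share the value name "LoadPowerProfile".
DESCRIPTIONS = [
    {"value": "LoadPowerProfile", "filename": "ASDAPI.EXE",
     "status": "Not required - virus, spyware, malware or other resource hog"},
    {"value": "LoadPowerProfile", "filename": "Rundll32.exe powrprof.dll",
     "status": "Necessity depends on users preferences"},
]


def normalise(command):
    """Reduce a startup command line to lower-case file names, in order."""
    names = []
    # A token is either a double-quoted string or a run of non-blank characters.
    for token in re.findall(r'"[^"]*"|\S+', command):
        token = token.strip('"').split(",")[0]  # drop a rundll32 ",EntryPoint" suffix
        names.append(ntpath.basename(token).lower())
    return names


def applicable(value_name, current_command, descriptions=DESCRIPTIONS):
    """Return the descriptions whose "Filename:" matches the current filename."""
    current = normalise(current_command)
    hits = []
    for d in descriptions:
        wanted = normalise(d["filename"])
        same_name = d["value"].lower() == value_name.lower()
        if same_name and current[:len(wanted)] == wanted:
            hits.append(d)
    return hits


# Constructed "Current filename" values, not taken from the poster's machine.
SAMPLES = [
    r"C:\WINDOWS\system32\Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    r'"C:\Temp dir\ASDAPI.EXE"',
    r"C:\Other\thing.exe",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        found = [d["status"] for d in applicable("LoadPowerProfile", cmd)]
        print(cmd, "->", found or "no listed description applies")
```

A hit is still a match on names only; as the reply says, nothing here analyzes the program the entry points to.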