
Av.exe will not go away with Malwarebytes


This topic is locked
7 replies to this topic

#1 altheman

    New Member

  • Members
  • 4 posts

Posted 29 June 2011 - 12:19 PM

I am pretty computer savvy and have been dealing with this Av.exe. Malwarebytes says it has removed it and needs a reboot; after the reboot it finds av.exe again in all the same places. I bought the full version of Malwarebytes and had the same effect and result. Please advise; I am about 4 hours away from re-imaging the machine.

Attached File: M_bam.zip (13.61KB)

#2 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender: Male
  • Location: New Haven, CT

Posted 02 July 2011 - 10:00 PM

Hi and welcome to Malwarebytes.


In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.
Chris Fistonich
Research Team

Follow us: Twitter, Become a fan: Facebook

#3 altheman

    New Member

  • Members
  • 4 posts

Posted 26 July 2011 - 03:56 PM

Attached File: Attach.zip (2.49KB)

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7286

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

7/26/2011 4:44:41 PM
mbam-log-2011-07-26 (16-44-41).txt

Scan type: Quick scan
Objects scanned: 267727
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 75

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\antav\av.exe (Worm.Flooder) -> Quarantined and deleted successfully.
c:\windows\syswow64\antav\av.exe (Worm.Flooder) -> Quarantined and deleted successfully.
c:\users\administrator\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\alliant\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\dhagans\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\kacevedo\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin01\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin02\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\user\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\administrator\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\alliant\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\dhagans\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\kacevedo\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\public\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\synadmin\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\synadmin01\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\synadmin02\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\user\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\localservice\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\networkservice\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\windows\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\administrator\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\alliant\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\dhagans\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\kacevedo\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\public\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin01\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin02\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\user\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\localservice\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\networkservice\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\config\systemprofile\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\administrator\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\alliant\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\dhagans\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\kacevedo\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\public\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin01\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin02\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\user\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\localservice\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\networkservice\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\config\systemprofile\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\administrator\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\alliant\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\dhagans\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\kacevedo\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\public\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin01\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin02\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\user\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\localservice\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\networkservice\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\config\systemprofile\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\administrator\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\alliant\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\dhagans\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\kacevedo\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\public\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin01\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\synadmin02\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\user\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\localservice\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\networkservice\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\config\systemprofile\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\avi\av.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
c:\windows\syswow64\avi\av.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
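The log above shows the same av.exe dropped under every account on the machine, including the LocalService, NetworkService and systemprofile directories that no logged-on user writes to. As an added example, not code from the thread or from Malwarebytes, this Python script parses that "Files Infected" line format, collapses the per-account part of each path, and reports which drop locations could only have been written by a system-level component (the usual reason a cleaned file is back after a reboot). The sample lines are constructed to mirror the shape of the posted log.

```python
r"""Triage a Malwarebytes' Anti-Malware (MBAM) "Files Infected" log.

Added example; not code from the thread or from Malwarebytes. It reads the
detection line format shown in the posted log,

    <path> (<threat name>) -> <action>.

collapses the per-account root of each path (C:\Users\<name>,
C:\Windows\ServiceProfiles\<name>, C:\Windows\System32\config\systemprofile)
to the placeholder <PROFILE>, and counts how many accounts each drop location
was written into. A file found under a service account's profile was not
written by an ordinary interactive user.
"""
import re
from collections import defaultdict

# Constructed sample that mirrors a subset of the log posted in the thread.
SAMPLE_LOG = r"""Files Infected:
c:\windows\system32\antav\av.exe (Worm.Flooder) -> Quarantined and deleted successfully.
c:\windows\syswow64\antav\av.exe (Worm.Flooder) -> Quarantined and deleted successfully.
c:\users\administrator\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\alliant\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\administrator\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\users\alliant\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\avi\av.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
"""

# One detection per line. The path is matched lazily so a directory name that
# contains parentheses, e.g. "Program Files (x86)", is not taken for the threat
# name; the literal " -> " anchors where the threat name really ends.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Profile roots as MBAM prints them. Each alternative captures the account name
# so drops into different accounts can be counted separately.
PROFILE_ROOT_RE = re.compile(
    r"^(?:c:\\users\\(?P<user>[^\\]+)"
    r"|c:\\windows\\serviceprofiles\\(?P<svc>[^\\]+)"
    r"|c:\\windows\\system32\\config\\(?P<sys>systemprofile))",
    re.IGNORECASE,
)

# Profiles that belong to Windows service accounts rather than to a person.
SERVICE_ACCOUNTS = {"localservice", "networkservice", "systemprofile"}


def parse_detections(log_text):
    """Return a list of (path, threat, action) tuples, one per detection line."""
    detections = []
    for line in log_text.splitlines():
        match = DETECTION_RE.match(line.strip())
        if match:
            detections.append((match.group("path").lower(),
                               match.group("threat"),
                               match.group("action")))
    return detections


def normalize_profile(path):
    """Replace a per-account profile root with <PROFILE>.

    Returns (normalized_path, account); account is None for a path that does
    not live under any profile directory (e.g. C:\\Windows\\System32).
    """
    match = PROFILE_ROOT_RE.match(path)
    if not match:
        return path, None
    account = (match.group("user") or match.group("svc") or match.group("sys")).lower()
    return "<PROFILE>" + path[match.end():], account


def group_by_location(detections):
    """Group detections by normalized path -> {"threats", "accounts", "count"}."""
    groups = defaultdict(lambda: {"threats": set(), "accounts": set(), "count": 0})
    for path, threat, _action in detections:
        normalized, account = normalize_profile(path)
        entry = groups[normalized]
        entry["threats"].add(threat)
        entry["count"] += 1
        if account is not None:
            entry["accounts"].add(account)
    return dict(groups)


def classify(entry):
    """Heuristic scope label: 'system' if the location is outside every profile
    or was written into a service account's profile, otherwise 'user'."""
    if not entry["accounts"] or entry["accounts"] & SERVICE_ACCOUNTS:
        return "system"
    return "user"


def summarize(log_text):
    """Return (normalized_path, count, scope, sorted threats) rows, busiest first."""
    rows = []
    for normalized, entry in group_by_location(parse_detections(log_text)).items():
        rows.append((normalized, entry["count"], classify(entry), sorted(entry["threats"])))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    for normalized, count, scope, threats in summarize(SAMPLE_LOG):
        print(f"{count:>3} x {scope:<6} {normalized}  [{', '.join(threats)}]")
```

Run it against a full MBAM log by passing the file contents to summarize(); any location labelled "system" points at a component outside the per-user profiles, which is where the DDS startup and service sections need to be read next.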

#4 altheman

    New Member

  • Members
  • 4 posts

Posted 26 July 2011 - 03:59 PM

Hi and welcome to Malwarebytes.


In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


**********************************************************************************************************************************************************************************************

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Synadmin02 at 16:45:39 on 2011-07-26
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1783.465 [GMT -4:00]
.
AV: Kaspersky Anti-Virus *Enabled/Outdated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Kaspersky Anti-Virus *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
c:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files (x86)\Century\TinyTERM\NetUtils\CenLPD.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\AgentMon.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe
C:\Program Files (x86)\PC Tools Security\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\PC Tools Security\pctsGui.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Cenlpdstatus.exe
C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\KaUsrTsk.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll
BHO: HP ProtectTools Security Manager Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpOtsPluginIe8.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [KASHSYNTKS36468151087708] "C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\KaUsrTsk.exe"
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [AVP] "c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
mRun: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
mRun: [PCTools FGuard] C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Cenlpdstatus.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
TCP: DhcpNameServer = 10.0.0.101
TCP: Interfaces\{DA2FE57A-3CBB-4BA0-A2D1-0AD3D5D42404} : DhcpNameServer = 10.0.0.101
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Notify: DeviceNP - DeviceNP.dll
AppInit_DLLs: c:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll
BHO-X64: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: PC Tools Browser Guard BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
BHO-X64: Browser Defender BHO - No File
BHO-X64: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - c:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll
BHO-X64: HP ProtectTools Security Manager Extension: {395610AE-C624-4f58-B89E-23733EA00F9A} - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpOtsPluginIe8.dll
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
BHO-X64: link filter bho - No File
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB-X64: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
mRun-x64: [KASHSYNTKS36468151087708] "C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\KaUsrTsk.exe"
mRun-x64: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun-x64: [AVP] "c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
mRun-x64: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
mRun-x64: [PCTools FGuard] C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe
mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
AppInit_DLLs-X64: c:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KLBG;Kaspersky Lab Boot Guard Driver;C:\Windows\system32\DRIVERS\klbg.sys --> C:\Windows\system32\DRIVERS\klbg.sys [?]
R0 PCTCore;PCTools KDS;C:\Windows\system32\drivers\PCTCore64.sys --> C:\Windows\system32\drivers\PCTCore64.sys [?]
R0 pctDS;PC Tools Data Store;C:\Windows\system32\drivers\pctDS64.sys --> C:\Windows\system32\drivers\pctDS64.sys [?]
R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\system32\drivers\pctEFA64.sys --> C:\Windows\system32\drivers\pctEFA64.sys [?]
R0 SbAlg;SbAlg;C:\Windows\System32\drivers\SbAlg.sys [2010-2-1 51800]
R0 SbFsLock;SbFsLock;C:\Windows\System32\drivers\SbFsLock.sys [2010-2-1 13256]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys --> C:\Windows\system32\DRIVERS\klim6.sys [?]
R1 PCTSD;PC Tools Spyware Doctor Driver;C:\Windows\system32\Drivers\PCTSD64.sys --> C:\Windows\system32\Drivers\PCTSD64.sys [?]
R1 RsvLock;RsvLock;C:\Windows\System32\drivers\rsvlock.sys [2010-2-1 40088]
R2 AVP;Kaspersky Anti-Virus;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe [2010-6-18 377600]
R2 Browser Defender Update Service;Browser Defender Update Service;C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [2011-7-15 337872]
R2 CenLPD;CenLPD;C:\Program Files (x86)\Century\TinyTERM\NetUtils\CenLPD.exe [2011-5-9 102400]
R2 HP ProtectTools Service;HP ProtectTools Service;C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-1-12 36864]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-17 682040]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-1-25 92216]
R2 HpFkCryptService;Drive Encryption Service;C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2010-2-1 281192]
R2 HPFSService;File Sanitizer for HP ProtectTools;C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2009-12-11 297984]
R2 KASYNTKS36468151087708;Kaseya Agent;C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\AgentMon.exe [2011-5-20 835584]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-3-1 373640]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2010-9-17 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-4-24 1128952]
R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2011-7-15 371472]
R2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2011-7-15 1117144]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-4-24 2320920]
R3 DEBridge;DEBridge;C:\Program Files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe [2010-2-1 704512]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\drivers\HECIx64.sys --> C:\Windows\system32\drivers\HECIx64.sys [?]
R3 KAPFA;KAPFA;\??\C:\Windows\system32\drivers\KAPFA.SYS --> C:\Windows\system32\drivers\KAPFA.SYS [?]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\system32\DRIVERS\klmouflt.sys --> C:\Windows\system32\DRIVERS\klmouflt.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 DAMDrv;DAMDrv;C:\Windows\system32\DRIVERS\DAMDrv64.sys --> C:\Windows\system32\DRIVERS\DAMDrv64.sys [?]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\Windows\SysWOW64\flcdlock.exe [2009-12-7 362040]
S3 Impcd;Impcd;C:\Windows\system32\drivers\Impcd.sys --> C:\Windows\system32\drivers\Impcd.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 OxPPort;OxPPort;C:\Windows\system32\drivers\OxPPort.sys --> C:\Windows\system32\drivers\OxPPort.sys [?]
S3 OxSer;OxSer;C:\Windows\system32\drivers\OxSer.sys --> C:\Windows\system32\drivers\OxSer.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
.
=============== Created Last 30 ================
.
2011-07-26 20:43:54 -------- d-----w- C:\Users\synadmin02\AppData\Local\Hewlett-Packard
2011-07-26 20:39:29 -------- d-----w- C:\Users\synadmin02\AppData\Local\Threat Expert
2011-07-26 20:34:08 -------- d-----w- C:\Users\synadmin02\AppData\Roaming\Malwarebytes
2011-07-26 20:34:04 -------- d-----w- C:\Users\synadmin02\AppData\Local\PDFC
2011-07-26 20:34:03 -------- d-----w- C:\Users\synadmin02\AppData\Local\LogMeIn
2011-07-15 13:08:18 767952 ----a-w- C:\Windows\BDTSupport.dll
2011-07-15 13:08:18 2078672 ----a-w- C:\Windows\PCTBDCore.dll
2011-07-15 13:08:18 149456 ----a-w- C:\Windows\SGDetectionTool.dll
2011-07-15 13:08:17 1533904 ----a-w- C:\Windows\PCTBDRes.dll
2011-07-15 13:04:57 816016 ----a-w- C:\Windows\System32\drivers\pctEFA64.sys
2011-07-15 13:04:57 452872 ----a-w- C:\Windows\System32\drivers\pctDS64.sys
2011-07-15 13:04:56 334976 ----a-w- C:\Windows\System32\drivers\pctgntdi64.sys
2011-07-15 13:04:56 140800 ----a-w- C:\Windows\System32\drivers\pctwfpfilter64.sys
2011-07-15 13:04:51 282440 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys
2011-07-15 13:04:44 279344 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
2011-07-15 13:04:40 92896 ----a-w- C:\Windows\System32\drivers\pctplsg64.sys
2011-07-15 13:04:34 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2011-07-15 13:04:32 -------- d-----w- C:\Program Files (x86)\PC Tools Security
2011-07-15 13:02:39 -------- d-----w- C:\ProgramData\PC Tools
2011-07-15 09:07:30 8873296 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{24E3BDF3-CCB4-4522-810E-427FF040C276}\mpengine.dll
2011-07-14 17:58:17 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-14 17:45:00 -------- d-----w- C:\Users\synadmin02\AppData\Local\temp
2011-07-14 17:35:35 98816 ----a-w- C:\Windows\sed.exe
2011-07-14 17:35:35 518144 ----a-w- C:\Windows\SWREG.exe
2011-07-14 17:35:35 256000 ----a-w- C:\Windows\PEV.exe
2011-07-14 17:35:35 208896 ----a-w- C:\Windows\MBR.exe
2011-07-14 17:04:51 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-07-13 19:24:35 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-13 19:24:35 -------- d-----w- C:\ProgramData\Malwarebytes
2011-07-13 19:24:26 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-07-13 19:24:26 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-07-06 10:46:48 -------- d-----w- C:\Program Files\Spybot - Search & Destroy
2011-07-06 10:46:46 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-07-06 10:46:46 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
.
==================== Find3M ====================
.
2011-06-06 15:10:45 876032 ----a-w- C:\Windows\SysWow64\VFP6RENU.DLL
2011-06-06 15:10:45 24990 ----a-w- C:\Windows\SysWow64\VFP6RUN.EXE
2011-06-06 15:10:44 3370256 ----a-w- C:\Windows\SysWow64\VFP6R.DLL
2011-05-24 23:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-05-21 12:40:59 82432 ----a-w- C:\Windows\SysWow64\msxml4r.dll
2011-05-21 12:40:59 44544 ----a-w- C:\Windows\SysWow64\msxml4a.dll
2011-05-21 12:40:59 1233920 ----a-w- C:\Windows\SysWow64\msxml4.dll
2011-05-11 14:18:08 0 ----a-w- C:\Windows\ativpsrm.bin
2011-05-06 14:58:00 20968 ----a-w- C:\Windows\System32\pdfc_port.dll
.
============= FINISH: 16:46:54.40 ===============

#5 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender: Male
  • Location: New Haven, CT

Posted 29 July 2011 - 01:43 AM

Hi,

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modification of critical system files, and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.
Chris Fistonich
Research Team


#6 altheman

    New Member

  • Members
  • 4 posts

Posted 29 July 2011 - 10:36 AM

To me personally, I think that your answer is unacceptable. I have 3 PCs at home; if they all become infected I have to re-image all 3. I mean, re-imaging is always an option, I just thought that I'd give Mbam a chance. Thanks for nothing, really nothing.

#7 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender: Male
  • Location: New Haven, CT

Posted 01 August 2011 - 06:58 PM

I don't really understand what you mean. I gave you my recommendation based on your malware.

Like I said,

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.


I'm sorry you don't think the free help we offer is satisfactory.


Hope you have a great day.
Chris Fistonich
Research Team


#8 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender: Male
  • Location: New Haven, CT

Posted 01 August 2011 - 07:02 PM

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Chris Fistonich
Research Team
