altheman

Av.exe will not go away with Malwarebytes

8 posts in this topic

I am pretty computer savvy and have been dealing with this Av.exe. Malwarebytes says it has removed it and needs a reboot; after the reboot it will find the av.exe again in all the same places. I bought the full version of Malwarebytes and had the same effect and result. Please advise; I am about 4 hours away from re-imaging the machine.

(attachment: M_bam.zip)


Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


(attachment: Attach.zip)

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7286

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

7/26/2011 4:44:41 PM

mbam-log-2011-07-26 (16-44-41).txt

Scan type: Quick scan

Objects scanned: 267727

Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 75

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\windows\system32\antav\av.exe (Worm.Flooder) -> Quarantined and deleted successfully.

c:\windows\syswow64\antav\av.exe (Worm.Flooder) -> Quarantined and deleted successfully.

c:\users\administrator\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\alliant\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\dhagans\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\kacevedo\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin01\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin02\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\user\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\administrator\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\users\alliant\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\users\dhagans\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\users\kacevedo\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\users\public\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\users\synadmin\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\users\synadmin01\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\users\synadmin02\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\users\user\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\localservice\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\networkservice\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\windows\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

c:\users\administrator\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\alliant\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\dhagans\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\kacevedo\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\public\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin01\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin02\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\user\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\localservice\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\networkservice\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\system32\config\systemprofile\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\administrator\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\alliant\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\dhagans\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\kacevedo\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\public\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin01\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin02\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\user\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\localservice\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\networkservice\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\system32\config\systemprofile\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

c:\users\administrator\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\alliant\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\dhagans\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\kacevedo\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\public\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin01\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin02\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\user\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\localservice\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\networkservice\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\system32\config\systemprofile\templates\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\administrator\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\alliant\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\dhagans\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\kacevedo\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\public\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin01\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\synadmin02\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\users\user\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\localservice\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\serviceprofiles\networkservice\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\system32\config\systemprofile\templates\avg\av.exe (Trojan.MultipleAV) -> Quarantined and deleted successfully.

c:\windows\system32\avi\av.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.

c:\windows\syswow64\avi\av.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.

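As an added example (not from the thread and not Malwarebytes code), here is a small Python parser for the "Files Infected" lines of the MBAM log above. It groups each av.exe detection by its path relative to the profile it was dropped into, so the pattern in the log becomes visible at a glance: one payload written into every user profile, both service profiles and the SYSTEM profile, plus copies under C:\Windows\System32 and SysWOW64, which cannot be written without admin or SYSTEM rights. The sample input is a constructed subset of the log above (paths and detection names copied from it); the function names are mine.

```python
import re
from collections import defaultdict

# Constructed subset of the "Files Infected" section of the MBAM log above
# (paths and detection names copied from the thread; the real log has 75).
SAMPLE_LOG = r"""
c:\windows\system32\antav\av.exe (Worm.Flooder) -> Quarantined and deleted successfully.
c:\windows\syswow64\antav\av.exe (Worm.Flooder) -> Quarantined and deleted successfully.
c:\users\administrator\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\dhagans\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\users\administrator\appdata\local\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
c:\users\dhagans\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
c:\windows\system32\avi\av.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
"""

# One MBAM detection line: <path> (<detection name>) -> <action>
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")

# Profile roots as MBAM prints them (lower-cased). Service profiles and the
# SYSTEM profile live under c:\windows and are writable only as admin/SYSTEM.
PROFILE_RES = [
    re.compile(r"^c:\\users\\(?P<name>[^\\]+)\\"),
    re.compile(r"^c:\\windows\\serviceprofiles\\(?P<name>[^\\]+)\\"),
    re.compile(r"^c:\\windows\\system32\\config\\(?P<name>systemprofile)\\"),
]


def parse_detections(text):
    """Return one dict (path, family, action) per detection line; skip the rest."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def split_profile(path):
    """Return (profile_name, path_relative_to_profile), or (None, path)."""
    for rx in PROFILE_RES:
        m = rx.match(path)
        if m:
            return m.group("name"), path[m.end():]
    return None, path


def is_privileged_path(path):
    """True when the file sits under the Windows directory (admin/SYSTEM write)."""
    return path.lower().startswith("c:\\windows\\")


def summarize(detections):
    """Group detections by drop location and by detection name.

    'per_profile' maps a profile-relative path to the set of profiles it was
    dropped into; 'families' counts detection names; 'privileged' counts files
    whose location implies the dropper ran with admin or SYSTEM rights.
    """
    per_profile = defaultdict(set)
    families = defaultdict(int)
    privileged = 0
    for d in detections:
        profile, rel = split_profile(d["path"])
        families[d["family"]] += 1
        if profile is not None:
            per_profile[rel].add(profile)
        if is_privileged_path(d["path"]):
            privileged += 1
    return {"per_profile": dict(per_profile),
            "families": dict(families),
            "privileged": privileged}


if __name__ == "__main__":
    s = summarize(parse_detections(SAMPLE_LOG))
    for rel, profiles in s["per_profile"].items():
        print(f"{rel}: dropped into {len(profiles)} profile(s): {sorted(profiles)}")
    print("detection names:", s["families"])
    print("files under c:\\windows:", s["privileged"])
```

Two practitioner notes on reading the output. First, on Windows 7 the `Local Settings\Application Data` and `Templates` folders inside a profile are junctions into `AppData`, so several rows in the log are the same file seen through two names; the parser keeps them separate because the log does. Second, the files under `C:\Windows\System32`, `SysWOW64` and the service profiles mean whatever dropped them was already running as admin or SYSTEM on this machine, which fits the OP's report that quarantine plus reboot only brings them back: the scan lists the dropped files, not the component that keeps re-creating them.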


.

DDS (Ver_2011-06-23.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514

Run by Synadmin02 at 16:45:39 on 2011-07-26

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1783.465 [GMT -4:00]

.

AV: Kaspersky Anti-Virus *Enabled/Outdated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

SP: Kaspersky Anti-Virus *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

c:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe

c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe

C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe

C:\Program Files (x86)\Century\TinyTERM\NetUtils\CenLPD.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

c:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe

C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\AgentMon.exe

c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe

C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\PDF Complete\pdfsvc.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe

C:\Program Files (x86)\PC Tools Security\pctsSvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe

C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

c:\Program Files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\PC Tools Security\pctsGui.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Cenlpdstatus.exe

C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\KaUsrTsk.exe

C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe

C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll

BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll

BHO: HP ProtectTools Security Manager Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpOtsPluginIe8.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

mRun: [KASHSYNTKS36468151087708] "C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\KaUsrTsk.exe"

mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe

mRun: [AVP] "c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"

mRun: [iSTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI

mRun: [PCTools FGuard] C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe

mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Cenlpdstatus.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll

TCP: DhcpNameServer = 10.0.0.101

TCP: Interfaces\{DA2FE57A-3CBB-4BA0-A2D1-0AD3D5D42404} : DhcpNameServer = 10.0.0.101

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Notify: DeviceNP - DeviceNP.dll

AppInit_DLLs: c:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll

BHO-X64: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

BHO-X64: PC Tools Browser Guard BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll

BHO-X64: Browser Defender BHO - No File

BHO-X64: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - c:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll

BHO-X64: HP ProtectTools Security Manager Extension: {395610AE-C624-4f58-B89E-23733EA00F9A} - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpOtsPluginIe8.dll

BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll

BHO-X64: IEVkbdBHO - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

BHO-X64: link filter bho - No File

TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

TB-X64: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll

mRun-x64: [KASHSYNTKS36468151087708] "C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\KaUsrTsk.exe"

mRun-x64: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe

mRun-x64: [AVP] "c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"

mRun-x64: [iSTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI

mRun-x64: [PCTools FGuard] C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe

mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

AppInit_DLLs-X64: c:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll

.

============= SERVICES / DRIVERS ===============

.

R0 KLBG;Kaspersky Lab Boot Guard Driver;C:\Windows\system32\DRIVERS\klbg.sys --> C:\Windows\system32\DRIVERS\klbg.sys [?]

R0 PCTCore;PCTools KDS;C:\Windows\system32\drivers\PCTCore64.sys --> C:\Windows\system32\drivers\PCTCore64.sys [?]

R0 pctDS;PC Tools Data Store;C:\Windows\system32\drivers\pctDS64.sys --> C:\Windows\system32\drivers\pctDS64.sys [?]

R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\system32\drivers\pctEFA64.sys --> C:\Windows\system32\drivers\pctEFA64.sys [?]

R0 SbAlg;SbAlg;C:\Windows\System32\drivers\SbAlg.sys [2010-2-1 51800]

R0 SbFsLock;SbFsLock;C:\Windows\System32\drivers\SbFsLock.sys [2010-2-1 13256]

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys --> C:\Windows\system32\DRIVERS\klim6.sys [?]

R1 PCTSD;PC Tools Spyware Doctor Driver;C:\Windows\system32\Drivers\PCTSD64.sys --> C:\Windows\system32\Drivers\PCTSD64.sys [?]

R1 RsvLock;RsvLock;C:\Windows\System32\drivers\rsvlock.sys [2010-2-1 40088]

R2 AVP;Kaspersky Anti-Virus;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe [2010-6-18 377600]

R2 Browser Defender Update Service;Browser Defender Update Service;C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [2011-7-15 337872]

R2 CenLPD;CenLPD;C:\Program Files (x86)\Century\TinyTERM\NetUtils\CenLPD.exe [2011-5-9 102400]

R2 HP ProtectTools Service;HP ProtectTools Service;C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-1-12 36864]

R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-17 682040]

R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-1-25 92216]

R2 HpFkCryptService;Drive Encryption Service;C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2010-2-1 281192]

R2 HPFSService;File Sanitizer for HP ProtectTools;C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2009-12-11 297984]

R2 KASYNTKS36468151087708;Kaseya Agent;C:\Program Files (x86)\Kaseya\SYNTKS36468151087708\AgentMon.exe [2011-5-20 835584]

R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-3-1 373640]

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2010-9-17 15928]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]

R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-4-24 1128952]

R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2011-7-15 371472]

R2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2011-7-15 1117144]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-4-24 2320920]

R3 DEBridge;DEBridge;C:\Program Files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe [2010-2-1 704512]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\drivers\HECIx64.sys --> C:\Windows\system32\drivers\HECIx64.sys [?]

R3 KAPFA;KAPFA;\??\C:\Windows\system32\drivers\KAPFA.SYS --> C:\Windows\system32\drivers\KAPFA.SYS [?]

R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\system32\DRIVERS\klmouflt.sys --> C:\Windows\system32\DRIVERS\klmouflt.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 DAMDrv;DAMDrv;C:\Windows\system32\DRIVERS\DAMDrv64.sys --> C:\Windows\system32\DRIVERS\DAMDrv64.sys [?]

S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]

S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\Windows\SysWOW64\flcdlock.exe [2009-12-7 362040]

S3 Impcd;Impcd;C:\Windows\system32\drivers\Impcd.sys --> C:\Windows\system32\drivers\Impcd.sys [?]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 OxPPort;OxPPort;C:\Windows\system32\drivers\OxPPort.sys --> C:\Windows\system32\drivers\OxPPort.sys [?]

S3 OxSer;OxSer;C:\Windows\system32\drivers\OxSer.sys --> C:\Windows\system32\drivers\OxSer.sys [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]

.

=============== Created Last 30 ================

.

2011-07-26 20:43:54 -------- d-----w- C:\Users\synadmin02\AppData\Local\Hewlett-Packard

2011-07-26 20:39:29 -------- d-----w- C:\Users\synadmin02\AppData\Local\Threat Expert

2011-07-26 20:34:08 -------- d-----w- C:\Users\synadmin02\AppData\Roaming\Malwarebytes

2011-07-26 20:34:04 -------- d-----w- C:\Users\synadmin02\AppData\Local\PDFC

2011-07-26 20:34:03 -------- d-----w- C:\Users\synadmin02\AppData\Local\LogMeIn

2011-07-15 13:08:18 767952 ----a-w- C:\Windows\BDTSupport.dll

2011-07-15 13:08:18 2078672 ----a-w- C:\Windows\PCTBDCore.dll

2011-07-15 13:08:18 149456 ----a-w- C:\Windows\SGDetectionTool.dll

2011-07-15 13:08:17 1533904 ----a-w- C:\Windows\PCTBDRes.dll

2011-07-15 13:04:57 816016 ----a-w- C:\Windows\System32\drivers\pctEFA64.sys

2011-07-15 13:04:57 452872 ----a-w- C:\Windows\System32\drivers\pctDS64.sys

2011-07-15 13:04:56 334976 ----a-w- C:\Windows\System32\drivers\pctgntdi64.sys

2011-07-15 13:04:56 140800 ----a-w- C:\Windows\System32\drivers\pctwfpfilter64.sys

2011-07-15 13:04:51 282440 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys

2011-07-15 13:04:44 279344 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys

2011-07-15 13:04:40 92896 ----a-w- C:\Windows\System32\drivers\pctplsg64.sys

2011-07-15 13:04:34 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools

2011-07-15 13:04:32 -------- d-----w- C:\Program Files (x86)\PC Tools Security

2011-07-15 13:02:39 -------- d-----w- C:\ProgramData\PC Tools

2011-07-15 09:07:30 8873296 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{24E3BDF3-CCB4-4522-810E-427FF040C276}\mpengine.dll

2011-07-14 17:58:17 -------- d-sh--w- C:\$RECYCLE.BIN

2011-07-14 17:45:00 -------- d-----w- C:\Users\synadmin02\AppData\Local\temp

2011-07-14 17:35:35 98816 ----a-w- C:\Windows\sed.exe

2011-07-14 17:35:35 518144 ----a-w- C:\Windows\SWREG.exe

2011-07-14 17:35:35 256000 ----a-w- C:\Windows\PEV.exe

2011-07-14 17:35:35 208896 ----a-w- C:\Windows\MBR.exe

2011-07-14 17:04:51 -------- d-----w- C:\Program Files (x86)\Trend Micro

2011-07-13 19:24:35 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-07-13 19:24:35 -------- d-----w- C:\ProgramData\Malwarebytes

2011-07-13 19:24:26 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-07-13 19:24:26 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-07-06 10:46:48 -------- d-----w- C:\Program Files\Spybot - Search & Destroy

2011-07-06 10:46:46 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2011-07-06 10:46:46 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

.

==================== Find3M ====================

.

2011-06-06 15:10:45 876032 ----a-w- C:\Windows\SysWow64\VFP6RENU.DLL

2011-06-06 15:10:45 24990 ----a-w- C:\Windows\SysWow64\VFP6RUN.EXE

2011-06-06 15:10:44 3370256 ----a-w- C:\Windows\SysWow64\VFP6R.DLL

2011-05-24 23:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe

2011-05-21 12:40:59 82432 ----a-w- C:\Windows\SysWow64\msxml4r.dll

2011-05-21 12:40:59 44544 ----a-w- C:\Windows\SysWow64\msxml4a.dll

2011-05-21 12:40:59 1233920 ----a-w- C:\Windows\SysWow64\msxml4.dll

2011-05-11 14:18:08 0 ----a-w- C:\Windows\ativpsrm.bin

2011-05-06 14:58:00 20968 ----a-w- C:\Windows\System32\pdfc_port.dll

.

============= FINISH: 16:46:54.40 ===============

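An added example, not part of the thread: the five `mPolicies-system:` lines in the DDS log above are the UAC values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. This Python snippet (function names are mine; the input is copied from the log) parses those lines and flags the values that differ from the Windows 7 defaults in the direction that helps malware. With `EnableLUA = 0`, every process started by an administrator account, including a dropped av.exe, already holds the full admin token and no elevation prompt is ever shown, which is consistent with the files written into `C:\Windows\System32` in the earlier scan.

```python
import re

# Constructed input: the mPolicies-system lines copied from the DDS log above.
SAMPLE_DDS = """
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

# DDS prints "mPolicies-system: <ValueName> = <decimal> (<hex>)"
POLICY_RE = re.compile(r"^mPolicies-system:\s+(?P<name>\w+)\s+=\s+(?P<value>-?\d+)")


def parse_policies(text):
    """Return {value_name: int} for every mPolicies-system line in the text."""
    out = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            out[m.group("name")] = int(m.group("value"))
    return out


def uac_findings(policies):
    """Return (value name, observed value, meaning) for each weakened UAC setting.

    Missing values are treated as the Windows 7 defaults (EnableLUA=1,
    ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1).
    """
    findings = []
    if policies.get("EnableLUA", 1) == 0:
        findings.append(("EnableLUA", 0,
                         "UAC is off: admin-account processes get the full token, "
                         "no elevation prompt, no Protected Mode / IL separation"))
    if policies.get("ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append(("ConsentPromptBehaviorAdmin", 0,
                         "administrators elevate silently, no consent prompt"))
    if policies.get("PromptOnSecureDesktop", 1) == 0:
        findings.append(("PromptOnSecureDesktop", 0,
                         "any prompt that does appear is drawn on the user desktop, "
                         "where another process can spoof or click it"))
    return findings


if __name__ == "__main__":
    for name, value, meaning in uac_findings(parse_policies(SAMPLE_DDS)):
        print(f"{name} = {value}: {meaning}")
```

Run against the log above it reports all three values as weakened. Whether they were set by policy (the machine carries a Kaseya agent and several remote-access tools) or by the malware cannot be told from the log alone; either way, restoring `EnableLUA = 1` belongs on the rebuild checklist, and until the machine is rebuilt the lack of UAC means any account in the local Administrators group is effectively SYSTEM.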

Hi,

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


To me personally I think that your answer is unacceptable. I have 3 PCs at home; if they all become infected I have to re-image all 3. I mean, re-imaging is always an option, I just thought that I'd give MBAM a chance. Thanks for nothing, really nothing.


I don't really understand what you mean. I gave you my recommendation based on your malware.

Like I said,

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

I'm sorry you don't think the free help we offer is satisfactory.

Hope you have a great day.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
