This was performed on a virtual machine.
__________________________________________________________________________________
Looks similar to Microsoft Security Essentials, a legitimate antivirus.
It is not very aggressive.
Here is one of the alerts to the right:
__________________________________________________________________________________
RogueKiller
¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] BV88e.exe -- C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 780 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Best Virus Protection ("C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe" /s /d) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-515967899-484763869-854245398-1003[...]\Run : Best Virus Protection ("C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe" /s /d) -> FOUND
[] HKLM\[...]\Windows : () -> ACCESS DENIED
[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> FOUND
[IFEO] HKLM\[...]\Image File Execution Options : aAvgApi.exe (svchost.exe) -> FOUND
[IFEO] HKLM\[...]\Image File Execution Options : AAWTray.exe (svchost.exe) -> FOUND
[IFEO] HKLM\[...]\Image File Execution Options : About.exe (svchost.exe) -> FOUND
Many more IFEO entries...
__________________________________________________________________________________
TDSSKiller
19:33:12.0787 2416 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:33:12.0797 2416 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
19:33:12.0797 2416 ACPI ( Virus.Win32.Rloader.a ) - infected
19:33:12.0797 2416 ACPI - detected Virus.Win32.Rloader.a (0)
19:34:04.0641 2408 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
19:34:04.0641 2408 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
__________________________________________________________________________________
MBAM
Registry Values Detected: 16
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|0 (Security.Hijack) -> Data: msseces.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|1 (Security.Hijack) -> Data: MSASCui.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|2 (Security.Hijack) -> Data: ekrn.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|3 (Security.Hijack) -> Data: egui.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|4 (Security.Hijack) -> Data: avgnt.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|5 (Security.Hijack) -> Data: avcenter.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|6 (Security.Hijack) -> Data: avscan.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|7 (Security.Hijack) -> Data: avgfrw.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|8 (Security.Hijack) -> Data: avgui.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|9 (Security.Hijack) -> Data: avgtray.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|10 (Security.Hijack) -> Data: avgscanx.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|11 (Security.Hijack) -> Data: avgcfgex.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|12 (Security.Hijack) -> Data: avgemc.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|13 (Security.Hijack) -> Data: avgchsvx.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|14 (Security.Hijack) -> Data: avgcmgr.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|15 (Security.Hijack) -> Data: avgwdsvc.exe -> Quarantined and deleted successfully.
HKCR\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|URL (Hijack.SearchPage) -> Bad: (hxxp://findgala.com/?&uid=7&q={searchTerms}) Good: (hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and repaired successfully.
Files Detected: 5
C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe (Rogue.PersonalSecuritySentinel) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Desktop\Best Virus Protection.lnk (Rogue.BestVirusProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Application Data\Microsoft\Internet Explorer\Quick Launch\Best Virus Protection.lnk (Rogue.BestVirusProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Start Menu\Programs\Best Virus Protection.lnk (Rogue.BestVirusProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Start Menu\Best Virus Protection.lnk (Rogue.BestVirusProtection) -> Quarantined and deleted successfully.
__________________________________________________________________________________
CF (ComboFix)
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\thisisu\Application Data\Best Virus Protection
c:\documents and settings\thisisu\Application Data\Best Virus Protection\Instructions.ini
c:\documents and settings\thisisu\Recent\ANTIGEN.dll
c:\documents and settings\thisisu\Recent\CLSV.dll
c:\documents and settings\thisisu\Recent\CLSV.tmp
c:\documents and settings\thisisu\Recent\delfile.dll
c:\documents and settings\thisisu\Recent\eb.tmp
c:\documents and settings\thisisu\Recent\energy.drv
c:\documents and settings\thisisu\Recent\fix.drv
c:\documents and settings\thisisu\Recent\PE.dll
c:\documents and settings\thisisu\Recent\PE.exe
c:\documents and settings\thisisu\Recent\PE.tmp
c:\documents and settings\thisisu\Recent\runddlkey.exe
c:\documents and settings\thisisu\Recent\SICKBOY.drv
c:\documents and settings\thisisu\Recent\sld.dll
c:\documents and settings\thisisu\Recent\sld.sys
__________________________________________________________________________________
MGtools
"C:\Documents and Settings\All Users\Application Data\"
4BE81 Mar 8 2012 "4be81"
BVVJIFP Mar 8 2012 "BVVJIFP" -> BVNYP.cfg
Directory of C:\Documents and Settings\All Users\Application Data\4be81
03/08/2012 07:24 PM 4,286 BVP.ico
03/08/2012 07:24 PM <DIR> BVPSys
03/08/2012 07:24 PM <DIR> Quarantine Items
1 File(s) 4,286 bytes
"C:\Documents and Settings\thisisu\Desktop\"
525.mof Mar 8 2012 340 "525.mof"
BVPSYS Mar 8 2012 "BVPSys"
QUARAN~1 Mar 8 2012 "Quarantine Items"
__________________________________________________________________________________
Misc notes:
Adds its own entry to the Security Center cache / WMI.
Use Windows Repair by Tweaking.com -> Repair WMI to fix.
__________________________________________________________________________________
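Added example, not output of any of the tools above and not part of the original post: a small Python triage script that turns lines like the RogueKiller, TDSSKiller and MBAM excerpts on this page into structured indicators, so that the three blocking mechanisms this rogue uses (IFEO Debugger redirects to svchost.exe, the Explorer DisallowRun policy list, and the Run-key persistence) can be pulled out of a log in one pass. The SAMPLE_LOG lines are copied from the excerpts above (the Run-key lines re-joined onto one line); the indicator categories, regexes and function names are my own.

```python
"""Triage of removal-tool log lines into structured indicators.

Added example for this write-up. SAMPLE_LOG is copied from the RogueKiller,
TDSSKiller and MBAM excerpts on the page; categories and names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # what the line tells us about the infection
    target: str  # the process, driver or registry object affected
    detail: str  # redirect target, command line, hash pair or URL


# One regex per log line shape we care about.
IFEO_RE = re.compile(
    r"^\[IFEO\] .*Image File Execution Options : (?P<exe>\S+) \((?P<debugger>[^)]+)\)")
DISALLOW_RE = re.compile(
    r"Policies\\Explorer\\DisallowRun\|\d+ \([^)]+\) -> Data: (?P<exe>\S+)")
RUN_RE = re.compile(
    r"^\[SUSP PATH\] (?P<hive>HK\S+?)\\?\[\.\.\.\]\\Run : (?P<name>.+?) \((?P<cmd>.+)\) -> FOUND$")
PROC_RE = re.compile(r"^\[SUSP PATH\] (?P<exe>\S+) -- (?P<path>.+?) -> KILLED")
SEARCH_RE = re.compile(r"\(Hijack\.SearchPage\) -> Bad: \((?P<bad>hxxp[^)]+)\)")
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})")


def parse_line(line):
    """Map one log line to an Indicator, or None if it carries nothing actionable."""
    line = line.strip()
    if m := IFEO_RE.match(line):
        # A Debugger value under IFEO\<exe> makes Windows start the "debugger"
        # instead of <exe>; pointing it at svchost.exe silently neuters the tool.
        return Indicator("ifeo_hijack", m["exe"], m["debugger"])
    if m := DISALLOW_RE.search(line):
        # Each DisallowRun value names a binary Explorer refuses to launch.
        return Indicator("disallow_run", m["exe"], "blocked by Explorer policy")
    if m := RUN_RE.match(line):
        return Indicator("run_persistence", m["hive"], f'{m["name"]} = {m["cmd"]}')
    if m := PROC_RE.match(line):
        return Indicator("rogue_process", m["exe"], m["path"])
    if m := SEARCH_RE.search(line):
        return Indicator("search_hijack", "IE SearchScopes", m["bad"])
    if m := FORGED_RE.search(line):
        # Two different hashes for one file: the content the tool reads does not
        # match what the filesystem presents, which is why it is flagged as forged.
        return Indicator("forged_driver", m["path"], f'real={m["real"]} fake={m["fake"]}')
    return None


def triage(lines):
    """Unique indicators found in the log lines, in first-seen order."""
    seen, out = set(), []
    for line in lines:
        ind = parse_line(line)
        if ind and ind not in seen:
            seen.add(ind)
            out.append(ind)
    return out


def blocked_tools(indicators):
    """Binaries the rogue stops from running, by either mechanism, lower-cased."""
    return sorted({i.target.lower() for i in indicators
                   if i.kind in ("ifeo_hijack", "disallow_run")})


def counts(indicators):
    """Number of indicators per kind."""
    c = {}
    for i in indicators:
        c[i.kind] = c.get(i.kind, 0) + 1
    return c


# Lines copied from the excerpts on this page (constructed input for the example).
SAMPLE_LOG = [
    r"[SUSP PATH] BV88e.exe -- C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe -> KILLED [TermProc]",
    r'[SUSP PATH] HKCU\[...]\Run : Best Virus Protection ("C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe" /s /d) -> FOUND',
    r'[SUSP PATH] HKUS\S-1-5-21-515967899-484763869-854245398-1003[...]\Run : Best Virus Protection ("C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe" /s /d) -> FOUND',
    r"[] HKLM\[...]\Windows : () -> ACCESS DENIED",
    r"[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> FOUND",
    r"[IFEO] HKLM\[...]\Image File Execution Options : aAvgApi.exe (svchost.exe) -> FOUND",
    r"[IFEO] HKLM\[...]\Image File Execution Options : AAWTray.exe (svchost.exe) -> FOUND",
    r"19:33:12.0797 2416 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17",
    r"19:33:12.0797 2416 ACPI ( Virus.Win32.Rloader.a ) - infected",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|0 (Security.Hijack) -> Data: msseces.exe -> Quarantined and deleted successfully.",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|1 (Security.Hijack) -> Data: MSASCui.exe -> Quarantined and deleted successfully.",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|2 (Security.Hijack) -> Data: ekrn.exe -> Quarantined and deleted successfully.",
    r"HKCR\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|URL (Hijack.SearchPage) -> Bad: (hxxp://findgala.com/?&uid=7&q={searchTerms}) Good: (hxxp://www.google.com/search?q={searchTerms}) -> Quarantined and repaired successfully.",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ind in found:
        print(f"{ind.kind:16} {ind.target:50} {ind.detail}")
    print("blocked:", ", ".join(blocked_tools(found)))
```

The `[] ... ACCESS DENIED` and `- infected` lines deliberately fall through to `None`: they tell you something is there but not what to remove, so they are left for the analyst rather than turned into an indicator. `blocked_tools` merges the IFEO and DisallowRun targets into one list, which is the quickest way to see which security products a rogue of this kind is trying to keep off the machine.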