[lunarlander]

Hi,

Just did a event log review and Windows Defender found something. EventID is 3004. It found a "service:rkpavproc1" which is presumably newly added and it says it looks suspicious.

Googled it and the Prevx site says it is a worm. And it has an extension of SYS.

Couldnt find a file named like that. Checked the registry for something named like that and didnt find any. Did a Panda online Active Scan and didnt find anything. Did a Kaspersky online scan and found nothing. Did some event log cross referencing by time and couldn't find anything suspicious in Application, Security or System logs - Admin wasn't logged in, and there were no application crashes near that time. Ran the Backlight rootkit finder and didnt find anything either. Did a HijackThis log and it isnt listed under services section.

The WindowsDefender event didnt say that it removed the file, only telling me that it was suspcious and to review it. But I can't find it..

I suck at forensics. Anyone have any ideas on what to look for?

Its a Vista Business SP1 box.

[Phantom010]

You should remove Windows Defender and get SuperAntiSpyware and Malwarebyte's Anti-Malware. Scan your computer again and see what it finds and removes.

What's your antivirus, or do you have one, other than online scanners? Does it show the file?

[lunarlander]

My onboard antivirus is Avast - it didnt find anything either. I will try MalwareBytes now

Cannot remove Windows Defender on a Vista machine, it is built in I think

[jillian2]

Quote:

Originally Posted by lunarlander

My onboard antivirus is Avast - it didnt find anything either. I will try MalwareBytes now

Cannot remove Windows Defender on a Vista machine, it is built in I think

Launch Windows Defender and at the top > Click Tools >then Click Software Explorer > On the left side , make sure that "Start-Up " Programs are showing > Highlight Windows Defender.> At the bottom on the right side you have an option to either "Disable " or "Remove " Defender from start-up.

[lunarlander]

MalwareBytes found nothing

[Phantom010]

What did Windows Defender do with the file? Did it quarantine it? Perhaps that's why no other program is showing the file.

[lunarlander]

No I don't think Windows Defender put it into quarantine. Here's what it says in the event log:

"Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow."
For more information please see the following:
Not Applicable
Scan ID: {4C495F79-18F9-45D4-828E-61AE8DA67478}
User: @@@@@@
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: service:RkPavproc1
Alert Type: Unclassified software
Detection Type:


It didn't prompt me or anything.

[Phantom010]

Does it still find it?

[lunarlander]

Ha, I found it.

I ran the Panda online ActiveScan again, and checked the event log, there it appears again. So it belongs to Panda ActiveScan.

Thanks for all your help.