Random extensionless files that reappear after restart

[oldm]

Hi,

I've got a problem with objects that Malwarebytes flags as 'Trojan.inject' and appear in various locations on my machine and stop applications from running (the ones in which the files are located). They seem to be randomly generated characters as I cannot find anything if I Google them (they're called ndOdkY3 and yrHc5S3 for what it's worth) and have no file extensions.

If I have MWB 'remove' these objects, they get removed, then I'm asked to restart the computer to finish the operation. Except that upon restart, the files just reappear. I don't know if MWB is supposed to start up again on restart and notify me about anything, but it isn't.

If I scan these files with Microsoft Security Essentials, it doesn't detect anything, but they're obviously doing something wrong as I cannot run my applications. I've run ComboFix with little success, and rkill does absolutely nothing.

Thanks for any help

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.2.1

Run by jhornby at 15:49:28 on 2012-03-06

Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.3037.1512 [GMT 0:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe

C:\Windows\system32\svchost.exe -k apphost

C:\Program Files\Broadcom\BPowMon\BPowMon.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Dell\Dell Datasafe Online\NOBuAgent.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\system32\svchost.exe -k iissvcs

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\igfxpers.exe

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\Explorer.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Users\JHornby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\JHornby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\JHornby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\JHornby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\rundll32.exe

C:\Users\JHornby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\JHornby\AppData\Local\Google\Chrome\Application\chrome.exe

c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://intranet/method4

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.0 runtime\bin\jp2ssv.dll

TB: @c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll

EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Dell DataSafe Online] c:\program files\dell\dell datasafe online\NOBuClient.exe

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxp://m4server2:1024/VirtualServer/activex/VMRCActiveXClient.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab

TCP: DhcpNameServer = 192.168.35.99

TCP: Interfaces\{0DB19370-D840-46B9-A317-8EB0258E515D} : DhcpNameServer = 192.168.35.99

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\jhornby\appdata\roaming\mozilla\firefox\profiles\0jk8rql7.default\

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll

FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\jhornby\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\users\jhornby\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\users\jhornby\appdata\roaming\mozilla\firefox\profiles\0jk8rql7.default\extensions\coralietab@mozdev.org\plugins\npCoralIETab.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-7-15 146448]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]

R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2011-5-5 81920]

R2 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-6 652360]

R2 NOBU;Dell DataSafe Online;c:\program files\dell\dell datasafe online\NOBuAgent.exe [2010-8-25 2075480]

R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-7-15 283152]

R3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2011-5-5 273960]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-6 20464]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-2-28 136176]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatch12OEM.exe [2010-11-25 219632]

S2 svcGenericHost;Trend Micro Client/Server Security Agent;"c:\program files\trend micro\client server security agent\hostedagent\svcgenerichost.exe" --> c:\program files\trend micro\client server security agent\hostedagent\svcGenericHost.exe [?]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 DEWiSeptember2011QueueImporter;DEWiSeptember2011QueueImporter;c:\dewi\september2011\QueueImporter.exe [2011-9-1 69632]

S3 DEWiSummer2012QueueImporter;DEWiSummer2012QueueImporter;c:\dewi\summer2012\QueueImporter.exe [2011-10-31 70144]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-2-28 136176]

S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2010-11-25 1116656]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;"c:\program files\trend micro\client server security agent\tmpfw.exe" --> c:\program files\trend micro\client server security agent\TmPfw.exe [?]

S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;"c:\program files\trend micro\client server security agent\tmproxy.exe" --> c:\program files\trend micro\client server security agent\TmProxy.exe [?]

S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2011-1-18 54144]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-8 1343400]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2012-03-06 15:09:26 -------- d-----w- c:\windows\system32\Visual Studio 2008Templates

2012-03-06 15:09:26 -------- d-----w- c:\windows\system32\Visual Studio 2008

2012-03-06 13:14:25 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5489fa73-8cb2-4902-b9c8-dc003c183cbc}\offreg.dll

2012-03-06 12:34:26 6552120 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5489fa73-8cb2-4902-b9c8-dc003c183cbc}\mpengine.dll

2012-03-06 12:25:16 -------- d-----w- C:\$RECYCLE.BIN

2012-03-06 12:23:39 -------- d-----w- c:\users\jhornby\appdata\local\temp

2012-03-06 12:09:31 98816 ----a-w- c:\windows\sed.exe

2012-03-06 12:09:31 518144 ----a-w- c:\windows\SWREG.exe

2012-03-06 12:09:31 256000 ----a-w- c:\windows\PEV.exe

2012-03-06 12:09:31 208896 ----a-w- c:\windows\MBR.exe

2012-03-06 11:47:15 388096 ----a-r- c:\users\jhornby\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2012-03-06 10:58:14 -------- d-----w- c:\users\jhornby\appdata\roaming\Malwarebytes

2012-03-06 10:58:08 -------- d-----w- c:\programdata\Malwarebytes

2012-03-06 10:58:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-06 10:58:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-05 11:41:52 -------- d-----w- c:\users\jhornby\appdata\local\uigjklxv

2012-02-20 09:36:48 478208 ----a-w- c:\windows\system32\timedate.cpl

2012-02-20 09:36:45 690688 ----a-w- c:\windows\system32\msvcrt.dll

2012-02-20 09:36:42 442880 ----a-w- c:\windows\system32\ntshrui.dll

2012-02-20 09:36:33 2340864 ----a-w- c:\windows\system32\win32k.sys

2012-02-14 09:12:29 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e81df2c1-888a-4592-8fc9-66c2c48b985f}\gapaengine.dll

2012-02-10 14:39:15 -------- d-----w- C:\Method4Licenses

.

==================== Find3M ====================

.

2012-02-29 09:01:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe

.

============= FINISH: 15:50:19.52 ===============

I've noticed that somebody else has had this same problem too recently:

http://forums.malwarebytes.org/index.php?showtopic=107004

There are no replies though. At least I know I'm not the only one this is happening to.

DDS.txt

Attach.txt

[screen317]

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!