
I have a back.door trojan and Malwarebytes can't remove it



I run Malwarebytes and it reports that I have a back.door trojan. It says it is at the winlogon\shell location in the registry and says it will be removed at reboot. However, once rebooted, the key is still there. The key points to a file at c:\Users\Abby\appdata\local\4d06512d\x however, there is no file or directory under "local" by that name. It appears the program is correctly identifying a trojan but isn't finding the file. At least not yet.

The computer also keeps trying to hit various IP addresses, like 206.161.121.100 and 67.29.139.153 and Malwarebytes is correctly blocking those attempts.

How do I find the rest of this trojan and remove it? Attached is the DDS log.

Thanks!

Chris

I'm not sure the attachment worked. Here it is again.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7600.16385

Run by Abby at 16:41:18 on 2011-10-17

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3824.1655 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\WLANExt.exe

C:\windows\system32\conhost.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Status Monitor\dlp1Adb.exe

C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe

C:\windows\system32\Dwm.exe

C:\windows\system32\taskhost.exe

C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe

C:\windows\explorer.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe

C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PaperPort\PDFProFiltSrvPP.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\ThpSrv.exe

C:\windows\system32\TODDSrv.exe

C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\TECO\TecoService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe

C:\windows\system32\wbem\unsecapp.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\Power Saver\TPwrMain.exe

C:\Program Files\Toshiba\SmoothView\SmoothView.exe

C:\Program Files\Toshiba\FlashCards\TCrdMain.exe

C:\Program Files\Toshiba\TECO\Teco.exe

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\System32\ThpSrv.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe

C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\windows\system32\igfxext.exe

C:\windows\system32\igfxsrvc.exe

C:\Program Files (x86)\Copernic Desktop Search - Home\DesktopSearchService.exe

C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe

C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files (x86)\Cloudmark\Desktop\Service\cdswin.exe

C:\windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PaperPort\pptd40nt.exe

C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PDFViewer\pdfPro5Hook.exe

C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Updater\dlu1Aupr.exe

C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Launcher\dlq1Alauncher.exe

C:\Program Files (x86)\Browny02\BrYNSvc.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Status Monitor\dlp1AW.exe

C:\windows\system32\conhost.exe

C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Status Monitor\dlp1Awj.exe

C:\windows\system32\conhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\windows\system32\DllHost.exe

C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Copernic Desktop Search - Home\DesktopSearch.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\windows\system32\SearchProtocolHost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://my.yahoo.com/

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND

uInternet Settings,ProxyOverride = <local>;*.local

uWinlogon: Shell=C:\Users\Abby\AppData\Local\4d06512d\X

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PDFViewer\Bin\PlusIEContextMenu.dll

BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - C:\ProgramData\Partner\Partner.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - C:\Program Files (x86)\Copernic Desktop Search - Home\Toolbar\ToolbarContainer101000325.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [Copernic Desktop Search - Home] "C:\Program Files (x86)\Copernic Desktop Search - Home\DesktopSearchService.exe" /tray

uRun: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler

uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

mRun: [TOSDCR] %ProgramFiles%\TOSHIBA\PasswordUtility\TOSDCR.exe

mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun: [brMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun

mRun: [brStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [indexSearch] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PaperPort\IndexSearch.exe"

mRun: [PaperPort PTD] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PaperPort\pptd40nt.exe"

mRun: [PDFHook] C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PDFViewer\pdfpro5hook.exe

mRun: [PDF5 Registry Controller] C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PDFViewer\RegistryController.exe

mRun: [RUNUPDATER] C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Updater\dlu1Aupr.exe

mRun: [Dell 1355 MFP Launcher] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Launcher\dlq1Alauncher.exe" /Run

mRun: [Dell 1355 MFP RUN] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Status Monitor\dlp1ARun.exe"

mRun: [statusAutoRun] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Status Monitor\dlp1Apl.exe" RUNSTART

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BILLMI~1.LNK - C:\Program Files (x86)\Quicken\billmind.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CLOUDM~1.LNK - C:\Program Files (x86)\Cloudmark\Desktop\Service\cdswin.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKE~1.LNK - C:\Program Files (x86)\Quicken\bagent.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKE~2.LNK - C:\Program Files (x86)\Quicken\QWDLLS.EXE

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

Trusted Zone: zipformonline.com\www.plr

DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} - hxxp://actris.mlxchange.com/5.2.03.11234/Control/FileCruiser.cab

DPF: {16FD824B-8E7B-11D2-9855-00802962956C} - hxxp://actris.mlxchange.com/5.2.03.11234/Control/Specfile.cab

DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://actris.mlxchange.com/5.2.03.11234/Control/MLSClientUtils.cab

DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} - hxxp://actris.mlxchange.com/5.2.03.11234/Control/LiteGrid.cab

DPF: {7A7537FC-5988-11D3-8B33-00104B9E5A4A} - hxxp://actris.mlxchange.com/5.2.03.11234/Control/IRCWebPrint.cab

DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://actris.mlxchange.com/5.2.03.11234/Control/IRCSharc.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} - hxxp://actris.mlxchange.com/5.2.03.11234/Control/WebDog.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://realtytrac.webex.com/client/T27LC/webex/ieatgpc1.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} - hxxp://actris.mlxchange.com/5.2.03.11234/Control/AspCustomCtrls.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{DAE3E714-CB39-4AE1-A969-D75D051BA60C} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{DAE3E714-CB39-4AE1-A969-D75D051BA60C}\76F676F696E666C696768647 : DhcpNameServer = 172.19.134.2

TCP: Interfaces\{DAE3E714-CB39-4AE1-A969-D75D051BA60C}\D6F6E6B65697 : DhcpNameServer = 68.87.69.150 68.87.85.102

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

BHO-X64: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PDFViewer\Bin\PlusIEContextMenu.dll

BHO-X64: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB-X64: Copernic Desktop Search - Home Toolbar: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - C:\Program Files (x86)\Copernic Desktop Search - Home\Toolbar\ToolbarContainer101000325.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [TOSDCR] %ProgramFiles%\TOSHIBA\PasswordUtility\TOSDCR.exe

mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"

mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED

mRun-x64: [brMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

mRun-x64: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun

mRun-x64: [brStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [indexSearch] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PaperPort\IndexSearch.exe"

mRun-x64: [PaperPort PTD] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PaperPort\pptd40nt.exe"

mRun-x64: [PDFHook] C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PDFViewer\pdfpro5hook.exe

mRun-x64: [PDF5 Registry Controller] C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PDFViewer\RegistryController.exe

mRun-x64: [RUNUPDATER] C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Updater\dlu1Aupr.exe

mRun-x64: [Dell 1355 MFP Launcher] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Launcher\dlq1Alauncher.exe" /Run

mRun-x64: [Dell 1355 MFP RUN] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Status Monitor\dlp1ARun.exe"

mRun-x64: [statusAutoRun] "C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Status Monitor\dlp1Apl.exe" RUNSTART

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

.

============= SERVICES / DRIVERS ===============

.

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]

R1 MpFilter;Microsoft Malware Protection Driver;C:\windows\system32\DRIVERS\MpFilter.sys --> C:\windows\system32\DRIVERS\MpFilter.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]

R2 DLNADB;Dell 1355cn Status Database;C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\Status Monitor\dlp1Adb.exe [2011-1-28 90432]

R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-7-6 375176]

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-1-11 15928]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\windows\system32\drivers\LMIRfsDriver.sys --> C:\windows\system32\drivers\LMIRfsDriver.sys [?]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-10-17 366152]

R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2010-10-23 123320]

R2 PDFProFiltSrvPP;PDFProFiltSrvPP;C:\Program Files (x86)\Dell Printers\Dell 1355 Multifunction Color Printer\PaperPort\PDFProFiltSrvPP.exe [2010-6-15 144672]

R2 risdpcie;risdpcie;C:\windows\system32\DRIVERS\risdpe64.sys --> C:\windows\system32\DRIVERS\risdpe64.sys [?]

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-10-17 1153368]

R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\TECO\TecoService.exe [2010-4-23 259440]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-10-23 2320920]

R3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2010-12-7 245760]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\windows\system32\DRIVERS\e1k62x64.sys --> C:\windows\system32\DRIVERS\e1k62x64.sys [?]

R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]

R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]

R3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]

R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETwNs64.sys --> C:\windows\system32\DRIVERS\NETwNs64.sys [?]

R3 NisDrv;Microsoft Network Inspection System;C:\windows\system32\DRIVERS\NisDrvWFP.sys --> C:\windows\system32\DRIVERS\NisDrvWFP.sys [?]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]

R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]

R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-10-23 54136]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]

R3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2010-5-10 836016]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]

R3 wdkmd;Intel WiDi KMD;C:\windows\system32\DRIVERS\WDKMD.sys --> C:\windows\system32\DRIVERS\WDKMD.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-29 136176]

S2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2010-10-23 126392]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-29 136176]

S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\windows\system32\DRIVERS\MpNWMon.sys --> C:\windows\system32\DRIVERS\MpNWMon.sys [?]

S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-10-19 340240]

S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETw5s64.sys --> C:\windows\system32\DRIVERS\NETw5s64.sys [?]

S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\windows\system32\DRIVERS\nusb3hub.sys --> C:\windows\system32\DRIVERS\nusb3hub.sys [?]

S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\windows\system32\DRIVERS\nusb3xhc.sys --> C:\windows\system32\DRIVERS\nusb3xhc.sys [?]

S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2010-7-29 332272]

S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S3 WSDPrintDevice;WSD Print Support via UMB;C:\windows\system32\DRIVERS\WSDPrint.sys --> C:\windows\system32\DRIVERS\WSDPrint.sys [?]

.

=============== Created Last 30 ================

.

2011-10-17 21:10:02 41272 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-10-17 19:53:17 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{51AA931B-B177-4E64-9890-5D4BF0872221}\offreg.dll

2011-10-17 19:19:42 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-10-17 18:17:11 256000 ----a-w- C:\windows\PEV.exe

2011-10-17 18:17:11 208896 ----a-w- C:\windows\MBR.exe

2011-10-17 18:17:10 98816 ----a-w- C:\windows\sed.exe

2011-10-17 18:17:10 518144 ----a-w- C:\windows\SWREG.exe

2011-10-17 17:38:09 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2011-10-17 17:38:09 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2011-10-17 16:13:03 -------- d-----w- C:\Program Files (x86)\Free Window Registry Repair

2011-10-17 15:59:41 9049936 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{51AA931B-B177-4E64-9890-5D4BF0872221}\mpengine.dll

2011-10-17 15:52:05 3134976 ----a-w- C:\windows\System32\win32k.sys

2011-10-17 15:20:40 -------- d-----w- C:\Program Files (x86)\VS Revo Group

2011-10-17 15:13:20 25416 ----a-w- C:\windows\System32\drivers\mbam.sys

2011-10-17 12:45:44 -------- d-----w- C:\Users\Abby\AppData\Roaming\Malwarebytes

2011-10-17 12:44:15 -------- d-----w- C:\ProgramData\Malwarebytes

2011-10-12 20:41:30 -------- d-----w- C:\Program Files\iTunes

2011-10-12 20:41:30 -------- d-----w- C:\Program Files\iPod

2011-10-12 20:41:30 -------- d-----w- C:\Program Files (x86)\iTunes

2011-10-12 20:39:37 -------- d-----w- C:\Program Files\Bonjour

2011-10-12 20:39:37 -------- d-----w- C:\Program Files (x86)\Bonjour

2011-10-12 12:29:48 -------- d-sh--w- C:\Users\Abby\AppData\Local\4d06512d

2011-10-11 15:08:41 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2925B0C8-3118-4F27-A46E-8E787C3D9795}\gapaengine.dll

.

==================== Find3M ====================

.

2011-10-12 12:38:30 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-07 18:34:59 87456 ----a-w- C:\windows\System32\LMIRfsClientNP.dll

2011-10-07 18:34:58 80768 ----a-w- C:\windows\System32\LMIinit.dll

2011-10-07 18:34:58 34688 ----a-w- C:\windows\System32\LMIport.dll

2011-08-31 04:05:32 96104 ----a-w- C:\windows\System32\dns-sd.exe

2011-08-31 04:05:32 85864 ----a-w- C:\windows\System32\dnssd.dll

2011-08-31 04:05:32 61288 ----a-w- C:\windows\System32\jdns_sd.dll

2011-08-31 04:05:32 212840 ----a-w- C:\windows\System32\dnssdX.dll

2011-08-31 04:05:04 83816 ----a-w- C:\windows\SysWow64\dns-sd.exe

2011-08-31 04:05:04 73064 ----a-w- C:\windows\SysWow64\dnssd.dll

2011-08-31 04:05:04 50536 ----a-w- C:\windows\SysWow64\jdns_sd.dll

2011-08-31 04:05:04 178536 ----a-w- C:\windows\SysWow64\dnssdX.dll

2011-08-27 05:40:28 861184 ----a-w- C:\windows\System32\oleaut32.dll

2011-08-27 05:40:28 331776 ----a-w- C:\windows\System32\oleacc.dll

2011-08-27 04:43:07 571904 ----a-w- C:\windows\SysWow64\oleaut32.dll

2011-08-27 04:43:06 233472 ----a-w- C:\windows\SysWow64\oleacc.dll

2011-08-17 05:32:24 613888 ----a-w- C:\windows\System32\psisdecd.dll

2011-08-17 05:27:46 75776 ----a-w- C:\windows\System32\MSDvbNP.ax

2011-08-17 05:27:46 288256 ----a-w- C:\windows\System32\MSNP.ax

2011-08-17 05:27:46 108032 ----a-w- C:\windows\System32\psisrndr.ax

2011-08-17 05:27:46 104960 ----a-w- C:\windows\System32\Mpeg2Data.ax

2011-08-17 04:26:02 465408 ----a-w- C:\windows\SysWow64\psisdecd.dll

2011-08-17 04:22:23 75776 ----a-w- C:\windows\SysWow64\psisrndr.ax

2011-08-17 04:22:23 72704 ----a-w- C:\windows\SysWow64\Mpeg2Data.ax

2011-08-17 04:22:23 59904 ----a-w- C:\windows\SysWow64\MSDvbNP.ax

2011-08-17 04:22:23 204288 ----a-w- C:\windows\SysWow64\MSNP.ax

2011-07-22 05:35:08 1638912 ----a-w- C:\windows\System32\mshtml.tlb

2011-07-22 04:56:17 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb

.

============= FINISH: 16:42:12.54 ===============


I have kept working on this with no success. But what I do know is that I can delete the registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell and it comes back instantly. I just click to another key and then back to Winlogon and it has returned. The value for shell is always the same: c:\Users\Abby\appdata\local\4d06512d\x

I have also done this in safe mode and looked at all processes and services and none seem to be incorrect. I looked at the directory and there is no folder of files by the name \4d06512d\x. There is also no clear file in the root.
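As an added example, not part of this thread or of any tool it mentions, the following PowerShell audit checks the Winlogon Shell persistence point described in the two posts above. It reads the Shell value from both HKCU and HKLM, flags anything other than the default explorer.exe, and then inspects the referenced executable and its parent directory using -Force so that a hidden/system directory (the d-sh--w- attributes the DDS log shows for 4d06512d) is not silently skipped the way a normal folder listing skips it. The path C:\Users\Abby\AppData\Local\4d06512d\X is the one quoted in the thread; the function name and output fields are assumptions of this example.

```powershell
# Added example: audit HKCU/HKLM Winlogon\Shell for non-default shells.
# Default Shell on Windows 7 is "explorer.exe" under HKLM; a Shell value
# under HKCU is itself unusual and worth a look.
# Path C:\Users\Abby\AppData\Local\4d06512d\X is from the thread; the
# function name Get-WinlogonShellFinding is a hypothetical name for this example.

$WinlogonKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-WinlogonShellFinding {
    foreach ($key in $WinlogonKeys) {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if (-not $shell) { continue }          # no Shell value here: nothing to report

        # Shell may hold several comma-separated commands; examine each one.
        foreach ($entry in ($shell -split ',')) {
            $cmd = $entry.Trim()
            if ($cmd -ieq 'explorer.exe') { continue }   # the expected default

            # Recover the executable path: quoted path, or first whitespace token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }

            $fileExists = Test-Path -LiteralPath $exe -PathType Leaf
            $dir        = Split-Path -Path $exe -Parent
            $dirAttr    = $null
            $dirFiles   = @()
            if ($dir -and (Test-Path -LiteralPath $dir)) {
                # -Force is what reveals hidden/system items that Explorer and
                # a plain Get-ChildItem would not show.
                $dirAttr  = (Get-Item -LiteralPath $dir -Force).Attributes
                $dirFiles = (Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue).Name
            }

            [pscustomobject]@{
                Key           = $key
                ShellCommand  = $cmd
                Executable    = $exe
                FileExists    = $fileExists
                DirAttributes = $dirAttr        # e.g. "Hidden, System, Directory"
                DirContents   = ($dirFiles -join ', ')
                Note          = 'Non-default Winlogon Shell value: verify before trusting'
            }
        }
    }
}

# Usage: list every non-default Shell command with what is on disk behind it.
Get-WinlogonShellFinding | Format-List
```

If the value reappears within seconds of being deleted, as described above, some still-running process or scheduled task is rewriting it; re-run the audit from a clean boot environment (offline, from another OS or a rescue disk) to inspect the hidden directory, rather than relying on a listing taken while the infected session is running.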


It looks like I fixed this. I tried about 12 different removal tools and none could find the Trojans. Malwarebytes could see the reg key but as soon as it was deleted it was added back. It also couldn't find the hidden directory and exe. I looked in every way I could and it just wasn't visible.

I am posting this in case someone else is bit. AdAware found and removed Trojan.Win32.Generic/BT and Trojan.Win32.Smadow.b(v). It also found a file vtapi.dll.vir and deleted it. Funny enough, it left the reg key, which didn't matter because it deleted the file and directory at c:\Users\Abby\appdata\local\4d06512d\x

Malwarebytes kept seeing the outbound internet attempts and blocked them but couldn't get rid of it. A new one for you to work on.


2 weeks later...

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
