Backdoor:Win32/RDPopen.b

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by n.rochon, Dec 13, 2012.

  1. n.rochon

    n.rochon Private E-2

    Hello all,

    Just want to say thank you in advance for the help. Microsoft Security Essentials keeps popping up saying something along the lines of "Cleaning Items, no action necessary". Windows Firewall also keeps disabling itself, even after re-enabling it. Looking in the history of MSE it shows multiple findings of Backdoor:Win32/RDPopen.b.

    Here are the logs as instructed.

    Attached Files:

    Last edited by a moderator: Dec 13, 2012
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please ATTACH the requested logs. :major
     
  3. n.rochon

    n.rochon Private E-2

    My apologies.

    As requested..
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not finding much in the way of malware. Let's do this:

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : MusicManager ("C:\Users\Nick\AppData\Local\Programs\Google\MusicManager\MusicManager.exe") -> FOUND
      [RUN][SUSP PATH] HKCU\[...]\Run : Java Updater Module (C:\Windows\Sun\Java\bin\javaw.exe -jar C:\Windows\config\systemprofile\AppData\Local\Google\Update\Manifest\Initial\1e611a00) -> FOUND
      [RUN][ROGUE ST] HKLM\[...]\Run : HPWirelessAssistant (C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden) -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-449478598-2064282937-4253019286-1001[...]\Run : MusicManager ("C:\Users\Nick\AppData\Local\Programs\Google\MusicManager\MusicManager.exe") -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-449478598-2064282937-4253019286-1001[...]\Run : Java Updater Module (C:\Windows\Sun\Java\bin\javaw.exe -jar C:\Windows\config\systemprofile\AppData\Local\Google\Update\Manifest\Initial\1e611a00) -> FOUND
      [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
      [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
      [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
      [HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
      [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
      [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now re-run Hitman and have it remove those PUPs.

    Reboot and re-run both RogueKiller and Hitman.
    Attach both those logs.

    Also attach the MSE log that shows the infection.
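The RogueKiller registry findings quoted in the post above are a mix of one real security regression (EnableLUA set to 0, i.e. UAC switched off), one auto-start that looks like a planted payload (a javaw.exe under C:\Windows rather than Program Files, launching an extension-less file from the SYSTEM profile), and several cosmetic or vendor entries. The following is an added example, not code from the thread or from RogueKiller: it parses report lines of that format and applies the kind of severity rules an analyst uses when deciding which boxes to tick. The sample input is copied from the post; the rules (SYSTEM_DIRS, PROGRAM_DIRS, the severity assigned to each pattern) are the editor's assumptions, not RogueKiller's logic.

```python
"""Triage RogueKiller registry detections (added example; not RogueKiller's code)."""
import re
from dataclasses import dataclass, field

# Sample input: the detections quoted in the post above, verbatim.
SAMPLE_REPORT = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : MusicManager ("C:\Users\Nick\AppData\Local\Programs\Google\MusicManager\MusicManager.exe") -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Java Updater Module (C:\Windows\Sun\Java\bin\javaw.exe -jar C:\Windows\config\systemprofile\AppData\Local\Google\Update\Manifest\Initial\1e611a00) -> FOUND
[RUN][ROGUE ST] HKLM\[...]\Run : HPWirelessAssistant (C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
"""

# One report line: [CAT][SUB] HIVE\...\Key : Name (value) -> STATUS
LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\](?:\[(?P<sub>[^\]]+)\])?\s+"
    r"(?P<hive>HK[A-Z]+)\\.*?\\(?P<key>[^\\ ]+)\s*:\s*"
    r"(?P<name>.+?)\s\((?P<value>.*)\)\s*->\s*(?P<status>\w+)$"
)

# Assumptions: directories where auto-start binaries are normally expected.
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")
PROGRAM_DIRS = ("c:/program files/", "c:/program files (x86)/")
RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class Finding:
    name: str
    category: str
    key: str
    value: str
    severity: str = "INFO"
    reasons: list = field(default_factory=list)

    def add(self, severity: str, reason: str) -> None:
        """Record a reason and raise the severity if this rule is worse."""
        self.reasons.append(reason)
        if RANK[severity] > RANK[self.severity]:
            self.severity = severity


def parse_report(text: str) -> list:
    """Return one dict per recognised detection line; other lines are ignored."""
    out = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ")
        m = LINE_RE.match(line) if line else None
        if m:
            out.append(m.groupdict())
    return out


def first_executable(command: str) -> str:
    """Program part of a Run-key command line, whether quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1 : command.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def triage(d: dict) -> Finding:
    """Apply the editor's severity rules to one parsed detection."""
    f = Finding(d["name"], d["cat"], d["key"], d["value"])
    if d["cat"] == "HJ" and d["name"] == "EnableLUA" and d["value"].strip() == "0":
        f.add("HIGH", "UAC disabled (EnableLUA=0); malware turns this off to change security settings without prompts")
    elif d["cat"] == "HJ DESK":
        f.add("LOW", "desktop icon visibility setting; cosmetic and reversible")
    elif d["cat"] == "RUN":
        exe = _norm(first_executable(d["value"]))
        args = _norm(d["value"])
        if exe.startswith("c:/windows/") and not exe.startswith(SYSTEM_DIRS):
            f.add("HIGH", "auto-start binary placed under C:\\Windows outside System32/SysWOW64")
        jar = re.search(r"-jar\s+(\S+)", args)
        if jar and ("/systemprofile/" in jar.group(1) or not jar.group(1).endswith(".jar")):
            f.add("HIGH", "-jar target is extension-less or lives in the SYSTEM profile")
        if "/appdata/" in exe:
            f.add("MEDIUM", "auto-start from a user-writable directory; confirm the publisher before trusting it")
        if exe.startswith(PROGRAM_DIRS):
            f.add("LOW", "installed under Program Files" + (", launched hidden" if "/hidden" in args else ""))
    if not f.reasons:
        f.add("INFO", "no rule matched; review manually")
    return f


def triage_report(text: str) -> list:
    """Parse and triage a whole report, worst findings first."""
    findings = [triage(d) for d in parse_report(text)]
    return sorted(findings, key=lambda f: RANK[f.severity], reverse=True)


if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"{f.severity:<6} {f.name}: {'; '.join(f.reasons)}")
```

Run against the sample, the two HIGH findings are the EnableLUA hijack and the "Java Updater Module" entry; MusicManager is MEDIUM only because it starts from AppData, and the HP entry is LOW. The rules are deliberately conservative: anything they do not recognise is reported as INFO rather than silently dropped.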
     
  5. n.rochon

    n.rochon Private E-2

    Still showing up in MSE. Here are the logs. Don't remember why I got so many RK logs, but I'm attaching them all just in case.
     

    Attached Files:

  6. n.rochon

    n.rochon Private E-2

    Also, it appears that MSE doesn't generate logs. So here is a screenshot in a Word document of the history.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MSE is doing its job. Tell me what is happening now.
     
  8. n.rochon

    n.rochon Private E-2

    The firewall continues to turn off, and the popups from MSE continue to show. Otherwise, machine is running ok.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Next time it shows up, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the new log.
     
  10. n.rochon

    n.rochon Private E-2

    Haven't seen any firewall turning off, but this thing is found in MSE about 20-30 times a minute in the history. Any minute of any hour. Here is the log as requested.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's not showing up in your logs. Let's have you do this:

    Please download ComboFix to your desktop. Turn off any AV software you have before you run it. Attach the log when finished. Do not do anything while it is running or it may stall the program.
     
  12. n.rochon

    n.rochon Private E-2

    Still showing up in MSE.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    Attach both of these logs into your next reply.
     
  14. n.rochon

    n.rochon Private E-2

    Attached.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    Code:
    :processes
    :killallprocesses
    :files
    @Alternate Data Stream - 140 bytes -> C:\ProgramData\Temp:EA029835
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  16. n.rochon

    n.rochon Private E-2

    ....
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Is it still happening? I can't find it in your logs.
     
  18. n.rochon

    n.rochon Private E-2

    Yes, still showing up in the log multiple times per minute in MSE.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    Code:
    :processes
    :killallprocesses
    :files
    C:\windows\SysWOW64\lssasr.exe
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
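The file targeted by the OTL fix above, C:\windows\SysWOW64\lssasr.exe, is a near-miss of lsass.exe, a core Windows process that lives in System32. Name-squatting on system binaries is a standard trick for blending into a process list, and a human scanning a log can miss it. The following is an added example, not code from the thread or from OTL: it flags file paths whose name is within two edits of a core process name, or that use a genuine name from the wrong directory. The expected-directory table is the editor's assumption for a standard 64-bit install (svchost.exe also has a 32-bit copy in SysWOW64); the sample paths are constructed, the first being the file named in the post.

```python
"""Flag file names that impersonate core Windows processes (added example)."""

# Assumption: where each core process legitimately lives (lower-case, forward slashes).
EXPECTED_DIRS = {
    "lsass.exe": ("c:/windows/system32/",),
    "csrss.exe": ("c:/windows/system32/",),
    "smss.exe": ("c:/windows/system32/",),
    "services.exe": ("c:/windows/system32/",),
    "winlogon.exe": ("c:/windows/system32/",),
    "svchost.exe": ("c:/windows/system32/", "c:/windows/syswow64/"),
}
MAX_DISTANCE = 2  # assumption: names within two edits of a core process are suspicious

# Constructed sample; the first path is the file removed in the post above.
SAMPLE_PATHS = [
    r"C:\windows\SysWOW64\lssasr.exe",
    r"C:\Windows\System32\lsass.exe",              # genuine
    r"C:\Users\Nick\AppData\Roaming\svchost.exe",  # real name, user-writable directory
    r"C:\Windows\System32\scvhost.exe",            # two letters swapped
    r"C:\Windows\SysWOW64\svchost.exe",            # genuine 32-bit copy
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _stem(name: str) -> str:
    return name[:-4] if name.lower().endswith(".exe") else name


def check_path(path: str):
    """Return a reason string if the path looks like an impostor, else None."""
    p = path.replace("\\", "/").lower()
    directory, name = p.rsplit("/", 1)
    directory += "/"
    if name in EXPECTED_DIRS:  # genuine name: only the location can be wrong
        if directory not in EXPECTED_DIRS[name]:
            return f"{name} outside its expected directory ({directory})"
        return None
    best = min(EXPECTED_DIRS, key=lambda legit: edit_distance(_stem(name), _stem(legit)))
    dist = edit_distance(_stem(name), _stem(best))
    if dist <= MAX_DISTANCE:
        where = "" if directory in EXPECTED_DIRS[best] else f"; not in {best}'s directory either"
        return f"{name} looks like {best} (edit distance {dist}{where})"
    return None


def scan(paths) -> list:
    """Return (path, reason) for every flagged path, preserving input order."""
    flagged = []
    for p in paths:
        reason = check_path(p)
        if reason:
            flagged.append((p, reason))
    return flagged


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_PATHS):
        print(f"SUSPECT {path}: {reason}")
```

On the sample, lssasr.exe, the AppData svchost.exe and scvhost.exe are flagged and the two genuine copies pass. A distance of two will also catch some harmless short names, so treat a hit as something to check against the file's signature and location, not as a verdict on its own.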
     
  20. n.rochon

    n.rochon Private E-2

    Sorry for the delay! Computer has been running better, not turning off the firewall, BUT....the instance is still showing up in MSE.
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know what to tell you. It is not showing up in any of your logs. Let me consult with my colleagues.
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go into MSE and delete the history. Then tell me if it shows up again.
     
