BleepingComputer.com: Has a very resilient trojan

Mod Edit: Moved to Proper forum~~ boop

I've recently been battling with a trojan that got onto my computer while ironically doing the most innocent of activities, searching google images for a nice background.

I'm a decently tech savvy person, but at the time I didn't have any active firewalls to stop programs and one of the links I clicked was the sites which start a non-escapable download saying that malware has been found, you know the sort.

so I ended up in this long and annoying struggle.
some symptoms of it include:
-bypassing system restore(my second action)
-bypassing malwarebytes destroying the file
-shutting down firewalls and initiating network and file sharing
-I'm pretty sure that it is also latching onto and impersonating necessary windows OS applications

however, on my windows firewall with advanced security, I've noticed files that are the exact same IDs and all and while my wireless adapter was disconnected from the computer hardware wise even, there were packets being sent; if that's any significance.

I've also seen odd processes being used.
Now though, I'm pretty sure I've ridden my network of the trojans/malware, but here's a few log files

Logfile of IObit HijackScan v1.0.2.0
Scan saved at 15:36:27, on 2011-4-28

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Windows\system32\conhost.exe
C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\WN311BFCS.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
C:\Windows\System32\nvraidservice.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\ManyCam\Bin\ManyCam.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Logitech\Ereg\eReg.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Logitech\LWS\LU\LULnchr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\mmc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll
O2 - BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: DivX HiQ - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit1.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Runescape Toolbar - {a8864317-e18b-4292-99d9-e6e65ab905d3} - C:\Program Files\Runescape\tbRune.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit1.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe"
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [ManyCam] "C:\Program Files\ManyCam\Bin\ManyCam.exe" /silent
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AS00_WN311B] C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe /hide
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_24 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}Java Plug-in 1.6.0_24 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_24 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: Adobe Licensing Console (Adobe Licensing Console) - Unknown - C:\Windows\system32\msvfd32.exe
O23 - Service: Apple Mobile Device (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service (AVG Security Toolbar Service) - Unknown - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgfws.exe
O23 - Service: AVGIDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown -
O23 - Service: Diagnostic Policy Service (DPS) - Unknown -
O23 - Service: FLEXnet Licensing Service (FLEXnet Licensing Service) - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) (ForceWare Intelligent Application Manager (IAM)) - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Group Policy Client (gpsvc) - Unknown -
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
O23 - Service: iPod Service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Net.Tcp Port Sharing Service (NetTcpPortSharing) - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown - C:\Windows\system32\GameMon.des
O23 - Service: ForceWare IP service (nSvcIp) - Unknown - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Quality Windows Audio Video Experience (QWAVE) - Unknown - %windir%\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown -
O23 - Service: Security Accounts Manager (SamSs) - Unknown -
O23 - Service: Secondary Logon (seclogon) - Unknown - %windir%\system32\svchost.exe
O23 - Service: Steam Client Service (Steam Client Service) - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown -
O23 - Service: Windows Modules Installer (TrustedInstaller) - Unknown -
O23 - Service: Block Level Backup Engine Service (wbengine) - Unknown - %systemroot%\system32\wbengine.exe
O23 - Service: Diagnostic Service Host (WdiServiceHost) - Unknown -
O23 - Service: Diagnostic System Host (WdiSystemHost) - Unknown -
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe
O23 - Service: Netgear WN311B Wireless Control Service (WN311BFCS) - NetGear - C:\Windows\system32\WN311BFCS.exe

This post has been edited by boopme: 28 April 2011 - 09:47 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• Please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
  
• Click the Disable button to disable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

Please download DDS by sUBs from one of the links below and save it to your desktop:


Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.


• Double-Click on dds.scr and a command window will appear. This is normal.
  
• Shortly after two logs will appear:
  
  • DDS.txt
    
  • Attach.txt
  
  
• A window will open instructing you save & post the logs
  
• Save the logs to a convenient place such as your desktop
  
• Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

• Please Download Rootkit Unhooker Save it to your desktop.
  
• Now double-click on RKUnhookerLE.exe to run it.
  
• Click the Report tab, then click Scan.
  
• Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  
• Wait till the scanner has finished and then click File, Save Report.
  
• Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".


information and logs:

In your next post I need the following


• .logs from DDS
  
• log from RKUnHooker
  
• let me know of any problems you may have had

Gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
  
• do you need more time?
  
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.