Author Topic: [Resolved K] Suspected malware download from a connected scammer

Offline talacrush

  • Bronze Member
  • Posts: 24
Hi,

A friend was recently contacted by a scammer claiming his PC was infected with a virus and persuaded him to download some remote access software so they could help him with it.

He fell for it initially and downloaded and ran the following software:

AA_v3
TeamViewerQS_en

This allowed the scammer into his system, but after a while he became suspicious and terminated the phone call.

I've checked out both these downloads and they seem to be genuine remote access pieces of software.  However, there is a concern of course that once the scammer had access (which he did) he may have downloaded something nasty too.  It may, on the other hand, just have been an attempt to get him to part with money for the 'help' he was receiving.

I have run Avast, Malwarebytes and SuperAntiSpyware on his PC and found nothing. I have now run DDS and would be grateful if someone could run their eyes over the logs to see if there is anything unusual there.  Your help is much appreciated.

DDS log pasted below:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Mike at 18:12:37 on 2012-01-29
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.113 [GMT 0:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Atievxx.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [eyeBeam SIP Client]
mRun: [EzPrint] "c:\program files\lexmark 5400 series\ezprint.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [LXCTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCTtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\windows\installer\{b93d24b3-928d-4805-b379-4aa47cb3794e}\NewShortcut1_1.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173117604647
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mike\application data\mozilla\firefox\profiles\p9bnd8t7.default\
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-7 56208]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-18 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-8-18 314456]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-6 390528]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-16 228208]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-11-7 71440]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-11-7 164112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-18 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-20 44768]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-11-7 931640]
R3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [2007-2-12 281600]
R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [2007-2-12 55999]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [2007-2-12 174464]
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [2007-2-12 701386]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-12 21520]
.
=============== Created Last 30 ================
.
2012-01-29 15:39:57   388096   ----a-r-   c:\documents and settings\mike\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-01-29 15:39:53   --------   d-----w-   c:\program files\Trend Micro
2012-01-29 13:27:25   --------   d-----w-   c:\documents and settings\mike\application data\SUPERAntiSpyware.com
2012-01-29 13:25:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-01-29 13:25:40   --------   d-----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-01-28 20:08:55   --------   d-----w-   c:\documents and settings\mike\application data\Malwarebytes
2012-01-28 20:08:03   --------   d-----w-   c:\documents and settings\all users\application data\Malwarebytes
2012-01-28 20:07:58   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-01-28 20:07:58   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-01-28 14:46:00   --------   d-----w-   c:\windows\pss
2012-01-28 12:31:20   --------   d-----w-   c:\documents and settings\all users\application data\AMMYY
2012-01-28 12:27:01   --------   d-----w-   c:\documents and settings\mike\application data\TeamViewer
2012-01-04 02:27:26   479232   ----a-w-   c:\program files\mozilla firefox\msvcm80.dll
2012-01-04 02:27:26   43992   ----a-w-   c:\program files\mozilla firefox\mozutils.dll
2012-01-04 02:27:25   626688   ----a-w-   c:\program files\mozilla firefox\msvcr80.dll
2012-01-04 02:27:25   548864   ----a-w-   c:\program files\mozilla firefox\msvcp80.dll
.
==================== Find3M  ====================
.
2012-01-04 02:26:04   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-28 18:01:25   41184   ----a-w-   c:\windows\avastSS.scr
2011-11-28 17:53:53   435032   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-11-25 21:57:19   293376   ----a-w-   c:\windows\system32\winsrv.dll
2011-11-23 13:25:32   1859584   ----a-w-   c:\windows\system32\win32k.sys
2011-11-18 12:35:08   60416   ----a-w-   c:\windows\system32\packager.exe
2011-11-16 14:21:44   354816   ----a-w-   c:\windows\system32\winhttp.dll
2011-11-16 14:21:44   152064   ----a-w-   c:\windows\system32\schannel.dll
2011-11-07 21:28:38   56208   ----a-w-   c:\windows\system32\drivers\RapportKELL.sys
2011-11-03 15:28:36   386048   ----a-w-   c:\windows\system32\qdvd.dll
2011-11-03 15:28:36   1292288   ----a-w-   c:\windows\system32\quartz.dll
2011-11-01 16:07:10   1288704   ----a-w-   c:\windows\system32\ole32.dll
2011-10-31 23:43:21   832512   ----a-w-   c:\windows\system32\wininet.dll
2011-10-31 23:43:21   78336   ----a-w-   c:\windows\system32\ieencode.dll
2011-10-31 23:43:21   1830912   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20   17408   ------w-   c:\windows\system32\corpol.dll
.
============= FINISH: 18:14:09.69 ===============

Thanks
« Last Edit: January 30, 2012, 12:27:12 pm by kevinf80 »



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7280
Re: [Resolved K] Suspected malware download from a connected scammer
« Reply #1 on: January 29, 2012, 01:11:43 pm »
Hello talacrush and welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

DDS produces two logs, you've only posted one; copy and paste Attach.txt to next reply.

Next,

Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur

Alternative mirror

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
Temporarily disable Security
 
Do not use your computer for anything else during the scan.
  • Double click GMER.exe.

  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO
    Then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Please copy and paste the report into your Post.

Kevin.
« Last Edit: January 29, 2012, 05:09:17 pm by kevinf80 »

Offline talacrush

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Suspected malware download from a connected scammer
« Reply #2 on: January 29, 2012, 04:45:24 pm »
Thanks for your help so far.

I'm attaching the Attach.txt file here.  I tried pasting the ark.txt log but got the following error

:The message exceeds the maximum allowed length (50000 characters).

So I am attaching that logfile too instead.

Thanks

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7280
Re: [Resolved K] Suspected malware download from a connected scammer
« Reply #3 on: January 29, 2012, 05:25:20 pm »
GMER does not show anything sinister. DDS gives these two folders, which belong to the Remote Access service:

c:\documents and settings\all users\application data\AMMYY
c:\documents and settings\mike\application data\TeamViewer


If you do not recognize those folders or know of their existence, go ahead and delete them.

Next,

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Kevin

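The two folders Kevin picks out above are the first artifacts of the scammer's session, so they also fix the start of the window a responder should inspect in the DDS log. The script below is an added example, not part of this thread and not code from the DDS tool: it parses the "Created Last 30" section of the log posted earlier (the sample input is an excerpt of that log, embedded here), takes the earliest remote-access artifact as the session start, and lists everything created inside the following window that is not one of the responder's own tools (Malwarebytes, SUPERAntiSpyware, Trend Micro/HiJackThis were all installed after the call). It also surfaces the "AV: ... *Disabled/Updated*" state line and the ProxyOverride setting that DDS prints in its header sections. The 12-hour window, the marker substrings and the allow-list are my assumptions for this example, not DDS conventions. On this log the one entry left over is c:\windows\pss at 14:46, which is the folder msconfig creates when it disables Startup-folder items; that is worth checking against the Startup tab, given that Security Check later reported Ad-Aware's startup entries as disabled.

```python
"""Triage a DDS log after a tech-support-scam remote session.

Added example (not from the thread or the DDS tool). Assumptions: the
"Created Last 30" line format shown in the posted log, a 12-hour window after
the first remote-access artifact, and the marker/allow-list substrings below.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: an excerpt of the DDS log posted in this thread.
SAMPLE_DDS = r"""
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
uInternet Settings,ProxyOverride = 127.0.0.1
=============== Created Last 30 ================
.
2012-01-29 15:39:57   388096   ----a-r-   c:\documents and settings\mike\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-01-29 15:39:53   --------   d-----w-   c:\program files\Trend Micro
2012-01-29 13:25:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-01-28 20:07:58   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-01-28 20:07:58   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-01-28 14:46:00   --------   d-----w-   c:\windows\pss
2012-01-28 12:31:20   --------   d-----w-   c:\documents and settings\all users\application data\AMMYY
2012-01-28 12:27:01   --------   d-----w-   c:\documents and settings\mike\application data\TeamViewer
2012-01-04 02:27:26   479232   ----a-w-   c:\program files\mozilla firefox\msvcm80.dll
.
==================== Find3M  ====================
"""

# One "Created Last 30" entry: timestamp, size (or dashes), attribute flags, path.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\S+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

# Path substrings (lower-case) left behind by the two tools the caller had the
# victim install: Ammyy Admin (AA_v3) and TeamViewer QuickSupport. Assumed list.
REMOTE_ACCESS_MARKERS = ("\\ammyy", "\\teamviewer")

# The responder's own tools, installed after the call. Assumed allow-list.
RESPONDER_TOOLS = ("malwarebytes", "mbam.sys", "superantispyware",
                   "trend micro", "hijackthis")


def parse_created(text):
    """Return [(datetime, attrs, path)] for every entry in 'Created Last 30'."""
    entries, in_section = [], False
    for line in text.splitlines():
        if "Created Last 30" in line:
            in_section = True          # section header; entries follow
            continue
        if in_section and line.startswith("="):
            break                      # next section header (Find3M) reached
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m["attrs"], m["path"]))
    return entries


def av_disabled(text):
    """True if the DDS 'AV:' line reports the product as *Disabled/...*."""
    m = re.search(r"^AV: .*\*(?P<state>[^*]+)\*", text, re.M)
    return bool(m) and "disabled" in m["state"].lower()


def proxy_override(text):
    """Value of the ProxyOverride setting, if DDS printed one."""
    m = re.search(r"ProxyOverride = (\S+)", text)
    return m.group(1) if m else None


def triage(text, window_hours=12):
    """Anchor the session at the first remote-access artifact and list what
    else appeared in the window that the responder did not install."""
    entries = parse_created(text)
    remote = [e for e in entries
              if any(k in e[2].lower() for k in REMOTE_ACCESS_MARKERS)]
    result = {"session_start": None, "remote_access": [], "unexplained": [],
              "av_disabled": av_disabled(text), "proxy_override": proxy_override(text)}
    if not remote:
        return result
    start = min(e[0] for e in remote)
    end = start + timedelta(hours=window_hours)
    unexplained = [
        e for e in entries
        if start <= e[0] <= end
        and not any(k in e[2].lower() for k in REMOTE_ACCESS_MARKERS)
        and not any(k in e[2].lower() for k in RESPONDER_TOOLS)
    ]
    result["session_start"] = start
    result["remote_access"] = [e[2] for e in remote]
    result["unexplained"] = [(e[0], e[2]) for e in unexplained]
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_DDS)
    print("session start (first remote-access artifact):", r["session_start"])
    for p in r["remote_access"]:
        print("  remote-access artifact:", p)
    for ts, p in r["unexplained"]:
        print("  created in window, not a responder tool:", ts, p)
    print("AV reported disabled:", r["av_disabled"])
    print("ProxyOverride:", r["proxy_override"])
```

DDS timestamps are in the machine's local zone (the log header shows GMT 0:00), so the window is compared as-is. The AV line matches what Security Check later reported ("On Access scanning disabled!"); the ProxyOverride value is only a bypass list and is informational unless a ProxyServer line accompanies it. Anything the script leaves in "unexplained" is where a responder would look by hand rather than rely on the signature scanners that already came back clean.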

Offline talacrush

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Suspected malware download from a connected scammer
« Reply #4 on: January 29, 2012, 06:59:41 pm »
Security Check run and the checkup.txt log attached as requested.

Thanks.

Results of screen317's Security Check version 0.99.30 
 Windows XP Service Pack 3 x86   
 Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 avast! Free Antivirus   
 Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

 Ad-Aware
 SUPERAntiSpyware     
 Adobe Flash Player 9 Flash Player out of date!
 Adobe Flash Player    11.1.102.55 
 Adobe Reader 8 Adobe Reader out of date!
 Mozilla Firefox (9.0.1)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
 Alwil Software Avast5 AvastSvc.exe 
 Alwil Software Avast5 avastUI.exe 
``````````End of Log````````````
« Last Edit: January 29, 2012, 07:19:32 pm by kevinf80 »

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7280
Re: [Resolved K] Suspected malware download from a connected scammer
« Reply #5 on: January 29, 2012, 07:25:52 pm »
I've shown the log from Security Check in your reply so it is easy to read....

Do the following:

1. Turn on the Windows Firewall, currently shows as OFF

2. Turn on Realtime protection for Avast, currently OFF

3. Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.
Please go to the link below to update. Adobe Reader Untick the Free McAfee® Security Scan Plus (optional) Not required.

4. Your Adobe Flash Player is out of date. Older versions are vulnerable to attack and exploitation.

Please go to the link below to update. Adobe Flash Player Untick the Free McAfee® Security Scan Plus (optional) Not required.

Let me know if the above completes OK, also if any remaining issues or concerns...

Kevin


Offline talacrush

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Suspected malware download from a connected scammer
« Reply #6 on: January 30, 2012, 07:09:41 am »
All updated as suggested and all seems fine now.

Thank you so much :)

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7280
Re: [Resolved K] Suspected malware download from a connected scammer
« Reply #7 on: January 30, 2012, 07:39:01 am »
All updated as suggested and all seems fine now.

Thank you so much :)

You're very welcome, if no more issues here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol  This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained Here

You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here   Before clicking the Start scan  button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:
 
Firefox,

Opera, and

Chrome.
 
All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.


Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here are a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally this link HERE will give a comprehensive up to date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

Let me know if you are OK for your thread to be closed out,

Take care,

Kevin

Offline talacrush

  • Bronze Member
  • Posts: 24
Re: [Resolved K] Suspected malware download from a connected scammer
« Reply #8 on: January 30, 2012, 11:37:53 am »
All seems fine. Please close this thread and thanks again.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7280
Re: [Resolved K] Suspected malware download from a connected scammer
« Reply #9 on: January 30, 2012, 12:26:46 pm »
Since this issue appears to be resolved, the topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.