Inactive Malware removal - remote support

Status
Not open for further replies.

Bahawolf

Posts: 9   +0
Hello everyone. I am supporting a friend remotely. I was previously working on this issue with Bobby, but the user decided to run a scan on their own, which conflicted with the rules.

I've told them that if they do so again, they will NOT be assisted and they have agreed to not touch the unit.

That being said, I'd like to begin the cleansing process if allowed...

Logs:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4526

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

9/1/2010 19:20:34
mbam-log-2010-09-01 (19-20-34).txt

Scan type: Quick scan
Objects scanned: 137172
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-01 19:27:42
Windows 6.0.6001 Service Pack 1
Running: w87l01ws.exe; Driver: C:\Users\Chris\AppData\Local\Temp\ufldapoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8E3A7B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8E3A79C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8E3A7AFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

==



DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Chris at 19:45:16.49 on Wed 09/01/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1637 [GMT -7:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Users\Chris\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\mri_di~1\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\l8k0id2p.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-17 165456]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-17 17744]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-17 50256]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-17 40384]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2007-4-25 99248]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-24 304464]
S2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2010-8-24 1590216]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-17 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-17 40384]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-24 20952]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-8-24 12096]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

=============== Created Last 30 ================

2010-08-30 04:42:17 0 d-----w- C:\$RECYCLE.BIN
2010-08-28 16:57:45 0 d-----w- c:\users\chris\appdata\roaming\Webroot
2010-08-28 16:24:14 82 ----a-w- c:\windows\qawin32.INI
2010-08-28 14:24:01 0 d-----w- c:\programdata\Sun
2010-08-28 14:23:38 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-28 13:47:41 0 d-----w- c:\program files\Windows Installer Clean Up
2010-08-28 13:47:34 0 d-----w- c:\program files\MSECACHE
2010-08-28 12:17:38 0 d-----w- c:\program files\JDownloader
2010-08-25 04:51:39 0 d-----w- c:\program files\ESET
2010-08-25 04:48:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-25 04:48:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-25 04:48:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 04:27:59 23872 ----a-w- c:\windows\system32\mv2.dll
2010-08-25 04:27:59 12096 ----a-w- c:\windows\system32\drivers\mv2.sys
2010-08-25 04:27:51 0 d-----w- c:\program files\UltraVNC
2010-08-18 12:21:49 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-18 11:57:06 0 d-----w- c:\programdata\Lavasoft
2010-08-18 11:57:06 0 d-----w- c:\program files\Lavasoft
2010-08-18 05:18:36 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-08-18 05:18:11 38848 ----a-w- c:\windows\avastSS.scr
2010-08-18 05:18:08 0 d-----w- c:\programdata\Alwil Software
2010-08-17 02:40:56 0 d-----w- c:\program files\roguescanfix
2010-08-17 02:32:07 0 d-----w- c:\windows\LMI7445.tmp
2010-08-17 02:27:38 0 d-----w- c:\program files\Trend Micro
2010-08-15 17:01:06 0 d-----w- c:\users\chris\appdata\roaming\TeamViewer
2010-08-15 15:49:02 0 d-----w- c:\users\chris\appdata\roaming\PCToolsFirewallPlus
2010-08-15 15:49:01 0 d-----w- c:\users\chris\appdata\roaming\Spam Monitor
2010-08-15 14:44:08 0 d-----w- c:\programdata\PC Tools
2010-08-15 14:44:08 0 d-----w- c:\program files\PC Tools Internet Security
2010-08-15 14:43:38 0 d-----w- c:\users\chris\appdata\roaming\Swhst
2010-08-15 14:09:02 798 ---ha-w- C:\IPH.PH
2010-08-15 14:09:02 0 d-----w- C:\TEMP
2010-08-15 14:01:16 0 d-----w- c:\program files\common files\PC Tools
2010-08-15 14:01:14 0 d---a-w- c:\programdata\TEMP
2010-08-15 13:11:46 4213696 ----a-w- C:\ExterminateIt.exe
2010-08-15 07:16:34 0 d-----w- c:\program files\Exterminate It!
2010-08-15 06:51:29 226688 ----a-w- C:\BdUninstallTool2010.08.14-11.51.29.reg
2010-08-15 04:22:02 0 d-----w- c:\users\chris\appdata\roaming\QuickScan
2010-08-14 22:56:26 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-10 03:34:33 15892480 ----a-w- C:\Ad-AwareInstall.exe
2010-08-10 03:03:53 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-10 03:03:53 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-10 02:44:19 16409960 ----a-w- C:\spybotsd162.exe
2010-08-10 02:12:38 35 ----a-w- c:\users\chris\appdata\roaming\SetValue.bat
2010-08-10 02:12:37 691 ----a-w- c:\users\chris\appdata\roaming\GetValue.vbs
2010-08-09 23:56:45 0 d-----w- c:\users\chris\appdata\roaming\Malwarebytes
2010-08-09 23:56:27 0 d-----w- c:\programdata\Malwarebytes
2010-08-09 23:50:12 0 d-----w- c:\program files\TeamViewer
2010-08-03 22:46:16 221300608 ----a-w- c:\windows\MEMORY.DMP

==================== Find3M ====================

2010-08-31 16:10:00 4022 ----a-w- c:\users\chris\appdata\roaming\wklnhst.dat
2010-08-25 04:28:06 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-08-25 04:28:06 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-25 04:28:05 86016 ----a-w- c:\windows\inf\infstor.dat
2008-08-03 09:44:02 174 --sha-w- c:\program files\desktop.ini
2008-08-03 09:31:48 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-01 06:44:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-01 06:44:18 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-01 06:44:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-01-15 06:45:41 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-01-15 06:45:41 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-01-15 06:45:41 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 19:46:17.53 ===============

==



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 9/24/2007 12:27:24
System Uptime: 9/1/2010 19:36:25 (0 hours ago)

Motherboard: ELITEGROUP | | 945GCT-M3
Processor: Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz | Socket 775 | 1599/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 216.985 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.524 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
ABBYY FineReader 6.0 Sprint
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Agere Systems PCI-SV92PP Soft Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Bejeweled 2 Deluxe
BlackBerry Desktop Software 4.5
Bonjour
Chicago Blackhawks Desktop Communicator
Digital Media Reader
ESET Online Scanner v3
Exterminate It!
FUJIFILM FinePixViewer S Ver.2.1
Gateway Connect
Gateway Game Console
Gateway Recovery Center Installer
Highlight Viewer (Windows Live Toolbar)
HiJackThis
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 21
JDownloader
Lexmark 2500 Series
Lexmark Fax Solutions
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
MobileMe Control Panel
Mozilla Firefox (3.0.19)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MySpaceIM
Power2Go 5.0
QuickTime
Realtek High Definition Audio Driver
Roxio Media Manager
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Smart Menus (Windows Live Toolbar)
Spare Backup
TeamViewer 5
Tradewinds
UltraVNC 1.0.8.2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Installer Clean Up
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

==== End Of File ===========================
 
I remember that! Every time I opened a log, some other scan had been done. Good that you read the riot act! I'll review the logs shortly. I noticed there is some data updated by Webroot on 8/28. This was a problem previously. If possible, find out what's running from Webroot and, if it's security-related, ask that it be temporarily disabled.

Back in a bit.
 
It was Webroot System Analyzer that was run, and allegedly removed, but the user obviously doesn't know all that much about computers. I can't seem to find it installed either, so I wonder where it could be stemming from.

Thanks for your help!
 
Since it's still collecting data, it's using resources. I can remove it in a script after Combofix:

First, let's do a Security Check:
Download Security Check and save it to your Desktop.
  • Double-click SecurityCheck.exe to run.
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
=============================
Next, download ComboFix from Here and save it to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double-click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
=============================
Then run the ESET NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Can you refresh me please on the current problems?
 