# Banker fox virus on windows xp

Hi,

Yesterday I got a virus, Banker fox, on my desktop PC, which is running Windows XP Home SP3. I have run several cleaners and programs to try and get rid of it, but it is still there and it won't let me run some programs and utilities. I have also tried in safe mode but still the same. I am sending a HijackThis log which I had to run in safe mode.
Would be grateful for any help.
Thanks,
Sue.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:54 PM, on 2/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - (no file)
O3 - Toolbar: (no name) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - (no file)
O4 - HKLM\..\Run: [EPSON PhotoStarter] C:\Program Files\EPSON\EPSON PhotoStarter\EPSON_PhotoStarter.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [deobaepq] C:\Documents and Settings\Owner\Local Settings\Application Data\xdodrl\gkrgsftav.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - [You must be registered and logged in to see this link.]
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4616 bytes

See the area: Using ComboFix, and when done, post the log back here.

[You must be registered and logged in to see this link.]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Local Settings\Application Data\xdodrl
c:\documents and settings\Owner\Local Settings\Application Data\xdodrl\gkrgsftav.exe
c:\windows\system32\dljaxmvv.ini
c:\windows\system32\lktpbedn.ini
c:\windows\system32\okvrbnas.ini
.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.
2010-02-13 13:42 . 2010-02-13 13:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-13 11:03 . 2010-02-13 11:05 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-13 10:54 . 2008-12-04 01:25 120832 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\arty093f.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2010-02-13 10:07 . 2010-02-13 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-12 22:22 . 2010-02-12 22:22 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-02-12 21:47 . 2010-02-12 21:47 -------- d-----w- C:\36532ab574896b82eb348965c83e62
2010-02-12 21:47 . 2010-02-12 21:47 -------- d-----w- C:\fc36e6082d7ee152aedbc1aa86
2010-02-12 21:45 . 2010-02-12 21:45 -------- d-----w- C:\_090218_
2010-02-12 21:45 . 2010-02-12 21:45 -------- d-----w- C:\be08e71b175db5277aaeb9c5103d93
2010-02-12 21:39 . 2010-02-12 21:39 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-12 21:37 . 2010-02-12 21:37 36736 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 17:37 . 2010-02-12 17:37 -------- d-----w- c:\program files\Panda Security
2010-02-12 16:19 . 2010-02-12 16:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-12 15:27 . 2010-02-12 15:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-12 14:38 . 2010-02-12 14:38 -------- d-----w- c:\program files\Trend Micro
2010-02-12 13:56 . 2010-02-12 13:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-27 14:57 . 2010-01-27 14:57 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71764d4c-n\msvcp71.dll
2010-01-27 14:57 . 2010-01-27 14:57 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71764d4c-n\jmc.dll
2010-01-27 14:57 . 2010-01-27 14:57 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71764d4c-n\msvcr71.dll
2010-01-27 14:57 . 2010-01-27 14:57 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332f68e6-n\decora-sse.dll
2010-01-27 14:57 . 2010-01-27 14:57 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332f68e6-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 17:04 . 2008-05-25 17:49 -------- d-----w- c:\program files\Avira
2010-02-13 16:47 . 2008-02-08 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 10:48 . 2007-10-01 06:55 -------- d-----w- c:\program files\Java
2010-02-13 10:42 . 2007-08-18 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-02-12 19:54 . 2008-05-25 16:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-11 18:14 . 2009-07-15 12:13 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-02-11 13:29 . 2009-04-06 07:11 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2010-01-27 14:58 . 2007-10-01 06:53 -------- d-----w- c:\program files\Common Files\Java
2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 12:27 . 2009-12-30 12:27 -------- d-----w- c:\documents and settings\Owner\Application Data\NCH Software
2009-12-30 12:05 . 2009-12-30 12:04 -------- d-----w- c:\program files\NCH Software
2009-12-26 21:03 . 2007-08-14 20:27 36736 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 17:14 . 2008-12-02 06:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2007-08-14 20:18 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-12 13:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-12 14:02 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 11:48 . 2009-07-14 19:09 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 18:22 . 2004-08-12 14:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-12 14:03 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-12 14:01 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-12 14:01 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-12 13:55 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-11-02 14:15 . 2008-11-02 14:15 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON PhotoStarter"="c:\program files\EPSON\EPSON PhotoStarter\EPSON_PhotoStarter.exe" [2000-03-06 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check(2).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(2).lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check(2).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 13:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-31 23:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-17 05:37 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 EPUSBDSK;EPSON USB Mass Storage Driver;c:\windows\system32\drivers\EPUSBDSK.sys [9/8/2007 8:53 AM 29983]
.
Contents of the 'Scheduled Tasks' folder

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\arty093f.default\
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
HKLM-Run-deobaepq - c:\documents and settings\Owner\Local Settings\Application Data\xdodrl\gkrgsftav.exe
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe
MSConfigStartUp-Veoh - c:\program files\Veoh Networks\Veoh\VeohClient.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-13 18:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1454471165-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4b,88,de,5d,9b,fc,d6,4a,b9,bc,59,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4b,88,de,5d,9b,fc,d6,4a,b9,bc,59,\
.
Completion time: 2010-02-13 18:35:27
ComboFix-quarantined-files.txt 2010-02-13 18:35

Pre-Run: 23,594,565,632 bytes free
Post-Run: 28,334,923,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4398EC5CF2528C7E7ED145E13163D4D8

## Re: Banker fox virus on windows xp

Hi,

I have since run Malwarebytes again and it found 2 bugs which it got rid of. The virus warnings have gone but I am now having trouble with the internet. Firefox won't download from certain sites and Internet Explorer says it is connected to the net but to try and connect again. I have run another ComboFix.
Thanks,
Sue.

ComboFix 10-02-12.01 - Owner 14/02/2010 9:21.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.940 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.
2010-02-13 13:42 . 2010-02-13 13:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-13 11:03 . 2010-02-13 11:05 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-13 10:54 . 2008-12-04 01:25 120832 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\arty093f.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2010-02-13 10:07 . 2010-02-13 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-12 22:22 . 2010-02-12 22:22 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-02-12 21:47 . 2010-02-12 21:47 -------- d-----w- C:\36532ab574896b82eb348965c83e62
2010-02-12 21:47 . 2010-02-12 21:47 -------- d-----w- C:\fc36e6082d7ee152aedbc1aa86
2010-02-12 21:45 . 2010-02-12 21:45 -------- d-----w- C:\_090218_
2010-02-12 21:45 . 2010-02-12 21:45 -------- d-----w- C:\be08e71b175db5277aaeb9c5103d93
2010-02-12 21:39 . 2010-02-12 21:39 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-12 21:37 . 2010-02-12 21:37 36736 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 17:37 . 2010-02-12 17:37 -------- d-----w- c:\program files\Panda Security
2010-02-12 16:19 . 2010-02-12 16:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-12 15:27 . 2010-02-12 15:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-12 14:38 . 2010-02-12 14:38 -------- d-----w- c:\program files\Trend Micro
2010-02-12 13:56 . 2010-02-12 13:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-27 14:57 . 2010-01-27 14:57 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71764d4c-n\msvcp71.dll
2010-01-27 14:57 . 2010-01-27 14:57 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71764d4c-n\jmc.dll
2010-01-27 14:57 . 2010-01-27 14:57 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71764d4c-n\msvcr71.dll
2010-01-27 14:57 . 2010-01-27 14:57 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332f68e6-n\decora-sse.dll
2010-01-27 14:57 . 2010-01-27 14:57 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332f68e6-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 09:19 . 2008-05-25 17:49 -------- d-----w- c:\program files\Avira
2010-02-14 07:05 . 2009-07-15 12:13 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-02-13 16:47 . 2008-02-08 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 10:48 . 2007-10-01 06:55 -------- d-----w- c:\program files\Java
2010-02-13 10:42 . 2007-08-18 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-02-12 19:54 . 2008-05-25 16:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-11 13:29 . 2009-04-06 07:11 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2010-01-27 14:58 . 2007-10-01 06:53 -------- d-----w- c:\program files\Common Files\Java
2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 12:27 . 2009-12-30 12:27 -------- d-----w- c:\documents and settings\Owner\Application Data\NCH Software
2009-12-30 12:05 . 2009-12-30 12:04 -------- d-----w- c:\program files\NCH Software
2009-12-26 21:03 . 2007-08-14 20:27 36736 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-08-12 14:09 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 17:14 . 2008-12-02 06:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2007-08-14 20:18 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-12 13:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-12 14:02 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 11:48 . 2009-07-14 19:09 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 18:22 . 2004-08-12 14:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-12 14:03 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-12 14:01 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-12 14:01 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-12 13:55 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-11-02 14:15 . 2008-11-02 14:15 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-07 01:19 . 2007-11-07 01:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2007-11-07 02:19 . 2007-11-07 02:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
- 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 06:07 . 2008-07-29 06:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 06:07 . 2008-07-29 06:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
- 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2010-02-14 09:20 . 2010-02-14 09:20 16384 c:\windows\temp\Perflib_Perfdata_268.dat
+ 2008-07-29 08:05 . 2008-07-29 08:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
- 2008-07-29 02:54 . 2008-07-29 02:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 03:54 . 2008-07-29 03:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
- 2008-07-29 07:05 . 2008-07-29 07:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2008-07-29 08:05 . 2008-07-29 08:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON PhotoStarter"="c:\program files\EPSON\EPSON PhotoStarter\EPSON_PhotoStarter.exe" [2000-03-06 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check(2).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(2).lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check(2).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 13:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-31 23:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-17 05:37 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 EPUSBDSK;EPSON USB Mass Storage Driver;c:\windows\system32\drivers\EPUSBDSK.sys [08/09/2007 08:53 29983]
.
Contents of the 'Scheduled Tasks' folder

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\iacp07oo.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-deobaepq - c:\documents and settings\Owner\Local Settings\Application Data\xdodrl\gkrgsftav.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-14 09:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1454471165-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-02-14 09:29:04
ComboFix-quarantined-files.txt 2010-02-14 09:29
ComboFix2.txt 2010-02-13 18:35

Pre-Run: 46,610,944,000 bytes free
Post-Run: 46,576,320,512 bytes free

- - End Of File - - C62F60BA26379C03A17931190AE5C3E1

## Re: Banker fox virus on windows xp

Hi again. Please do these steps in order.

1. Please download TFC by OldTimer to your desktop.
• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

2. Please download Malwarebytes Anti-Malware from Malwarebytes.org. Alternate link: BleepingComputer.com. (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)
Double-click mbam-setup.exe to install the application. (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates before doing the scan as instructed below!)
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer: [You must be registered and logged in to see this link.]
Post the log from SUPERAntiSpyware when you've accomplished that.

4. Please run a free online scan with the ESET Online Scanner
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install
• Click Start
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
• Click Scan (This scan can take several hours, so please be patient)
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic

5. Post the following in your next reply:
• MBAM log
• SAS log
• ESET log

And, please tell me how your computer is doing.

Hi,

Here are the logs requested. We have not used the pc for the net until I have downloaded another antivirus. It has downloaded the programs for the logs ok and has not come up with any problems.
Thanks,
Sue.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/02/2010 22:34:51
mbam-log-2010-02-14 (22-34-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 164022
Time elapsed: 42 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E8AF1262-B901-4850-BD3B-F22E263FC38E}\RP798\A0197270.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{E8AF1262-B901-4850-BD3B-F22E263FC38E}\RP798\A0197465.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{E8AF1262-B901-4850-BD3B-F22E263FC38E}\RP798\A0197534.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{E8AF1262-B901-4850-BD3B-F22E263FC38E}\RP798\A0197604.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{E8AF1262-B901-4850-BD3B-F22E263FC38E}\RP798\A0197717.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{E8AF1262-B901-4850-BD3B-F22E263FC38E}\RP800\A0198002.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{E8AF1262-B901-4850-BD3B-F22E263FC38E}\RP800\A0198168.sys (Malware.Trace) -> No action taken

SUPERAntiSpyware Scan Log
[You must be registered and logged in to see this link.]

Generated 02/15/2010 at 04:36 PM

Application Version : 4.33.1000

Core Rules Database Version : 4585
Trace Rules Database Version: 2397

Scan type : Complete Scan
Total Scan Time : 00:27:35

Memory items scanned : 347
Memory threats detected : 0
Registry items scanned : 4938
Registry threats detected : 0
File items scanned : 21418
File threats detected : 17

all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f33684305bb97b4192827b74f7035f15
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-15 05:55:02
# local_time=2010-02-15 05:55:02 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 272910 272910 0 0
# compatibility_mode=1793 16774142 0 4 18656376 18656376 0 0
# compatibility_mode=8192 67108863 100 0 3765 3765 0 0
# scanned=40969
# found=3
# cleaned=3
# scan_time=1686
C:\Qoobox\Quarantine\C\WINDOWS\system32\dljaxmvv.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\lktpbedn.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\okvrbnas.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
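
An added example, not code from the thread: a small Python parser for the Malwarebytes log format pasted above. It cross-checks the summary counts against the listed entries and flags the lines ending in "No action taken", which MBAM writes when an item was detected but not removed. The sample log is constructed from entries in the thread plus one made-up treated entry (example.dll).

```python
import re

# Constructed sample in the layout of the Malwarebytes' Anti-Malware 1.44 log pasted above:
# a summary block with counts, then one listing per category. example.dll is made up.
SAMPLE_LOG = """
Registry Keys Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\\S-1-5-18\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

Files Infected:
C:\\System Volume Information\\_restore{E8AF1262-B901-4850-BD3B-F22E263FC38E}\\RP798\\A0197270.sys (Malware.Trace) -> No action taken
C:\\WINDOWS\\system32\\example.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary_counts, entries); each entry has category, item, family, action."""
    summary, entries, category = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:  # summary line such as "Registry Keys Infected: 8"
            summary[m.group("category")] = int(m.group("count"))
            continue
        if line.endswith("Infected:"):  # listing header such as "Files Infected:"
            category = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and category:
            entries.append({"category": category, **m.groupdict()})
    return summary, entries

def triage(text):
    """Cross-check the listing against the summary counts and report what was not removed."""
    summary, entries = parse_mbam_log(text)
    per_cat = {c: sum(e["category"] == c for e in entries) for c in summary}
    untreated = [e for e in entries if e["action"].startswith("No action taken")]
    return {
        "count_mismatch": {c: (n, per_cat[c]) for c, n in summary.items() if n != per_cat[c]},
        "untreated": [e["item"] for e in untreated],
        "untreated_in_restore_points": sum("System Volume Information" in e["item"] for e in untreated),
        "families": sorted({e["family"] for e in entries}),
        "backdoor_present": any(e["family"].startswith("Backdoor") for e in entries),
    }
```

Entries under System Volume Information live in old restore points, so they are inert unless a restore is run, whereas untreated Backdoor.Bot keys in the live hives are the ones the helper's next post is about.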

There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
Backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to: [You must be registered and logged in to see this link.]
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
• What Should I Do If I've Become A Victim Of Identity Theft?
• Identity Theft Victims Guide - What to do

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Help: I Got Hacked. Now What Do I Do? Part II
• Where to draw the line? When to recommend a format and reinstall?
Guides for format and reinstall: [You must be registered and logged in to see this link.]

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.


Hi,

I am going to reformat the drive to make sure it is safe. I would like to thank you for all the help and advice you have given me and my husband, whose pc it is. Thanks again,

Regards,
Sue.

You're welcome.


