if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 2:39 am

first got hit with what looked like the BankerFox.a yesterday, but it quickly "learned" apparently that i was after it. it then disabled my internet connection and began turning off my system (abruptly with a loud audible pop) going to a black screen, then a blue error screen. now, the machine can only be turned on in safe mode, and cannot connect to the internet. it also somehow disabled the CD driver as no CD is readable and i can't reinstall anything. i try to run a very clean system (XP with IE7 and paid McAfee antivirus and firewalled) so i'm not sure how this got through - and think it is a clone of BankerFox.A - or else why would it turn off the internet and then do further damage?

this week started bad, because Monday i was hit with the click-jack trojan Lando. after quickly assessing that, i downloaded Malwarebytes and took care of that one fairly easily. i cussed out McAfee for letting it through anyway... until last night's hit with this, i thought it was a fluke. this is more than a fluke. i think this was deliberate and it trashed my computer.

still, i have no way to download anything to fix it, i tried from this computer to download several fixes onto an external thumb drive and transport that to the infected computer. in safe mode, it will read and copy files externally, but it won't install or run them - unless i'm doing it wrong. is there a way to download a fix to a thumbdrive and then install from there? it's the only way i have to clean it up, or otherwise it will become a doorstop. i run a business and a website on it, and it will take me weeks to recover that loss since i hadn't backed anything up this month. i know... bad practice. so, can it be fixed from the thumbdrive? if so, how do i install, in safe mode, from the thumbdrive? thanks

reeko
Novice
Posts: 25
Joined: 2009-03-29
Gender: Male
OS: Win7 Home, 64-bit
Protection: MBAM, AVG, CCleaner, HijackThis
Points: 28169
Likes: 0


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 29th March 2009, 1:48 pm

Hello.
Download Hijack This onto the thumb drive, but rename it before saving it.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245121
Likes: 1


Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 5:22 pm

thanks Belahzur! downloaded the HJT onto my thumbdrive and will take it back to my office to run in the infected computer - in safe mode. will post the results back here this afternoon. ;) reeko


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 29th March 2009, 5:26 pm

Hello.
Are any other computers in this office affected?



Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 5:37 pm

Belahzur wrote:
Hello.
Are any other computers in this office affected?

negative. the other machine is not online. the one i am using now to contact u is at another location (i maintain it also). the only switch i have at the office is a "keyboard" type switch between two towers, not a router. it allows me to switch between the two completely separate CPUs with one keyboard and monitor - no data can be transferred except manually. if the infected hard drive is toast - then i may be putting the backup machine online using the same IP. and that is what scares me... remember, i got hit TWICE this week, on top of running a paid and up-to-date McAfee antivirus and firewall. they BOTH got past McAfee, and McAfee never did find them in scans.

anyway, i hope this machine can be fixed/cleaned via the thumbdrive. i will probably buy another CD drive anyway (i wanted to upgrade to CD/DVD rewritable).

will get back with the hijack file in an hour or so. thanks! ;) reeko


Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 6:56 pm

here is the hijack file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:57 PM, on 3/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 [You must be registered and logged in to see this link.]
O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 knocker
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {92108C26-F8BC-4A12-BAE9-2EF17BEAD0EE} - c:\windows\system32\csrwecy.dll
O2 - BHO: BHO - {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - [You must be registered and logged in to see this link.] (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: pkyhmnmp - C:\WINDOWS\SYSTEM32\csrwecy.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7765 bytes


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 29th March 2009, 6:59 pm

Hello. Once you have done this next Hijack This fix, see if you can get on the internet.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
    O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
    O1 - Hosts: 91.212.65.122 [You must be registered and logged in to see this link.]
    O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
    O1 - Hosts: 91.212.65.122 knocker
    O2 - BHO: (no name) - {92108C26-F8BC-4A12-BAE9-2EF17BEAD0EE} - c:\windows\system32\csrwecy.dll
    O2 - BHO: BHO - {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - C:\WINDOWS\system32\iehelper.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - [You must be registered and logged in to see this link.] (file missing)
    O20 - Winlogon Notify: pkyhmnmp - C:\WINDOWS\SYSTEM32\csrwecy.dll


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\WINDOWS\system32\sdra64.exe
c:\windows\system32\csrwecy.dll
C:\WINDOWS\system32\iehelper.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


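The log posted above and the fix list chosen from it follow a few recognisable patterns: an extra executable appended to UserInit, several security-site names in the hosts file all pointing to one IP, BHOs with no real name, and a Winlogon Notify DLL that is the same file as one of those BHOs. As an added example (not from the thread, HijackThis or the forum), here is a small Python triage script that flags those patterns in a constructed excerpt modelled on the posted log; the rule names and severities are my own, and the cleanup list it produces is a review list, not an automatic deletion.

```python
import re
from collections import defaultdict

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed excerpt modelled on the HijackThis log posted in this thread; it is
# sample input for the script, not the original log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 knocker
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {92108C26-F8BC-4A12-BAE9-2EF17BEAD0EE} - c:\windows\system32\csrwecy.dll
O2 - BHO: BHO - {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O20 - Winlogon Notify: pkyhmnmp - C:\WINDOWS\SYSTEM32\csrwecy.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""


def parse_hjt(text):
    """Yield (section, body) for every 'Rn / Fn / On - ...' line; other lines are ignored."""
    for line in text.splitlines():
        m = re.match(r"\s*([RFO]\d+) - (.*)", line)
        if m:
            yield m.group(1), m.group(2).strip()


def basename(path):
    """Lower-cased final path component, so mixed-case Windows paths compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return (severity, rule, detail) findings for the hijack patterns seen in the thread."""
    findings = []
    hosts = defaultdict(list)   # non-loopback IP -> hostnames mapped to it
    bho_files = set()           # DLLs behind unnamed/generic BHOs
    notify_entries = []         # (Winlogon Notify key, DLL path)
    for sec, body in parse_hjt(text):
        if sec == "F2" and "UserInit=" in body:
            # Windows expects only userinit.exe here; anything appended runs at every logon.
            for item in body.split("UserInit=", 1)[1].split(","):
                item = item.strip()
                if item and basename(item) != "userinit.exe":
                    findings.append(("high", "UserInit hijack", item))
        elif sec == "O1":
            # hosts entries pointing at a non-loopback IP; several names on one IP is the
            # 'sinkhole the security sites' pattern from the posted log.
            parts = body.split()            # ["Hosts:", ip, name]
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                hosts[parts[1]].append(parts[2])
        elif sec == "O2":
            m = re.match(r"BHO: (.*?) - \{[^}]*\} - (.*)", body)
            if m and m.group(1) in ("(no name)", "BHO"):
                findings.append(("high", "unnamed BHO", m.group(2)))
                bho_files.add(basename(m.group(2)))
        elif sec in ("O3", "O9") and ("(no file)" in body or "(file missing)" in body):
            findings.append(("low", "orphaned entry", body))
        elif sec == "O20":
            m = re.match(r"Winlogon Notify: (\S+) - (.*)", body)
            if m:
                notify_entries.append(m.groups())
    for ip, names in hosts.items():
        findings.append(("high" if len(names) > 1 else "medium",
                         f"hosts redirect to {ip}", ", ".join(names)))
    for key, dll in notify_entries:
        # A Winlogon Notify DLL that is also loaded as a BHO is the pairing
        # (pkyhmnmp / csrwecy.dll) seen in the posted log.
        sev = "high" if basename(dll) in bho_files else "medium"
        findings.append((sev, f"Winlogon Notify '{key}'", dll))
    return findings


def cleanup_candidates(findings):
    """File paths behind high-severity findings, deduplicated case-insensitively."""
    paths = {}
    for sev, _rule, detail in findings:
        if sev == "high" and detail.lower().endswith((".exe", ".dll")):
            paths.setdefault(detail.lower(), detail)
    return sorted(paths.values(), key=str.lower)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, rule, detail in results:
        print(f"[{sev:6}] {rule}: {detail}")
    print("files to review:", *cleanup_candidates(results), sep="\n  ")
```

On the constructed excerpt the review list comes out as the same three files that the Avenger script in the next post deletes.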

Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 7:16 pm

thanks. this will take a while, as i have to put all this on my thumbdrive and take it back to the office. might be a couple hours. but i HOPE that my next post will be from the infected computer! (keeping fingers crossed!) - reeko


Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 9:12 pm

here is the avenger file. it was successful in that i was able to reboot and even enable the internet connection... but the BankerFox.a popups are still there. i am back over at the uninfected computer. will the infected computer allow me to download a fix? or should i try to do it here on this good computer and store it on my thumbdrive? how do i do that? - reeko

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACixllrvxm.sys
Driver disabled successfully.

Rootkit scan completed.

File "C:\WINDOWS\system32\sdra64.exe" deleted successfully.
File "c:\windows\system32\csrwecy.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\iehelper.dll" not found!
Deletion of file "C:\WINDOWS\system32\iehelper.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 29th March 2009, 9:19 pm

Hello.
Now you have an internet connection, let's not waste any time.

Since you have to go back to the infected computer, let's stop using the USB stick and make use of the internet.

Download these following tools to the USB stick:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

DO NOT RUN THEM YET!

Let's kill this rootkit now.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACixllrvxm.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 9:31 pm

roger that! going back to the office and will do this from the infected computer. i will have to click off on the virus popups in order to do this. just in case, i'm copying these instructions and taking them with me on the thumbdrive. be back in a bit... - reeko


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 29th March 2009, 9:34 pm

Post the logs from the infected machine and we can finish this off quicker than you going back and forth. ;)



Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 10:46 pm

i see Belahzur is not online.... dammit. i couldn't post here from the infected computer because the infection will NOT allow me to stay on the geekpolice site more than a few seconds. it KNOWS who u guys are!!!

here is the latest avenger file that you wanted. i also did NOT run the Malwarebytes removal. plz let me know when i can do that:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACixllrvxm.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 10:54 pm

from what i've read about BankerFox.a, it just steals data right? then how could this one that looks like it - with all the same popups - be evolved to know that it is under attack and tries to protect itself? it KNOWS the geekpolice website apparently, as well as any other fix site. how does it do that? is this malware that evolves?


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 29th March 2009, 11:17 pm

Back online.
Many malware block websites to stop users from getting it. We weren't blocked as far as I knew because we're still only small, but lately we have attracted attention from some good guys and the bad guys from the looks of it.

UACd.sys is a variant of a rootkit known as TDSS; it has awesome powers to be able to hide deep down in the system, and there's only a few tools that are able to take it down. The Avenger being one is very powerful, but the bad guys haven't figured this out yet.

Don't give up on me, we're winning this fight.

We can use MBAM now.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 29th March 2009, 11:28 pm

roger that. printed out the instructions and will go now with the Malwarebytes on my thumbdrive. be back later - hopefully on the infected computer (if successful) and if not, then back over here. reeko


Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 12:35 am

limited success! i am posting this from the infected computer - however, there was a popup immediately prior to this saying "Internet Explorer cannot open the internet site [You must be registered and logged in to see this link.] etc..." and it shut off and went to the windows error msg. i then hit the "refresh" button and it came back here. i am writing this now and sending it.... now


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 30th March 2009, 12:36 am

Told you we were making progress.
You can see how powerful and annoying this rootkit can be.

Any MBAM log yet?



Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 12:44 am

seems to be working, but that popup isn't right.

congratulations! u guys are being noticed by the hackers who build these stupid malwares! LOL

here comes the mbam log. this thing was HUGE. it found 32 infected files. i also am in the habit of always running Windows Task Manager to monitor how many processes and CPU time is running while i work. normal is 32 processes. during the malware attack it was 41 processes. it is now back closer to normal = 34 processes. so i think we done good... but not sure yet. here is the log:

Malwarebytes' Anti-Malware 1.35
Database version: 1916
Windows 5.1.2600 Service Pack 3

3/29/2009 7:19:10 PM
mbam-log-2009-03-29 (19-19-09).txt

Scan type: Quick Scan
Objects scanned: 88834
Time elapsed: 15 minute(s), 10 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\svcho.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92108c26-f8bc-4a12-bae9-2ef17bead0ee} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pkyhmnmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{92108c26-f8bc-4a12-bae9-2ef17bead0ee} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svcho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\SYSTEM32\lowsec (Spyware.StolenData) -> Quarantined and deleted successfully.

Files Infected:
c:\windows\system32\csrwecy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACjkxihflo.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for avenger.zip\avenger.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bev\Local Settings\Temp\UAC57a7.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bev\Local Settings\Temp\Temporary Directory 1 for avenger.zip\avenger.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lowsec\local.ds (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lowsec\user.ds (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\svcho.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UAChowmfxwb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UAChypecymr.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACiqxnmjsl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACknoashbn.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACmtalktlw.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACvrbgtycb.log (Trojan.Agent) -> Quarantined and deleted successfully.

reeko
Novice

Posts : 25
Joined : 2009-03-29
Gender : Male
OS : Win7 Home, 64-bit
Protection : MBAM, AVG, CCleaner, HijackThis
Points : 28169
# Likes : 0
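Added here as an editor's example, not code from the thread or from Malwarebytes: a small Python parser for MBAM 1.x logs in the layout above. It rebuilds the per-section counts and compares them with the summary block, pulls the extra executable out of the Userinit hijack entry (anything listed there besides userinit.exe runs at every logon), and lists memory-process hits whose on-disk file was not also reported removed. The embedded sample log is constructed from a few of the thread's own entries.

```python
import re
from collections import Counter

# Constructed sample in the layout MBAM 1.x used; the entries are taken from
# the thread's own log and cut down to a few lines.
SAMPLE_LOG = r"""
Memory Processes Infected: 2
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\svcho.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\lowsec\local.ds (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\svcho.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACjkxihflo.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z.]+)\) -> (?P<rest>.+)$")
USERINIT_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text):
    """Return (declared_counts, sections); sections maps a section name to a
    list of {item, family, action, detail} dicts."""
    counts, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:  # summary block at the top, e.g. "Files Infected: 18"
            counts[m["section"]] = int(m["n"])
            continue
        m = HEADER_RE.match(line)
        if m:  # start of a detail section, e.g. "Files Infected:"
            current = m["section"]
            sections[current] = []
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("unrecognised MBAM line: " + line)
        # The last "-> ..." fragment is what MBAM actually did with the item;
        # Hijack.UserInit lines carry a Bad:/Good: pair before it.
        action = m["rest"].rsplit("-> ", 1)[-1]
        sections[current].append({"item": m["item"], "family": m["family"],
                                  "action": action, "detail": m["rest"]})
    return counts, sections


def check_counts(counts, sections):
    """Declared counts that do not match the entries actually listed."""
    return [(name, declared, len(sections.get(name, [])))
            for name, declared in counts.items()
            if declared != len(sections.get(name, []))]


def userinit_extras(sections):
    """Executables appended to the Winlogon Userinit value besides userinit.exe.
    Every extra path there is started at each logon, hence the hijack label."""
    extras = []
    for entry in sections.get("Registry Data Items Infected", []):
        if entry["family"] != "Hijack.UserInit":
            continue
        m = USERINIT_RE.search(entry["detail"])
        if not m:
            continue
        for path in m["bad"].split(","):
            path = path.strip()
            if path and path.rsplit("\\", 1)[-1].lower() != "userinit.exe":
                extras.append(path)
    return extras


def processes_without_file_removal(sections):
    """Memory-process hits whose on-disk file is not also reported removed.
    'Unloaded process' only ends the running copy; the file should reappear
    under 'Files Infected' with a quarantined/deleted action."""
    removed = {e["item"].lower() for e in sections.get("Files Infected", [])
               if "deleted" in e["action"] or "Quarantined" in e["action"]}
    return [e["item"] for e in sections.get("Memory Processes Infected", [])
            if e["item"].lower() not in removed]


def family_summary(sections):
    """Hits per detection family across all sections."""
    return Counter(e["family"] for entries in sections.values() for e in entries)


if __name__ == "__main__":
    counts, sections = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(counts, sections))
    print("Userinit extras:", userinit_extras(sections))
    print("processes not removed on disk:", processes_without_file_removal(sections))
    print("families:", dict(family_summary(sections)))
```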

Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 12:52 am

just noticed that these are all still in Quarantine - mbam did NOT remove them. there are 28 objects in Quarantine, including the rootkit TDSS.
shouldn't i delete all of these?


Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 1:08 am

i have to leave the office and go back to the other computer. anything else i need to do can probably wait. if it can't, let me know asap, and i will get back over here.

i've put the word out about u guys to my mil and intel blogs. some of those guys are superduty geeks. the kind that can actually say they "invented" the internet... LOL ciao yall. ;) reeko


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 30th March 2009, 1:12 am

I really should tell them MBAM guys about the false positive on the avenger. LMBO or ROFL

One last scan to make sure it's gone.
Run DDS please.

Two logs will open, one is called DDS.txt, the other is called attach.txt.
Post DDS.txt please.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1

Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 4:37 pm

Belahzur, i might have misunderstood your last instructions, but i ran MBAM again - full scan - and it found nothing. BUT when i go to geekpolice.net the Windows warning pops up that tells me that it can't go there. i did a screensave of that prompt. then like yesterday, i then do a refresh and here i am. ???

anyway, the MBAM quarantine is still full of the crap from yesterday. i haven't hit the "delete all" button yet. is there a reason i should NOT get rid of them?
here is the latest mbam log. i can't find the dds.txt that u asked for... is this it?

Malwarebytes' Anti-Malware 1.35
Database version: 1916
Windows 5.1.2600 Service Pack 3

3/30/2009 11:15:44 AM
mbam-log-2009-03-30 (11-15-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144085
Time elapsed: 1 hour(s), 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 30th March 2009, 4:40 pm

Hello.
The first MBAM scan found a lot of items and you quarantined them, so it's fine.
The second scan found nothing.

Items in quarantine are harmless, they are dead now.

DDS is DDS.scr I had you download when you downloaded the installer for MBAM also.





Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 5:01 pm

ok. just ran dds. here is that file:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Bev at 11:53:55.60 on Mon 03/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.46 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bev\Desktop\antivirus tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\bev\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\bev\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - [You must be registered and logged in to see this link.]
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - [You must be registered and logged in to see this link.]
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-16 213640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-23 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-23 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-23 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-23 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-23 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-23 40552]
S2 clcdcnot;Remote Access PPPOE Helper;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-23 34216]

=============== Created Last 30 ================

2009-03-29 18:59 15,504 ac------ c:\windows\system32\drivers\mbam.sys
2009-03-29 18:59 38,496 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-29 17:12 259 ac------ C:\avexport.bat
2009-03-29 13:19 -cd----- c:\program files\Trend Micro
2009-03-28 17:46 61,440 ac------ c:\windows\system32\drivers\pwozri.sys
2009-03-27 19:37 1,071,088 ac------ c:\windows\system32\MSCOMCTL.OCX
2009-03-27 19:37 118,784 ac------ c:\windows\system32\MSSTDFMT.DLL
2009-03-27 19:25 16,896 ac------ c:\windows\syssvc.exe
2009-03-24 12:12 -cd----- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 19:15 6,349 ac------ c:\windows\system32\Config.MPF
2009-03-23 19:09 40,552 ac------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-23 19:09 79,304 ac------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-23 19:09 35,272 ac------ c:\windows\system32\drivers\mfebopk.sys
2009-03-23 19:09 120,136 ac------ c:\windows\system32\drivers\Mpfp.sys
2009-03-23 19:08 -cd----- c:\program files\common files\McAfee
2009-03-23 19:08 -cd----- c:\program files\McAfee.com
2009-03-23 19:07 -cd----- c:\program files\McAfee
2009-03-23 19:00 34,216 ac------ c:\windows\system32\drivers\mferkdk.sys
2009-03-22 17:58 73,728 ac------ c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-03-22 18:01 410,984 ac------ c:\windows\system32\deploytk.dll
2009-02-09 06:13 1,846,784 ac------ c:\windows\system32\win32k.sys
2007-02-15 19:32 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-06-09 01:14 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060920080610\index.dat

============= FINISH: 11:55:02.57 ===============


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 30th March 2009, 5:04 pm

Hello.
Please delete these two files in bold:

c:\windows\syssvc.exe
C:\avexport.bat

How is the machine running now?





Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 5:11 pm

deleted those two files. seems to be running great now...


Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 5:14 pm

is there any way to tell exactly where this came from? i was attacked twice last week. could've been my own fault for opening an attachment or clicking a link in an email, but still, if i knew which one - i'd pass it on.

unless u want a whole bunch more customers eh? LOL


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 30th March 2009, 5:16 pm

Hello.
There's no way of telling how these are getting in, but we aren't done yet.

I overlooked something.

There's still a malicious driver running.

I need you to uninstall Mcafee temporarily, because this tool has a lot of components built into it and Mcafee won't like half of them and will interfere with the removal of this malicious driver.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Mcafee Security Center

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Please make sure Mcafee is uninstalled before running Combofix.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 6:16 pm

here it is.

ComboFix 09-03-29.04 - Bev 2009-03-30 13:01:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.81 [GMT -5:00]
Running from: c:\documents and settings\Bev\Desktop\antivirus tools\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 18:59 . 2009-03-26 16:49 38,496 --a--c--- c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-29 18:59 . 2009-03-26 16:49 15,504 --a--c--- c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-29 13:19 . 2009-03-29 13:19 d----c--- c:\program files\Trend Micro
2009-03-28 17:56 . 2009-03-28 17:56 d----c--- c:\documents and settings\Administrator\Application Data\Motive
2009-03-28 17:46 . 2009-03-28 17:46 61,440 --a--c--- c:\windows\SYSTEM32\DRIVERS\pwozri.sys
2009-03-27 20:28 . 2004-09-14 13:00 d----c--- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-03-27 20:28 . 2009-03-28 17:03 d----c--- c:\documents and settings\Administrator
2009-03-27 19:37 . 2009-03-27 20:22 d-a--c--- c:\documents and settings\All Users\Application Data\TEMP
2009-03-27 19:37 . 2005-04-15 20:58 1,071,088 --a--c--- c:\windows\SYSTEM32\MSCOMCTL.OCX
2009-03-27 19:37 . 2005-08-25 19:18 118,784 --a--c--- c:\windows\SYSTEM32\MSSTDFMT.DLL
2009-03-24 12:12 . 2009-03-29 18:59 d----c--- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 19:09 . 2009-01-16 20:04 79,304 --a--c--- c:\windows\SYSTEM32\DRIVERS\mfeavfk.sys
2009-03-23 19:09 . 2009-01-16 20:04 40,552 --a--c--- c:\windows\SYSTEM32\DRIVERS\mfesmfk.sys
2009-03-23 19:09 . 2009-01-16 20:04 35,272 --a--c--- c:\windows\SYSTEM32\DRIVERS\mfebopk.sys
2009-03-23 19:00 . 2009-01-16 20:03 34,216 --a--c--- c:\windows\SYSTEM32\DRIVERS\mferkdk.sys
2009-03-22 17:58 . 2009-03-22 18:01 73,728 --a--c--- c:\windows\SYSTEM32\javacpl.cpl
2009-02-19 17:42 . 2009-02-19 17:42 10,304 --a--c--- c:\windows\MSOPrefs.232
2009-02-19 17:42 . 2009-02-19 17:42 4,544 --a--c--- c:\windows\MSOClip.232

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 17:53 --------- dc----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-28 02:04 --------- dc----w c:\program files\Common Files\Real
2009-03-25 19:26 --------- dc----w c:\documents and settings\Bev\Application Data\OpenOffice.org2
2009-03-24 02:37 --------- dc----w c:\program files\CCleaner
2009-03-22 23:16 --------- dc----w c:\program files\Yahoo!
2009-03-22 23:01 --------- dc----w c:\program files\Java
2009-02-25 01:07 --------- dc----w c:\program files\PhotoSuite 8.1
2007-02-16 00:32 848 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
2008-06-09 06:14 32,768 -csha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008060920080610\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-09-14 77824]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 148888]

c:\documents and settings\Bev\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-12-01 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-09-14 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= c:\windows\system32\..\xgqkm.ena

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Avanquest\\Web Easy Professional 7\\vcomFtp.exe"=
"c:\\Program Files\\Avanquest\\Web Easy Professional 7\\WebEasy.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

S2 clcdcnot;Remote Access PPPOE Helper;c:\windows\System32\svchost.exe -k netsvcs [2002-08-29 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
clcdcnot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cabb24-ea2e-11dc-9f62-0011112b0405}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\At1.job
- c:\windows\system32\csrwecy.dll []
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-30 13:07:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2009-03-30 13:12:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-30 18:12:10

Pre-Run: 16,307,019,776 bytes free
Post-Run: 16,609,955,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
134 --- E O F --- 2009-03-13 16:06:22


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 30th March 2009, 6:22 pm

Oh, more malware than I was expecting.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
clcdcnot

File::
c:\windows\xgqkm.ena
c:\windows\Tasks\At1.job
c:\windows\SYSTEM32\DRIVERS\pwozri.sys

NetSvc::
clcdcnot

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.





Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 6:56 pm

here is the latest combofix log:

ComboFix 09-03-29.04 - Bev 2009-03-30 13:37:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.84 [GMT -5:00]
Running from: c:\documents and settings\Bev\Desktop\antivirus tools\ComboFix.exe
Command switches used :: c:\documents and settings\Bev\Desktop\antivirus tools\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\DRIVERS\pwozri.sys
c:\windows\Tasks\At1.job
c:\windows\xgqkm.ena
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\DRIVERS\pwozri.sys
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLCDCNOT
-------\Service_clcdcnot


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 18:59 . 2009-03-26 16:49 38,496 --a--c--- c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-29 18:59 . 2009-03-26 16:49 15,504 --a--c--- c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-29 13:19 . 2009-03-29 13:19 d----c--- c:\program files\Trend Micro
2009-03-28 17:56 . 2009-03-28 17:56 d----c--- c:\documents and settings\Administrator\Application Data\Motive
2009-03-27 20:28 . 2004-09-14 13:00 d----c--- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-03-27 20:28 . 2009-03-28 17:03 d----c--- c:\documents and settings\Administrator
2009-03-27 19:37 . 2009-03-27 20:22 d-a--c--- c:\documents and settings\All Users\Application Data\TEMP
2009-03-27 19:37 . 2005-04-15 20:58 1,071,088 --a--c--- c:\windows\SYSTEM32\MSCOMCTL.OCX
2009-03-27 19:37 . 2005-08-25 19:18 118,784 --a--c--- c:\windows\SYSTEM32\MSSTDFMT.DLL
2009-03-24 12:12 . 2009-03-29 18:59 d----c--- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 19:09 . 2009-01-16 20:04 79,304 --a--c--- c:\windows\SYSTEM32\DRIVERS\mfeavfk.sys
2009-03-23 19:09 . 2009-01-16 20:04 40,552 --a--c--- c:\windows\SYSTEM32\DRIVERS\mfesmfk.sys
2009-03-23 19:09 . 2009-01-16 20:04 35,272 --a--c--- c:\windows\SYSTEM32\DRIVERS\mfebopk.sys
2009-03-23 19:00 . 2009-01-16 20:03 34,216 --a--c--- c:\windows\SYSTEM32\DRIVERS\mferkdk.sys
2009-03-22 17:58 . 2009-03-22 18:01 73,728 --a--c--- c:\windows\SYSTEM32\javacpl.cpl
2009-02-19 17:42 . 2009-02-19 17:42 10,304 --a--c--- c:\windows\MSOPrefs.232
2009-02-19 17:42 . 2009-02-19 17:42 4,544 --a--c--- c:\windows\MSOClip.232

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 17:53 --------- dc----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-28 02:04 --------- dc----w c:\program files\Common Files\Real
2009-03-25 19:26 --------- dc----w c:\documents and settings\Bev\Application Data\OpenOffice.org2
2009-03-24 02:37 --------- dc----w c:\program files\CCleaner
2009-03-22 23:16 --------- dc----w c:\program files\Yahoo!
2009-03-22 23:01 --------- dc----w c:\program files\Java
2009-02-25 01:07 --------- dc----w c:\program files\PhotoSuite 8.1
2007-02-16 00:32 848 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
2008-06-09 06:14 32,768 -csha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008060920080610\index.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-30 18:42:51 16,384 -c--atw c:\windows\temp\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-09-14 77824]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 148888]

c:\documents and settings\Bev\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-12-01 217088]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-09-14 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Avanquest\\Web Easy Professional 7\\vcomFtp.exe"=
"c:\\Program Files\\Avanquest\\Web Easy Professional 7\\WebEasy.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cabb24-ea2e-11dc-9f62-0011112b0405}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-30 13:43:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2009-03-30 13:48:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-30 18:48:10
ComboFix2.txt 2009-03-30 18:12:17

Pre-Run: 16,598,663,168 bytes free
Post-Run: 16,599,171,072 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
129 --- E O F --- 2009-03-13 16:06:22

reeko
Novice

Posts : 25
Joined : 2009-03-29
Gender : Male
OS : Win7 Home, 64-bit
Protection : MBAM, AVG, CCleaner, HijackThis
Points : 28169
Likes : 0

Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 30th March 2009, 6:59 pm

Hello.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

The machine should be running a lot better now. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
Likes : 1

Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 30th March 2009, 7:13 pm

it said "combofix uninstalled" after it was done. so, do i go ahead and download/reinstall McAfee now?


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 30th March 2009, 7:14 pm

Yep. We're done here. Wink

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin



Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 1st April 2009, 11:04 pm

they're baaack. i did not have my machine on today until about an hour ago. first thing i did was update MBAM and run a scan. it found 2 "disable.securitycenters" threats and removed them. i then came online and went to geekpolice and sure nuff, after log on, the Windows warning popped up and it kicked off the geekpolice to the Windows error page. i then had to hit refresh the page and it came back. (this was happening before, remember?)

thanks so much for all your patience and help with the previous problem...

but i don't understand this. my McAfee and MBAM are both up to date and running FULL realtime protections. wtf? plz note that i didn't go online and to geekpolice until AFTER this MBAM scan - and supposedly the 2 threats "quarantined and deleted" ...really? then why did i get knocked off geekpolice??? here is the MBAM log:

Malwarebytes' Anti-Malware 1.35
Database version: 1930
Windows 5.1.2600 Service Pack 3

4/1/2009 5:29:25 PM
mbam-log-2009-04-01 (17-29-25).txt

Scan type: Quick Scan
Objects scanned: 87842
Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 1st April 2009, 11:07 pm

Hello.
They are registry values edited by the malware from before. MBAM found this now and replaced the value back to default. There was no real malware present.


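As an added example (not code from this thread, nor from ComboFix or MBAM), here is a defender-side check that covers both the AntiVirusOverride fix.reg Belahzur gave above and the DisableNotify values MBAM reset: it parses the REGEDIT4-style text ComboFix prints under "Reg Loading Points", flags Security Center values set to 1, and emits the same `"name"=-` deletion lines as the fix.reg. The sample export is constructed; `UpdatesDisableNotify` and `FirewallOverride` are the remaining values of the same key and do not appear in this thread's logs.

```python
import re

# Windows Security Center values that malware flips to 1 to silence the
# "no antivirus / no firewall" warnings. The first three appear in the
# ComboFix and MBAM logs above; the last two belong to the same key.
SUSPECT_VALUES = {
    "AntiVirusOverride",
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
    "UpdatesDisableNotify",
    "FirewallOverride",
}
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def find_security_center_overrides(reg_text):
    """Walk a REGEDIT4 / 'Registry Editor 5.00' export and return the names
    of Security Center values whose DWORD data is non-zero (i.e. tampered)."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()   # key names are case-insensitive
            continue
        if current_key != SECURITY_CENTER_KEY:
            continue
        m = DWORD_RE.match(line)
        if m and m.group(1) in SUSPECT_VALUES and int(m.group(2), 16) != 0:
            findings.append(m.group(1))
    return findings


def build_fix_reg(value_names):
    """Produce fix.reg text that deletes each value ("name"=- form), which
    restores the Security Center default of 'not overridden'."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]"]
    lines += ['"%s"=-' % name for name in value_names]
    return "\r\n".join(lines) + "\r\n"   # .reg files expect CRLF line ends


# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
SAMPLE_EXPORT = """REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"""

if __name__ == "__main__":
    hits = find_security_center_overrides(SAMPLE_EXPORT)
    print("tampered Security Center values:", hits)
    print(build_fix_reg(hits))
```

Run it against a saved ComboFix log or a `reg export "HKLM\SOFTWARE\Microsoft\Security Center"` dump; an empty result means the key is at its defaults.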

Re: if this is BankerFox.a, how to get rid without internet?

Post by reeko on 1st April 2009, 11:15 pm

whew! (sigh of relief!) does that explain why i get kicked off geekpolice? it only happens when i log in, then i refresh and it comes back. if that is not a problem - just annoying - then i can live with that.

by the way, i've looked at the other threads of overload work u are doing today and... GOOD JOB! if mine is no problemo, then i won't bother u anymore. thanks!


Re: if this is BankerFox.a, how to get rid without internet?

Post by Belahzur on 1st April 2009, 11:50 pm

Heh, I try to stay on top of it, but days when I'm at school, it can grow, so I try to login to here at school when I can grab a free moment.

