Bankerfox.A amongst other things
Page 1 of 2
Bankerfox.A amongst other things
Hi, I'm trying to fix a laptop for a friend, but I'm completely stumped on this one. It's been infected by Bankerfox.A, so whenever I open IE, it doesn't let me access anything. I open Firefox, but it won't let me browse any webpages either. They all eventually fall back to [You must be registered and logged in to see this link.] or say the page cannot be found on the server. I am unable to download any antivirus software, do a system restore, or anything, because any .exe file I try to open comes out as "Application cannot be executed. The file xxxxx.exe is infected. Do you want to activate your antivirus software now?". I also cannot install any software through a USB, since it will give me the same error message when it's trying to read the USB drivers. I tried with a CD, same thing. I can't start the laptop in safe mode because the screen is broken (I have it connected to a monitor) and when I press F8 at startup, that doesn't show on the external monitor. Any ideas?

aivlis
Newbie Surfer
- Posts: 11
Joined: 2010-02-09
Operating System: Windows Vista
Re: Bankerfox.A amongst other things
Please download ComboFix
from [You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
Rename ComboFix.exe to commy.exe before you save it to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
- Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
- When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

DragonMaster Jay
Moderator | Tech Officer
- Posts: 5468
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: Bankerfox.A amongst other things
I'm sorry, but like I said, it won't let me access any websites. I'm typing this from another computer because any website I try to access goes to a fake Google page that says that the requested URL was not found on the server.

aivlis
Newbie Surfer
- Posts: 11
Joined: 2010-02-09
Operating System: Windows Vista
Re: Bankerfox.A amongst other things
Please transfer the download from a clean computer on to the infected one.

DragonMaster Jay
Moderator | Tech Officer
- Posts: 5468
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: Bankerfox.A amongst other things
I did try. The laptop won't let me open any executable files. It won't let me open Task Manager. It won't even let me open System Restore. I can't download, install, or run anything.

aivlis
Newbie Surfer
- Posts: 11
Joined: 2010-02-09
Operating System: Windows Vista
Re: Bankerfox.A amongst other things
Rename it to blackpudding.bat and try again please.

DragonMaster Jay
Moderator | Tech Officer
- Posts: 5468
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: Bankerfox.A amongst other things
It does the same thing... Sorry, I forgot to add, it gives me a fake Windows Security Alert popup that says "Application cannot be executed. The file blackpudding.bat (or whichever is trying to open) is infected. Do you want to activate your antivirus software now?"

aivlis
Newbie Surfer
- Posts: 11
Joined: 2010-02-09
Operating System: Windows Vista
Re: Bankerfox.A amongst other things
Rename it to iexplore.exe
Then, go to Start > Run and paste this command and press OK:
"%desktop%\iexplore.exe" /stepdel

DragonMaster Jay
Moderator | Tech Officer
- Posts: 5468
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: Bankerfox.A amongst other things
It brings up a search window, as if it can't find the file. Also, just thought you might need to know, if I double click the icon, a little bar comes up that says "ComboFix", it loads, but then at the end it doesn't do anything.

aivlis
Newbie Surfer
- Posts: 11
Joined: 2010-02-09
Operating System: Windows Vista
Re: Bankerfox.A amongst other things
Last try here. If bust, then we will get a more powerful option. 
Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
Then, try ComboFix again.

DragonMaster Jay
Moderator | Tech Officer
- Posts: 5468
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: Bankerfox.A amongst other things

metalmikey
Unborn
- Posts: 1
Joined: 2010-02-11
Operating System: Windows XP
Re: Bankerfox.A amongst other things
The laptop's screen is not working, so it doesn't let me start in safe mode.

aivlis
Newbie Surfer
- Posts: 11
Joined: 2010-02-09
Operating System: Windows Vista
Re: Bankerfox.A amongst other things
Odd. But, you start just fine in normal mode?

DragonMaster Jay
Moderator | Tech Officer
- Posts: 5468
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit

Re: Bankerfox.A amongst other things
Yes, I have it plugged in to a monitor. But when I press F8 as it's starting up, the boot screen doesn't show on the external monitor. It only starts showing after the Vista logo comes up.
ComboFix is running now... I guess the computer just needed to rest, maybe? Well, it's scanning atm, so I'll post the scan log as soon as it comes up. Thanks.
Last edited by aivlis on Sat 13 Feb 2010, 10:04 pm; edited 1 time in total (Reason for editing : update)

aivlis
Newbie Surfer
- Posts: 11
Joined: 2010-02-09
Operating System: Windows Vista
Re: Bankerfox.A amongst other things
ComboFix 10-02-09.03 - Daniel 02/13/2010 22:03:34.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1161 [GMT -6:00]
Running from: c:\users\Daniel\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-3443657032-2903806523-3540040041-500
c:\$recycle.bin\S-1-5-21-3967032013-1912477881-1511816985-1001
c:\$recycle.bin\S-1-5-21-3967032013-1912477881-1511816985-500
c:\users\Daniel\AppData\Local\vmibou
c:\users\Daniel\AppData\Local\vmibou\bdsxsftav.exe
c:\windows\fxstaller.exe
c:\windows\system32\KBL.LOG
c:\windows\system32\oem3.inf
c:\users\Daniel\secupdat.dat . . . . failed to delete
c:\windows\system32\secupdat.dat . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.
2010-02-14 04:17 . 2010-02-14 04:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-10 04:16 . 2009-12-04 16:27 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 04:16 . 2009-12-04 16:27 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-09 04:37 . 2010-02-09 04:37 -------- dc----w- C:\89f2b01f43ee574fe247
2010-02-07 01:33 . 2010-02-07 01:33 16384 ---ha-w- c:\users\Daniel\fnlqaf.exe
2010-02-01 17:00 . 2010-02-01 17:00 -------- d-----w- c:\users\Daniel\AppData\Roaming\Facebook
2010-02-01 14:08 . 2010-02-01 14:08 16384 ---ha-w- c:\users\Daniel\bwuy.exe
2010-01-22 11:43 . 2009-12-18 12:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-16 04:35 . 2010-01-15 19:24 225280 --sh--r- c:\windows\system32\wmisktp.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 04:21 . 2008-07-29 04:17 -------- d-----w- c:\users\Daniel\AppData\Roaming\LimeWire
2010-02-14 03:59 . 2008-07-23 19:26 290886 ----a-w- c:\users\Daniel\AppData\Roaming\nvModes.dat
2010-02-12 22:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-09 04:46 . 2007-11-02 07:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-09 04:42 . 2007-11-02 07:25 -------- d-----w- c:\progra~2\Symantec
2010-02-01 17:00 . 2010-02-01 17:00 50354 ----a-w- c:\users\Daniel\AppData\Roaming\Facebook\uninstall.exe
2010-02-01 14:14 . 2009-09-30 00:09 -------- d-----w- c:\program files\AIM Toolbar
2010-01-27 03:21 . 2010-01-27 03:21 847040 ----a-w- c:\users\Daniel\AppData\Roaming\Facebook\axfbootloader.dll
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
2010-01-22 18:36 . 2009-11-10 06:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-22 18:27 . 2008-07-29 04:16 -------- d-----w- c:\program files\LimeWire
2010-01-14 17:12 . 2009-10-02 16:23 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-18 12:48 . 2010-01-22 11:42 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 11:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:46 . 2010-01-22 11:42 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 11:42 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 11:42 48128 ----a-w- c:\windows\system32\mshtmler.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-07-28 1232896]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-01 1783136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-09 159744]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-11-02 1006264]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"CFmon"="c:\users\Daniel\fnlqaf.exe" [2010-02-07 16384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\cguvmmot.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKCU-Run-jhdalwnw - c:\users\Daniel\AppData\Local\vmibou\bdsxsftav.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
SafeBoot-exxmdlzs.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-13 22:21
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(5472)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\LimeWire\LimeWire.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\lpremove.exe
c:\windows\system32\lpksetup.exe
.
**************************************************************************
.
Completion time: 2010-02-13 22:36:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-14 04:35
Pre-Run: 82,781,044,736 bytes free
Post-Run: 83,650,134,016 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4,5
- - End Of File - - 8B66006D7C20D3A77F5DC800DEF3CD86

aivlis
Newbie Surfer
- Posts: 11
Joined: 2010-02-09
Operating System: Windows Vista
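The "Reg Loading Points" section of the ComboFix log above is where a responder looks first: a Run entry launching a 16 KB executable from the user's profile root, UAC switched off, and Security Center overrides set. The script below is an added example, not code from the thread or from ComboFix; it parses a constructed, abridged excerpt of that section and flags those entries. The trusted-root list and the flagging heuristics are assumptions of the example, not anything ComboFix itself applies.

```python
import re

# Constructed, abridged excerpt of the "Reg Loading Points" section from the
# ComboFix log posted in this thread (the line formats are ComboFix's own).
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-07-28 1232896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-11-02 1006264]
"CFmon"="c:\users\Daniel\fnlqaf.exe" [2010-02-07 16384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Autorun line:  "Name"="c:\path\file.exe" [YYYY-MM-DD size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# Value line:  "Name"=dword:00000001   or   "Name"= 0 (0x0)
DWORD_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*'
    r'(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))$'
)

# Assumed list of roots an autorun is normally launched from; anything else
# (a profile root, AppData\Local, a temp folder) deserves a second look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "c:\\progra~1\\")


def parse_reg_points(text):
    """Return (key, name, info) triples for every autorun or value line."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")  # subsequent value lines belong to this key
            continue
        m = RUN_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), {
                "path": m.group("path").lower(),
                "date": m.group("date"),
                "size": int(m.group("size")),
            }))
            continue
        m = DWORD_RE.match(line)
        if m and key:
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            entries.append((key, m.group("name"), {"dword": value}))
    return entries


def flag_entries(entries):
    """Apply the (assumed) heuristics; return (name, reason) findings."""
    findings = []
    for key, name, info in entries:
        lk = key.lower()
        if "path" in info and lk.endswith("\\run"):
            p = info["path"]
            if not p.startswith(TRUSTED_ROOTS):
                findings.append((name, "autorun outside Program Files/Windows: " + p))
            # A file sitting directly in c:\users\<name>\ is typical of a dropper.
            if re.fullmatch(r"c:\\users\\[^\\]+\\[^\\]+", p):
                findings.append((name, "executable dropped directly in a user profile root"))
        elif "dword" in info:
            v = info["dword"]
            if lk.endswith("policies\\system") and name == "EnableLUA" and v == 0:
                findings.append((name, "UAC disabled"))
            elif "security center" in lk and name in ("AntiVirusOverride", "FirewallOverride") and v == 1:
                findings.append((name, "Security Center override set"))
            elif "security center" in lk and name == "DisableMonitoring" and v == 1:
                findings.append((name, "Security Center monitoring disabled under " + key.rsplit("\\", 1)[-1]))
    return findings


def scan(text):
    return flag_entries(parse_reg_points(text))


if __name__ == "__main__":
    for name, reason in scan(SAMPLE_LOG):
        print(f"{name:20s} {reason}")
```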