Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Banker C Infestation


  • This topic is locked This topic is locked
3 replies to this topic

#1 Strubbs

Strubbs

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:32 PM

Posted 13 December 2007 - 08:43 PM

I am helping a friend with a computer and have been able to remove all spyware except whatever it is that keeps creating the wsnpoem directory.

Here is my HJT log

Thanks
Strubbs

Attached Files



BC AdBot (Login to Remove)

 


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:12:32 AM

Posted 14 December 2007 - 07:39 AM

Hi, Wellcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patience.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:12:32 AM

Posted 14 December 2007 - 11:40 AM

Hello,

Your log show me a Trojan horse that may steal sensitive information from the compromised computer. Infostealer.Banker.C

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breech.

We need to update your version of Hijackthis to the latest release.
Please find and delete the Hijackthis.exe you already have installed.
  • Click here to download HijackThis.
  • Save HJTInstall.exe to your Desktop.
  • Double click on the HJTInstall.exe icon to start the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
  • -- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
    Please go to Start Menu > Run > and copy/paste the following line:
    %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
    Press Ok and then run SDFix again.
  • -- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
    %systemdrive%\SDFix\apps\FixPath.exe /Q
    Reboot and then run SDFix again.
  • -- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
    %SystemRoot%\system32\cmd.exe

Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 Strubbs

Strubbs
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:32 PM

Posted 18 December 2007 - 09:16 AM

Thanks for the response, but I had it taken care of by someone locally.

Thanks again
Strubbs




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users