
Troubles With A Trojan-downloader.banload.bxm


  • This topic is locked
13 replies to this topic

#1 the_artz19 (Members, 8 posts)

Posted 25 June 2008 - 07:05 AM

I have been speaking with other forums, but replies have stopped for about 3 days now, so they may be too busy... so I am hoping that the brilliant minds here can help me :P
Spyware Doctor keeps finding an infection called trojan-downloader.banload.bxm at least every time I get on my computer; it says it cleans it, but it always comes back. It says that it is coming from the same registry entry, but I have no idea how to edit my registry or if there is anything more to it. The registry entry was "hkey_users\s-1-5-21-268814886-1291103218-2880121485-1006\software\microsoft\windows\currentversion\internet settings\user agent\postplatform, embedded w... browser from hxxp://bsalsa.com/"

This downloader may have also been the one that put two other files on my computer, but through all I have done they haven't shown up anymore.

I have looked into and downloaded most of the free anti-spyware/malware/etc. products from this site and am going to be running scans, but somehow I imagine that completely getting rid of this thing will take more than a scanner can do... but I hope that some of these programs will at least keep it from getting worse, since not only have things gotten slower (all of this being even after a reset to factory settings and clearing the restore points), but also things have frozen up, especially under certain conditions when using Firefox.

Thank you for any help and advice. I really don't want to lose my old things from my computer (especially being a lot of my music, video and work) by just reinstalling Windows.

(Moderator edit: post moved to more appropriate forum. jgweed)

Edited by Orange Blossom, 11 February 2013 - 03:23 AM.
Deactivate link. ~ OB




#2 Guest_superbird_* (Guests)

Posted 26 June 2008 - 12:59 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 the_artz19 (Topic Starter, Members, 8 posts)

Posted 27 June 2008 - 12:30 PM

Malwarebytes is one thing that I got soon after I started having this problem, along with Spyware Doctor, Spyguard, a-squared, SUPERAntiSpyware, Spybot, Stinger, along with Registry Mechanic...
but none of those programs have found anything besides Spyware Dr.

Malwarebytes hasn't found anything in the past, and the quick scan didn't find anything this time around either. I am not sure if you know specifics about this trojan downloader, but Spyware Dr. is the only one that has found it out of all my scanners, and it says that it found it in the registry.
I don't know if you are aware of a good way to edit out that part of the registry or if that would even rid me of the infection.
Attached is the record of the quick scan; I am running a full scan now, and will mention any difference in a new post if there are any.

I may be missing the button/section to attach a file, so I am just going to copy-paste it here...

Malwarebytes' Anti-Malware 1.18
Database version: 889

1:28:59 PM 6/27/2008
mbam-log-6-27-2008 (13-28-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 128087
Time elapsed: 1 hour(s), 45 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Guest_superbird_* (Guests)

Posted 27 June 2008 - 12:38 PM

Hi,

Please do this:

Go to Kaspersky Online scanner.
Click Accept
Follow the instructions, and scan your whole system.
Post the logfile in your next reply. :thumbsup:

Greetings,
Superbird

#5 the_artz19 (Topic Starter, Members, 8 posts)

Posted 28 June 2008 - 06:50 AM

I ran a scan of all fixed drives; I don't know if there are any other scans I should have done. Yet for now I have to be off to a wedding, so I will do that later if needed. Also, I still don't see an attach button, so I will copy-paste it.

KASPERSKY ONLINE SCANNER REPORT
Saturday, June 28, 2008 7:45:36 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/06/2008
Kaspersky Anti-Virus database records: 894810
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
Scan Statistics
Total number of scanned objects 95502
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 01:55:37

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLog-06172008-132058.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edb.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edbtmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael Bassett\Application Data\Roxio\MediaManager9\Album.ldb Object is locked skipped
C:\Documents and Settings\Michael Bassett\Application Data\Roxio\MediaManager9\Album.psod Object is locked skipped
C:\Documents and Settings\Michael Bassett\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-6-28-2008( 4-38-35 ).LOG Object is locked skipped
C:\Documents and Settings\Michael Bassett\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Michael Bassett\Desktop\issopack.exe/stream/data0023 Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Documents and Settings\Michael Bassett\Desktop\issopack.exe/stream Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Documents and Settings\Michael Bassett\Desktop\issopack.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Michael Bassett\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Michael Bassett\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Michael Bassett\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael Bassett\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael Bassett\Local Settings\History\History.IE5\MSHist012008062820080629\index.dat Object is locked skipped
C:\Documents and Settings\Michael Bassett\Local Settings\Temp\~DF2B0A.tmp Object is locked skipped
C:\Documents and Settings\Michael Bassett\Local Settings\Temp\~DFC755.tmp Object is locked skipped
C:\Documents and Settings\Michael Bassett\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Michael Bassett\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael Bassett\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Michael Bassett\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\prov.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\SubInfo.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\edb.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\tmp.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\WinSS_st.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\onecaremp_log.bin Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\WinSSSvc_log.bin Object is locked skipped
C:\Program Files\Spyware Doctor\NetworkLayer\InterfaceDLL.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\a2cache_2E6E08F4.dat Object is locked skipped
C:\WINDOWS\Temp\JET907E.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_e40.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.


Thank you for your help. I wonder if this is a program that might fix the issues if I tried the free trial.... I am running the Live OneCare free 90-day thing along with Spyware Dr. w/ antivirus.
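The Kaspersky report above mixes two very different kinds of line: the "Object is locked ... skipped" entries, which only mean the scanner could not open a file that was in use (registry hives, event logs, the BITS download queue, vendor logs) and are not detections, and the real verdicts, here the three issopack.exe lines. The PowerShell script below is added as an example and is not part of the thread or of any vendor tool; it parses that report format, separates the two kinds of line, groups archive members (the "/stream/..." paths) under their outer file, and flags verdicts carrying Kaspersky's "not-a-virus:" prefix, which denotes riskware (a legitimate but abusable tool, such as a Windows File Protection disabler) rather than malware. The lines in $Report are constructed from post #5; the function and property names are this example's own.

```powershell
# Added example, not from the thread: triage a Kaspersky Online Scanner 5.x report.
# The lines in $Report are constructed from post #5 above.
$Report = @'
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Michael Bassett\Desktop\issopack.exe/stream/data0023 Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Documents and Settings\Michael Bassett\Desktop\issopack.exe/stream Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Documents and Settings\Michael Bassett\Desktop\issopack.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
'@

function ConvertFrom-KavReportLine {
    # Three line shapes occur in the "Infected Object Name / Virus Name / Last Action" table:
    #   <path> Object is locked <action>            -> file could not be opened, NOT a detection
    #   <path> Infected: <verdict> <action>         -> named verdict, possibly an archive member
    #   <path> <container>: infected - <n> <action> -> archive/installer summarising its members
    param([Parameter(Mandatory)][string]$Line)
    switch -Regex ($Line) {
        '^(?<Path>.+?) Object is locked (?<Action>\S+)$' {
            return [pscustomobject]@{ Path = $Matches.Path; Kind = 'Locked'; Verdict = $null; Action = $Matches.Action }
        }
        '^(?<Path>.+?) Infected: (?<Verdict>\S+) (?<Action>\S+)$' {
            return [pscustomobject]@{ Path = $Matches.Path; Kind = 'Infected'; Verdict = $Matches.Verdict; Action = $Matches.Action }
        }
        '^(?<Path>.+?) (?<Container>\S+): infected - (?<Count>\d+) (?<Action>\S+)$' {
            return [pscustomobject]@{ Path = $Matches.Path; Kind = 'Container'; Verdict = "$($Matches.Container) container, $($Matches.Count) members"; Action = $Matches.Action }
        }
    }
    return $null   # header, blank or "Scan process completed." lines
}

function Get-KavTriage {
    param([string]$Text)
    $rows     = $Text -split "`r?`n" | ForEach-Object { ConvertFrom-KavReportLine $_ } | Where-Object { $_ }
    $locked   = @($rows | Where-Object { $_.Kind -eq 'Locked' })
    $detected = @($rows | Where-Object { $_.Kind -ne 'Locked' })

    # Kaspersky reports archive members as <outer file>/<member>; group them under the outer file.
    $files = $detected | Group-Object { $_.Path -replace '/.*$', '' } | ForEach-Object {
        $named = @($_.Group | Where-Object { $_.Kind -eq 'Infected' } | ForEach-Object { $_.Verdict })
        [pscustomobject]@{
            File         = $_.Name
            Verdicts     = ($_.Group | ForEach-Object { $_.Verdict } | Sort-Object -Unique) -join '; '
            # "not-a-virus:" is Kaspersky's riskware prefix (legitimate-but-abusable tool), not a malware verdict.
            RiskwareOnly = ($named.Count -gt 0) -and (@($named | Where-Object { $_ -notmatch '^not-a-virus:' }).Count -eq 0)
            Action       = ($_.Group | ForEach-Object { $_.Action } | Sort-Object -Unique) -join ','
        }
    }
    [pscustomobject]@{ LockedCount = $locked.Count; DetectionLines = $detected.Count; Files = @($files) }
}

$triage = Get-KavTriage -Text $Report
"{0} locked (unscanned) object(s), {1} detection line(s) across {2} file(s)" -f $triage.LockedCount, $triage.DetectionLines, $triage.Files.Count
$triage.Files | Format-List
```

To run it over a real report, replace the here-string with `Get-Content -Raw` of the saved log. Note that "skipped" in the Last Action column means the online scanner only reports; it never cleans, which is why the helper's next step is to delete the file by hand.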

#6 Guest_superbird_* (Guests)

Posted 29 June 2008 - 06:45 AM

Hi,

Please remove this file:
C:\Documents and Settings\Michael Bassett\Desktop\issopack.exe
It's marked as malware.

Then, your pc is clear from infections. :thumbsup:

#7 the_artz19 (Topic Starter, Members, 8 posts)

Posted 29 June 2008 - 11:34 AM

The mentioned file, malware or not, was something that I got recently. I think it at least claimed to be a Windows skin, but the file was something that I got far after I started having these problems. I hadn't installed it or anything either.
Spyware Doctor is still finding the same Trojan downloader infection.

I am currently waiting on further instruction on using "ComboFix", since I have Service Pack 3, and the reference site I was given speaking of boot disks only shows up to SP2. So I didn't want to chance simply getting the SP2 backup and running the program.

#8 Guest_superbird_* (Guests)

Posted 29 June 2008 - 11:40 AM

Hi,

Spyware Doctor is complaining about a false positive. There isn't a trojan on your pc as far as I can see. :thumbsup:
You can use an alternative in place of Spyware Doctor. See here for free scanners: http://users.telenet.be/bluepatchy/miekiemoes/Links.html

You say "i am currently waiting on further instruction on using "combofix""... Where are you being helped with ComboFix?

#9 the_artz19 (Topic Starter, Members, 8 posts)

Posted 29 June 2008 - 07:15 PM

another forum/help site... thespykiller.co.uk

#10 the_artz19 (Topic Starter, Members, 8 posts)

Posted 29 June 2008 - 07:17 PM

Also, I have all but Windows Defender from that list of free spyware tools, and am using Live OneCare temporarily (just to try it out).

#11 Guest_superbird_* (Guests)

Posted 30 June 2008 - 05:02 AM

Hi,

It's not very good to be helped at several sites. I didn't know you were being helped at another forum. If I had known that, I would not have helped you in the first place. This is because the advice could cross. I don't know what the helper on that site advises, and he doesn't know what I'm advising you.

So please, one forum at a time. :thumbsup:

Please tell the helper there that you were helped at this forum, and give him the link to this topic, so he can see what has been done here.
If you have any questions left about this, feel free to ask. :flowers:

#12 the_artz19 (Topic Starter, Members, 8 posts)

Posted 30 June 2008 - 05:27 AM

OK,
well, recently I am becoming even more scared of asking for help, because unless my bad luck has continued as I was trying to follow the instructions on using ComboFix, and the "trojan-downloader.banload.bxm" downloaded another trojan to my computer..... then one of the two components of the ComboFix process (the ComboFix file and the Windows SP2 boot disks) I was told to download may have been infected/an infection.
Since when I dragged the SP2 file over the ComboFix file as shown in the directions... the program started, but just as it did, Spyware Doctor said that it had stopped a "trojan-pws.bancos". I said to continue blocking, and I guess it did, since when ComboFix was running it constantly had a window pop up asking what program I wanted to use to open a "pv.cf.exe".
I heard people saying they had fixed their malware problems with this program (among others) when I was initially searching for information about my trojan, but I am no longer sure I can trust that program, or at least where I am getting it from.

I don't know if any part of this sounds familiar or problematic to you. Not to ask you to necessarily make a reflection on someone you don't know, but I am going to keep away from running any more unknown (to me at least) programs on my computer. That is, maybe unless a friend can tell me how to find the registry entry that Spyware Doctor keeps saying has the infection in it (because I can't find it specifically).

Thanks for your help, and I may indeed post a link to this thread at the other spot, depending.
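The registry entry Spyware Doctor keeps reporting in post #1 is a value under the user's "Internet Settings\User Agent\PostPlatform" key. Values under that key are tokens Internet Explorer appends to its User-Agent header (the value name is the token; the data is normally empty), so a value there is a string sent to web servers, not something that can execute. HKEY_USERS\S-1-5-21-...-1006 is the same hive that appears as HKEY_CURRENT_USER while that account is logged in, which is why the entry can be reached either way. The PowerShell script below is added here as an example and is not part of the thread, of ComboFix or of any vendor tool: it lists every PostPlatform token for each loaded profile with the account name resolved from the SID, and can export a .reg backup and then remove one value by name; by default the removal is a -WhatIf dry run. The parameter names and the backup location are this example's own choices. The value name quoted in the post is truncated, so run the listing first and read the full name before removing anything. It needs PowerShell 3.0 or later and an elevated prompt so that other users' loaded hives are readable.

```powershell
# Added example, not from the thread: inspect (and optionally remove) Internet Explorer
# User-Agent "PostPlatform" tokens for every user hive loaded under HKEY_USERS.
# Parameter names and the backup location are this example's own choices.
param(
    [string]$RemoveValueName = '',   # value name (= UA token) to delete; empty = list only
    [switch]$Force                   # without -Force the delete is a -WhatIf dry run
)

$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\PostPlatform'

function Resolve-SidName {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved>'   # hive loaded for an account this machine cannot resolve
    }
}

function Get-PostPlatformTokens {
    # Only hives currently loaded appear under HKEY_USERS; the S-1-5-21-* filter skips
    # the *_Classes aliases and the well-known accounts (.DEFAULT, S-1-5-18/19/20).
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = "Registry::HKEY_USERS\$sid\$SubKey"
            if (Test-Path -LiteralPath $path) {
                $key = Get-Item -LiteralPath $path
                foreach ($name in $key.GetValueNames()) {
                    [pscustomobject]@{
                        Account = Resolve-SidName $sid
                        Sid     = $sid
                        Token   = $name                 # the string appended to the UA header
                        Data    = $key.GetValue($name)  # normally empty
                    }
                }
            }
        }
}

$tokens = @(Get-PostPlatformTokens)
if ($tokens.Count -eq 0) { 'No PostPlatform tokens found in any loaded hive.' }
$tokens | Format-Table -AutoSize

if ($RemoveValueName) {
    foreach ($t in ($tokens | Where-Object { $_.Token -eq $RemoveValueName })) {
        $regKey  = "HKU\$($t.Sid)\$SubKey"                   # reg.exe spelling of the key
        $psKey   = "Registry::HKEY_USERS\$($t.Sid)\$SubKey"  # provider spelling of the same key
        $backup  = Join-Path $env:TEMP ('PostPlatform-{0}-{1:yyyyMMdd-HHmmss}.reg' -f $t.Sid, (Get-Date))
        # reg.exe export writes a .reg file; double-clicking it restores the whole key.
        & reg.exe export $regKey $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; not removing anything." }
        "Backup written to $backup"
        Remove-ItemProperty -LiteralPath $psKey -Name $t.Token -WhatIf:(-not $Force)
    }
}
```

Run it with no arguments to list; then `.\script.ps1 -RemoveValueName '<full token name>'` to see what would be deleted, and add `-Force` only once the backup exists. Because the value is just a User-Agent token, removing it changes nothing about what runs on the machine; if a scanner keeps re-flagging the same string, that points at the scanner's signature rather than at a live infection, which is the helper's conclusion in post #8.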

#13 Guest_superbird_* (Guests)

Posted 30 June 2008 - 05:34 AM

Hi,

You don't need to be scared; please ask what you want.

I only meant that it's not easy for the helpers that you're being helped at two forums.
Can you post the link to the topic at Thespykiller.co.uk where you're being helped? Then I can take a look.

It's difficult for me to give advice in this way, without seeing where and how you're being helped. :thumbsup:

Edited by superbird, 30 June 2008 - 05:35 AM.


#14 quietman7 (Bleepin' Janitor, Global Moderator, 52,093 posts, Virginia, USA)

Posted 30 June 2008 - 02:45 PM

You posted a hijackthis log here and you are receiving assistance.

Please refrain from asking for help from others while you are being instructed by someone helping you with a hijackthis log elsewhere. Any modifications you make can result in system changes which may not show in the log you already posted. Further, following advice outside of that post may cause confusion for the Helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer. If you had posted your log here, similar rules would apply. We would ask that you refrain from asking for help elsewhere.

If you followed any other advice already, please ensure you inform the HJT Helper when they respond to assist you with your log. This will help them know what has been done and they probably will ask for an updated log.

To avoid confusion, I am closing this topic. If you still need assistance after your log has been reviewed and you have been cleared, please start a new topic. If you have any questions, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation.



