
Phishing attempts while using internet banking - possible trojan?


  • This topic is locked
32 replies to this topic

#1 MrChips69

Posted 18 March 2009 - 12:58 PM

Hi there. While doing some internet banking recently, I noticed that after submitting my usual login details (on the genuine bank website) I was taken to a page asking me for information that wouldn't normally be requested (e.g. 16-digit card number, ATM PIN etc.). I was pretty certain this was a phishing attempt and so I shut down the window. Subsequent attempts have shown this wasn't a one-off, and I have also noticed a pop-up window sometimes which is masquerading as a "Verified by Visa" window, also asking for the same details. From a Google search, I've noticed I am not alone in suffering this and the general feedback is that this is caused by a trojan. The bank have confirmed that they definitely do not ask for such information and that this is fraudulent.

The problem only arises when using Internet Explorer - Firefox works fine. I've also noticed that Internet Explorer has been very temperamental over the last couple of months (such that I was using Firefox exclusively over this period - the first time I managed to get IE to work, I noticed this problem). By temperamental, I mean that when I try and launch it, I just get a blank white screen with an hour glass - it never connects to a web page. I eventually solved this by using the Reset button under Tools/Options/Advanced.

I've tried running AVG, Malwarebytes and Spybot Search and Destroy (in normal and in safe mode) but they don't seem to have fixed the problem.

For information, I am using Windows XP.

Any other ideas?

Thanks in advance.

Edited by MrChips69, 18 March 2009 - 01:03 PM.




#2 boopme (Global Moderator)

Posted 18 March 2009 - 02:34 PM

Hi, did MBAM find things? Please post that infected log and a new one.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 MrChips69 (Topic Starter)

Posted 18 March 2009 - 02:39 PM

Thank you for your attention. I'm at work now but will reply properly when I get home.

MBAM did find a trojan as I recall, but I figured it was the wrong one as the problem still occurred after the scan.

#4 boopme (Global Moderator)

Posted 18 March 2009 - 02:46 PM

You're welcome. I'll look for you later. May as well then run these also and post back the 2 MBAM logs and this SAS log.
From your regular user account... Run ATF and SAS.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#5 MrChips69 (Topic Starter)

Posted 18 March 2009 - 03:38 PM

Here is the MBAM log from the scan I did a couple of days ago:

Malwarebytes' Anti-Malware 1.34
Database version: 1857
Windows 5.1.2600 Service Pack 3

17/03/2009 08:58:46
mbam-log-2009-03-17 (08-58-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 142551
Time elapsed: 1 hour(s), 13 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5792aa9-d373-4039-8670-2cdab6a71f15} (Trojan.Lop) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I'll post back with the other items ASAP.

#6 MrChips69 (Topic Starter)

Posted 18 March 2009 - 03:58 PM

Here is the 2nd MBAM scan log:

Malwarebytes' Anti-Malware 1.34
Database version: 1866
Windows 5.1.2600 Service Pack 3

18/03/2009 20:57:12
mbam-log-2009-03-18 (20-57-12).txt

Scan type: Quick Scan
Objects scanned: 67240
Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 MrChips69 (Topic Starter)

Posted 18 March 2009 - 08:45 PM

I think SAS found a couple of things. Here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/19/2009 at 01:34 AM

Application Version : 4.25.1014

Core Rules Database Version : 3803
Trace Rules Database Version: 1758

Scan type : Complete Scan
Total Scan Time : 03:59:26

Memory items scanned : 226
Memory threats detected : 0
Registry items scanned : 5660
Registry threats detected : 2
File items scanned : 74555
File threats detected : 0

NLS UrlCatcher Class BHO
HKU\S-1-5-21-1559292233-1588768191-2780797578-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}

ADP UrlCatcher Class BHO
HKU\S-1-5-21-1559292233-1588768191-2780797578-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}

#8 boopme (Global Moderator)

Posted 18 March 2009 - 09:27 PM

Hello, these are from Bargain Buddy.
Go to Start >> Control Panel >> Add/Remove Programs
Find these (if existent): Bullseye Network, Cashback, Navisearch >> click Remove. Note some of these require a short survey to uninstall. Pay attention as some of the questions are worded in such a way as to make you keep the product.

Now run SDFix:
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
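A defender-side check that fits this thread, since the injected page only appears in Internet Explorer and both MBAM and SAS flagged add-on entries under Ext\Stats: inventory the Browser Helper Objects IE will load and where their DLLs live. This is an added example, not code from the thread or from any tool it mentions; it assumes PowerShell 3.0 or later on a Windows host with the standard IE registry layout, reads the registry only and changes nothing.

```powershell
# Added example: not code from this thread or from any tool it mentions.
# Read-only triage of Internet Explorer add-ons: list every registered Browser Helper
# Object (BHO), resolve its CLSID to the DLL it loads, and cross-check the per-user
# Ext\Stats keys (the key family SUPERAntiSpyware reported above) against that list.
# Assumes PowerShell 3.0 or later on Windows with the standard IE registry layout.

function Resolve-ComClass {
    param([string]$Clsid)
    # COM registration lives under HKCR\CLSID\{guid}; the InprocServer32 default
    # value is the path of the DLL that IE will load into every browser window.
    $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $name = $null
    $dll  = $null
    $k = Get-Item -Path $clsKey -ErrorAction SilentlyContinue
    if ($k) { $name = $k.GetValue('') }
    $s = Get-Item -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue
    if ($s) { $dll = [Environment]::ExpandEnvironmentVariables([string]$s.GetValue('')) }
    $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
    $sig = 'n/a'
    if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $dll).Status }
    [PSCustomObject]@{
        CLSID     = $Clsid
        Name      = $name
        Dll       = $dll
        DllExists = $exists
        Signature = $sig
    }
}

function Get-RegisteredBho {
    # IE loads every CLSID listed under these keys at startup (the Wow6432Node
    # copy serves 32-bit IE and exists only on 64-bit Windows).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            Resolve-ComClass -Clsid $key.PSChildName |
                Add-Member -NotePropertyName Source -NotePropertyValue 'BHO registration' -PassThru
        }
    }
}

function Get-ExtStatsClsid {
    # Per-user bookkeeping IE keeps for add-ons it has loaded (BHOs and ActiveX).
    # Entries here without a matching BHO registration are ActiveX controls or
    # remnants of add-ons that were since removed; both are worth resolving.
    $stats = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
    if (Test-Path -Path $stats) {
        Get-ChildItem -Path $stats | ForEach-Object { $_.PSChildName }
    }
}

function Get-BhoTriage {
    $bhos = @(Get-RegisteredBho)
    $seen = @{}
    foreach ($b in $bhos) { $seen[$b.CLSID.ToUpperInvariant()] = $true }
    $bhos
    foreach ($clsid in Get-ExtStatsClsid) {
        if (-not $seen.ContainsKey($clsid.ToUpperInvariant())) {
            Resolve-ComClass -Clsid $clsid |
                Add-Member -NotePropertyName Source -NotePropertyValue 'Ext\Stats only' -PassThru
        }
    }
}

# Red flags in the output: a BHO whose DLL is missing or unsigned, has no friendly
# name, or lives somewhere other than Program Files or System32 (temp or profile
# directories in particular). Those CLSIDs are what to quarantine or research next.
Get-BhoTriage |
    Select-Object Source, CLSID, Name, Dll, DllExists, Signature |
    Sort-Object Source, Name |
    Format-Table -AutoSize -Wrap
```

Run it from the account that sees the injected page, since Ext\Stats is per-user; a clean machine typically shows only a handful of signed, vendor-named BHOs.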

#9 MrChips69 (Topic Starter)

Posted 18 March 2009 - 10:40 PM

Thanks again for your help so far!

I didn't find any of those three programs under "Add/Remove Programs". I ran the additional scan as requested and the report is pasted below:


SDFix: Version 1.240
Run by Bill on 19/03/2009 at 03:15

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\TFTP2500 - Deleted
C:\WINDOWS\system32\TFTP2960 - Deleted
C:\WINDOWS\system32\TFTP3036 - Deleted
C:\WINDOWS\system32\TFTP3828 - Deleted
C:\WINDOWS\system32\TFTP4092 - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 03:28:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\SYSTEM32\\wkssvr.exe"="C:\\WINDOWS\\SYSTEM32\\wkssvr.exe:*:Disabled:wkssvr"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Direct Connect\\Direct Connect.exe"="C:\\Program Files\\Direct Connect\\Direct Connect.exe:*:Enabled:Direct Connect"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\TorrentStorm\\Downloader\\tor020.exe"="C:\\Program Files\\TorrentStorm\\Downloader\\tor020.exe:*:Disabled:tor020"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Betfair Poker\\UA.exe"="C:\\Program Files\\Betfair Poker\\UA.exe:*:Enabled:UA Application"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Real\\RealPlayer\\trueplay.exe"="C:\\Program Files\\Real\\RealPlayer\\trueplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 9 Apr 2003 49,221 A..H. --- "C:\Program Files\AOL 8.0\aolphx.exe"
Wed 9 Apr 2003 36,937 A..H. --- "C:\Program Files\AOL 8.0\aoltray.exe"
Wed 9 Apr 2003 40,960 A..H. --- "C:\Program Files\AOL 8.0\RBM.exe"
Wed 9 Apr 2003 237,633 A..H. --- "C:\Program Files\AOL 8.0\waol.exe"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 29 Jun 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 9 Apr 2003 49,223 A..H. --- "C:\Program Files\AOL 8.0\COMIT\cswitch.exe"
Sun 18 Jan 2009 9,934,392 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Sat 13 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Bill\Application Data\U3\temp\Launchpad Removal.exe"
Sat 29 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\~WRL0005.tmp"
Sat 29 Mar 2008 25,088 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\~WRL1756.tmp"
Sun 3 Jun 2007 68,096 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\~WRL2367.tmp"
Sat 29 Mar 2008 31,232 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\~WRL2970.tmp"
Sun 23 Mar 2008 241,152 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\~WRL3449.tmp"
Sat 29 Mar 2008 28,160 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\~WRL3506.tmp"
Wed 9 Apr 2003 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\uk\shellext.dll"
Sun 2 Nov 2008 47,616 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Automotive\~WRL0003.tmp"
Sun 2 Nov 2008 27,136 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Automotive\~WRL0292.tmp"
Sun 2 Nov 2008 48,128 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Automotive\~WRL1548.tmp"
Sun 2 Nov 2008 27,136 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Automotive\~WRL2951.tmp"
Fri 28 Dec 2007 57,344 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL0006.tmp"
Sat 29 Dec 2007 75,264 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL0055.tmp"
Fri 28 Dec 2007 46,080 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL0112.tmp"
Fri 28 Dec 2007 43,008 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL0195.tmp"
Sat 29 Dec 2007 77,312 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL0224.tmp"
Sat 29 Dec 2007 56,832 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL0555.tmp"
Sat 5 Jan 2008 131,584 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL0654.tmp"
Fri 28 Dec 2007 59,904 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL0882.tmp"
Sat 29 Dec 2007 56,832 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1063.tmp"
Fri 28 Dec 2007 41,984 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1086.tmp"
Sat 29 Dec 2007 82,944 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1263.tmp"
Sat 29 Dec 2007 91,648 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1327.tmp"
Sat 29 Dec 2007 67,584 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1602.tmp"
Fri 28 Dec 2007 55,296 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1624.tmp"
Sat 29 Dec 2007 77,824 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1659.tmp"
Fri 28 Dec 2007 64,000 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1842.tmp"
Fri 28 Dec 2007 42,496 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1845.tmp"
Fri 28 Dec 2007 58,880 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL1943.tmp"
Fri 28 Dec 2007 73,728 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2077.tmp"
Fri 28 Dec 2007 55,296 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2228.tmp"
Fri 28 Dec 2007 57,344 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2430.tmp"
Fri 28 Dec 2007 50,176 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2442.tmp"
Fri 28 Dec 2007 75,264 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2496.tmp"
Fri 28 Dec 2007 70,656 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2520.tmp"
Sat 29 Dec 2007 64,000 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2559.tmp"
Fri 28 Dec 2007 64,000 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2563.tmp"
Sat 29 Dec 2007 52,224 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2604.tmp"
Sat 29 Dec 2007 61,952 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2666.tmp"
Sat 29 Dec 2007 67,072 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2693.tmp"
Sat 29 Dec 2007 64,512 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL2944.tmp"
Fri 28 Dec 2007 69,120 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3020.tmp"
Fri 28 Dec 2007 71,680 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3040.tmp"
Fri 28 Dec 2007 37,376 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3256.tmp"
Fri 28 Dec 2007 68,096 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3286.tmp"
Fri 28 Dec 2007 71,168 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3342.tmp"
Fri 28 Dec 2007 44,544 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3349.tmp"
Fri 28 Dec 2007 75,264 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3352.tmp"
Fri 28 Dec 2007 66,048 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3449.tmp"
Fri 28 Dec 2007 44,544 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3494.tmp"
Fri 28 Dec 2007 55,808 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3554.tmp"
Fri 28 Dec 2007 48,128 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3570.tmp"
Sun 16 Dec 2007 35,840 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3729.tmp"
Fri 28 Dec 2007 72,192 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3868.tmp"
Fri 28 Dec 2007 66,048 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3924.tmp"
Fri 28 Dec 2007 59,392 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Retail banking\~WRL3955.tmp"
Sun 15 Feb 2009 31,744 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Wedding\~WRL0002.tmp"
Sun 1 Mar 2009 32,256 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Wedding\~WRL1364.tmp"
Sun 1 Mar 2009 34,304 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Wedding\~WRL1817.tmp"
Sun 1 Mar 2009 33,792 ...H. --- "C:\Documents and Settings\Bill\My Documents\My Pictures\N\Wedding\~WRL3271.tmp"

Finished!

What next? ;-)

#10 MrChips69 (Topic Starter)

Posted 19 March 2009 - 01:42 PM

bumpity bump ;-)

#11 boopme (Global Moderator)

Posted 19 March 2009 - 01:49 PM

Hi, this looks good now. Are there any symptoms on your end?
We should do one more MBAM...
Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#12 MrChips69 (Topic Starter)

Posted 19 March 2009 - 02:25 PM

Ok, I started the scan and just as it was starting I got the "blue screen of death"! I rebooted and tried again and this time it ran successfully - report below. As for symptoms, Internet Explorer wasn't working (same problem as posted in original post). I changed the connection option from "dial whenever a network connection is not present" to "never dial a connection" and that seems to have sorted it. Should I keep it on this option permanently?

I went back to the internet banking site and tried to log on with completely false details - again, rather than telling me my details were wrong, I was taken to this page asking for "dodgy" details so I guess the problem is still there :thumbsup: Is there anything else I can try?

Malwarebytes' Anti-Malware 1.34
Database version: 1871
Windows 5.1.2600 Service Pack 3

19/03/2009 19:17:15
mbam-log-2009-03-19 (19-17-15).txt

Scan type: Quick Scan
Objects scanned: 67213
Time elapsed: 9 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 MrChips69 (Topic Starter)

Posted 19 March 2009 - 06:17 PM

Any ideas?

#14 boopme (Global Moderator)

Posted 19 March 2009 - 06:24 PM

Hi, the restart was most likely from all the registry changes: cleaned and corrupted ones that needed to get reset.
Ok we are going to run the scanning portion of
S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#15 MrChips69 (Topic Starter)

Posted 19 March 2009 - 06:32 PM

Thanks for bearing with me! Here is the log:

SmitFraudFix v2.405

Scan done at 23:28:33.35, 19/03/2009
Run from C:\Documents and Settings\Bill\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Bill


C:\DOCUME~1\Bill\LOCALS~1\Temp


C:\Documents and Settings\Bill\Application Data


Start Menu


C:\DOCUME~1\Bill\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 62.24.139.139
DNS Server Search Order: 62.24.139.140

HKLM\SYSTEM\CCS\Services\Tcpip\..\{34143E33-DEC5-49D0-BC1A-ACE7B078A2C3}: NameServer=62.24.139.139 62.24.139.140
HKLM\SYSTEM\CS1\Services\Tcpip\..\{34143E33-DEC5-49D0-BC1A-ACE7B078A2C3}: NameServer=62.24.139.139 62.24.139.140
HKLM\SYSTEM\CS3\Services\Tcpip\..\{34143E33-DEC5-49D0-BC1A-ACE7B078A2C3}: NameServer=62.24.139.140 62.24.139.139


Scanning for wininet.dll infection


End



