Web Banking Hijacked


3 replies to this topic

#1 Horatio_too

Horatio_too

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:10 AM

Posted 04 December 2009 - 11:01 AM

Hi

Although I work in IT, it is mainly on the database & process improvement side of things and I am a little out of my depth on this one and would appreciate some help.

A couple of days ago, a friend-of-a-friend brought round his laptop which he said 'had a virus' and was generally slow, so I said I'd take a look.

The laptop already had Sophos installed and a scan showed a couple of Trojans, which it claimed to have removed (stupidly I did not note what).

Just to be sure, I popped the drive out and scanned it using our own PCs - Panda, Trend Housecall, NIS 2010 and F-Secure all claimed that the drive was clear.

Although the PC was still not 'quick', it was far better than it had been initially and as it was only a 1.6GHz, I thought nothing of it and returned the laptop.

Unfortunately, when the user logged onto his Web Banking (he uses LloydsTSB here in the UK), it was clear that something was still wrong with the machine.

He demoed this to me by logging onto the bank on both his laptop and desktop. The first couple of screens on both machines were the same, but then the laptop prompted him for all of the sorts of things that a bank would NEVER ask for - credit card number, PINs etc., whereas the (uninfected) desktop showed the expected screen.

As such, there is clearly something still amiss with the laptop, but on the basis of no less than FIVE mainstream AV products giving it the 'all clear' - what?

Many thanks in advance for any advice or assistance that you can give on this.

Horatio_too
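The poster's side-by-side test (clean desktop vs. suspect laptop, same bank page) is a sound way to spot injected form fields. The following is an added example, not code from the thread: it automates that comparison by extracting the visible input fields from two saved copies of the login page and flagging any field that only appears on the suspect machine. The two HTML snippets are constructed samples, not LloydsTSB pages.

```python
"""Diff the input fields of a bank login page captured on a clean machine
against the same page captured on a suspect machine, flagging injected prompts."""
from html.parser import HTMLParser


class FieldCollector(HTMLParser):
    """Collect the name (or id) of every user-visible <input>, <select> and <textarea>."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            # Hidden/submit/button controls carry no user input, so ignore them.
            if (a.get("type") or "").lower() in ("hidden", "submit", "button"):
                return
            self.fields.append((a.get("name") or a.get("id") or "?").lower())


def collect_fields(html):
    parser = FieldCollector()
    parser.feed(html)
    return parser.fields


# Words a genuine login step should never ask for; an injected field containing
# one of these is the strongest indicator of a man-in-the-browser web inject.
SENSITIVE = ("card", "pin", "cvv", "passcode", "memorable", "secret")


def injected_fields(clean_html, suspect_html):
    """Return fields present on the suspect page but absent from the clean baseline."""
    baseline = set(collect_fields(clean_html))
    return [f for f in collect_fields(suspect_html) if f not in baseline]


def is_sensitive(field):
    return any(word in field for word in SENSITIVE)


# Constructed sample captures standing in for the poster's desktop and laptop.
CLEAN = """<form><input name="userid"><input type="password" name="password">
<input type="submit" value="Continue"></form>"""
SUSPECT = """<form><input name="userid"><input type="password" name="password">
<input name="card_number"><input name="atm_pin"><input name="mothers_maiden_name">
<input type="submit" value="Continue"></form>"""

if __name__ == "__main__":
    for field in injected_fields(CLEAN, SUSPECT):
        print(f"{'SENSITIVE' if is_sensitive(field) else 'extra'} field injected: {field}")
```

Save the page source from each machine (browser "View Source") and feed the two files in place of the constants; any output at all means the suspect browser is rendering content the bank did not send.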


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:08:10 PM

Posted 06 December 2009 - 04:22 PM

Because the computer has been so badly compromised, without even knowing the infection, I must caution you with this warning

IMPORTANT NOTE: One or more of the identified infections (TDSSmaxt.sys) was related to a nasty variant of the TDSSSERV rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Even when identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

  • "When should I re-format? How should I reinstall?"
  • "Help: I Got Hacked. Now What Do I Do?"
  • "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

Edited by garmanma, 06 December 2009 - 04:26 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Horatio_too

Horatio_too
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:10 AM

Posted 07 December 2009 - 07:36 AM

Hi Garmanma

Many thanks for your reply.

In normal circumstances, I would completely agree with you that scrubbing the drive and reinstalling would be the best way to proceed.

Unfortunately, however, the infected PC is a laptop and the XP CoA on the bottom of the machine has been damaged at some point, so most of the key is unreadable. This means that a reinstallation would also require another copy of XP to be purchased and, given the age of the machine, would probably cost more than the value of the laptop!

Therefore, I would say that the only option, in this particular case, is to attempt to remove whatever nasties still remain. Is this something that you can advise on?

Many thanks in advance

Horatio_too

#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:08:10 PM

Posted 07 December 2009 - 06:38 PM

If the laptop is still operational, you can retrieve the key using Magical Jellybean:
http://www.magicaljellybean.com/keyfinder/