
bankerfox.a


  • This topic is locked
46 replies to this topic

#1 silverspoon (Members)

Posted 18 January 2011 - 04:16 PM

I had this virus and was able to remove most of it with MBAM. I am still getting redirects to Infomash and others...so I disabled the internet connection, as well as the AV (McAfee and ThreatFire). The connection issue seems to be the main problem, however some of the .docs aren't able to open (due to MS WORD converter??).

I have to work in resolving this issue thru another pc via (D:) due to the inability of getting a proper connection with the affected pc, an older, but normally reliable IBM notebook R51 (XP Pro)...no doubt running too many processes.

1) Google Redirect
2) Word Converter (?)
3) Processes (start up)

The files can be viewed at:
http://www.mediafire.com/?55l3wrfc7v5y7

Or see attached:
Attached File  Attach.txt   21.81KB   2 downloads
Attached File  TMRB1.txt   958bytes   1 downloads
Attached File  DDS.txt   18.14KB   4 downloads

Edited by silverspoon, 18 January 2011 - 05:34 PM.



#2 RPMcMurphy (Malware Response Team)

Posted 23 January 2011 - 03:25 PM

Hello and welcome. I apologize for the delay. If you no longer need help with this issue, we would appreciate you letting us know. Otherwise, please perform the following steps so I can have a look at the current condition of your machine. I realize that you have already posted logs, but because of the time that has passed I'd like a fresh set.

Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 silverspoon (Topic Starter)

Posted 25 January 2011 - 08:01 PM

Sorry for the delay in reply...
Yes, I'm still interested in getting the issue resolved.
Not successful in getting the gmer.exe tool to run. Tried twice in normal mode and twice in safe mode.
It stalled each time. The fourth time I did give it a WTF look...
I do have RootKitBuster if that would be of any help in identifying what you're looking for.


The newer files are here:
Attached File  DDS1.25.txt   15.89KB   2 downloads
Attached File  Attach1.25.txt   9.34KB   1 downloads

#4 RPMcMurphy (Malware Response Team)

Posted 25 January 2011 - 10:33 PM

silverspoon:

Please run this for me instead of GMER

Please download Rootkit Unhooker and save it on your desktop.
  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.
Note - You may get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please include the following in your next post:
  • Rootkit Unhooker log



#5 silverspoon (Topic Starter)

Posted 26 January 2011 - 04:00 PM

In order to get RKUnhook to run I ended up uninstalling the AV (McAfee) entirely (I had disabled it initially).
Not necessary in every case I'm sure, but it did the scan (well over an hour) without issue.

See file:
Attached File  RKUReport.txt   43.98KB   1 downloads

If you get to this on Wednesday I'll answer back...however...
***I will be traveling Thursday-Monday

PLEASE KEEP ME (this thread) ACTIVE!!
I WILL BE BACK!!!

---Thanks

#6 RPMcMurphy (Malware Response Team)

Posted 26 January 2011 - 10:50 PM

silverspoon:

I'll keep the thread open - thank you for letting me know. Please do this when you can:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log



#7 silverspoon (Topic Starter)

Posted 01 February 2011 - 05:23 PM

Thanks for your continued effort.

The ComboFix log is here:
Attached File  CFlog.txt   15.81KB   4 downloads

#8 RPMcMurphy (Malware Response Team)

Posted 01 February 2011 - 09:00 PM

silverspoon:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
Trusted Zone: MarketConnection.com
Trusted Zone: MarketConnection.com\www
Trusted Zone: MySodexho.com
Trusted Zone: MySodexho.com\www
Trusted Zone: MySodexo.com
Trusted Zone: MySodexo.com\www
Trusted Zone: sodexhoinfo-usa.com
Trusted Zone: Sodexo.com
Trusted Zone: Sodexo.com\www
Trusted Zone: sodexonet.com
DirLook::
c:\documents and settings\All Users\Application Data\eHaGc08400
Driver::
ALG
Eventlog
clr_optimization_v2.0.50727_32
SharedAccess
helpsvc
Wmi
McDetect.exe
NetDDE
TapiSrv
SwPrv

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    regedit.*
    Version.*
    winlogon.*
    explorer.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please include the following in your next post:
  • ComboFix log
  • SystemLook log

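The CFScript above removes a ProxyServer that points at 127.0.0.1:8074, the ProxyOverride, and a set of Trusted Zone entries. Those are the registry indicators of a browser hijack on this machine: a local process listening on a loopback port sits in the browser's path and can rewrite search results and redirect Google clicks, which matches the symptoms reported in the first post. The following is an added example, not part of the thread and not DDS, ComboFix or any tool the helper uses. It takes lines in the shape DDS prints them (the sample lines are constructed for the example), flags a proxy on a loopback address, and lists Trusted Zone hosts that are not on a caller-supplied list of sites the owner actually added; the severity labels and the `expected_trusted` parameter are this example's own choices.

```python
"""Flag browser-hijack indicators in DDS-style 'Internet Settings' lines.

Added example for this thread; it is not DDS, ComboFix or anything the
helper posted. The indicator classes are the ones the CFScript above
removes: a ProxyServer on a loopback address (a local process sitting in
the browser's path), ProxyOverride, and Trusted Zone entries the owner did
not add. SAMPLE_DDS_LINES is constructed for the example.
"""
import ipaddress
import re

HIVE = {"u": "HKCU", "m": "HKLM"}  # DDS prefixes: u = per-user, m = machine-wide

# Constructed sample in the shape DDS prints, mixing the post's indicators
# with benign entries that must not be flagged.
SAMPLE_DDS_LINES = """\
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
mStart Page = hxxp://www.google.com/
Trusted Zone: MarketConnection.com
Trusted Zone: sodexonet.com\\www
uURLSearchHooks: {...}
""".splitlines()

PROXY_RE = re.compile(r"^(?P<hive>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
OVERRIDE_RE = re.compile(r"^(?P<hive>[um])Internet Settings,ProxyOverride\s*=\s*(?P<value>.+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?P<host>\S+)$")
# WinINet proxy strings: "host:port" or "http=host:port;https=host:port;..."
ENDPOINT_RE = re.compile(r"(?:(?P<scheme>[a-z]+)=)?(?P<host>\[[^\]]+\]|[^=:;\s]+):(?P<port>\d+)")


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost'."""
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def analyze(lines, expected_trusted=()):
    """Return (severity, description) findings, in input order."""
    findings = []
    expected = {h.lower() for h in expected_trusted}
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for ep in ENDPOINT_RE.finditer(m.group("value")):
                where = f"{ep.group('host')}:{ep.group('port')}"
                hive = HIVE[m.group("hive")]
                if is_loopback(ep.group("host")):
                    findings.append(("high", f"{hive} {ep.group('scheme') or 'all'} proxy on "
                                             f"loopback {where}: a local process is in the browser's path"))
                else:
                    findings.append(("info", f"{hive} proxy {where}: confirm it is expected"))
            continue
        m = OVERRIDE_RE.match(line)
        if m:
            # Harmless by itself; listed because the CFScript removes it together with the proxy
            findings.append(("info", f"{HIVE[m.group('hive')]} ProxyOverride = {m.group('value')}"))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            host = m.group("host").lower()
            if host.endswith("\\www"):  # DDS lists the www subdomain as a separate entry
                host = host[:-4]
            if host not in expected:
                findings.append(("low", f"Trusted Zone entry not on the expected list: {host}"))
    return findings


if __name__ == "__main__":
    for severity, text in analyze(SAMPLE_DDS_LINES, expected_trusted=["sodexonet.com"]):
        print(f"[{severity}] {text}")
```

A loopback proxy is the finding that matters: the port number varies between infections, so the check is on the address, not on 8074. Trusted Zone entries only lower Internet Explorer's security settings for those sites, so they are worth removing but are not themselves evidence of what is running on the machine.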


#9 silverspoon (Topic Starter)

Posted 02 February 2011 - 10:28 AM

I've had success with most of the file transfers via cd to the affected pc. This latest .exe file SystemLook is not able to open after transfer to the IBM thinkpad desktop. The AV has previously been entirely removed and I've attempted at least three different methods of copy/transfer with the same failed result. I suspect internet connection with the thinkpad pc through a browser is still going to be a redirect issue, so I haven't tried.

The window: "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem."

Please advise...
The second ComboFix log is here:
Attached File  CFlog2.txt   14.15KB   3 downloads
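The SystemLook :filefind step requested in the previous reply, which could not be run on this machine, enumerates every copy of regedit.*, Version.*, winlogon.* and explorer.* with its size and location, so that a patched or infected copy of a core binary stands out against the other copies. The script below is an added example, not SystemLook and not anything from the thread; it does the same enumeration with fnmatch patterns and adds a SHA-256 comparison between copies of the same file name. It assumes the usual Windows XP layout in which system32\dllcache holds a second copy of protected files, and builds a small constructed directory tree (not a real Windows installation) so that it runs anywhere.

```python
"""Walk a tree for files matching SystemLook-style patterns, hash each
copy, and report names whose copies differ from one another.

Added example, not the SystemLook tool and not from the thread. It assumes
the Windows XP layout where system32\\dllcache keeps a second copy of
protected binaries; a patched explorer.exe or winlogon.exe then shows up
as a size/hash mismatch against the dllcache copy. build_sample_tree()
creates a constructed stand-in for C:\\WINDOWS so the script runs offline.
"""
import fnmatch
import hashlib
import os
import tempfile

# The patterns from the :filefind request in the thread
PATTERNS = ["regedit.*", "Version.*", "winlogon.*", "explorer.*"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def file_find(root, patterns):
    """Return {lower-case name: [(path, size, sha256), ...]} for matching files."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns):
                continue
            path = os.path.join(dirpath, name)
            found.setdefault(name.lower(), []).append((path, os.path.getsize(path), sha256_of(path)))
    return found


def mismatches(found):
    """Names that exist in more than one place with differing contents."""
    return sorted(name for name, copies in found.items()
                  if len(copies) > 1 and len({digest for _, _, digest in copies}) > 1)


def build_sample_tree():
    """Constructed stand-in for C:\\WINDOWS. The file contents are dummy
    bytes; the only thing that matters is which copies agree."""
    root = tempfile.mkdtemp(prefix="xp_")
    layout = {
        "explorer.exe":                   b"MZ explorer original" + b"\x90" * 16,  # altered live copy
        "system32/dllcache/explorer.exe": b"MZ explorer original",
        "system32/winlogon.exe":          b"MZ winlogon",
        "system32/dllcache/winlogon.exe": b"MZ winlogon",
        "system32/version.dll":           b"MZ version",
        "system32/dllcache/version.dll":  b"MZ version",
        "regedit.exe":                    b"MZ regedit",
        "system32/notepad.exe":           b"MZ notepad",  # outside PATTERNS, must be ignored
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = file_find(root, PATTERNS)
    for name, copies in sorted(found.items()):
        for path, size, digest in copies:
            print(f"{name:14} {size:6d} {digest[:16]}  {os.path.relpath(path, root)}")
    print("mismatched copies:", mismatches(found))  # ['explorer.exe']
```

On a real machine the comparison is only as good as the reference copy: if dllcache is missing or has itself been replaced, the copies agree and nothing is reported, which is why the helper also asks for the size and version of each copy rather than a single verdict.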

#10 RPMcMurphy (Malware Response Team)

Posted 02 February 2011 - 07:43 PM

Do you have a Windows XP Professional SP2 install disk available?



#11 silverspoon (Topic Starter)

Posted 02 February 2011 - 08:38 PM

No, it was pre-installed.

#12 RPMcMurphy (Malware Response Team)

Posted 03 February 2011 - 12:09 AM

silverspoon:

Please do this next:

You need to update your OS. Windows XP SP2 is no longer supported, thus you are not receiving critical updates.

Download the latest Windows XP service pack from the Microsoft Download Center. This page will say that this installation package is intended for IT professionals and developers. However, you can safely download this file.

http://www.microsoft.com/downloads/details.aspx?FamilyID=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

After doing the update, run ComboFix again

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log



#13 silverspoon (Topic Starter)

Posted 03 February 2011 - 09:50 AM

I suppose if this were easy, it'd be done.
Just as a review, I have run ComboFix twice already and posted the logs.
SystemLook.exe will not open.

The requested update to XP SP3 extracts almost all its files and then ends with:
"Setup Error"--"The system cannot find the file specified."
So, the installation did not complete. (Tried it twice--same result)

There must be another method of identifying corrupted files, a similar tool to SystemLook perhaps.
Also, I would assume that Bleeping Computers has encountered bankerfox.a (if that IS what this pc was infected with) on an XP OS and determined a successful methodology of quarantine and clean-up, maybe even before SP3 was available. So, if updating to SP3 is not an available option at this point, are there other tools to use?

I guess the obvious question in this particular battle is: What is it that a third run of ComboFix is hoping to discover that wasn't previously posted?

#14 RPMcMurphy (Malware Response Team)

Posted 03 February 2011 - 11:45 AM

silverspoon:

Apparently we need to back up and cover a few things before moving on, as this form of help may not be suited to you:

    I suppose if this were easy, it'd be done.

That much is correct. Malware removal can sometimes be a lengthy and tedious process.

    Just as a review, I have run ComboFix twice already and posted the logs.
    SystemLook.exe will not open.

Despite how you may feel, I am paying close attention to your replies and am acutely aware that you have run ComboFix twice and were unable to run SystemLook. If I need a review, I will scroll up.

    There must be another method of identifying corrupted files, a similar tool to SystemLook perhaps.
    Also, I would assume that Bleeping Computers has encountered bankerfox.a (if that IS what this pc was infected with) on an XP OS and determined a successful methodology of quarantine and clean-up, maybe even before SP3 was available. So, if updating to SP3 is not an available option at this point, are there other tools to use?

I have already identified the corrupted files as well as your primary remaining infection several posts ago, thank you. bankerfox.a was the least of your troubles. There are various removal techniques for your remaining infection and I am in the process of trying to move through them with you.

    I guess the obvious question in this particular battle is: What is it that a third run of ComboFix is hoping to discover that wasn't previously posted?

ComboFix is not just a scanner that I am running repeatedly expecting a different result each time. It is a very powerful, multifaceted tool that myself and the other volunteers here receive extensive training on. We will not discuss the how's and why's of ComboFix, or any of the specialized tools we use, as malware authors monitor these forums attempting to harvest such information.

While I understand your frustration, I do not appreciate your condescending attitude. You connected a PC to the internet running an out of date, unsupported operating system along with having other vulnerable, out of date applications on board. This made you more susceptible to infection and indeed you picked up more than one. Requesting help in this format (internet forum) is a bit of a leap of faith and understandably isn't for everyone. You may be better off taking your PC to a qualified local repair shop, where as a paying customer you can be as demanding and condescending as you wish. Please decide how you wish to proceed and let me know.



#15 silverspoon (Topic Starter)

Posted 03 February 2011 - 12:55 PM

While I don't admit to being dismissive or "condescending", I will say that without dialog it has led to some speculation on my part. Please don't be offended by that; it's only diagnostic curiosity. And, obviously, some frustration, again on my part, with tools, etc. not operating as expected. I could have initially taken the pc to a shop and perhaps had it fixed. I would have learned nothing. I'm interested in this process and with problem solving, both technically and otherwise. Going forward I'll have to accept (on a public forum) the degree to which you state the details of resolving the malware issues need to remain under wraps... but, please, we've come this far; let's continue.
