
Webmoney Advisor


  • This topic is locked
32 replies to this topic

#1 jamesseattle

  • Members
  • 18 posts

Posted 27 June 2011 - 07:58 AM

My bank is telling me I have "WebMoney Advisor" on my computer and tells me that they can detect this when I log into my bank's web page. Yet McAfee Security Center (fully updated) cannot detect it. Neither can any of the major free spyware detection tools. Currently my bank has switched off my user account until this is resolved. Any advice would be highly appreciated. I have tried McAfee Stinger and I have tried Malwarebytes and SuperAntiSpyware and they found nothing.

The only reference I can find to Webmoney advisor is:


http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=101042


"Once installed, the Trojan captures data from HTTPS sessions, specifically to several banking sites. Domains containing any of the following strings are targeted:

Captured data is then sent via HTTP to be processed by a script residing on a remote server:

www.refestltd.com

Administrators should block HTTP access to this domain." This is exactly what my bank is warning me of. So they must be detecting something of this type. I have the latest McAfee Security Center running with all the latest updates. So I am mystified why this has not been detected.

EDIT: Posts merged ~Budapest

Attached Files


Edited by Budapest, 27 June 2011 - 04:45 PM.




#2 sempai (noypi)

  • Malware Response Team
  • 5,288 posts

Posted 01 July 2011 - 11:59 AM

Hello jamesseattle and welcome to BC. :)

Sorry about the delay, do you still need help?

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sempai (noypi)

  • Malware Response Team
  • 5,288 posts

Posted 07 July 2011 - 07:49 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

~Semp



#4 sempai (noypi)

  • Malware Response Team
  • 5,288 posts

Posted 14 July 2011 - 06:28 AM

This topic has been re-opened at the request of the person who originally posted.

~Semp



#5 sempai (noypi)

  • Malware Response Team
  • 5,288 posts

Posted 14 July 2011 - 06:36 AM

Hi,

Please reply with the current status of your computer, state all problems and the actions that you've tried in order to fix the problem[s].


Step 1: Download OTL by OldTimer from one of the links below:

Link 1
Link 2

  • Save it to your desktop.
  • Close all open windows on the Task Bar.
  • Double click the OTL icon to run the program (run as Administrator for Windows Vista/7).
  • Put a check mark on Scan All Users.
  • Click the Run Scan button and let it run uninterrupted.
  • It will create two reports namely OTL.txt (will be opened) and Extras.txt (will be minimized).
  • Post the contents of both reports when you reply.
  • Exit OTL.


Step 2: Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.


Step 3: Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.

~Semp



#6 jamesseattle

  • Topic Starter
  • Members
  • 18 posts

Posted 14 July 2011 - 10:32 PM

Hi Sempai,

This is a summary of what I have tried so far and what the current situation is:

https://community.mcafee.com/message/197808

I will post the rest of the information you request as soon as I can.

Thanks, James

#7 jamesseattle

  • Topic Starter
  • Members
  • 18 posts

Posted 15 July 2011 - 01:15 AM

Hi Sempai, I have attached the requested files. Thank you for your help. James

Attached Files


Edited by jamesseattle, 15 July 2011 - 01:35 AM.


#8 jamesseattle

  • Topic Starter
  • Members
  • 18 posts

Posted 15 July 2011 - 01:42 AM

Hi Sempai, I forgot to attach this file. Regards, James

Attached Files

  • Attached File  OTL.Txt   158.52KB   5 downloads


#9 sempai (noypi)

  • Malware Response Team
  • 5,288 posts

Posted 15 July 2011 - 07:23 AM

Hi James,

Please do not run any other tools or install any updates unless instructed to, do not follow different instructions in different forums at the same time because this will do more harm than good. Please do not attach logs unless instructed.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#10 jamesseattle

  • Topic Starter
  • Members
  • 18 posts

Posted 16 July 2011 - 01:14 AM

Hi Sempai,

I have attached the file as requested.

Regards, James

Attached Files



#11 jamesseattle

  • Topic Starter
  • Members
  • 18 posts

Posted 16 July 2011 - 06:12 AM

Hi Sempai, I realised I had some applications running for the scan I attached on the previous post, so I closed these and redid the scan. I have attached the result. Please confirm what else you need me to do. One interesting thing is that the user agent string for Explorer no longer has MAAU in it: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)". So this may have been changed by ComboFix the first time I ran it. Please provide feedback as soon as possible. Regards, James

Attached Files
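The two indicators this thread turns on are network-side: the McAfee write-up quoted in post #1 names www.refestltd.com as the domain the trojan posts captured data to and tells administrators to block HTTP access to it, and in post #11 James notices an extra "MAAU" token in his Internet Explorer User-Agent string that disappeared after ComboFix ran (his own observation; the thread never confirms what put it there). The script below is an added example, not code from the thread, from McAfee or from Malwarebytes, and it shows what a helper on the network side can do with those two facts: walk a proxy log, flag any request to the listed domain, and flag User-Agent strings that carry tokens the stock IE9-on-Windows-7 string (the one James quotes) does not. The log format, the client addresses and the sample lines are constructed for the example; the `.test` host names are reserved names, and only the McAfee-listed domain is taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import urlsplit

# Domain named in the McAfee write-up quoted in post #1.
EXFIL_DOMAIN = "www.refestltd.com"
# Stock IE9 / Windows 7 User-Agent, as quoted by James in post #11.
BASELINE_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

# Hypothetical proxy log format (an assumption for this example):
#   client-ip method url "user-agent"
LINE_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample lines. Only www.refestltd.com comes from the page; the
# other hosts are reserved .test names and the IPs are made up.
SAMPLE_LOG = """\
10.0.0.12 GET https://online.examplebank.test/login "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
10.0.0.12 POST http://www.refestltd.com/ "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
10.0.0.15 GET https://www.example.test/ "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
"""


@dataclass
class Finding:
    client: str
    kind: str     # "exfil-domain" or "ua-anomaly"
    detail: str


def ua_tokens(ua: str) -> Set[str]:
    """Split an IE-style User-Agent into its leading product token plus the
    semicolon-separated tokens inside the parentheses."""
    head, sep, rest = ua.partition("(")
    tokens = {head.strip()} if head.strip() else set()
    if sep:
        inner = rest.rsplit(")", 1)[0]
        tokens |= {t.strip() for t in inner.split(";") if t.strip()}
    return tokens


BASELINE_TOKENS = ua_tokens(BASELINE_UA)


def unexpected_ua_tokens(ua: str) -> Set[str]:
    """Tokens in `ua` that the stock IE9 string does not carry."""
    return ua_tokens(ua) - BASELINE_TOKENS


def scan_proxy_log(text: str) -> List[Finding]:
    """Return one Finding per indicator hit; malformed lines are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # hostname lower-cases and strips any :port, so a plain compare is enough
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host == EXFIL_DOMAIN:
            findings.append(Finding(m["client"], "exfil-domain", f"{m['method']} {m['url']}"))
        extra = unexpected_ua_tokens(m["ua"])
        if extra:
            findings.append(Finding(m["client"], "ua-anomaly", ", ".join(sorted(extra))))
    return findings


def affected_clients(findings: List[Finding]) -> Set[str]:
    """Client addresses with at least one finding, i.e. the machines to look at."""
    return {f.client for f in findings}


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.client}  {f.kind:13s} {f.detail}")
```

The User-Agent baseline is deliberately one exact string: the point is to surface tokens a given browser build never emits, so in real use the baseline has to be built per browser version from known-good machines, or every legitimate add-on token will be reported. The domain check fires on any scheme, which is stricter than the write-up's "block HTTP access"; a blocked request still tells you which client tried to reach the domain.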



#12 sempai (noypi)

  • Malware Response Team
  • 5,288 posts

Posted 16 July 2011 - 08:13 AM

Hi,

Please do not attach logs unless instructed.


Step 1: Please download Malwarebytes' Anti-Malware from here:

MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




Step 2: ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, but make sure you copy the logfile first.
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

~Semp



#13 jamesseattle

  • Topic Starter
  • Members
  • 18 posts

Posted 16 July 2011 - 08:30 AM

Hi Sempai,

As requested

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 7161

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

7/16/2011 6:27:20 AM
mbam-log-2011-07-16 (06-27-20).txt

Scan type: Quick scan
Objects scanned: 178873
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Regards, James
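Helpers in threads like this read a lot of pasted MBAM logs, and the summary block (the seven "... Infected: N" lines) is what they check first. The parser below is an added example, not code from the thread or from Malwarebytes: it reads the layout of the 1.50 log James pasted above into a dictionary, reports whether the scan was clean, and cross-checks each summary count against the number of detail lines actually listed under that heading, which catches a paste that was truncated. The sample log is constructed to mirror James's layout; its "Registry Keys Infected" count is changed to 1 and the detection line is a placeholder so that the non-clean path is exercised.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the MBAM 1.50 log pasted in post #13.
# The registry-key hit and its detail line are placeholders, not real detections.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 7161

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

Scan type: Quick scan
Objects scanned: 178873
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\\Software\\PlaceholderKey (PUP.Placeholder) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Summary line: "<category> Infected: <n>"
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Header metadata worth keeping (database version tells you how stale the signatures were).
META_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<value>.+)$")


def parse_mbam_log(text: str) -> Dict[str, dict]:
    """Parse the summary counts, header metadata and per-category detail lines."""
    report: Dict[str, dict] = {"meta": {}, "counts": {}, "items": {}}
    current = None  # detail section we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            report["counts"][m["category"]] = int(m["count"])
            current = None
            continue
        m = META_RE.match(line)
        if m:
            report["meta"][m["key"]] = m["value"]
            continue
        if line.endswith(" Infected:"):
            # "<category> Infected:" with no number opens a detail section
            current = line[:-1]
            report["items"].setdefault(current, [])
            continue
        if current is not None and not line.startswith("(No malicious items"):
            report["items"][current].append(line)
    return report


def is_clean(report: Dict[str, dict]) -> bool:
    """True only if a summary block was found and every count is zero."""
    return bool(report["counts"]) and sum(report["counts"].values()) == 0


def consistency_problems(report: Dict[str, dict]) -> List[str]:
    """Summary count vs. detail lines listed; a mismatch means the paste is
    truncated or edited and the log should be requested again."""
    problems = []
    for cat, n in report["counts"].items():
        listed = len(report["items"].get(cat, []))
        if n != listed:
            problems.append(f"{cat}: summary says {n}, {listed} listed")
    return problems


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print("clean:", is_clean(r), "| database:", r["meta"].get("Database version"))
    print("problems:", consistency_problems(r) or "none")
```

Run against James's actual log (all counts zero, every section "(No malicious items detected)") the parser returns clean with no consistency problems, which matches sempai's "Looks good" in the next post.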

#14 sempai (noypi)

  • Malware Response Team
  • 5,288 posts

Posted 16 July 2011 - 08:34 AM

Looks good, let's wait for the result of ESET. :)

~Semp



#15 jamesseattle

  • Topic Starter
  • Members
  • 18 posts

Posted 16 July 2011 - 08:36 AM

Hi Sempai,


7/16/2011 6:35:01 AM
mbam-log-2011-07-16 (06-35-01).txt

Scan type: Quick scan
Objects scanned: 178823
Time elapsed: 1 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Regards, James



