Bank account details stolen

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mixa, Jul 3, 2012.

  1. mixa

    mixa Private E-2

    Hi there. I am checking the laptop of a friend who has had problems with online banking. He received a letter from the bank advising that they had detected unusual activity on the account and had stopped an attempt to transfer out an important amount of money. In conversations with the bank, they suggested the origin of the problem could be that his computer is infected. He is sure that he has only ever accessed his online bank from this computer.

    The laptop is running Windows 7 Home Premium SP1 (in Catalan/Spanish) with all current updates and uses AVG Free Anti-Virus and Windows Firewall. It works fine and shows no obvious problems although the ‘Event History Log’ of AVG 2012 shows ‘Ignoring the Anti-Virus component state was enabled’ after each start-up even though this option is not selected.

    I have run the processes indicated for Windows 7 in the Malware Removal Guide and attach the files created. I would be grateful if someone could explain whether or not the threats detected by HitmanPro are capable of ‘stealing’ bank details. I would also be grateful for any additional ‘cleaning’ instructions that you would suggest.

    Thanks in advance for your help.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hello mixa :)

    No, just that FoxTabVideoConverter is considered adware by 18/42 antivirus companies.

    Reviewing the rest of your logs now.
     
  3. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Easy Driver Pro
    • Java(TM) 6 Update 31

    __

    I want you to read and follow these instructions: TDSSKiller - How to run

    __

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    1. O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    2. O3 - Toolbar: (no name) - !{8175e372-1ff1-4288-8e6e-addebd415d47} - (no file)
    3. O3 - Toolbar: (no name) - !{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    4. O3 - Toolbar: (no name) - !{B922D405-6D13-4A2B-AE89-08A030DA4402} - (no file)
    5. O3 - Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    __

    Open Notepad and copy everything in the code box below into it.
    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{ffab9ec5-7889-45c9-b6fa-5d19ccfea2d2}]
    
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg > Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not.
    If successful, reboot your computer before completing the next step.

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know what malware related problems remain after you have completed these steps.
     
  4. mixa

    mixa Private E-2

    Hi thisisu. Thank you for your help. I have followed your instructions:

    - Easy Driver Pro and Java (both x86 and x64 versions) have been uninstalled.
    - TDSSKiller log is attached.
    - C:\MGTools\analyse.exe (HijackThis) only deleted the first line you indicated. The other 4 lines reappear. I can see there is also an ‘O2’ line with ‘No name/No file’ that can also be removed.
    - The registry merge ran successfully.
    - MGLogs.zip is attached.

    I await your instructions regarding any further action to be taken.

    I have a couple of questions for you:

    - An analysis with AVG reports that CieoNetUtilities is an adware installer so I guess this should be uninstalled.
    - As for the 3 FoxTab programs, can these be removed safely using their own uninstaller? I ask because the uninstallers appear on the HitmanPro report.

    Thanks again for your assistance.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Yes, it's related to MyWebSearch which is also adware.
    Not 100% sure on this because I haven't seen them first hand, but the uninstallers should work and may be the best route to take with these. If they work, great; if not, we can manually remove the traces later.

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  6. mixa

    mixa Private E-2

    The uninstaller for CieoNet Utilities fails with a RunDLL error as it does not find C:\PROGRA~2\CIEONE~2\bar\1.bin\0ebar.dll

    Should I let AVG remove what it reports for this product and then manually remove any leftovers?

    The uninstalls for the 3 FoxTab products were reported as ‘Succeeded’.

    I attach the OTL.txt report and the Extras.txt report produced by OTL.

    With regard to lines 2 to 5 of the ‘O3 – Toolbar’ entries that reappear after removing them with HijackThis, I have found that they correspond, respectively, to:
    - CieoNetUtilities Toolbar {8175E372....
    - AVG Security Toolbar {95B7759C....
    - PDFForge Toolbar {B922D405.....
    - Ask.com Toolbar {D4027C7F.....

    There is also a difference between these 4 lines and the first line that was successfully deleted by HJT. These 4 have the ! (interrogation sign) before the left bracket ‘{‘. Should I try to remove these by another method?

    Thanks again for your help.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=119&systemid=406&q={searchTerms}
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2849812
    IE - HKLM\..\SearchScopes\{ffab9ec5-7889-45c9-b6fa-5d19ccfea2d2}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YUxdm010YYes&ptb=DDEE3B62-7E0F-4CBE-8F47-A7E0719D1FDF&ind=2011082014&ptnrS=YUxdm010YYes&si=translateye&n=77dead1e&psa=&st=sb&searchfor={searchTerms}
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    FF - prefs.js..browser.search.defaultthis.engineName: "BittorrentBar_ES Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2849812&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.selectedEngine: "BittorrentBar_ES Customized Web Search"
    FF - prefs.js..keyword.URL: "http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YUxdm010YYes&ptb=DDEE3B62-7E0F-4CBE-8F47-A7E0719D1FDF&ind=2011082014&ptnrS=YUxdm010YYes&si=translateye&n=77dead1e&psa=&st=kwd&searchfor="
    FF - HKLM\Software\MozillaPlugins\@CieoNetUtilities_0e.com/Plugin: C:\Program Files (x86)\CieoNetUtilities_0e\bar\1.bin\NP0eStub.dll (MindSpark)
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\0effxtbr@CieoNetUtilities_0e.com: C:\Program Files (x86)\CieoNetUtilities_0e\bar\1.bin [2012/07/06 12:02:03 | 000,000,000 | ---D | M]
    [2012/07/06 12:02:03 | 000,000,000 | ---D | M] (CieoNet Utilities) -- C:\PROGRAM FILES (X86)\CIEONETUTILITIES_0E\BAR\1.BIN
    [2012/02/07 17:15:20 | 000,002,310 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
    O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - !{8175e372-1ff1-4288-8e6e-addebd415d47} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - !{95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - !{B922D405-6D13-4A2B-AE89-08A030DA4402} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - !{8175e372-1ff1-4288-8e6e-addebd415d47} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - !{95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - !{B922D405-6D13-4A2B-AE89-08A030DA4402} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    [1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [1 C:\Users\Geoff\Desktop\*.tmp files -> C:\Users\Geoff\Desktop\*.tmp -> ]
    :files
    C:\Program Files (x86)\CieoNetUtilities_0e /d
    C:\user.js
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Rescan with OTL by OldTimer
    • No custom scan settings this time. Simply open OTL and then press Run Scan.
    • Attach the latest OTL.txt when finished (How to attach)
     
  8. mixa

    mixa Private E-2

    Fix and scan reports from OTL attached. Thanks again.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    That looks like it worked. OTL did the trick ;)
    Just one more minor fix.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE - HKCU\..\URLSearchHook: {f864ba3f-9878-458a-ba2b-dad32bcbc472} - No CLSID value found
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Let me know how the system is running after you have completed these steps.
     
  10. mixa

    mixa Private E-2

    Hi thisisu. Here is the latest OTL fix report.

    The laptop shows no signs of problems or anomalies but then I have been using it only while investigating the problem of the unauthorised access to the owner’s bank account – using IE, Firefox and malware checking/cleaning software. Do you consider it now to be free of any risk of the problem occurring again? (Assuming that this laptop was the origin of the problem in the first place.)

    Do you have any recommendations if the owner wishes to continue to use this laptop for online banking? For example: different (better) AV or Internet Security package, third-party firewall, etc.

    How would you recommend I remove CieoNet Utilities as the uninstaller gives an error? (See my first post today at 12:55.) Should I let AVG remove what it can and then manually delete anything I find?

    Thanks again for all your help.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Yes.

    Read the How to Protect yourself from malware! topic at the end of this post.

    I set to remove the traces I found in your logs in the first OTL fix script.

    Code:
    C:\Program Files (x86)\CieoNetUtilities_0e\bar\Settings\s_pid.dat deleted successfully.
    C:\Program Files (x86)\CieoNetUtilities_0e\bar\Settings folder deleted successfully.
    C:\Program Files (x86)\CieoNetUtilities_0e\bar\Message\COMMON.T8S deleted successfully.
    C:\Program Files (x86)\CieoNetUtilities_0e\bar\Message folder deleted successfully.
    C:\Program Files (x86)\CieoNetUtilities_0e\bar\IE9Mesg\COMMON.T8S deleted successfully.
    C:\Program Files (x86)\CieoNetUtilities_0e\bar\IE9Mesg folder deleted successfully.
    C:\Program Files (x86)\CieoNetUtilities_0e\bar folder deleted successfully.
    C:\Program Files (x86)\CieoNetUtilities_0e folder deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@CieoNetUtilities_0e.com/Plugin\ deleted successfully.
    To remove it from the add/remove programs list, do this (reboot afterwards):

    Open Notepad and copy everything in the code box below into it.
    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CieoNetUtilities_0ebar Uninstall]
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme2.reg > Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  12. mixa

    mixa Private E-2

    Thank you for your reply and the information referenced.

    I asked about the removal of CieoNet Utilities again because it still appeared in the Add/Remove Programs list and there is still a sub-folder in C:\Program Files (x86) with the name ‘CieoNetUtilities_0eEI’. The ‘fixme2.reg’ has removed the Add/Remove Programs list entry. Shall I manually delete the sub-folder from C:\Program Files (x86)?

    For the moment I have not run MGclean.bat or eliminated restore points.
     
  13. thisisu

    thisisu Malware Consultant

    Yes ;)
     
  14. mixa

    mixa Private E-2

    I have deleted the CieoNet Utilities sub-folder that remained in C:\Program Files (x86).

    Before cleaning up, I decided to run HitmanPro once more to confirm that no problems remain. It now finds no threats but did report ‘Hosts file is compromised. Hosts file contains Byte order mark (BOM) obfuscation. C:\Windows\system32\drivers\etc’. Although it did not offer me the options to Replace, Quarantine or Ignore the object, it did then report that it was ‘removed’. I can now see that the ‘hosts’ file contains only one line with ‘127.0.0.1 localhost’ and, in the same directory, there is a file ‘hosts.hitmanpro’ (attached as 'hosts-hitmanpro.txt') containing this line and a second with ‘::1 localhost’. Have I created a problem doing this?

    Should I undo the change made by HitmanPro by renaming ‘hosts.hitmanpro’ to ‘hosts’?

    Thanks again for your help.
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    Yes go ahead and do this.
    There was nothing wrong with the hosts file according to your first logs.
     
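A worked example added here, not part of the thread and not HitmanPro's or MajorGeeks' code (HitmanPro's own detection logic is not public and is not reproduced), of what the "Hosts file contains Byte order mark (BOM) obfuscation" finding in post 14 refers to. The hosts file is plain ASCII/ANSI text, so a UTF-8 or UTF-16 BOM at the start is out of place and can make a line-oriented parser misread the first entry. The script detects and strips a BOM, parses the entries, and flags two things a practitioner checks on a suspected banking-trojan machine: hostnames mapped to anything other than a loopback address (a redirect), and any hostname from a caller-supplied watch list, such as the bank or the antivirus update servers, appearing at all (a redirect or a block). The sample bytes are constructed; the addresses and domain names in them are reserved test values.

```python
"""Inspect a Windows hosts file: leading BOM, encoding and suspicious mappings.

Added example for this thread; not HitmanPro's or MajorGeeks' code.
SAMPLE_HOSTS is constructed for the demo.
"""
import codecs
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Longest signatures first so a UTF-32 BOM is not mistaken for UTF-16.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]


@dataclass
class HostsReport:
    bom: Optional[str] = None                                    # encoding implied by a leading BOM
    entries: List[Tuple[str, str, int]] = field(default_factory=list)          # (ip, host, line)
    suspicious: List[Tuple[str, str, int, str]] = field(default_factory=list)  # (ip, host, line, reason)


def parse_hosts(raw: bytes, watch: Iterable[str] = ()) -> HostsReport:
    """Parse hosts-file bytes; 'watch' lists hostnames that should never be in the file."""
    report = HostsReport()
    text = None
    for bom, enc in BOMS:
        if raw.startswith(bom):
            report.bom = enc
            text = raw[len(bom):].decode(enc, errors="replace")
            break
    if text is None:
        text = raw.decode("latin-1")            # never fails; a real hosts file is ASCII anyway
    watched = {h.lower() for h in watch}
    for line_no, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0].strip()   # drop comments and padding
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            report.suspicious.append((fields[0], "", line_no, "malformed line"))
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            report.suspicious.append((fields[0], fields[1], line_no, "unparseable address"))
            continue
        for host in fields[1:]:
            host = host.lower()
            report.entries.append((str(ip), host, line_no))
            if host in watched:
                report.suspicious.append((str(ip), host, line_no, "watched hostname present"))
            elif not (ip.is_loopback or ip.is_unspecified):   # 0.0.0.0 is a common ad-block idiom
                report.suspicious.append((str(ip), host, line_no, "maps hostname to non-loopback address"))
    return report


def read_hosts(path: Optional[str] = None) -> bytes:
    """Read the live hosts file as bytes; the default is the Windows location."""
    if path is None:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    with open(path, "rb") as fh:
        return fh.read()


# Constructed sample: a UTF-8 BOM, padding lines, a bank redirected to an
# attacker-controlled address (RFC 5737 test range) and an AV update host
# pinned to loopback so updates fail.
SAMPLE_HOSTS = (
    codecs.BOM_UTF8
    + b"# constructed sample, not the file from this thread\r\n"
    + b"127.0.0.1       localhost\r\n"
    + b"::1             localhost\r\n"
    + b"\r\n" * 3
    + b"198.51.100.23   www.examplebank.test\r\n"
    + b"127.0.0.1       update.av-vendor.test\r\n"
)

if __name__ == "__main__":
    rep = parse_hosts(SAMPLE_HOSTS, watch=["update.av-vendor.test"])
    print("BOM:", rep.bom or "none")
    for ip, host, line_no, why in rep.suspicious:
        print(f"line {line_no}: {ip} {host}  <- {why}")
```

On the machine under investigation, `parse_hosts(read_hosts(), watch=[...])` run from an elevated prompt does the same check on the real file; a clean Windows 7 hosts file has no BOM and, as in the thread, at most the two localhost lines. The Windows resolver is not the only consumer of this file, so a BOM-prefixed file that "looks fine" in Notepad is still worth replacing with a plain-ASCII copy.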
  16. mixa

    mixa Private E-2

    Good morning thisisu,

    I have renamed ‘hosts.hitmanpro’ to ‘hosts’ to leave the hosts file with the 2 lines. I have also run ‘MGclean.bat’, reset System Restore and deleted other files used for the clean-up.

    Having read ‘How to protect yourself from malware’, I will discuss with the owner the possible use of Restricted User Accounts and I intend to remove AVG Free Antivirus and install:
    - Avira Free Antivirus
    - Comodo Free Firewall
    - Spybot Search & Destroy
    - SpywareBlaster

    Do you consider this a good combination? Or, instead of a separate AV and firewall, would you suggest one of the free Internet Security suites: Comodo or Avira?
     
  17. mixa

    mixa Private E-2

    An additional question: You had me uninstall Java 6/31. Can I now install the current version of Java? (Is Java really necessary?) Thanks.
     
  18. mixa

    mixa Private E-2

    One more question:

    On start-up, perhaps only on the first start-up each day, a small Window opens to advise ‘Server busy’ and ‘This action could not be completed because the other program is busy. Click the “Switch to” button to activate the busy program and correct the problem.’

    The “Switch to” button opens the Start Menu but does not indicate the busy program.

    The message itself disappears quite rapidly – the laptop is an Intel i5 – so does not seem to be a real problem. But, is it that simple? Is there any way to identify the cause of this message?

    Thanks again for all your help.
     
  19. thisisu

    thisisu Malware Consultant

    I'd remove Spybot from the list of installed applications. It is not very effective nowadays and I consider it overkill in this setup.

    What I would recommend is keeping it uninstalled unless you come across an application that utilizes it. Most of the applications that require Java will detect that it is not installed and then prompt you to install it. If you must use Java, make sure it is the latest version as older versions are targeted by malware authors to infect systems.

    From Extras.txt
    Code:
    Error - 25/06/2012 7:03:32 | Computer Name = Toshiba-L775 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second
     
    Error - 25/06/2012 7:03:32 | Computer Name = Toshiba-L775 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 1092
     
    Error - 25/06/2012 7:03:32 | Computer Name = Toshiba-L775 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 1092
     
    Error - 25/06/2012 7:03:33 | Computer Name = Toshiba-L775 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second
    Bonjour seems to be the culprit. This application is usually bundled with other applications like iTunes.
    Perhaps an uninstall and reinstall of both would fix it. This is something you should probably ask in the Software forum as it is not malware related.
     
  20. mixa

    mixa Private E-2

    thisisu, Thanks again for those answers.

    We are going with Avira, Comodo firewall and SpywareBlaster and will leave out Spybot and Java (unless it becomes necessary). I have also disabled the Bonjour service to see if it stops the ‘Server busy’ messages. If they continue to appear, I’ll try uninstalling Bonjour.

    I don't know if you ‘close’ threads but, if so, this one can now be closed. If a new issue arises, I will start a new thread.

    Thank you for your time and interest (and knowledge). We owe you a cool one.
     
  21. thisisu

    thisisu Malware Consultant

    You're welcome.
    Be safe.
     
