Trojan, Key logger - Confirmed by Wachovia

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ailicis01, Apr 25, 2006.

  1. ailicis01

    ailicis01 Private E-2

    Good afternoon sirs. This recruit was just told by Wachovia E-Fraud Department that a trojan virus or a key logger is present on my system and has compromised my online banking with Wachovia and apparently every other account I have. They advised me to bring my computer to Best Buy or other retailer to let them clean it and format the hard drive. I cannot believe what I am hearing. I use Avast antivirus, ZoneAlarm Firewall, Spybot, AdAware, CCleaner, Kill2Me on a regular basis and never find anything. They (Wachovia IT Security) claim the person penetrating is from a Swedish IP and he/she constantly changes the signatures on the virus, and being it is so new there are no present defenses? Where do I start this process of finding out? Please help.
     
  2. ailicis01

    ailicis01 Private E-2

    Sorry, here is the attached HJT log
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have seen a variety of trojans like this where we recommend that people call all their financial institutions to check for fraud and to change all their passwords (not from the infected PC).

    For us to help you we will need more info from the standard cleaning procedures we specify. And I will add a couple other things to them. HijackThis logs by themselves do not dig deep enough to see many of these kinds of trojans. But please note that you MUST NOT use msconfig to control startups like you are doing and HijackThis must be run from normal boot mode. This is all covered in the steps below.

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Run the below two procedures and then attach the two logs:

    Running Spy Sweeper

    Running Ewido Anti-Malware

    Attach the Ewido and Spy Sweeper logs before you continue on to the below. The below steps will require three more logs and you cannot attach 5 total logs in a single message anyway. It is best if you get the results of the above two scans to us before continuing because the below steps will take quite awhile to run.




    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing everything in my previous message, continue with the below scan (we need to be very thorough in digging into what could be hiding on your PC).

    Now Download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the Blacklight log file here.
     
  5. ailicis01

    ailicis01 Private E-2

    Ran sticky procedures, fixed startup to normal boot, cannot save log file from spy sweeper, but ewido found same problems. Attached are Ewido log and HJT log. I will proceed with next steps as instructed.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need the Bitdefender and Panda logs as requested.

    Why couldn't you save the Spy Sweeper log? Ewido would not be finding the same things that Spy Sweeper had found. Spy Sweeper would have removed them already.

    Thus far I see no major problems! Just a couple of minor items that can be fixed with HJT:

    O18 - Filter: text/html - (no CLSID) - (no file)
    O18 - Filter: text/plain - (no CLSID) - (no file)

    I see no signs of any malware. Is this the only PC you ever use to do your online banking? Are you 100% sure you never do anything from any other PC?
     
    Last edited: Apr 26, 2006
  7. ailicis01

    ailicis01 Private E-2

    SpySweeper trial version will not let me save a file unless I purchased it. Also Zone Alarm kept shutting internet traffic down because of what appeared as a hijack attempt (I attached a .txt file of that warning). The bitdefender and panda logs are attached and I will continue on to the Blacklight scan.
     

    Attached Files:

  8. ailicis01

    ailicis01 Private E-2

    Here is the blacklight file, nothing found. By the way the system is very, very slow and explorer Beta is locking up frequently. I use Firefox with no problem. What should be the next step?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you did not download and use Spy Sweeper from the link I gave to you!

    Did you do what ZoneAlarm requested? Did it help? Did you call them and explain to them that no malware is being found on your PC?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is why it is a beta and most people should not be using it.

    You could try one more tool to see if it detects anything but I'm starting to think maybe your problems originated from a different PC.

    a-squared (a²) Free edition: free, but requires an email address to register
     
  11. ailicis01

    ailicis01 Private E-2

    I will immediately stop using the explorer browser but how about the system status? What more can I do to clean the computer? Can you see anything relevant? Should I re-run Spy Sweeper?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you read message # 10?

    Running the same Spy Sweeper which is probably not the one I asked you to download, will not do anything. And if it is not detecting anything, it does not matter anyway.
     
  13. ailicis01

    ailicis01 Private E-2

    Ran a-squared and removed the attached... What should be done next? Thank you.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Depends on what problems you are still having. Based on what I have seen in all the logs you have no malware issues.
     
  15. ailicis01

    ailicis01 Private E-2

    If I shouldn't use msconfig selective startup, how do I remove unwanted programs from the startup/boot menu? And I currently have ZoneAlarm, Avast antivirus, Ewido anti-malware, & Microsoft Antispyware running in the system tray. Can I get rid of some, or one antivirus program? The system takes very long on startup. Thanks again!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You only have one antivirus program (Avast). As far as Ewido and MS Antispyware go (which are antispyware programs), you should only have one of them. So since I was the one that asked you to install Ewido, you should uninstall it since it is only a trial. You should also uninstall the SpySweeper trial if still installed.

    However, at some point you should attempt to update from MS Antispyware to MS Windows Defender. MS Antispyware has actually been replaced by Windows Defender. I would recommend you try getting Windows Defender installed first, and once it is installed and updated, uninstall MS Antispyware. The reason I suggest doing it in this order is that some people just have problems getting Windows Defender (which is in our READ & RUN ME) installed.

    You need ZoneAlarm! It is a firewall which you must have so you should expect to see it in your tray.

    What programs is it that you don't want to have load at startup? If they are things you never use, you should just uninstall them. If they are things you want to use sometimes, let's see what you are talking about. Which items were you previously using msconfig to control? It is not that we do not want you to ever use msconfig, but more that while trying to look for malware we do not want it used. However, in many cases things that users disable with msconfig can just be permanently removed from startup rather than using msconfig. Here are a couple examples of things never really needed to load at startup:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
    O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     
    Last edited: Apr 28, 2006
  17. ailicis01

    ailicis01 Private E-2

    Thank you for your help.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! But you did not respond to my question. What have you decided to do about startups? What have you uninstalled?
     
  19. ailicis01

    ailicis01 Private E-2

    Sorry. I removed Ewido and MS Antispyware. I've installed Windows Defender and removed several programs through Uninstall and cleaned up some through HJT. Attached is a HJT log. If you can glance over it and make any more suggestions, that would be great! Thanks.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is impossible for me to know what things you use/need on your PC; it would be best for you to just Google the processes and decide for yourself.

    Below are some to look at though. I give a link to some info on each one. You could first just stop them from loading using msconfig and then, if you find they do not cause you any difficulties, you could enable them in msconfig and then use HJT to remove them from the startup list permanently. Don't forget HJT does make backups too, so they can be restored if you change your mind.


    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    http://www.bleepingcomputer.com/startups/SSBkgdupdate.exe-5170.html
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    http://www.liutilities.com/products/wintaskspro/processlibrary/igfxtray/

    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    http://www.liutilities.com/products/wintaskspro/processlibrary/dxdllreg/
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    http://www.liutilities.com/products/wintaskspro/processlibrary/syntplpr/

    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    http://castlecops.com/s3619-SynTPEnh.html
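The O4 and O18 lines quoted in messages 16 and 20 follow a fixed layout. As an added example (not code from this thread, from HijackThis or from MajorGeeks), here is a small Python triage parser that splits an O4 startup entry into registry location, item name, executable path and arguments (handling both quoted and unquoted paths containing spaces), and flags two things a responder looks at first: O18 filters that point at no file or CLSID, and O4 entries that name a bare executable with no directory. The sample lines are constructed from the ones in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input modelled on the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O18 - Filter: text/html - (no CLSID) - (no file)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>.+?) - (?P<clsid>.+?) - (?P<file>.+)$")
# Heuristic for unquoted commands: the path ends at the first executable extension.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|bat|cmd|scr))(?:\s+(?P<args>.*))?$", re.IGNORECASE)

@dataclass
class Entry:
    kind: str    # "O4" (Run key item) or "O18" (MIME filter)
    where: str   # O4: hive\..\key        O18: "Filter"
    name: str    # O4: [item name]        O18: MIME type
    path: str    # O4: executable path    O18: file column
    extra: str   # O4: arguments          O18: CLSID column
    flags: List[str] = field(default_factory=list)

def split_command(cmd: str):
    """Return (path, args); quoted paths are exact, unquoted ones use EXE_RE."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    return (m.group("path"), m.group("args") or "") if m else (cmd, "")

def parse_hjt_line(line: str) -> Optional[Entry]:
    m = O4_RE.match(line)
    if m:
        path, args = split_command(m.group("cmd"))
        e = Entry("O4", f"{m.group('hive')}\\..\\{m.group('key')}", m.group("name"), path, args)
        if "\\" not in path:
            e.flags.append("unqualified-path")  # bare name: resolved via search path, not a fixed file
        if "~" in path:
            e.flags.append("8.3-short-name")    # resolve the short name on the host before judging it
        return e
    m = O18_RE.match(line)
    if m:
        e = Entry("O18", "Filter", m.group("mime"), m.group("file"), m.group("clsid"))
        if "(no file)" in e.path or "(no CLSID)" in e.extra:
            e.flags.append("orphaned")          # registration points at nothing; a cleanup item, not malware
        return e
    return None

def triage(log_text: str) -> List[Entry]:
    """Parse every recognised O4/O18 line; other HJT sections are skipped."""
    return [e for e in (parse_hjt_line(l.strip()) for l in log_text.splitlines()) if e]
```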
     
  21. ailicis01

    ailicis01 Private E-2

    Removed some more processes, left 3 which were for the touchpad and for graphics controller. Thanks again!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

