Redirect for CC and Bank logins

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Poppi22, Jan 17, 2009.

  1. Poppi22

    Poppi22 Private E-2

    About 3 weeks ago my PC was infiltrated somehow and as a result, when I try to login to my online banking or CC accounts I receive a page that asks for the most personal identity items. I've done some experimenting and just about any major bank/CC/financial institution seems to be included (even though I do not have accounts with these institutions). This affects only my (administrative) user and not my wife's user (no admin privileges). Additionally I receive frequent IE7 aborts and in some cases a Blue Screen of Death on startup, which is gone on the next power-up.

    Using Trend Micro PC-cillin Internet Security/Malwarebytes/Spybot S&D (no longer installed) I found and eradicated many viruses (Virtumonde? Smitfraud) but its load has been left behind, it seems.

    I now have HijackThis installed, but before posting a log file I wanted to see if anyone would advise actions to take before posting, to clean up and simplify the debug process for those who are kind enough to assist.

    Kind regards
     
  2. Poppi22

    Poppi22 Private E-2

    PS: I have already taken actions recommended by Sticky: READ & RUN ME FIRST. Malware Removal Guide
     
  3. Poppi22

    Poppi22 Private E-2

    OK, so I am an idiot...here are the results files from your procedure that I ran. There is no Malwarebytes file as it found nothing and did not create a log.

    To Summarize my issue:

    About 3 weeks back somehow I got infected. As a result, whenever I go to login to my online banking or CC account I am (re)directed to a page that appears totally legit asking for CC number, CVV2, expiration date, SS#...anything they think they may need. Fortunately, I knew enough not to give them this info. (What I wanted to add I can't say here).

    In any case after running SAS, Combofix, Spybot, MGTools etc etc the problem still exists.

    Additionally, it seems also that before running these scans I had frequent unexplained IE7 crashes, some with Blue screen reboots with things like:

    Bad_Pool_ Caller

    Page_fault_In_Nonpaged_area

    In the short time since running the scans it seems IE7 is a little calmer.

    I hope you can help...I'll do all I can to support correcting this problem.

    Thanks in advance and Kind regards.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Were you able to run MBAM? If so, please attach that log as well. If not, please go back to the READ ME and run a full scan and attach the log once complete.
     
  5. Poppi22

    Poppi22 Private E-2

    Thank you for your reply. As I mentioned when I ran MBAM there was nothing found and it did not create a log as a result. I ran it again now and the same results were reached...nothing found.

    However, as I had MBAM on my machine already before following the cleaning process you have posted, I have a few old logs. They would be out of time sequence from what I sent you. They are nearly 3 weeks old.

    I can send one of those if you wish.

    Thanks again.
     
    Last edited: Jan 18, 2009
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Uninstall the current version of MBAM and download the new update below. Once downloaded, install, update and run a full scan. Attach the new log once complete along with a new set of logs from MGTools.

    Malwarebytes Anti-Malware 1.33
     
  7. Poppi22

    Poppi22 Private E-2

    Thanks again for your assistance.

    MBAM was uninstalled, reinstalled from your supplied link and run for a full scan. Again, nothing was found and no log was generated. I have taken the liberty of attaching the MBAM log from 12-30-2008. It contains the original virus info. I hope this is helpful. Additionally as requested I have attached a new MGTools log as well.

    Thanks
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! I just want to make sure I understand because attaching old logs is throwing me off. I want to confirm you have the latest version and nothing was found with that version with the updates. The reason for the updates is a better scanning engine for removing these newer infections. Also, remember just because nothing is found doesn't mean we don't want to see the log. If we request something to be run, we want to see the log regardless of the results.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.


    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Step 4:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.

    Step 5:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 6:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  10. Poppi22

    Poppi22 Private E-2

    Here are the requested logs. The bank login (at least) is still redirected to a phishing page asking for personal information. It looks like we may be communicating back and forth for a while yet.

    Tell me what to do next...

    Thanks
     


    Last edited: Jan 20, 2009
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean!

    Is it just one website or is it multiple websites? Also, have you tried accessing the website from another computer? If so, does it do the same thing? Give me the URL of the website that is re-directing you to a phishing site.
     
  12. Poppi22

    Poppi22 Private E-2

    Thanks again for your assistance. I would say multiple websites. I have tried accessing from another computer, no problem. As I mentioned in my original post it is only from my user, which has Admin rights applied. I can access the same websites from my wife's user no problem.

    When I login to www.wachovia.com I am redirected to a page that is asking me for debit card #, expiration date, CVV2 # and ATM PIN. The listed URL is totally legit, verified by Wachovia fraud folks: https://onlineservices.wachovia.com/auth/AuthService. The page has a somewhat legit look to it but it obviously is not. The same thing happens for www.chase.com, www.citibank.com, www.bankofamerica.com etc. Trust me, I don't have bank accounts in all those banks but I experimented. There may be more that I have not found, I suppose.

    Additionally I continue to have a high instance of IE7 failures. Also, I have a Garmin GPS. The other day I went to download an address to it and my PC totally locked. It did not work.

    I hope there is something else we can try...
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Options comes up click on the Advanced Tab. Once you get here, click on the "Reset" button and then click "Reset" once more. Doing this will default the settings for IE.

    After doing this, run CCleaner and try the websites again.
     
  14. Poppi22

    Poppi22 Private E-2

    Recommended actions performed, no luck. Bogus redirect page(s) still come up. Additionally I can tell you www.wellsfargo.com is also affected.

    One other noteworthy change perhaps: when I typed in and selected the bank site url (www.wachovia.com) a popup came up saying the Windows phishing filter was off. I assume this is legit, but I did not turn it on. Should I?

    Waiting for your next instructions.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  16. Poppi22

    Poppi22 Private E-2

    As instructed, see attached log. It seems you are getting to the "root" of the problem?

    Thanks
     


  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    At this point there are some things that I would recommend you do. First, from an un-infected computer I would suggest changing all passwords that were used on this computer such as banking login passwords, email passwords, etc.

    Due to the nature of these infections, known as "rootkits", they are very difficult to detect/remove; therefore even when a computer is cleaned thoroughly, it remains untrustworthy.

    At this point, I am going to recommend a complete clean install from scratch. When I say "clean" I mean deleting all partitions and then creating a new partition, formatting it and then reinstalling the OS.

    You can see the articles below for more information.

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
    When should I re-format? How should I reinstall?
    Help: I Got Hacked. Now What Do I Do?
    Where to draw the line? When to recommend a format and reinstall?
     
  18. Poppi22

    Poppi22 Private E-2

    Well, not the outcome that I'd hoped for, but probably what I was expecting to some degree. I don't think I ever received an OS disc with my machine when I purchased it, so yesterday I contacted Dell for one. I won't be able to do this until it arrives. I think I will purchase a USB HD for backing up my personal data...is there a chance that it is compromised as well? I'd appreciate hearing what you think about this.

    It looks like some other posts have rootkit infections but this looked like the first time I saw a recommendation for reinstallation...in fact I was telling a colleague that I never saw you guys recommend that. Is this a particularly bad one? I'm still not sure exactly when or where I got infected...I do check a work email daily via webmail and there was a note not long ago from the IT admin regarding keeping the Java RT environment up to date and he specifically mentioned (Vundo) virus problems, so maybe that was where it came from. I know that one day all of a sudden my AV stuff got all jacked up and I knew the stuff was hitting the fan. Since last post a BSOD Bad Pool Header fault occurred in the middle of doing nothing but reading an article on the Baltimore Sun. Then today I got a Windows DEP (Data Execution Prevention) stop.

    We have been real careful with passwords etc. ever since this hit and keeping a very close eye on accounts, activities etc. I guess knowing what I know now, when I am prepared to reformat and reinstall I can do as I want and drop the perpetrator a big "F" bomb.

    I will be in Ft. Morgan AL the end of February. I'd like to buy you a beer for your help if you are close by...let me know. I appreciate your diligence and professionalism in assisting me...just wish there had been an easier outcome.

    Many thanks and kind regards
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This should be fine as long as it's just files such as documents, music, etc. Once you get the data backed up and the OS reinstalled, I would run a scan on the files before copying them back just to be 100% sure.

    All rootkits are bad because of their stealth and nature. Every once in a while we recommend this be done. The majority of the time we can successfully remove the infection; however, there are times like this where it's safer in the long run to start from scratch because, as I said, even if we clean this thoroughly the computer will still be untrustworthy.

    This rootkit isn't related to Vundo at all. Vundo is a fairly easy trojan to remove. There are security holes in old versions of Java but infections like this come from the internet. This is why we stress up-to-date multi layer security software with an updated OS.

    I actually live less than an hour from Ft. Morgan.:)
     
  20. Poppi22

    Poppi22 Private E-2

    Drop me a note how to get in touch with you and we can figure out how to get together. I tried to send you a private message but because of my rookie status I was stopped from doing so. FYI we are having a family gathering in Fort Morgan from all over creation. I'd really like to buy you that beer...
     
    Last edited: Jan 24, 2009
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Thanks but I don't drink:-D Sweet Tea is about all I drink.
     
  22. Poppi22

    Poppi22 Private E-2

    The offer stands...we can do lunch or whatever...I sure do miss the sweet tea up here in New York.

    Thanks again for your help.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    If you have any questions regarding deleting the partition or formatting you can post in the Software Forum and those guys can answer any questions about this.:)
     
