Credit Card Phishing on IE6

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jammyb, May 28, 2008.

  1. jammyb

    jammyb Private E-2

    Hi,

    I'm new to this forum so I apologise in advance if I haven't used the correct procedure.

    My IE (running under W2K) seems to have picked up a Trojan. I've tried a number of removal programs, including the ones recommended on this site, but none seems to spot it or remove it.

    It seems to work by scanning forms for input that resembles a credit card number. It then pops up a window with the card details requesting more information like the CVV and PIN numbers.

    I've attached a zip file with an image, the source of the window (mainly javascript) and the URL it accesses if you make the mistake of filling it in. (The card number shown has been cancelled!)

    Any help, even an identification, would be much appreciated.

    Thanks in advance.

    Jim
     

    Attached Files:

    • bad.zip (34 KB)
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. jammyb

    jammyb Private E-2

    Thanks for your quick response to my initial post - very sorry for the delay in responding - I had to attend a trade event.

    I have run your recommended procedure as closely as I can but the problem is still showing so I've attached the files that were generated by the procedure (3 of them are zipped into the diags file).

    As far as I can tell, the attacker scans ALL browser form input (on IE) and looks for valid credit card numbers. If it finds one it pops up a window (script attached to previous post) which prompts for sensitive details and then ships them off. It seems to slow down Javascript execution.

    I hope this is OK. Many thanks in advance for your advice.
     

    Attached Files:
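    The behaviour jammyb describes (card-number-like input recognised in forms, then posted to a third-party URL) is also what a defender can look for on the network side. The following is an added example, not code from the thread or from any tool it mentions: it applies the same Luhn checksum that distinguishes a real card number from an arbitrary 16-digit string to outbound form posts, and flags any post carrying a Luhn-valid number toward a host that is not a known payment endpoint. The proxy-style records, the trusted-host set and the destination addresses are constructed for the example; the card numbers are public test values, not real accounts.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of outbound form submissions, in the shape a web proxy
# might log them: (method, destination URL, request body). Made up for the example.
SAMPLE_POSTS = [
    ("POST", "https://shop.example/checkout", "name=Jim&card=4111111111111111&exp=0512"),
    ("POST", "https://203.0.113.7/collect.php", "cc=4111111111111111&cvv=123&pin=4455"),
    ("POST", "https://shop.example/search", "q=order+1234567890123456"),
    ("GET", "https://shop.example/help", ""),
]

# Hosts that are legitimately allowed to receive card numbers (assumed for the example).
TRUSTED_PAYMENT_HOSTS = {"shop.example"}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not touching other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # e.g. 14 -> 1 + 4 = 5, same as 14 - 9
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number-like strings found in text, separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, so a finding never stores a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def flag_card_exfiltration(records, trusted_hosts) -> list:
    """Return (host, [masked PANs]) for every POST that sends a valid PAN to an untrusted host."""
    findings = []
    for method, url, body in records:
        if method.upper() != "POST":
            continue
        host = urlsplit(url).hostname or ""
        pans = find_pans(body)
        if pans and host not in trusted_hosts:
            findings.append((host, [mask_pan(p) for p in pans]))
    return findings


if __name__ == "__main__":
    for host, pans in flag_card_exfiltration(SAMPLE_POSTS, TRUSTED_PAYMENT_HOSTS):
        print(f"card data sent to untrusted host {host}: {', '.join(pans)}")
```

The Luhn check is what keeps the third record quiet: `1234567890123456` is sixteen digits but fails the checksum, so it is not treated as a card number, while the second record is flagged because a valid number leaves toward a raw IP address that is not on the trusted list. Findings are stored masked, so the detection log itself does not become a new copy of the card data.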

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs you do not have any protection software installed. So first I want you to address this problem by doing the below.

    1. download and install this Avast! Home Edition and then make sure you update it and run a full scan of your PC
    2. download and install PC Tools Firewall Plus <-- make sure you uncheck the options to install Google Toolbar and Threatfire free edition. There is no sense in installing excess baggage.
    Now continue with the below.

    First, since you appear to have installed MSconfig onto your Windows 2000 PC and are using it to control startups, you need to see step 1 of the READ & RUN ME and put your system into Normal Startup mode as requested. MSconfig is not on a Windows 2000 PC by default.

    Now you need to download, install and run the current version of Malwarebytes Anti-Malware as you are way out of date. Probably due to downloading when you first posted but not finishing the READ & RUN ME until just yesterday.

    Now you need to download and rename ComboFix.exe as requested in the READ & RUN ME. You put it here: D:\antivirus\ComboFix.exe, which means you will not be able to follow the below instructions. It must be on your Desktop and you should have renamed it to cf.exe.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab, click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. jammyb

    jammyb Private E-2

    Many thanks for your suggestions and procedure.

    I tried to follow it as closely as possible.

    Avast seemed to identify and partially remove the main infection - the one I was really worried about. It scanned the system at boot time after it detected a boot sector infection. Unfortunately, the machine blue-screened on reboot.

    The blue screen gave me an error about a file in windows/system32 called reg0x86a.sys which Windows said it couldn't run. (Eventually) I rebooted in safe mode and renamed the file to reg0x86a-bad.sys and Windows rebooted OK.

    I checked out IE after that and it didn't show the popup screen on credit card entry.

    After that I ran the rest of your procedure except I used reg0x86a-bad.sys instead of reg0x86a.sys as I had renamed it to get past the blue screen.

    Combofix seemed to run OK and rebooted the system but eventually gave the message "Cannot import temp00.dat. Not all data was successfully written to the registry. Some keys are open by the system or other processes." It may not be significant.

    I've attached the log files you requested.

    Thank you very much for the time you spent on this problem and your sage advice. I would almost certainly not have been able to sort this problem out without your help.

    Many thanks
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes, I was sure this was part of your problem, which is why it, along with another driver, was in my fix with ComboFix.

    Excellent news. ;)

    Now we just have a left over to fix due to you having used MSconfig.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

    After clicking Fix, exit HJT.

    Your logs are clean now!

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Note: the space between the cf" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
