Fake bank website virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by AlDibb, Mar 10, 2009.

  1. AlDibb

    AlDibb Private E-2

    Hi,

    We've had two recent attacks on our computer but I'm not sure if they are connected. The first was an email sent from a friend's account without her knowledge to everyone in her address book. It contained a link which my wife clicked and the computer then restarted. I scanned with Avira anti-virus and super anti-spyware when I got home and Avira found a trojan which it deleted, SAS came back clean. I'm sorry I can't remember the name of the website as the emails are now long deleted.

    Today, 10 days later, I attempted to log on to my internet banking page (for the first time since this fake email arrived) and the page was a very good copy. The only reason I twigged was that the log-in procedure was different - it was asking for all the digits in my security code and not only 3 randomly-chosen digits as usual. The bank confirmed it was a fake site, probably due to a virus on my computer. Avira again found a trojan.

    I then followed the Malware cleaning procedure from the sticky. It seems that the bank website is now loading properly. However, I've attached all the logs, including the one from Avira in case it helps, and I hope you can confirm the system is clear because I'm still worried to log on to internet banking or anything else just in case something is still lurking...

    Many thanks in advance!
     

    Attached Files:

  2. AlDibb

    AlDibb Private E-2

    I can't attach the Avira log because the file size is too big. However, this is the detection that it found:

    ARK4.tmp
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was deleted!
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Any time you suspect this kind of thing, you need to use a different (clean) computer and change all your passwords!!

    You need to run both CCleaner and ATF Cleaner by Atribune.

    Do you know what this is:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wz123.com/?808 --> from the HJT log.

    And what are these:
    Code:
    C:\Documents and Settings\Admin\"
    0016~1         8 Jan 2007              " ¡®ç¨© á⮫"
    5D29~1         8 Jan 2007              "ƒ« ¢*®¥ ¬¥*î"
    91BD~1         8 Jan 2007              "ˆ§¡à **®¥"
    C316~1         8 Jan 2007              "Œ®¨ ¤®ªã¬¥*âë"
    
    You also need to tell me what this is:
    c:\windows\xdbc
     
  4. AlDibb

    AlDibb Private E-2

    Hi!

    Thanks for your advice so far.

    I've run both the cleaners that you recommended.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = "http://www.wz123.com/?808"

    - I deleted this entry with Chaslang's advice a while ago. It was a Chinese webpage that kept redirecting and causing pop-ups. It's not doing it any more - the computer seemed to be clean of this problem - but I'm surprised that it's still showing in the HJT log. Our start page is coming up as rambler.ru as per usual.

    Code:
    ---------
    C:\Documents and Settings\Admin\"
    0016~1 8 Jan 2007 "Рабочий стол"
    5D29~1 8 Jan 2007 "Главное меню"
    91BD~1 8 Jan 2007 "Избранное"
    C316~1 8 Jan 2007 "Мои документы"

    - My wife is a translator and she runs a Russian windows version. These directories are simply "desktop", "start menu", "favourites" and "my documents" in Russian.

    c:\windows\xdbc

    - This appears to be an empty directory, on the properties tab it is showing 0 bytes for the contents and I can't see any hidden or unhidden contents. But I've no idea why it's there, we don't have such a program....

    We're in the process of changing our passwords on a different computer. Is there anything more to do to clean this computer??
     
    Last edited by a moderator: Mar 14, 2009
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's just reset your IE defaults:

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    You will have to reset your home page.

    Tell me what issues you still have?

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
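The R0 line TimW questioned above is the Internet Explorer start page value that HijackThis reads from the registry, and the fix he gives is to reset the IE defaults and then set the home page again by hand. The PowerShell script below is an added example, not the thread's own .reg fix or a MajorGeeks tool: it lists the start-page values in both hives, flags any whose host is not on a list you supply, and offers a function that puts the current user's start page back to a known value. The expected-host list (rambler.ru, the poster's usual start page) and the `about:blank` default are assumptions for the sample; HKLM values are machine-wide, so run it from an elevated prompt if you intend to change them.

```powershell
# Added example (not from the thread): audit and optionally reset the IE start-page
# values that HijackThis reports as R0/R1 entries, e.g. the wz123.com entry above.

$IEMainKeys = @(
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Internet Explorer\Main'
)
$ValueNames = @('Start Page', 'Default_Page_URL', 'Search Page')

function Get-IEStartPageAudit {
    # Returns one object per value present. A value is flagged Suspicious when it parses
    # as a URL whose host is not in $ExpectedHosts; 'about:blank' has no host and is not flagged.
    # The default host list is an assumption: rambler.ru is the poster's usual start page.
    param([string[]]$ExpectedHosts = @('rambler.ru', 'www.rambler.ru'))

    foreach ($key in $IEMainKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($name in $ValueNames) {
            $value = $item.$name
            if ([string]::IsNullOrEmpty($value)) { continue }

            # $Host is an automatic variable in PowerShell, so use a different name here.
            $siteHost = $null
            try { $siteHost = ([uri]$value).Host } catch { }

            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Value      = $value
                Suspicious = [bool]($siteHost -and ($ExpectedHosts -notcontains $siteHost))
            }
        }
    }
}

function Reset-IEStartPage {
    # Puts the current user's start page back to a known value (about:blank by default),
    # mirroring the "reset IE defaults, then set your home page again" step in the thread.
    param([string]$Url = 'about:blank')
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Start Page' -Value $Url
    Get-ItemProperty -Path $key -Name 'Start Page'
}

# Usage: show the audit table; any row with Suspicious = True deserves a second look.
Get-IEStartPageAudit | Format-Table -AutoSize
# To reset: Reset-IEStartPage            (about:blank)
#           Reset-IEStartPage -Url 'http://www.rambler.ru/'
```

A value that reappears in the HJT log after being deleted, as the poster describes, is worth checking in both hives: HijackThis reports the HKLM copy under R0 as well, and the per-user and per-machine values are set independently.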
