Win32.banker.fs

Discussion in 'Malware Help (A Specialist Will Reply)' started by ksbcos, Mar 22, 2010.

  1. ksbcos

    ksbcos Private E-2

I started receiving the Win32.Banker.FS and the Trojan.SpyAgent.DA fake virus warnings on 3/20/2010. Along with these pop-ups were various dialog boxes from "Security Center" that system files and register changing are detected, Warning!Security report - Your computer is infected, Your computer is in danger and critical kernel error detected, Warning! Spyware files Wind32.Banker.32 Trojan.SpyAgent.DA and other detected. The 4 colored shield also appeared in the taskbar tray and a bogus SpyEraser antivirus popup arrived. I first tried Malwarebytes and this removed the SpyEraser popup but left the other stuff that I mentioned. I then ran this site's Windows XP Cleaning process to no avail. I will attach the log files now. This machine is an HP Media Center machine running XP Media Edition.

    Thanks in advance for your help because as of now I am stumped on this one.

    ksbcos

    View attachment SAS.log

    View attachment mbam-log-2010-03-21 (21-29-13).txt

    View attachment Combofixlog.txt

    View attachment RRlog.txt
     
  2. ksbcos

    ksbcos Private E-2

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. What issues are you still having? Is what you described in your first post what is still occurring?

    2. What exactly are you using for an anti virus at the moment?

    3. Please go to Add/Remove programs and uninstall the following software:

    • J2SE Runtime Environment 5.0

    4. Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

    5. Now use windows explorer to delete the below:
    6. Now reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6


    7. Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    8. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from TDSSKiller.

    9. Let me know how things are running and answer any questions that I asked. :)
     
  4. ksbcos

    ksbcos Private E-2

    I am currently not at home so I will give you some partial answers.

    1. After running the cleaning procedure, I am still getting all of the pop-ups regarding the "critical kernel error", "your computer is infected with Win32.Banker.FS Trojan.SpyAgent.DA and the others" and others urging me to run a virus scanner. The only improvement has been that the Spy Eraser popup is now gone. An interesting note is that every time I run Malwarebytes after a reboot I get the same 7 problems as listed in the earlier log file. I have tried this 4 times and the same 7 problems keep reappearing after they are removed, so either they are not being removed or they are being re-installed at startup.

    2. Currently the only running real time virus scanner is the one in Windows Live Onecare. Coincidentally, or not!, I ran a complete deep virus scan using Onecare that took 6 hours to complete on Saturday and then 3 hours later I started having these major problems.

    Tonight I will follow your suggested procedure and report back as soon as possible.

    Thanks a lot for your help so far :)
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK post back with fresh logs and we will see what can be done. :)
     
  6. ksbcos

    ksbcos Private E-2

    OK, I just followed the instructions from your post. Unfortunately I was not able to delete anything in the Windows/Temp directory as all of the files had today's date. Also the TMP0000000C02AD5EA49BC62826 was not there, or at least it was not visible.

    Java 6 installed correctly.

    TDSSKiller did not find anything.

    After rebooting the machine nothing has changed. I still have the 4 colored shield in the right side of the task bar and I am still getting the pop ups.

    I guess we are ready for the next phase:confused

    Thanks again for the help!

    View attachment MGlogs.zip

    View attachment TDSSKiller.2.2.8.1_22.03.2010_19.58.32_log.txt
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\Temp\TMP0000000C02AD5EA49BC62826 
    
    Folder::
    C:\WINDOWS\Temp\TMP0000000C02AD5EA49BC62826 
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please run this:

    Using ESET's Online Scanner

    Attach the ESETScan.txt to your next reply as well as the log from Combofix.
     
  8. ksbcos

    ksbcos Private E-2

    OK, I am finally posting back. I ran ComboFix and the ESET online scan as recommended and the computer is still behaving the same as before. The ESET scan came back clean. I do not have an ESET log to attach. I could not find a way to generate a log file, maybe either because it did not find any threats or else because I messed up. I have attached the ComboFix log file. Any other ideas? Thanks again for your time and assistance.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It would be a good idea for you to attach the below previous MBAM logs which show what was previously found.

    Code:
    C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    Mar 21 2010        2102  "mbam-log-2010-03-21 (21-29-13).txt"
    Mar 21 2010        2114  "mbam-log-2010-03-21 (11-24-24).txt"
    Mar 21 2010        1011  "mbam-log-2010-03-21 (14-43-07).txt"
    Mar 21 2010        2113  "mbam-log-2010-03-21 (14-58-24).txt"
    Mar 21 2010        2138  "mbam-log-2010-03-21 (16-07-00).txt"
    Also there is a possibility the warning of the infection is just due to your protection software seeing it in System Restore or a Quarantine. Perhaps it is not a fake/rogue program warning but rather a legit but misleading report. Toggle system restore.

    Disable and re-enable system restore
    http://forums.majorgeeks.com/showthread.php?t=31668

    and empty the MBAM quarantine. Then reboot and see what happens.
     
  10. ksbcos

    ksbcos Private E-2

    OK, I have attached the MBAM logs that you asked for. I am a little embarrassed because I found that I had never sent you the very first MBAM log that actually found something before I turned to Major Geeks for help. It was run from a different user account and therefore was stored in a different folder. It shows the detection of the Spy Eraser virus. Hopefully it will provide you a clue! The file is mbam-log-2010-03-21(10-42-25)

    I deleted all of the quarantined files and rebooted but I am still getting the pop ups. I have not toggled the restore yet but will do so soon. Speaking of the restore, I have a dumb question: I know that in most cases you should not try to roll back to a previous restore point for virus removal, and my question is why? My naive thought is that if the infection is only in the registry and not in any other system files it might help.

    One other piece of info that probably does not mean much is that whatever is causing the pop ups is loaded very early when Windows starts up. The task bar shield icon and the first pop up occur before any other icons on the desktop or anything else on the task bar shows up.

    Thanks again for the help and I apologize for not finding the original MBAM file sooner.:-o
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member


    Could you take screenshots for us?

    Now try this:

    Using Sophos Anti-Rootkit
     
  12. ksbcos

    ksbcos Private E-2

    OK, attached are the Sophos anti-rootkit log file and some pictures of the pop-ups. I used a camera instead of screen dump and zoomed in on the concerned area. Everything is still behaving the same way as before.
    Thanks.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmmm .... Let's clear up from Norton and then Iolo -


    We need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
     
    SecCenter::
    {E10A9785-9598-4754-B552-92431C1C35F8}
    {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
     
    Driver::
    ioloFileInfoList
    ioloSystemService
     
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now I want you to toggle system restore as per these instructions:

    Disable and re-enable system restore


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the below new logs:
    • the new c:\combofix.txt log
    • the new C:\MGlogs.zip log
    Also let me know how things are running now.
     
    Last edited by a moderator: Mar 25, 2010
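    Added here as a triage illustration of where the SecCenter::, Registry:: and Driver:: entries in this CFScript (and the earlier ComboFix script in post 7) are found; it is not the thread's own code and not part of ComboFix. It assumes PowerShell 2.0 on Windows XP run as an administrator, and the XP WMI namespace root\SecurityCenter.

```powershell
# Added triage script (not from the thread and not part of ComboFix): it lists the
# kinds of registrations the CFScript above removes, so a helper can see them before
# deciding what belongs in the script. Assumes PowerShell 2.0 on Windows XP, run as
# an administrator, and the XP WMI namespace root\SecurityCenter (Vista and later
# use root\SecurityCenter2 instead).

# 1. Products registered with Security Center. A fake "Security Center" alert
#    usually comes from a rogue product registered here, not from Windows itself.
foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
    Get-WmiObject -Namespace 'root\SecurityCenter' -Class $class -ErrorAction SilentlyContinue |
        ForEach-Object { 'SEC {0,-18} {1,-32} guid={2}' -f $class, $_.displayName, $_.instanceGuid }
}

# 2. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL it loads.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll    = '<no InProcServer32 key: orphaned or hidden CLSID>'
        if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)' }
        'BHO {0} -> {1}' -f $clsid, $dll
    }
}

# 3. Kernel drivers whose image sits outside the normal drivers folder or is not a
#    Microsoft file (per its version resource); the usual Driver:: candidates.
$drvDir = '^' + [regex]::Escape("$env:SystemRoot\system32\drivers\")
Get-WmiObject Win32_SystemDriver | ForEach-Object {
    $p = $_.PathName
    if (-not $p) { return }                          # some entries carry no image path
    $p = $p -replace '^\\\?\?\\', ''                 # strip the \??\ NT prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    $company = '<file missing>'
    if (Test-Path $p) { $company = (Get-Item $p).VersionInfo.CompanyName }
    if (($p -notmatch $drvDir) -or ($company -notmatch 'Microsoft')) {
        'DRV {0,-22} start={1,-8} {2,-24} {3}' -f $_.Name, $_.StartMode, $company, $p
    }
}
```

    Lines prefixed SEC, BHO and DRV are the candidates to compare against the product the user actually installed; anything unexpected is what a helper would look up before adding it to a CFScript.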
  14. ksbcos

    ksbcos Private E-2

    OK guys, great news, it appears that everything is OK now :) I ran ComboFix as requested and then followed it with Malwarebytes. This time Malwarebytes found the culprit, a fake message trojan. I have attached the ComboFix and the MBAM logs.

    I just noticed the edit requesting the running of Getlogs.bat. Let me know if you would still like me to get you that data.

    Thanks a million for all of your help, it is greatly appreciated.
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's great news! :)

    Yes please, then we can have one final sweep through the logs and all being well, give you final steps to follow.
     
  16. ksbcos

    ksbcos Private E-2

    OK, everything still seems good:) Here is the final (hopefully) MGtools log.

    Thanks,
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  18. ksbcos

    ksbcos Private E-2

    Kestrel13!,

    Well thanks to you it looks like I am in the clear. I have created a new restore point and things look good. I also took the advice of not surfing from an administrator account. Thanks again and keep up the good work.

    ksbcos
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. safe surfing :)
     
