Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

win32.trojan.spy.banker.bai

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

win32.trojan.spy.banker.bai

Unread postby templars » December 13th, 2007, 3:40 pm

My anti-virus is detecting some downloaders and trojans. Zone-Alarm detected win32.trojan.spy.banker.bai.

Could some-one help me?
Here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:11:42, on 13-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\acer\epm\epm-dm.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programas\Synaptics\SynTP\SynTPLpr.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\Programas\Launch Manager\QtZgAcer.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SONICS~1\SsAAD.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
D:\XAMPP\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Bluetooth\BTTray.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Programas\CATIAV5\intel_a\code\bin\CATSysDemon.exe
C:\Programas\Symantec AntiVirus\DefWatch.exe
D:\XAMPP\xampp\FileZillaFTP\FileZillaServer.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\WINDOWS\system32\rclumad.exe
D:\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Symantec AntiVirus\Rtvscan.exe
D:\XAMPP\xampp\apache\bin\apache.exe
C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe
C:\Programas\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Mozilla Thunderbird\thunderbird.exe
C:\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 127.255.255.255 http://www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 http://www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 http://www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 http://www.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programas\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\Programas\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.metrodoporto.pt/mapa/mgaxctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Apache2 - Unknown owner - D:\XAMPP\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Programas\CATIAV5\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programas\Symantec AntiVirus\DefWatch.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\XAMPP\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Programas\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programas\Ficheiros comuns\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\FLEXlm\flexlm_marc\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programas\Ficheiros comuns\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cluster Manager Service V2 (rcluma) - Unknown owner - C:\WINDOWS\system32\rclumad.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - D:\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programas\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\Ficheiros comuns\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programas\Ficheiros comuns\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programas\Ficheiros comuns\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programas\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
templars
Regular Member
 
Posts: 48
Joined: July 4th, 2006, 1:55 pm
Advertisement
Register to Remove

Re: win32.trojan.spy.banker.bai

Unread postby Katana » December 14th, 2007, 7:39 pm

Hi templars,

It has come to my attention that you have posted for help with your computer at other forums.

http://forums.spybot.info/showthread.php?t=21343

May I draw your attention to the Forum Guidelines on Multi-Posting
  • If you wish to continue here, please notify the other forums so they can close your threads.
  • If you wish to be helped elsewhere let me know so I can close your thread here.
If I do not hear back from you on this matter within 24 hours, this thread will be closed.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: win32.trojan.spy.banker.bai

Unread postby templars » December 14th, 2007, 9:02 pm

I've notified the other forum that I wish to be helped in this one. I'm sorry for double posting. Thank you
templars
Regular Member
 
Posts: 48
Joined: July 4th, 2006, 1:55 pm

Re: win32.trojan.spy.banker.bai

Unread postby Katana » December 14th, 2007, 9:28 pm

templars wrote:I've notified the other forum that I wish to be helped in this one. I'm sorry for double posting. Thank you

Hi Templar :hello2:
I know :lol: I help at that forum as well :D
I fully understand that you want to be up and running as soon as possible, so no harm done :)

There is an unknown service running on your machine, so we will have to find out what it is.

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the the following file path into the window
C:\WINDOWS\system32\rclumad.exe
Click Submit/Send File
Please post back, to let me know the results.

If Virustotal is too busy please try Jotti

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O1 - Hosts: 127.255.255.255 http://www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 http://www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 http://www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 http://www.alcohol-soft.com

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O23 - Service: Cluster Manager Service V2 (rcluma) - Unknown owner - C:\WINDOWS\system32\rclumad.exe

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Download and Run ComboFix
  • Download Combofix from one of the links below :

    ComboFix.exe 1
    ComboFix.exe 2
    ComboFix.exe 3
  • Then double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
ComboFix SHOULD NOT be used without supervision
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: win32.trojan.spy.banker.bai

Unread postby templars » December 15th, 2007, 6:46 am

Thank you for your time. My VirusTotal Scan came out like this:

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - Not analyzed yet
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - Win32.Malware.gen
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional Information
MD5: 6b2a1cb019fc54f559bb0213fe69aa71

As for the ComboFix, it posted the following results:

ComboFix 07-12-15.5 - templars 2007-12-15 10:35:07.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.2070.18.470 [GMT 0:00]
Executando de: D:\Download\ComboFix.exe
* Criado um novo ponto de restauro
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\templars\Application Data\macromedia\Flash Player\#SharedObjects\5LPKCTEP\www.broadcaster.com
C:\Documents and Settings\templars\Application Data\macromedia\Flash Player\#SharedObjects\5LPKCTEP\www.broadcaster.com\played_list.sol
C:\Documents and Settings\templars\Application Data\macromedia\Flash Player\#SharedObjects\5LPKCTEP\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\templars\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\templars\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\autorun.ini

.
((((((((((((((((((((((( Ficheiros criados de 2007-11-15 to 2007-12-15 ))))))))))))))))))))))))))))))))
.

2007-12-13 16:29 . 2007-12-13 16:29 <DIR> d-------- C:\Documents and Settings\templars\Application Data\MySQL
2007-12-13 16:21 . 2007-12-13 16:21 64 --a------ C:\WINDOWS\my.ini
2007-12-13 16:20 . 2007-12-13 16:20 <DIR> d-------- C:\Programas\MySQL
2007-12-13 09:46 . 2007-12-13 09:46 94 --a------ C:\WINDOWS\wininit.ini
2007-12-06 16:32 . 2007-12-06 16:47 476 --a------ C:\WebServer0a.fcs
2007-12-04 14:35 . 2007-12-04 14:35 499 --a------ C:\PLC32.fcs
2007-12-02 21:39 . 2007-12-02 21:39 <DIR> d-------- C:\Programas\aMSN
2007-12-02 01:36 . 2007-12-02 01:36 <DIR> d-------- C:\Documents and Settings\templars\amsn
2007-11-29 17:37 . 2007-11-29 17:37 <DIR> d-------- C:\Programas\Fatek
2007-11-29 16:42 . 1999-03-23 09:12 299,520 --a------ C:\WINDOWS\uninst.exe
2007-11-28 16:36 . 2007-11-28 16:36 <DIR> d-------- C:\Programas\mozilla.org
2007-11-28 16:06 . 2007-11-29 10:23 25 --a------ C:\WINDOWS\.prj
2007-11-28 16:04 . 1999-05-15 00:24 97,280 --a------ C:\WINDOWS\system32\vspell32.ocx
2007-11-28 16:04 . 1997-02-24 17:44 70,656 --a------ C:\WINDOWS\system32\vspell32.dll
2007-11-28 16:04 . 2007-11-29 10:23 430 --a------ C:\WINDOWS\pagebreeze.ini
2007-11-28 16:04 . 2007-11-28 16:04 35 --a------ C:\WINDOWS\formbreeze.ini
2007-11-28 16:03 . 2005-01-24 12:39 503,808 --a------ C:\WINDOWS\system32\ChilkatFTPx.dll
2007-11-28 16:03 . 1998-11-18 11:40 89,600 --a------ C:\WINDOWS\system32\Leocx32.ocx
2007-11-28 16:03 . 1998-11-22 14:23 84,992 --a------ C:\WINDOWS\system32\Ledit32.dll
2007-11-28 15:44 . 2007-11-28 15:44 <DIR> d-------- C:\Programas\MSXML 6.0
2007-11-28 11:57 . 2007-11-28 11:57 <DIR> d-------- C:\WINDOWS\l2schemas
2007-11-28 11:57 . 2005-04-20 19:31 474,624 --------- C:\WINDOWS\system32\dllcache\wzcsvc.dll
2007-11-28 11:57 . 2006-11-01 07:15 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2007-11-28 11:57 . 2005-04-20 19:31 52,736 --------- C:\WINDOWS\system32\dllcache\wzcsapi.dll
2007-11-28 11:57 . 2005-04-19 23:54 14,592 --------- C:\WINDOWS\system32\dllcache\ndisuio.sys
2007-11-28 11:27 . 2001-11-21 07:20 894,464 --------- C:\WINDOWS\system32\MFC40D.DLL
2007-11-28 11:27 . 2001-11-21 07:20 444,928 --------- C:\WINDOWS\system32\MSVCR40D.DLL
2007-11-28 11:27 . 2003-11-11 07:23 188,416 --a------ C:\WINDOWS\system32\drivers\S5MCD.SYS
2007-11-28 11:27 . 2003-11-11 07:23 77,312 --a------ C:\WINDOWS\system32\S5_VDD.DLL
2007-11-28 11:27 . 2003-11-11 07:23 15,360 --a------ C:\WINDOWS\system32\drivers\S5AS511.SYS
2007-11-25 13:07 . 2007-11-25 13:07 <DIR> d-------- C:\Programas\FileZilla Client
2007-11-25 13:07 . 2007-11-25 13:07 <DIR> d-------- C:\Documents and Settings\templars\Application Data\FileZilla
2007-11-23 23:37 . 2007-11-23 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COSMOS Applications
2007-11-23 23:05 . 2007-11-23 23:05 <DIR> d-------- C:\Programas\Ficheiros comuns\SolidWorks Shared
2007-11-23 23:02 . 2007-11-23 23:02 <DIR> d-------- C:\Programas\Bluebeam Software
2007-11-23 23:02 . 2007-11-23 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluebeam Software
2007-11-22 17:55 . 2007-11-25 18:55 159 --a------ C:\motor_off.html
2007-11-22 17:55 . 2007-11-25 18:55 157 --a------ C:\motor_on.html
2007-11-22 17:08 . 2007-11-22 16:58 68 --a------ C:\pagina1.html
2007-11-18 16:17 . 2007-11-18 16:17 13,824 --ahs---- C:\WINDOWS\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 21:53 --------- d-----w C:\Programas\Boilsoft MOV Converter
2007-11-07 18:12 --------- d-----w C:\Documents and Settings\templars\Application Data\vlc
2007-11-07 18:07 --------- d-----w C:\Programas\VideoLAN
2007-11-07 18:04 --------- d-----w C:\Documents and Settings\templars\Application Data\TrueCrypt
2007-11-07 16:30 --------- d-----w C:\Programas\TrueCrypt
2007-10-31 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\MiKTeX
2007-10-31 15:20 --------- d-----w C:\Programas\MiKTeX 2.6
2007-10-31 15:18 --------- d-----w C:\Programas\Ghostgum
2007-10-31 15:17 --------- d-----w C:\Programas\gs
2007-10-30 23:23 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,294,336 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,294,336 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:43 8,501,248 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 09:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 09:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-16 16:25 --------- d-----w C:\Programas\Ficheiros comuns\Wise Installation Wizard
2007-10-16 16:25 --------- d-----w C:\Programas\AGEIA Technologies
2007-10-10 23:49 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:49 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:49 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:49 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:49 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:49 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:49 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:49 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:49 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:49 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:49 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:49 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:49 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:49 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:49 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:49 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:49 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:49 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:49 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:49 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:49 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:49 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 16:45 846 ----a-w C:\Programas\uninstal.log
2007-10-10 11:03 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 11:03 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-05 19:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-05 19:51 249,856 ------w C:\WINDOWS\Setup1.exe
2007-03-09 10:15 561 ----a-w C:\Programas\INSTALL.LOG
2006-11-17 13:11 62,607 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_11_17_11_08_42_small.dmp.zip
2006-10-14 10:12 3,342,336 ------w C:\WINDOWS\Internet Logs\tvDebug.zip
2006-10-09 22:13 562,056 ----a-w C:\Documents and Settings\templars\Application Data\GDIPFONTCACHEV1.DAT
2006-07-07 23:25 623,709 --sh--w C:\WINDOWS\system32\uvvwa.bak1
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-01-25 14:02]
"Zone Labs Client"="C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27]
"SynTPLpr"="C:\Programas\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 22:44]
"SynTPEnh"="C:\Programas\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 22:43]
"LManager"="C:\Programas\Launch Manager\QtZgAcer.EXE" [2004-12-09 12:50]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-01-21 15:21]
"ccApp"="C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe" [2005-06-02 09:21]
"ATIPTA"="C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-07 21:10]
"LaunchApp"="Alaunch" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 20:00 C:\WINDOWS\system32\bthprops.cpl]
"SsAAD.exe"="C:\PROGRA~1\SONICS~1\SsAAD.exe" [2006-01-07 02:36]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-07 16:27]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
BTTray.lnk - D:\Bluetooth\BTTray.exe [2002-10-25 14:18:40]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-12 20:52 483328 --a------ C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 14:54 241664 --a------ C:\Programas\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programas\QuickTime\qttask.exe -atboottime

R1 LUMDriver;LUMDriver;\??\C:\WINDOWS\system32\drivers\LUMDriver.sys
R1 UBHelper;MRW remapping;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
R2 BBDemon;Backbone Service;C:\Programas\CATIAV5\intel_a\code\bin\CATSysDemon.exe -service
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys
R2 rcluma;Cluster Manager Service V2;C:\WINDOWS\system32\rclumad.exe
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S3 int15.sys;int15.sys;\??\C:\Programas\acer\eRecovery\int15.sys
S3 PD1030VID;Creative WebCam Pro;C:\WINDOWS\system32\DRIVERS\P1030Vid.sys
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINDOWS\system32\Drivers\usb2vcom.sys
S3 WINIO;WINIO;\??\C:\WINDOWS\system32\winio.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fc7c174-867b-11da-8586-000b0d20ea90}]
\Shell\Auto\command - RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87fb0a2c-981b-11dc-8a3d-000b0d20ea90}]
\Shell\Auto\command - RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{918455dc-9841-11dc-8a3e-000b0d20ea90}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5a87e98-9f65-11dc-8a56-00c09f8884d0}]
\Shell\auto\command - G:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - G:\Knight.exe open
\Shell\find\command - G:\Knight.exe open
\Shell\install\command - G:\Knight.exe open
\Shell\open\command - G:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd8a5804-9d9c-11dc-8a4d-000b0d20ea90}]
\Shell\auto\command - G:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - G:\Knight.exe open
\Shell\find\command - G:\Knight.exe open
\Shell\install\command - G:\Knight.exe open
\Shell\open\command - G:\Knight.exe open

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 10:40:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2007-12-15 10:40:59
C:\ComboFix2.txt ... 2006-07-08 00:01
C:\ComboFix.2006-07-07.235941.txt ... 2006-07-07 23:49
.
2007-12-12 22:09:55 --- E O F ---

If you need help with any of the portuguese words, please let me know.
templars
Regular Member
 
Posts: 48
Joined: July 4th, 2006, 1:55 pm

Re: win32.trojan.spy.banker.bai

Unread postby Katana » December 15th, 2007, 5:31 pm

Flash Disinfector by sUBs
Please downloadFlash_Disinfector.exe by sUBs and save it to your desktop:


* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


Please restart your computer.



Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    http://malwareremoval.com/forum/viewtopic.php?f=11&t=26053&p=246215#p246215
    Comment:: Katana
    Collect::[4]
    C:\WINDOWS\system32\rclumad.exe
    
    File::
    C:\WINDOWS\system32\uvvwa.bak1
    
    Driver::
    Cluster Manager Service V2
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fc7c174-867b-11da-8586-000b0d20ea90}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87fb0a2c-981b-11dc-8a3d-000b0d20ea90}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{918455dc-9841-11dc-8a3e-000b0d20ea90}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5a87e98-9f65-11dc-8a56-00c09f8884d0}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd8a5804-9d9c-11dc-8a4d-000b0d20ea90}]
    
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: win32.trojan.spy.banker.bai

Unread postby templars » December 15th, 2007, 6:19 pm

ComboFix 07-12-15.5 - templars 2007-12-15 22:10:40.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.2070.18.454 [GMT 0:00]
Executando de: C:\Documents and Settings\templars\Ambiente de trabalho\ComboFix.exe
Command switches used :: C:\Documents and Settings\templars\Ambiente de trabalho\CFScript.txt
* Criado um novo ponto de restauro

FILE
C:\WINDOWS\system32\uvvwa.bak1
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rclumad.exe
C:\WINDOWS\system32\uvvwa.bak1

.
((((((((((((((((((((((( Ficheiros criados de 2007-11-15 to 2007-12-15 ))))))))))))))))))))))))))))))))
.

2007-12-13 16:29 . 2007-12-13 16:29 <DIR> d-------- C:\Documents and Settings\templars\Application Data\MySQL
2007-12-13 16:21 . 2007-12-13 16:21 64 --a------ C:\WINDOWS\my.ini
2007-12-13 16:20 . 2007-12-13 16:20 <DIR> d-------- C:\Programas\MySQL
2007-12-13 09:46 . 2007-12-13 09:46 94 --a------ C:\WINDOWS\wininit.ini
2007-12-06 16:32 . 2007-12-06 16:47 476 --a------ C:\WebServer0a.fcs
2007-12-04 14:35 . 2007-12-15 19:45 539 --a------ C:\PLC32.fcs
2007-12-02 21:39 . 2007-12-02 21:39 <DIR> d-------- C:\Programas\aMSN
2007-12-02 01:36 . 2007-12-02 01:36 <DIR> d-------- C:\Documents and Settings\templars\amsn
2007-11-29 17:37 . 2007-11-29 17:37 <DIR> d-------- C:\Programas\Fatek
2007-11-29 16:42 . 1999-03-23 09:12 299,520 --a------ C:\WINDOWS\uninst.exe
2007-11-28 16:36 . 2007-11-28 16:36 <DIR> d-------- C:\Programas\mozilla.org
2007-11-28 16:06 . 2007-11-29 10:23 25 --a------ C:\WINDOWS\.prj
2007-11-28 16:04 . 1999-05-15 00:24 97,280 --a------ C:\WINDOWS\system32\vspell32.ocx
2007-11-28 16:04 . 1997-02-24 17:44 70,656 --a------ C:\WINDOWS\system32\vspell32.dll
2007-11-28 16:04 . 2007-11-29 10:23 430 --a------ C:\WINDOWS\pagebreeze.ini
2007-11-28 16:04 . 2007-11-28 16:04 35 --a------ C:\WINDOWS\formbreeze.ini
2007-11-28 16:03 . 2005-01-24 12:39 503,808 --a------ C:\WINDOWS\system32\ChilkatFTPx.dll
2007-11-28 16:03 . 1998-11-18 11:40 89,600 --a------ C:\WINDOWS\system32\Leocx32.ocx
2007-11-28 16:03 . 1998-11-22 14:23 84,992 --a------ C:\WINDOWS\system32\Ledit32.dll
2007-11-28 15:44 . 2007-11-28 15:44 <DIR> d-------- C:\Programas\MSXML 6.0
2007-11-28 11:57 . 2007-11-28 11:57 <DIR> d-------- C:\WINDOWS\l2schemas
2007-11-28 11:57 . 2005-04-20 19:31 474,624 --------- C:\WINDOWS\system32\dllcache\wzcsvc.dll
2007-11-28 11:57 . 2006-11-01 07:15 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2007-11-28 11:57 . 2005-04-20 19:31 52,736 --------- C:\WINDOWS\system32\dllcache\wzcsapi.dll
2007-11-28 11:57 . 2005-04-19 23:54 14,592 --------- C:\WINDOWS\system32\dllcache\ndisuio.sys
2007-11-28 11:27 . 2001-11-21 07:20 894,464 --------- C:\WINDOWS\system32\MFC40D.DLL
2007-11-28 11:27 . 2001-11-21 07:20 444,928 --------- C:\WINDOWS\system32\MSVCR40D.DLL
2007-11-28 11:27 . 2003-11-11 07:23 188,416 --a------ C:\WINDOWS\system32\drivers\S5MCD.SYS
2007-11-28 11:27 . 2003-11-11 07:23 77,312 --a------ C:\WINDOWS\system32\S5_VDD.DLL
2007-11-28 11:27 . 2003-11-11 07:23 15,360 --a------ C:\WINDOWS\system32\drivers\S5AS511.SYS
2007-11-25 13:07 . 2007-11-25 13:07 <DIR> d-------- C:\Programas\FileZilla Client
2007-11-25 13:07 . 2007-11-25 13:07 <DIR> d-------- C:\Documents and Settings\templars\Application Data\FileZilla
2007-11-23 23:37 . 2007-11-23 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COSMOS Applications
2007-11-23 23:05 . 2007-11-23 23:05 <DIR> d-------- C:\Programas\Ficheiros comuns\SolidWorks Shared
2007-11-23 23:02 . 2007-11-23 23:02 <DIR> d-------- C:\Programas\Bluebeam Software
2007-11-23 23:02 . 2007-11-23 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluebeam Software
2007-11-22 17:55 . 2007-11-25 18:55 159 --a------ C:\motor_off.html
2007-11-22 17:55 . 2007-11-25 18:55 157 --a------ C:\motor_on.html
2007-11-22 17:08 . 2007-11-22 16:58 68 --a------ C:\pagina1.html
2007-11-18 16:17 . 2007-11-18 16:17 13,824 --ahs---- C:\WINDOWS\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 21:53 --------- d-----w C:\Programas\Boilsoft MOV Converter
2007-11-07 18:12 --------- d-----w C:\Documents and Settings\templars\Application Data\vlc
2007-11-07 18:07 --------- d-----w C:\Programas\VideoLAN
2007-11-07 18:04 --------- d-----w C:\Documents and Settings\templars\Application Data\TrueCrypt
2007-11-07 16:30 --------- d-----w C:\Programas\TrueCrypt
2007-10-31 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\MiKTeX
2007-10-31 15:20 --------- d-----w C:\Programas\MiKTeX 2.6
2007-10-31 15:18 --------- d-----w C:\Programas\Ghostgum
2007-10-31 15:17 --------- d-----w C:\Programas\gs
2007-10-30 23:23 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,294,336 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,294,336 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:43 8,501,248 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 09:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 09:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-16 16:25 --------- d-----w C:\Programas\Ficheiros comuns\Wise Installation Wizard
2007-10-16 16:25 --------- d-----w C:\Programas\AGEIA Technologies
2007-10-10 23:49 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:49 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:49 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:49 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:49 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:49 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:49 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:49 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:49 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:49 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:49 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:49 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:49 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:49 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:49 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:49 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:49 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:49 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:49 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:49 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:49 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:49 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 16:45 846 ----a-w C:\Programas\uninstal.log
2007-10-10 11:03 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 11:03 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-05 19:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-05 19:51 249,856 ------w C:\WINDOWS\Setup1.exe
2007-03-09 10:15 561 ----a-w C:\Programas\INSTALL.LOG
2006-11-17 13:11 62,607 ------w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_11_17_11_08_42_small.dmp.zip
2006-10-14 10:12 3,342,336 ------w C:\WINDOWS\Internet Logs\tvDebug.zip
2006-10-09 22:13 562,056 ----a-w C:\Documents and Settings\templars\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-12-15_10.40.30,54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 10:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-01-25 14:02]
"Zone Labs Client"="C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27]
"SynTPLpr"="C:\Programas\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 22:44]
"SynTPEnh"="C:\Programas\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 22:43]
"LManager"="C:\Programas\Launch Manager\QtZgAcer.EXE" [2004-12-09 12:50]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-01-21 15:21]
"ccApp"="C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe" [2005-06-02 09:21]
"ATIPTA"="C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-07 21:10]
"LaunchApp"="Alaunch" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 20:00 C:\WINDOWS\system32\bthprops.cpl]
"SsAAD.exe"="C:\PROGRA~1\SONICS~1\SsAAD.exe" [2006-01-07 02:36]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-07 16:27]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
BTTray.lnk - D:\Bluetooth\BTTray.exe [2002-10-25 14:18:40]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-12 20:52 483328 --a------ C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 14:54 241664 --a------ C:\Programas\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programas\QuickTime\qttask.exe -atboottime

R1 LUMDriver;LUMDriver;\??\C:\WINDOWS\system32\drivers\LUMDriver.sys
R1 UBHelper;MRW remapping;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
R2 BBDemon;Backbone Service;C:\Programas\CATIAV5\intel_a\code\bin\CATSysDemon.exe -service
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys
R2 rcluma;Cluster Manager Service V2;C:\WINDOWS\system32\rclumad.exe
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S3 int15.sys;int15.sys;\??\C:\Programas\acer\eRecovery\int15.sys
S3 PD1030VID;Creative WebCam Pro;C:\WINDOWS\system32\DRIVERS\P1030Vid.sys
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINDOWS\system32\Drivers\usb2vcom.sys
S3 WINIO;WINIO;\??\C:\WINDOWS\system32\winio.sys

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 22:16:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2007-12-15 22:16:51
C:\ComboFix3.txt ... 2006-07-08 00:01
C:\ComboFix.2006-07-07.235941.txt ... 2006-07-07 23:49
C:\ComboFix2.txt ... 2007-12-15 10:41
.
2007-12-12 22:09:55 --- E O F ---
templars
Regular Member
 
Posts: 48
Joined: July 4th, 2006, 1:55 pm

Re: win32.trojan.spy.banker.bai

Unread postby Katana » December 15th, 2007, 6:27 pm

Well, that is looking good :thumbup:

There is very little information about win32.trojan.spy.banker.bai. and we will have to wait for that file to be analyzed properly
but to be on the safe side I would recommend that you change any passwords that you use online
( including any banking or financial passwords)

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/virusscanner ( please use IE. and allow active X)

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Please post the report in your reply.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: win32.trojan.spy.banker.bai

Unread postby templars » December 16th, 2007, 7:50 am

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 16, 2007 11:47:07 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/12/2007
Kaspersky Anti-Virus database records: 483501
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 332960
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 05:26:37

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5837.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D9BB70C3-46D0-4447-B6E3-07FEFC7B879A}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\templars\ntuser.dat Object is locked skipped
C:\Documents and Settings\templars\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Temp\Free Download Manager\tic47.tmp Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Temp\Free Download Manager\tic51.tmp Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Histórico\History.IE5\MSHist012007121520071216\index.dat Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\templars\Definições locais\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\templars\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\templars\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\history.dat Object is locked skipped
C:\Documents and Settings\templars\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\parent.lock Object is locked skipped
C:\Documents and Settings\templars\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\templars\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\cert8.db Object is locked skipped
C:\Documents and Settings\templars\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\key3.db Object is locked skipped
C:\Documents and Settings\templars\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\search.sqlite Object is locked skipped
C:\Documents and Settings\templars\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\templars\Application Data\Mozilla\Firefox\Profiles\leriqk4z.default\flashgot.log Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\storage.sdb Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\cert8.db Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\key3.db Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\parent.lock Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\panacea.dat Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\abook.mab Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\WebmailData\imapdata.db3 Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\WebmailData\domains.db3 Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\Mail\localhost\Inbox.msf Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\Mail\mail.ua.pt\Inbox.msf Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\Mail\Notícias e Blogs\Trash.msf Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\Mail\pop.gmail.com\Inbox.msf Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\Mail\Notícias e Blogs-1\Trash.msf Object is locked skipped
C:\Documents and Settings\templars\Application Data\Thunderbird\Profiles\jzg4wqym.default\urlclassifier2.sqlite Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Programas\Symantec AntiVirus\SAVRT\0979NAV~.TMP Object is locked skipped
C:\Programas\Symantec AntiVirus\SAVRT\0882NAV~.TMP Object is locked skipped
C:\Programas\Ansys Inc\Shared Files\Licensing\license.log Object is locked skipped
C:\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\XAMPP\xampp\apache\logs\access.log Object is locked skipped
D:\XAMPP\xampp\apache\logs\error.log Object is locked skipped
D:\XAMPP\xampp\apache\logs\ssl_request.log Object is locked skipped
D:\XAMPP\xampp\mysql\data\acer-99e7ae3a68.err Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\download\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\download\SmitfraudFix.zip ZIP: infected - 1 skipped

Scan process completed.
templars
Regular Member
 
Posts: 48
Joined: July 4th, 2006, 1:55 pm

Re: win32.trojan.spy.banker.bai

Unread postby Katana » December 16th, 2007, 8:25 am

Well that is fine :thumbup:

Is your AV still detecting anything, do you have any other problems ?
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: win32.trojan.spy.banker.bai

Unread postby templars » December 16th, 2007, 8:39 am

No, everything is looking good. During the online scan, my symantec detected a downloader but I suppose it was due to the scan, right?

Thank you so much for your time. This flash pen virus is spreading very fast in my University, with all the pen swapping going on... It almost looks like a STD :D
templars
Regular Member
 
Posts: 48
Joined: July 4th, 2006, 1:55 pm

Re: win32.trojan.spy.banker.bai

Unread postby Katana » December 16th, 2007, 8:55 am

Yes, the downloader was more than likely the scan itself.
USB infections do spread quickly, because they put files on the USB drive and on the PC.
So it infects both ways round :roll:

Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First lets tidy up :D

  • This will uninstall ComboFix completely
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Image
Delete Flash_Disinfector.exe
You can also delete any logs we have produced, and empty your Recycle bin.

Reset System Restore.
Now you should disable System restore to purge any infected files and then re-enable it,

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer

Turn ON System Restore

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-Check Turn off System Restore.
Click Apply, and then click OK.

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    All the programs in this list have a free version.
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • AVG Anti-Spyware 7.5 <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner
  • Ad-Aware 2007 Free <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 3.5.1
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can chose which cookies to keep


Also PLEASE read this article.......So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: win32.trojan.spy.banker.bai

Unread postby templars » December 16th, 2007, 10:02 am

Thank you so much for your time and advice. I've beeing using SpyBot, Ad-Ware and Zone-Alarm (with anti-spyware) firewall but that flash pen virus caught me off-guard... Merry Xmas and happy new year!
templars
Regular Member
 
Posts: 48
Joined: July 4th, 2006, 1:55 pm

Re: win32.trojan.spy.banker.bai

Unread postby NonSuch » December 23rd, 2007, 3:07 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 292 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware