Bankerfox.a, wuauclt.exe and Antivirus Pro Help

I have got a computer infected with the bankerfox.a virus and need help getting it cleaned up. It will not let me open anything on the infected machine. How do I go about downloading the Hijack This program? Can I follow steps you have posted for others with this infection? Thanks for any help you can give me.

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
I cannot get to the web page to do any downloading. When I try to change the web page, it goes to this address (http://awareremover2010.microsoft.com/block.php?r=57.5). There are 20-plus red shields with white X's in them across the bottom taskbar and a yellow one that jumps through the red ones one by one. I downloaded the commy.exe to a disk from a different computer and put it on the desktop of the infected one; the "run" feature comes up with an error that it can't find the commy.exe. When I double click or select run on the commy icon, a small box flashes and says Combofix, but that is all it does.

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
I cannot even get to the GeekPolice web site, and if I let the computer sit long enough, porno pages come up.

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Please download: HijackThis to your Desktop.
  • Double Click the HijackThis icon, located on your Desktop.
  • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
    It will also create a shortcut on your Desktop.
  • Accept the license agreement.
  • Click Do a System Scan and Save a Logfile.
  • Please post the log in your next reply.

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Yippee... I got HijackThis to work, but it's on the other computer, and I can't access any email, nor can I get to this web page to post the results :-( Any help?

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.
  • Now click on the Connections tab and then the LAN Settings button
  • Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the Apply button and then the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.


Post the HijackThis log when ready.

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Last night nothing would work. I couldn't get the LAN setting to where you advised; it kept resetting. I shut down, and this morning when I restarted, AVG picked up the antivirus program and I got rid of it through there. Why didn't it do it before?? I ran commy.exe and am including the log here. Let me know what you think... am I healed?

ComboFix 09-12-07.09 - Owner 12/08/2009 10:35.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.203 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\commy.exe.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared
c:\program files\Shared\lib.sig
c:\recycler\S-1-5-21-763046184-1108015167-220856613-1003
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-08 to 2009-12-08 )))))))))))))))))))))))))))))))
.

2009-12-08 04:56 . 2009-12-08 04:56 -------- d-----w- c:\program files\Trend Micro
2009-12-08 02:55 . 2009-12-08 08:43 3585369 ----a-w- c:\documents and settings\commy.exe.exe
2009-12-08 02:39 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-08 02:39 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-08 02:38 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-12-08 02:38 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-12-04 22:47 . 2009-12-08 15:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\fxgupx
2009-12-04 19:55 . 2009-12-04 19:55 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-08 16:09 . 2009-09-25 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-04 22:13 . 2009-04-26 22:23 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-12-02 22:41 . 2009-05-31 01:10 6588 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-12-01 03:13 . 2009-04-27 21:29 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-09-25 00:08 . 2009-09-25 00:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-25 00:08 . 2009-09-25 00:08 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-25 00:08 . 2009-09-25 00:08 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-25 00:08 . 2009-09-25 00:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-24 22:52 . 2009-04-26 21:04 38112 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-24 22:32 . 2004-08-26 18:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-24 22:30 . 2009-09-24 22:30 73728 ----a-w- c:\windows\ALCFDRTM.EXE
2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-08-24 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-24 2552320]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 135168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-08 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-26 2029336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-25 00:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/24/2009 6:08 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/24/2009 6:08 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/24/2009 6:08 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/24/2009 6:08 PM 297752]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 11:02 AM 1213728]
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
mStart Page = hxxp://qwest.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
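As an added example (not part of this thread or of ComboFix itself), a short Python checker that reads a ComboFix log in the format quoted above and pulls out the three findings a helper would look at first: a browser proxy pointed at the loopback address (the setting that was blocking this user's browsing), an Autorun.inf removed from a drive, and a disinfected system file. The sample log is constructed from lines of the log above; the section banners and key names are assumed to follow ComboFix's format as shown there.

```python
import re

# Constructed sample: a few lines in the shape of the ComboFix log quoted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared\lib.sig
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
mStart Page = hxxp://qwest.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
"""

LOOPBACK_HINTS = ("127.", "localhost")


def parse_sections(text):
    """Split the log into {section_name: [lines]} using ComboFix's
    '((( name )))' and '------- name -------' banners (assumed format)."""
    sections, current = {}, "header"
    banner = re.compile(r"^\(+\s*(.+?)\s*\)+$|^-+\s*(.+?)\s*-+$")
    for line in text.splitlines():
        m = banner.match(line.strip())
        if m:
            current = (m.group(1) or m.group(2)).strip(" -")
            sections[current] = []
        elif line.strip() not in ("", "."):
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def check_log(text):
    """Return (finding, evidence) tuples for the indicators this thread turned on."""
    findings = []
    sections = parse_sections(text)
    for line in sections.get("Supplementary Scan", []):
        key, _, value = line.partition("=")
        # A proxy on 127.0.0.1 silently routes the browser through local malware.
        if "ProxyServer" in key and any(h in value for h in LOOPBACK_HINTS):
            findings.append(("browser proxy pointed at loopback", value.strip()))
    for line in sections.get("Other Deletions", []):
        if line.lower().endswith("autorun.inf"):
            findings.append(("autorun.inf removed from a drive", line))
        m = re.match(r"Infected copy of (.+?) was found", line)
        if m:
            findings.append(("infected system file disinfected", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding, evidence in check_log(SAMPLE_LOG):
        print(f"{finding}: {evidence}")
```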

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Please run a Full Scan with AVG - and post a log, if available.

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
There is no log to post. No infections and some tracking cookies are all it found. So this must mean my machine is clean? AVG must have caught the antivirus virus this morning and cleaned it off. Thank you for being here, and I have bookmarked the address. This is great!!! I definitely will donate towards a great cause. Thanks for all the time you spend here. Hooray!

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Let us do a final check then I will help you prevent malware in the future.

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
``````````````````````````````
Anti-malware/Other Utilities Check:

HijackThis 2.0.2
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 6.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
I updated Java and Adobe Reader then reran the SecurityCheck and here are the results:

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
``````````````````````````````
Anti-malware/Other Utilities Check:

HijackThis 2.0.2
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read this over and click here to open a new topic. ~DragonMaster Jay


Last edited by DragonMaster Jay on 9th December 2009, 9:25 pm; edited 2 times in total

Re: Bankerfox.a, wuauclt.exe and Antivirus Pro Help
Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

  • Tall Emu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by a 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here: http://www.lavasoft.com/mylavasoft/rogues

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

  • Firefox may be downloaded from here: http://www.getfirefox.com
  • Opera is available here: http://www.opera.com/download/


Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?
