WiredWX Hobby Weather Tools

Bankerfox.A amongst other things

3 posters

Hi, I'm trying to fix a laptop for a friend, but I'm completely stumped on this one. It's been infected by Bankerfox.A, so whenever I open IE, it doesn't let me access anything. I open Firefox, but it won't let me browse any webpages either. They all eventually fall back to www.google.com, or say the page cannot be found on the server. I am unable to download any antivirus software, do a system restore, or anything, because any .exe file I try to open comes out as "Application cannot be executed. The file xxxxx.exe is infected. Do you want to activate your antivirus software now?". I also cannot install any software through a USB, since it will give me the same error message when it's trying to read the USB drivers. I tried with a CD, same thing. I can't start the laptop in safe mode because the screen is broken (I have it connected to a monitor) and when I press F8 at startup, that doesn't show on the external monitor. Any ideas?

Re: Bankerfox.A amongst other things

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Bankerfox.A amongst other things

I'm sorry, but like I said, it won't let me access any websites. I'm typing this from another computer because any website I try to access goes to a fake Google page that says that the requested URL was not found on the server.

Re: Bankerfox.A amongst other things

Please transfer the download from a clean computer on to the infected one.

Re: Bankerfox.A amongst other things

I did try. The laptop won't let me open any executable files. It won't let me open Task Manager. It won't even let me open System Restore. I can't download, install, or run anything.

Re: Bankerfox.A amongst other things

Rename it to blackpudding.bat and try again please.

Re: Bankerfox.A amongst other things

It does the same thing... Sorry, I forgot to add, it gives me a fake Windows Security Alert popup that says "Application cannot be executed. The file blackpudding.bat (or whichever is trying to open) is infected. Do you want to activate your antivirus software now?"

Re: Bankerfox.A amongst other things

Rename it to iexplore.exe

Then, go to Start > Run and paste this command and press OK:

"%desktop%\iexplore.exe" /stepdel

Re: Bankerfox.A amongst other things

It brings up a search window, as if it can't find the file. Also, just thought you might need to know, if I double-click the icon, a little bar comes up that says "ComboFix", it loads, but then at the end it doesn't do anything.

Re: Bankerfox.A amongst other things

Last try here. If bust, then we will get a more powerful option. Shh a secret

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Then, try ComboFix again.

Re: Bankerfox.A amongst other things

Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read this over and click here to open a new topic. ~DragonMaster Jay

Re: Bankerfox.A amongst other things

The laptop's screen is not working, so it doesn't let me start in safe mode :sad:

Re: Bankerfox.A amongst other things

Odd. But, you start just fine in normal mode?

Re: Bankerfox.A amongst other things

Yes, I have it plugged in to a monitor. But when I press F8 as it's starting up, the boot screen doesn't show on the external monitor. It only starts showing after the Vista logo comes up.

ComboFix is running now... I guess the computer just needed to rest, maybe? Well, it's scanning atm, so I'll post the scan log as soon as it comes up. Thanks

Last edited by aivlis on 14th February 2010, 4:04 am; edited 1 time in total (Reason for editing: update)

Re: Bankerfox.A amongst other things

ComboFix 10-02-09.03 - Daniel 02/13/2010 22:03:34.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1161 [GMT -6:00]
Running from: c:\users\Daniel\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3443657032-2903806523-3540040041-500
c:\$recycle.bin\S-1-5-21-3967032013-1912477881-1511816985-1001
c:\$recycle.bin\S-1-5-21-3967032013-1912477881-1511816985-500
c:\users\Daniel\AppData\Local\vmibou
c:\users\Daniel\AppData\Local\vmibou\bdsxsftav.exe
c:\windows\fxstaller.exe
c:\windows\system32\KBL.LOG
c:\windows\system32\oem3.inf
c:\users\Daniel\secupdat.dat . . . . failed to delete
c:\windows\system32\secupdat.dat . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.

2010-02-14 04:17 . 2010-02-14 04:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-10 04:16 . 2009-12-04 16:27 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 04:16 . 2009-12-04 16:27 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-09 04:37 . 2010-02-09 04:37 -------- dc----w- C:\89f2b01f43ee574fe247
2010-02-07 01:33 . 2010-02-07 01:33 16384 ---ha-w- c:\users\Daniel\fnlqaf.exe
2010-02-01 17:00 . 2010-02-01 17:00 -------- d-----w- c:\users\Daniel\AppData\Roaming\Facebook
2010-02-01 14:08 . 2010-02-01 14:08 16384 ---ha-w- c:\users\Daniel\bwuy.exe
2010-01-22 11:43 . 2009-12-18 12:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-16 04:35 . 2010-01-15 19:24 225280 --sh--r- c:\windows\system32\wmisktp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 04:21 . 2008-07-29 04:17 -------- d-----w- c:\users\Daniel\AppData\Roaming\LimeWire
2010-02-14 03:59 . 2008-07-23 19:26 290886 ----a-w- c:\users\Daniel\AppData\Roaming\nvModes.dat
2010-02-12 22:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-09 04:46 . 2007-11-02 07:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-09 04:42 . 2007-11-02 07:25 -------- d-----w- c:\progra~2\Symantec
2010-02-01 17:00 . 2010-02-01 17:00 50354 ----a-w- c:\users\Daniel\AppData\Roaming\Facebook\uninstall.exe
2010-02-01 14:14 . 2009-09-30 00:09 -------- d-----w- c:\program files\AIM Toolbar
2010-01-27 03:21 . 2010-01-27 03:21 847040 ----a-w- c:\users\Daniel\AppData\Roaming\Facebook\axfbootloader.dll
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
2010-01-22 18:36 . 2009-11-10 06:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-22 18:27 . 2008-07-29 04:16 -------- d-----w- c:\program files\LimeWire
2010-01-14 17:12 . 2009-10-02 16:23 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-18 12:48 . 2010-01-22 11:42 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 11:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:46 . 2010-01-22 11:42 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 11:42 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 11:42 48128 ----a-w- c:\windows\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-07-28 1232896]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-01 1783136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-09 159744]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-11-02 1006264]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"CFmon"="c:\users\Daniel\fnlqaf.exe" [2010-02-07 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\cguvmmot.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Daniel\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKCU-Run-jhdalwnw - c:\users\Daniel\AppData\Local\vmibou\bdsxsftav.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
SafeBoot-exxmdlzs.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 22:21
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5472)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\LimeWire\LimeWire.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\lpremove.exe
c:\windows\system32\lpksetup.exe
.
**************************************************************************
.
Completion time: 2010-02-13 22:36:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-14 04:35

Pre-Run: 82,781,044,736 bytes free
Post-Run: 83,650,134,016 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4,5
- - End Of File - - 8B66006D7C20D3A77F5DC800DEF3CD86
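The log above is read by eye in the thread; the script below is an added example (not part of the thread and not ComboFix's own code) that automates the same triage on a ComboFix-style log. It flags three things that stand out in the posted log: a Run entry launching an executable from the profile root (the "CFmon" entry pointing at c:\users\Daniel\fnlqaf.exe), Security Center / UAC tampering (AntiVirusOverride, FirewallOverride and DisableMonitoring set to 1, EnableLUA set to 0), and executables carrying system+hidden attributes in system32 or hidden in the profile root (wmisktp.exe, fnlqaf.exe). The sample log embedded in the script is constructed from excerpts of the post above in ComboFix's layout; the attribute-letter meanings (d=directory, s=system, h=hidden, a=archive) are taken as in ComboFix's attribute column, and the "suspicious location" rules are this example's own heuristics, not a ComboFix feature.

```python
"""Triage a ComboFix-style log: autoruns from the user profile, Security
Center / UAC tampering, and system+hidden executables. Added example; not
part of the forum thread or of ComboFix."""
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's log layout; paths and values are copied
# from the log posted in the thread so that every check below fires once.
SAMPLE_LOG = r"""
2010-02-07 01:33 . 2010-02-07 01:33 16384 ---ha-w- c:\users\Daniel\fnlqaf.exe
2010-01-22 11:43 . 2009-12-18 12:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-16 04:35 . 2010-01-15 19:24 225280 --sh--r- c:\windows\system32\wmisktp.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-11-02 1006264]
"CFmon"="c:\users\Daniel\fnlqaf.exe" [2010-02-07 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+?)\s*$')
# "<created> . <modified> <size|--------> <attrs> <path>" as ComboFix prints files
FILE_RE = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+'
    r'(?:\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$')

# Heuristic (this example's own): autoruns should not launch an .exe sitting
# directly in the profile root, in a non-Microsoft AppData\Local folder, or in temp.
PROFILE_EXE_RE = re.compile(r'^c:\\users\\[^\\]+\\[^\\]+\.exe$', re.I)
LOCAL_APPDATA_RE = re.compile(r'\\appdata\\local\\(?!microsoft\\)', re.I)
TEMP_RE = re.compile(r'\\temp\\', re.I)


@dataclass
class Finding:
    kind: str
    where: str
    detail: str


def parse_registry(text):
    """Yield (key, name, raw_value) for each "name"=value line under a [HKEY...] header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group('name'), m.group('raw')


def parse_files(text):
    """Yield (attrs, path) for each file line in the created/Find3M sections."""
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            yield m.group('attrs'), m.group('path')


def check_autoruns(text):
    out = []
    for key, name, raw in parse_registry(text):
        if not key.lower().endswith(r'\currentversion\run'):
            continue
        path = raw.split('"')[1] if raw.startswith('"') else raw.split()[0]
        if PROFILE_EXE_RE.match(path) or LOCAL_APPDATA_RE.search(path) or TEMP_RE.search(path):
            out.append(Finding('autorun-from-profile', f'{key}\\{name}', path))
    return out


def check_security_settings(text):
    out = []
    overrides = ('AntiVirusOverride', 'FirewallOverride', 'DisableMonitoring')
    for key, name, raw in parse_registry(text):
        k = key.lower()
        if 'security center' in k and name in overrides and raw.lower().endswith('dword:00000001'):
            out.append(Finding('security-center-override', f'{key}\\{name}', raw))
        elif k.endswith(r'\policies\system') and name == 'EnableLUA' and raw.lstrip().startswith('0'):
            out.append(Finding('uac-disabled', f'{key}\\{name}', raw))
    return out


def check_files(text):
    out = []
    for attrs, path in parse_files(text):
        p = path.lower()
        if not p.endswith('.exe'):
            continue
        # attribute letters as in ComboFix's column: s = system, h = hidden
        if 's' in attrs and 'h' in attrs and '\\windows\\system32\\' in p:
            out.append(Finding('system-hidden-exe-in-system32', path, attrs))
        elif 'h' in attrs and PROFILE_EXE_RE.match(path):
            out.append(Finding('hidden-exe-in-profile-root', path, attrs))
    return out


def triage(text):
    return check_autoruns(text) + check_security_settings(text) + check_files(text)


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:32} {f.where}  ({f.detail})')
```

Run it against a real C:\ComboFix.txt by passing the file's contents to triage(); the three checks are independent, so a log with only the Security Center overrides and nothing in the Run keys still reports the tampering, which is the cue that a rogue "antivirus" has switched off the real monitoring rather than the user having done so.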
