WiredWX Christian Hobby Weather Tools
bankerfox.a with no connectivity

I have been trying to remove the "Banker.A" virus from my wife's computer with no success... the computer has no connectivity and will not open programs such as Malware or Spybot. The Norton shows nothing infected, and I tried loading HijackThis via a flash drive and it will not allow me to run it. I run on Internet Explorer and cannot get online to download anything.... Can you help me??

Re: bankerfox.a with no connectivity

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: bankerfox.a with no connectivity

I have downloaded the current version to a flash drive and attempted to open it on the infected computer, both by double-clicking and by right-click then Install. Both ways result in a message saying "application can not be executed. the file msiexec.exe is infected. Do you want to activate your antivirus software now?"
At the same time this virus appeared, a program called "Antivirus Live" also appeared, popping up at every instance. I presume this is part of the virus as well. I cannot find it in the menu bar and cannot open the Add/Remove menu from Control Panel. Any advice??

Re: bankerfox.a with no connectivity

Let's try this instead. I didn't think HijackThis would work, but it was worth a try.

Please download Ice Sword from HERE

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword open?

Re: bankerfox.a with no connectivity

I was just experiencing these same problems. But after following the Geek Police instructions to remove Antivirus Live, everything seems to be back to normal. I did have to reinstall Malware to get the updates, and I did that in safe mode, then restarted and rescanned/removed infected files. Thank you Geek Police and Doctor Inferno. Good luck azemt.

Re: bankerfox.a with no connectivity

Thanks stacybix... no, it did not open Ice Sword. Should I try to start in safe mode to uninstall "Antivirus Live"?

Re: bankerfox.a with no connectivity

Yes.

Re: bankerfox.a with no connectivity

Okay... for some reason I was able to open it while playing with it waiting for your response... now what?

Safe mode or Ice Sword?

Last edited by azemt_j_rod on 4th January 2010, 12:31 am; edited 1 time in total

Re: bankerfox.a with no connectivity

Hello.

  • Now, in the left-hand side tool list, hit the Process button at the top of the list.
  • Just above the list, there is a log button, press that and save the log to your Desktop.
  • Next, hit the Startup on the left side list.
  • Press the log button again.
  • Post the two logs in your next reply.

Re: bankerfox.a with no connectivity

Log #1

Process:

System Idle Process
System
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
H:\IceSword122en\IceSword122en\IceSword.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\DISC\DISCover.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\arpwrmsg.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DISC\DISCUpdMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Compaq_Administrator.KANDICE\Local Settings\Application Data\mggmfx\fllnsysguard.exe
Log #2

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ehTray
C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ftutil2
rundll32.exe ftutil2.dll,SetWriteCacheMode

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AlwaysReady Power Message APP
ARPWRMSG.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard
C:\WINDOWS\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PCDrProfiler


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HPBootOp
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Reminder
"C:\Windows\Creator\Remind_XP.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Symantec PIF AlertEng
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HP Software Update
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lxqtspoj
C:\Documents and Settings\Compaq_Administrator.KANDICE\Local Settings\Application Data\mggmfx\fllnsysguard.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
lxqtspoj
C:\Documents and Settings\Compaq_Administrator.KANDICE\Local Settings\Application Data\mggmfx\fllnsysguard.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
AutoUpdate Monitor.lnk
C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Remark:)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Compaq Connections.lnk
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe (Remark: Compaq Connections)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Windows Search.lnk
C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Remark: Search your desktop)

C:\Documents and Settings\Compaq_Administrator.KANDICE\Start Menu\Programs\Startup
desktop.ini

Re: bankerfox.a with no connectivity

  • Open IceSword again.
  • Go into the Process list again, and right click on the following filename:

    fllnsysguard.exe

  • Select Terminate Process.

Now try using MBAM.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
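As an added example (not code from this thread, from IceSword or from the helper), here is a small Python parser for the IceSword Startup log format posted above that flags the kind of entry the reply singles out: a program launched from a per-user Application Data folder, or the same program registered in both the HKLM and HKCU Run keys. The embedded sample is a constructed excerpt with a placeholder user name, and the folder list and both heuristics are assumptions, not IceSword behaviour.

```python
import re

# Constructed excerpt in the layout of the IceSword "Startup" log above:
# location line, entry name line, command line, blank separator.
SAMPLE_LOG = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
ccApp
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
lxqtspoj
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\mggmfx\\fllnsysguard.exe

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
lxqtspoj
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\mggmfx\\fllnsysguard.exe
"""

# Assumed list of per-user writable folders that legitimate autostarts rarely run from.
USER_DATA_DIRS = ("\\application data\\", "\\temp\\")

def parse_startup_log(text):
    """Split the log into (location, name, command) records; entries with no command are skipped."""
    blocks = [b.split("\n") for b in re.split(r"\n\s*\n", text.strip())]
    return [(b[0].strip(), b[1].strip(), b[2].strip()) for b in blocks if len(b) >= 3 and b[2].strip()]

def exe_path(command):
    """Return the program path from a command line, dropping surrounding quotes and arguments."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command

def suspicious_autoruns(text):
    """Map each flagged program path (lowercased) to the list of reasons it was flagged."""
    hives = {}  # program path -> set of hives/folders that launch it
    for loc, _name, cmd in parse_startup_log(text):
        hives.setdefault(exe_path(cmd).lower(), set()).add(loc.split("\\")[0])
    flagged = {}
    for path, locs in hives.items():
        reasons = []
        if any(d in path for d in USER_DATA_DIRS):
            reasons.append("runs from a per-user data folder")
        if {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"} <= locs:
            reasons.append("same program in both HKLM and HKCU Run")
        if reasons:
            flagged[path] = reasons
    return flagged
```

Feed `suspicious_autoruns` the text of a saved IceSword Startup log; anything it returns is a candidate to check, not a verdict, since legitimate updaters sometimes live in Application Data too.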

Re: bankerfox.a with no connectivity

Performing a "FULL SCAN" is expected to take 1.5 hours...... Thanks, will let you know the results as they are reported.

Re: bankerfox.a with no connectivity

Full scan doesn't find anything more than quick scan really, just System Restore and Quarantine folders.
