Another cry for help with JS:Banker-IC [Trj]

Hmm, this is the one area where information about how this element functions is sparser than the hair on a chihuahua

I will run a different approach

Download Complete Internet Repair to your desktop

Unzip all the files to their own folder on the desktop
Within the folder double click CIntRep
The programme will then run
Select all items
Press go
Select file to get the log
Post the log here

https://dl.dropbox.com/u/73555776/intrepall.JPG

Thanks for your persistence on this, file attached.

This is confirmed as not being a false positive as I have a case on another forum where OA is now detecting this

Is the alert still occurring?

Doh!

I’m afraid I am still getting the alerts :frowning:

Still working on this I haven’t forgotten you

Thanks essexboy, you’re a star!

OK, let's see if I can find a reference in the registry

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

[*]Double-click SystemLook.exe to run it.
[*]Copy the content of the following codebox into the main textfield:

:regfind
wpad.net.ms
wpad.dat
85.214.17.43

[*]Click the Look button to start the scan.
[*]When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks for persisting with this!

Thank you that gave me some data to check out… Back anon

I may have it, fingers crossed. Those Reg keys were known to have been inserted by malware

Mike, let's see how bad I messed this up. This is on my computer at home, not the one I posted about earlier. Downloaded Windows Media Player from the Windows Update site.

Downloaded InCtrl5, installed and played with it some.

Downloaded, installed and updated Tauscan.

Next I ran an up-to-date virus scan, came up clean. Ran Spybot and came up clean except for the WMP thing and the usual usage tracks which I had Spybot take care of. Ran Tauscan and came up clean. Took a picture of the system with InCtrl5 in two-phase mode.

Next I came here, clicked on the link in question, closed out the Lurkhere page, waited for the link in question and a MSN window it apparently opened to finish loading, closed out the MSN window and clicked on everything I could.

I got the same virus alert when I let them attempt to show me a picture in WMP but it didn’t work, probably because eTrust stopped it. I do have Java and Scripting enabled but almost nothing on the page seemed to work.

Closed everything out and ran the second part of InCtrl5, ran virus scan, clean, Ran Tauscan, came up clean. Ran Spybot, came up clean except for some usage tracks. Restarted the computer to see if Encoder Agent would show up, it didn’t.

Here is the InCtrl5 log of the changes made by the site:

Installation Report: (two-phase mode)
Generated by InCtrl5, version 1.0.0.0
Install program:
12/17/2002 10:27 PM


Registry


Keys ignored: 0

  • (none)

Keys added: 8

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Media\MimeTypes
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache\LAN
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Sources
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Media
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Media\WMSDK
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Media\WMSDK\Sources

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Reg [-HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache\LAN] [-HKEY_USERS\S-1-5-21-178807639-1017700611-2209763930-1000\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache\LAN]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

This one (several topics) has been a bit of a marathon.
I take it that this is a completely new infection method that we have found in a round about way (avast’s web shield alerting on malware, but not found on the system) ?

I take it that the malware that created these doesn’t hang around on the system ?

Nope, the downloader self deletes and if Webshield wasn’t on the case you wouldn’t even know it was there apart from starting to get redirected

So you are unlikely to see many of these in geek2go, yet another case of AV tests not reflecting real life use, as this would be unlikely to be found by conventional scan.

What is not well understood here, sometimes, is that some of these types of malware infestations are on the cutting edge, and thanks to the work of essexboy and others here, we are able to find a solution to these issues before anyone else does.

The fact that Avast! works as well as it does is a definite plus here.

I have seen one other outside these forums and that was an OA block that someone was querying …

Just makes you wonder what else might be going on in this way without avast blocking the remote content.

[*]Run OTL.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
wpad.dat
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

Scrub my last, I think I have found the common denominator

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.ms

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

After running the OTL fix please do the following

Go start > all programs > accessories
Right click the command prompt and enter the following two commands pressing enter between each

ipconfig /release
ipconfig /renew
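The fix above removes a planted DNS suffix (net.ms) so the client stops auto-discovering a proxy via wpad.net.ms. The following is an added example, not code from the thread or from OTL: a small audit in Python that shows which wpad hostnames a client would query for a given suffix and which proxies a served wpad.dat (PAC) would route traffic through. The devolution logic is a simplified model of Windows behaviour, the PAC text and the proxy address 192.0.2.10 are constructed, and the trusted suffix and proxy names are assumptions.

```python
import re

# Constructed sample wpad.dat of the kind a rogue wpad host could serve.
# 192.0.2.10 is a TEST-NET placeholder, not an address from the thread.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.bank.example")) { return "PROXY 192.0.2.10:8080; DIRECT"; }
    return "DIRECT";
}
"""


def wpad_candidates(dns_suffix):
    """Hostnames a client tries for WPAD by devolving the configured DNS suffix.
    Simplified model: 'corp.example.com' -> ['wpad.corp.example.com', 'wpad.example.com'];
    a planted suffix of 'net.ms' (as in the thread) yields only 'wpad.net.ms'."""
    labels = [l for l in dns_suffix.strip(".").lower().split(".") if l]
    # stop before the bare TLD, which is never queried on its own
    return ["wpad." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def proxy_hosts(pac_text):
    """Extract every host:port named in a PROXY directive of a PAC script."""
    return re.findall(r'PROXY\s+([^\s;"]+)', pac_text)


def audit(dns_suffix, trusted_suffixes, pac_text, trusted_proxies):
    """Return findings: an unexpected DNS suffix, and any PAC proxy not on the trusted list."""
    findings = []
    if dns_suffix.lower().rstrip(".") not in {s.lower() for s in trusted_suffixes}:
        findings.append("unexpected DNS suffix '%s'; client would query %s"
                        % (dns_suffix, wpad_candidates(dns_suffix)))
    for proxy in proxy_hosts(pac_text):
        if proxy not in trusted_proxies:
            findings.append("PAC routes traffic through untrusted proxy %s" % proxy)
    return findings


if __name__ == "__main__":
    # Assumed environment: the organisation owns corp.example.com and one proxy.
    for line in audit("net.ms", ["corp.example.com"], SAMPLE_PAC, {"proxy.corp.example.com:8080"}):
        print(line)
```

On a Windows host the suffix to feed in is the Domain value under HKLM\System\CCS\Services\Tcpip\Parameters that the fix above removes.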

Hi,

Sorry for not replying sooner, I went away for the weekend and forgot my laptop charger!

Logs attached!

Thanks as always