JS:Bankfraud-DE [Trj]

Hi

I keep getting a message from avast that a threat has been found (JS:Bankfraud-DE [Trj]). Although it states that no damage has occurred, it keeps showing and is very annoying.
I tried scanning but didn’t have success, everything went fine but the message keeps showing.
Is there anything I can do to remove it?

Thanks.

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

AdwCleaner v3.001 - Report created 01/09/2013 at 09:07:12

Updated 24/08/2013 by Xplode

Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)

Username : pharaohlxvi - TRICOLOR

Running from : C:\temp\adwcleaner.exe

Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\boost_interprocess

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Headlight

***** [ Browsers ] *****

-\ Internet Explorer v10.0.9200.16660

-\ Mozilla Firefox v23.0.1 (en-GB)

[ File : C:\Users\pharaohlxvi\AppData\Roaming\Mozilla\Firefox\Profiles\1sh0sbrh.default\prefs.js ]

[ File : C:\Users\Agatka\AppData\Roaming\Mozilla\Firefox\Profiles\lcrhtvv7.default\prefs.js ]

[ File : C:\Users\ABH-FabricioLeal\AppData\Roaming\Mozilla\Firefox\Profiles\v8ew43fo.default\prefs.js ]

-\ Google Chrome v29.0.1547.62

[ File : C:\Users\pharaohlxvi\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\Agatka\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\ABH-FabricioLeal\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [1424 octets] - [01/09/2013 09:05:56]
AdwCleaner[S0].txt - [1308 octets] - [01/09/2013 09:07:12]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1368 octets] ##########

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.01.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
pharaohlxvi :: TRICOLOR [administrator]

Protection: Enabled

01/09/2013 09:57:17
mbam-log-2013-09-01 (09-57-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 290261
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sbthost (Trojan.Agent.Gen) → Data: C:\Users\pharaohlxvi\AppData\Roaming\update.vbe → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\pharaohlxvi\AppData\Roaming\update.vbe (Trojan.Agent.Gen) → Quarantined and deleted successfully.

(end)

OTL logs attached.

aswMBR log attached.

Is that all you need? Please let me know if there’s anything missing. I appreciate your help.
Thanks a lot.

Essexboy has been notified, he or someone else will help you to clean this up.

When he needs something else he will give you instructions.

Are you still getting the alerts? If so, could you screenshot the Avast popup and attach it here please.

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Yes, still getting it.

Screenshot attached.

Thanks.

OK got it but I need to find the launch point

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
[2013/09/01 10:05:40 | 000,007,623 | ---- | M] () -- C:\Users\pharaohlxvi\AppData\Roaming\seta.vbe
[2013/08/08 10:17:15 | 000,007,623 | ---- | C] () -- C:\Users\pharaohlxvi\AppData\Roaming\seta.vbe

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

For 32bit systems, please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

For 64bit systems, download SystemLook from here.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

:regfind
seta.vbe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
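The launch point the helper is hunting for above is the classic pattern MBAM already reported once: an HKCU Run value (here `sbthost`) that starts a script dropped in the user's profile (`update.vbe`, later `seta.vbe`). The following read-only PowerShell check, added here as an illustration and not a tool from this thread, enumerates the common Run/RunOnce keys and flags entries that launch a script-host file or point into a user-writable location; the key list and patterns are my own choices.

```powershell
# Added example (not from the thread): list autorun registry values that launch
# a script or run from a user-writable path, the pattern seen in the MBAM log
# (HKCU\...\Run\sbthost -> C:\Users\<user>\AppData\Roaming\update.vbe).
# Read-only: it only reports. Run from an elevated PowerShell to see HKLM too.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Script-host file types and interpreters a .vbe/.js dropper relies on (assumed list)
$scriptPattern   = '\.(vbe|vbs|js|jse|wsf|wsh|hta|ps1)\b|\b(wscript|cscript|mshta|powershell)(\.exe)?\b'
# Locations a standard user can write to, where such droppers usually land (assumed list)
$userPathPattern = '\\AppData\\|\\Users\\[^\\]+\\|%APPDATA%|%TEMP%|%LOCALAPPDATA%|\\ProgramData\\'

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $cmd = [string]$prop.Value
            $launchesScript = $cmd -imatch $scriptPattern
            $fromUserPath   = $cmd -imatch $userPathPattern
            if (-not ($launchesScript -or $fromUserPath)) { continue }

            # First token of the command line: quoted path or first whitespace-free run
            $target = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } elseif ($cmd -match '^\s*(\S+)') { $Matches[1] } else { '' }
            $target = [Environment]::ExpandEnvironmentVariables($target)

            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                Script     = $launchesScript
                UserPath   = $fromUserPath
                # A missing file still matters: the value is re-created at logon by another launch point
                FileExists = (Test-Path -LiteralPath $target -ErrorAction SilentlyContinue)
            }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
```

An entry whose Script or UserPath column is True and whose FileExists is False after a cleanup is the signal that something else (a scheduled task, a service, a browser hijack) is re-dropping the file, which is why the helper keeps asking whether the alerts have ceased.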

otl log attached.

SystemLook log attached.

Have the alerts now ceased?

No, still getting them.

OK bigger hammer time

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Hi,

As far as I can see the messages are gone, but now when I open IE it keeps crashing and reopening. It shows a message about running DW20.exe, and no matter if I say yes or no it shows me an error message, crashes and reopens in a loop.
Please advise.
I attached the log.

Thanks for your help.

Actually when I let dw20.exe run it just restarts without a message and then asks me everything all over again.

Another thing I noticed (that was happening earlier actually) is that when I go to the page (http://edition.cnn.com/), it loads it and then forwards to one of our local banks main page. I don’t know if it happens with any other site, and it is not always that it happens, but surely most of the times. Also it only seems to happen with Google Chrome.

OK, DWE is a Windows reporting tool

Open an elevated command prompt :

Go Start > All Programmes > Accessories
Right click command prompt and select “run as administrator”
In the black box that opens type the following and press enter :

sfc /scannow

On completion reboot and try again