08-08-2007, 09:02 PM   #1
hanoihancock
Registered User
 
Join Date: Jun 2006
Posts: 14
OS: XP


PSW.Banker3.SXK Trojan Horse

Hi Tech Support Forum,

My AVG software was performing its daily scan and found the trojan horse PSW.Banker3.SXK. It immediately went into the Virus Vault, and thus far I've experienced no noticeable performance decrease or hijacking of browsers. I deleted the files from the Virus Vault. Still, I'd like to make sure my system is clean.

Note: although I believe I updated Windows as recently as a month ago, I am prevented from using the update site now...

Here are my Panda and HijackThis logs....

Deckard's System Scanner v20070807.62
Run by Paul Hancock on 2007-08-08 at 21:35:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
36: 2007-08-09 02:36:00 UTC - RP267 - Deckard's System Scanner Restore Point
35: 2007-08-09 01:58:57 UTC - RP266 - System Checkpoint
34: 2007-08-08 01:23:35 UTC - RP265 - System Checkpoint
33: 2007-08-07 01:08:40 UTC - RP264 - System Checkpoint
32: 2007-08-05 16:29:36 UTC - RP263 - System Checkpoint


-- First Restore Point --
1: 2007-06-28 12:07:56 UTC - RP232 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 10.22 GiB (less than 15%) free.


-- HijackThis (run as Paul Hancock.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:17 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Paul Hancock\Local Settings\Temporary Internet Files\Content.IE5\GLJF2BZ3\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Paul Hancock.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1162953281468
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5178 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 DigiFilter - c:\windows\system32\drivers\digifilt.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>
R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>
R1 NCPro - c:\windows\system32\drivers\mtictwl.sys <Not Verified; Samsung Electronics, Inc.; MagicTunePremium>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 dalwdmservice (dal service) - c:\windows\system32\drivers\dalwdm.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>
S3 MagicTune - c:\windows\system32\drivers\mtictwl.sys <Not Verified; Samsung Electronics, Inc.; MagicTunePremium>
S3 MBX2DFU - c:\windows\system32\drivers\mbx2dfu.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Digidesign Mbox 2>
S3 W8100PCI (D-Link AirPlus G Wireless Driver) - c:\windows\system32\drivers\mrv8k51.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DigiRefresh (Digidesign MME Refresh Service) - c:\program files\digidesign\drivers\mmerefresh.exe -s <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Digidesign MME Binder>
R2 MagicTuneEngine - c:\program files\magictune premium\magictuneengine.exe

S3 digiSPTIService - "c:\program files\digidesign\pro tools\digisptiservice.exe" <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools CD Ripping Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link AirPlus G DWL-G510 Wireless PCI Card
Device ID: PCI\VEN_11AB&DEV_1FA6&SUBSYS_3B091186&REV_07\3&267A616A&0&70
Manufacturer: D-Link
Name: D-Link AirPlus G DWL-G510 Wireless PCI Card
PNP Device ID: PCI\VEN_11AB&DEV_1FA6&SUBSYS_3B091186&REV_07\3&267A616A&0&70
Service: W8100PCI


-- Files created between 2007-07-08 and 2007-08-08 -----------------------------

2007-08-08 21:37:09 0 d-------- C:\Program Files\Trend Micro
2007-08-08 20:15:48 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-03 19:21:17 0 d-------- C:\Documents and Settings\Paul Hancock\Application Data\U3
2007-07-29 23:55:42 0 dr-h----- C:\$VAULT$.AVG
2007-07-23 19:00:53 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-07-23 18:59:19 0 d-------- C:\WINDOWS\SHELLNEW
2007-07-23 18:59:07 0 d-------- C:\Program Files\Microsoft.NET
2007-07-21 08:23:25 0 d-------- C:\Documents and Settings\Paul Hancock\Application Data\IGN_DLM
2007-07-21 08:23:22 0 d-------- C:\Program Files\IGN
2007-07-21 07:55:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2007-07-21 07:55:25 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-07-15 17:21:15 0 d-------- C:\Program Files\MagicTune Premium
2007-07-15 17:20:42 12544 --a------ C:\WINDOWS\system32\drivers\MTiCtwl.sys <Not Verified; Samsung Electronics, Inc.; MagicTunePremium>
2007-07-15 17:20:36 0 d-------- C:\Program Files\SEC


-- Find3M Report ---------------------------------------------------------------

2007-08-08 21:28:39 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000C-00001102-00000004-20021102}.dat
2007-08-08 21:28:39 384 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000C-00001102-00000004-20021102}.dat
2007-08-08 20:04:33 0 d-------- C:\Documents and Settings\Paul Hancock\Application Data\Azureus
2007-08-08 19:30:44 0 d-------- C:\Documents and Settings\Paul Hancock\Application Data\AVG7
2007-08-05 19:29:47 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-08-05 17:46:43 0 d-------- C:\Documents and Settings\Paul Hancock\Application Data\Digidesign
2007-08-05 16:40:31 32 --a------ C:\WINDOWS\system32\msvcsv60.dll
2007-08-05 16:40:31 32 --a------ C:\WINDOWS\msocreg32.dat
2007-08-02 17:44:03 0 d-------- C:\Documents and Settings\Paul Hancock\Application Data\Vso
2007-07-28 22:14:42 0 d-------- C:\Program Files\Azureus
2007-07-23 19:00:05 0 d-------- C:\Program Files\Common Files
2007-07-22 00:28:08 0 d-------- C:\Program Files\DivX
2007-07-15 17:21:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-26 21:05:46 0 d-------- C:\Program Files\Common Files\Adobe
2007-06-05 18:18:40 95 --a------ C:\AUTOEXEC.BAT
2007-05-22 18:03:31 7988 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 01:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [10/22/2006 01:22 PM C:\WINDOWS\system32\nvmctray.dll]
"CTHelper"="CTHELPER.EXE" [10/06/2003 01:57 AM C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [12/03/2002 07:06 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 02:00 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [03/10/2004 05:26 PM]
"Ptipbmf"="ptipbmf.dll" [06/20/2003 02:06 AM C:\WINDOWS\system32\ptipbmf.dll]
"PCLEPCI"="C:\PROGRA~1\Pinnacle\PPE\PPE.EXE" [02/03/2004 04:13 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [05/10/2007 06:09 PM]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [10/26/2005 01:21 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"Logitech Utility"="Logi_MwX.Exe" [11/07/2003 04:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [03/05/2007 01:57 PM]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2007-08-08 at 21:38:51 ---------


Panda ActiveScan

Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Paul Hancock\Application Data\Mozilla\Firefox\Profiles\zssrvbu0.default\cookies.txt[.com.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Paul Hancock\Application Data\Mozilla\Firefox\Profiles\zssrvbu0.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@atdmt[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@burstnet[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@fastclick[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@media.adrevolver[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@realmedia[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@target[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Paul Hancock\Cookies\paul_hancock@www.burstbeacon[1].txt
Attached file: extra.txt (17.3 KB)