First of all, thanks so much for helping me out.
I have a virus that I cannot find on my system. My bank will not let me log in to my account and warns me of identity theft if I do not remove my virus. The problem is I do not know what virus it is, and there is no sign of it on my system when I use it. Please help me remove this virus!
Thank you
Ka
DDS (Ver_10-03-17.01) - NTFSx86
Run by danny lo at 0:11:09.62 on 07/09/2010 Fri
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2038.1407 [GMT -6:00]
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: 360杀毒 *On-access scanning enabled* (Updated) {D737F2DE-FA43-4036-AF5B-911612E2D674}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\360\360sd\360rp.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\酷6网\极速酷6\Ku6SpeedUpper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\danny lo\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [极速酷6] "c:\program files\酷6网\极速酷6\Ku6SpeedUpper.exe" /start
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [360safeuninst] c:\docume~1\dannyl~1\locals~1\temp\REMOVE~1.BAT
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [RunNarrator] Narrator.exe
IE: &Search
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: 使用迅雷下载 - c:\program files\thunder network\thunder\program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\thunder network\thunder\program\getallurl.htm
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\thunder network\thunder\Thunder.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\jade mao\start menu\programs\accessories\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2375BEE5-F175-4F1C-81EC-8E4E2E72E2DD} - hxxp://imgcache.qq.com/qzone/client/photo/pages/QQPhotoDrawSetup.exe
DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - hxxps://accounting.quickbooks.com/c3/v16.579/qboax9.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167988779298
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://webmail.coloradonga.org/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Notification Packages = scecli c:\windows\system32\warejugo.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\dannyl~1\applic~1\mozilla\firefox\profiles\bq7ruih6.default\
FF - prefs.js: browser.startup.homepage - hxxp://i.g-fox.cn/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-27 218592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-12-27 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-12-27 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-12-27 233136]
R2 360rp;360 杀毒实时防护服务;c:\program files\360\360sd\360rp.exe [2010-3-31 914944]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-7-8 112592]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-7-8 366840]
R2 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-7-8 1142224]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-12-27 63360]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-12-27 33552]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
R4 360netmon;360netmon;\??\c:\windows\system32\drivers\360netmon.sys --> c:\windows\system32\drivers\360netmon.sys [?]
R4 qutmipc;qutmipc;\??\c:\windows\system32\drivers\qutmipc.sys --> c:\windows\system32\drivers\qutmipc.sys [?]
RUnknown 360SelfProtection;360SelfProtection; [x]
RUnknown BAPIDRV;BAPIDRV; [x]
RUnknown EfiMon;EfiMon; [x]
RUnknown HookPort;HookPort; [x]
RUnknown qutmdserv;qutmdserv; [x]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
SUnknown ZhuDongFangYu;ZhuDongFangYu; [x]
============== File Associations ===============
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
=============== Created Last 30 ================
2010-07-09 05:22:07 0 d-----w- c:\program files\Spyware Doctor
2010-07-09 05:22:07 0 d-----w- c:\docume~1\dannyl~1\applic~1\PC Tools
2010-07-09 05:18:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 05:18:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 05:18:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-09 05:17:24 0 d-----w- c:\docume~1\dannyl~1\applic~1\360SE
2010-06-28 12:07:14 170 ----a-w- c:\windows\system32\Ku6Kss.ini
2010-06-28 12:07:14 0 d-sh--w- C:\kvideo_cache
2010-06-28 12:06:50 0 d-----w- c:\program files\酷6网
2010-06-16 17:59:20 0 d-----w- c:\program files\PartyGaming
==================== Find3M ====================
2010-06-09 02:27:22 325232 ----a-w- c:\windows\system32\Ku6Kss.dll
2010-05-05 04:50:40 3600384 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-05-03 10:35:50 1859 ----a-w- c:\windows\system32\cid_store.dat
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 13:24:05 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-04-16 13:24:05 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-04-16 11:43:25 634656 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-05-17 00:10:54 88 --sh--r- c:\windows\system32\4647626C1F.sys
2009-05-17 00:11:04 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-15 21:43:31 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091520080916\index.dat
============= FINISH: 0:15:23.09 ===============