Help please regarding possible infection + other questions.


4 replies to this topic

#1 H0peless

    New Member

  • Members
  • 5 posts

Posted 08 December 2011 - 01:26 PM

Hi, hope it is alright to post in here. Please feel free to delete if this shouldn't be in here.


I have been a victim of bank fraud [identity as well maybe] recently and I am trying to find out the source. Getting information as to the exact source from my bank is very difficult and I have a feeling they may never tell me or even find out themselves. I understand this is happening to plenty of people so in the greater scheme of things I am pretty insignificant. I have been told to take my computer/s to a specialist and to have them all cleaned, but to be honest I don't have the money at the moment and I don't want to wipe [re-install] any computers I have used until I know how I was hacked [apart from the fact the thought fills me with dread if I have lost all my files etc., none of which are backed up - I'm a genius I know].

As my online banking was hacked it would seem a computer I used to log in would be an obvious source, although I'm not so sure. Even though it's logical to think it's from online there are plenty of other explanations; I would just like to try and discount as many of them as possible in some kind of method of elimination, whatever is left is the answer type thing etc.


Anyway. My friend recommended Malwarebytes so that was the first program I used. When I did a full scan it only found these 3 files to be infected:




Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8330

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

08/12/2011 01:31:52
mbam-log-2011-12-08 (01-31-40).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 259529
Time elapsed: 56 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000600002i\svchost.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000800002i\svchost.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000b00002i\rundll32.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\4000002c0600002i\photoshop.exe (Rootkit.Dropper) -> No action taken.




As I know almost nothing about computers my first reaction is, yep that's it, it's some kind of tracking trojan horse etc. But then what confused me is why it was in the weird location of c:\$RECYCLE.BIN and why one of them is photoshop.exe. I have tried to google but I can't seem to find whether malware can operate from this location.

I should note that:

I have a deleted Photoshop C3S portable folder in my recycle bin.

I informed my friend whom I got this from [but it didn't work because of operating system issues maybe] and he has run Malwarebytes and got similar results except in a different location [my documents I think] and only 3 files, but nothing else like mine.


He told me to run Spybot S&D and see what it finds as well. Sorry if I shouldn't have said that but I'm kind of desperate at the moment. What is weird is it seems to have found loads of stuff:




Search results from Spybot - Search & Destroy

08/12/2011 02:06:10
Scan took 00:24:05.

Babylon.Toolbar: [SBI $554A5FF0] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore

Babylon.Toolbar: [SBI $554A5FF0] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1

Babylon.Toolbar: [SBI $554A5FF0] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}

Babylon.Toolbar: [SBI $554A5FF0] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1

Babylon.Toolbar: [SBI $554A5FF0] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}

Babylon.Toolbar: [SBI $554A5FF0] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore

Babylon.Toolbar: [SBI $86348D5E] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Babylon.dskBnd

Babylon.Toolbar: [SBI $86348D5E] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1

Babylon.Toolbar: [SBI $86348D5E] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}

Babylon.Toolbar: [SBI $86348D5E] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Babylon.dskBnd.1

Babylon.Toolbar: [SBI $86348D5E] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}

Babylon.Toolbar: [SBI $86348D5E] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Babylon.dskBnd

Babylon.Toolbar: [SBI $F75ED516] IE toolbar (Registry Value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{98889811-442D-49dd-99D7-DC866BE87DBC}

Babylon.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane

Babylon.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1

Babylon.Toolbar: [SBI $07586C96] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}

Babylon.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1

Babylon.Toolbar: [SBI $07586C96] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}

Babylon.Toolbar: [SBI $07586C96] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane

Babylon.Toolbar: [SBI $B04483F7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr

Babylon.Toolbar: [SBI $B04483F7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1

Babylon.Toolbar: [SBI $B04483F7] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}

Babylon.Toolbar: [SBI $B04483F7] Browser helper object (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}

Babylon.Toolbar: [SBI $B04483F7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1

Babylon.Toolbar: [SBI $B04483F7] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}

Babylon.Toolbar: [SBI $B04483F7] Browser helper object (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}

Babylon.Toolbar: [SBI $B04483F7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr

Babylon.Toolbar: [SBI $52C6ABB7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc

Babylon.Toolbar: [SBI $52C6ABB7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc.1

Babylon.Toolbar: [SBI $52C6ABB7] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}

Babylon.Toolbar: [SBI $52C6ABB7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc.1

Babylon.Toolbar: [SBI $52C6ABB7] Class ID (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}

Babylon.Toolbar: [SBI $52C6ABB7] Root class (Registry Key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.BabylonESrvc

DoubleClick: [SBI $7F76510F] Tracking cookie (Firefox: Charmaine (default)) (Browser: Cookie, nothing done)


Log: [SBI $7F76510F] Install: setupact.log (File, nothing done)
C:\Windows\setupact.log
Properties.size=47261
Properties.md5=1328DC4A7D71CF897F599AC41F6C7365
Properties.filedate=1323271180
Properties.filedatetext=2011-12-07 15:19:40

Log: [SBI $7F76510F] Install: DtcInstall.log (File, nothing done)
C:\Windows\DtcInstall.log
Properties.size=2790
Properties.md5=26B91E0E7E8FDC29A64DD08089316F07
Properties.filedate=1292957106
Properties.filedatetext=2010-12-21 18:45:06

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

MS Wordpad: [SBI $4C02334D] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

Windows Explorer: [SBI $AA0766B5] Stream history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

WinRAR: [SBI $0B56E92B] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\WinRAR\ArcHistory

WinRAR: [SBI $B84F9965] Last used directory (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-4054292811-2639179496-1958547070-1000\Software\WinRAR\General\LastFolder

Cookie: [SBI $49804B54] Browser: Cookie (5) (Browser: Cookie, nothing done)


Cache: [SBI $49804B54] Browser: Cache (134) (Browser: Cache, nothing done)


History: [SBI $49804B54] Browser: History (3) (Browser: History, nothing done)


Cookie: [SBI $49804B54] Browser: Cookie (49) (Browser: Cookie, nothing done)






I know Malwarebytes is supposed to be good and my friend said it is better than Spybot so I guess that explains the difference between the two and why Spybot seems to have found so much. Would I be right to presume nothing Spybot has found is serious? I will post on their forums, if they have any, and see what they say.


I should also say that I did have problems with pop ups on Internet Explorer a few months ago and I got my friend to wipe it all, or I thought I had, and I remember the Babylon toolbar. I thought it was all gone but obviously either it's still there or Spybot has just found some kind of insignificant remnants etc. I know I should have wiped my computer really and it wasn't very intelligent to continue using it and even go on online banking etc. but I thought it was all gone and the computer seemed to be running quite well. Also I have even had Avira Antivirus running in the background since then even though I think you're not supposed to as it makes the computer run slower.


Sorry for rambling, I'm just panicking a bit.


I'm grateful for any help anyone can give me.

Cheers.
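A triage pass over the Malwarebytes log quoted above, added here as an example (not code from the post or from Malwarebytes itself): it parses the "Files Infected" section, labels where each hit lives, and flags that every item sits under $RECYCLE.BIN (a deleted file, so evidence of a dropper that was on the machine rather than a component that is currently running) and that none has been remediated yet. The log text is embedded as a constructed constant and the location categories are my own labels.

```python
import re

# Constructed sample: the summary line and the "Files Infected" section quoted
# in the post above (four detections, all still marked "No action taken").
MBAM_LOG = r"""
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000600002i\svchost.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000800002i\svchost.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\1000000b00002i\rundll32.exe (Rootkit.Dropper) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-4054292811-2639179496-1958547070-1000\$RTSR0FK\CSDATA\4000002c0600002i\photoshop.exe (Rootkit.Dropper) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<category>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary counts, detections) from an MBAM 1.x text log."""
    summary, detections, category = {}, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := SUMMARY_RE.match(line):
            summary[m["category"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            category = m["category"]
        elif category and (m := ITEM_RE.match(line)):
            detections.append({"category": category, **m.groupdict()})
    return summary, detections


def classify_location(path):
    """A file under $RECYCLE.BIN is already deleted: it cannot run unless
    restored, so it is evidence of a past infection, not an active one."""
    p = path.lower().replace("/", "\\")
    if "\\$recycle.bin\\" in p:
        return "recycle_bin"
    if p.startswith("c:\\windows\\"):
        return "system"
    return "user_profile" if p.startswith("c:\\users\\") else "other"


def triage(text):
    """Triage rows plus a check that the summary count matches the listed items."""
    summary, detections = parse_mbam_log(text)
    rows = [{"file": d["path"].rsplit("\\", 1)[-1],
             "name": d["name"],
             "location": classify_location(d["path"]),
             "remediated": d["action"].lower() != "no action taken"}
            for d in detections]
    return rows, summary.get("Files Infected") == len(rows)
```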

#2 Firefox

    Forum Deity

  • Trusted Advisors
  • 10,041 posts
  • Gender:Male
  • Location:USA

Posted 08 December 2011 - 02:20 PM

Hello and welcome to Malwarebytes

First off, I am sorry that you are having problems and that perhaps your identity has been stolen, I know it must be frustrating. That being said, I know the experts here in this forum can help you with finding out for sure if you are indeed infected and will help you get your computer clean, and all this for FREE, you just have to be patient. Just follow my instructions below to get started.

If you think you are infected, here are the steps needed to get your computer cleaned.
Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support
OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the
Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the directions here, skipping any steps you are unable to complete.
  • After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification,
    so that you're alerted when someone has replied to your post.


NOTE: Please do not post back to (bump) your topic within the first 48 hours.
Replying to your own posts changes the post count and helpers are looking for topics with zero replies.
If you reply to your own post helpers may think that you're already being helped and thus overlook your post.
  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
    Or
  • You may send a Private Message to a Moderator asking for assistance.


OPTION 2

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here.



OPTION 3

If you would like to use our Malwarebytes Premium Services (comprehensive solutions to all your computer support needs, from installation and set-up to troubleshooting and tune-ups), go to our Malwarebytes Premium Services support site.


Please be patient, someone will assist you as soon as possible.



PS: Please use the "Add Reply" button, not the Reply button, when you start replying.


Dell Precision T7500, Win7 Ultimate 64bit fully updated, McAfee Corp Edition v8.8,
Watchguard Firewall, Intel Xeon E5606CPU, Dual Quad Core Processors, 16GB Ram,
E5606 @ 2.13GHz, Nvidia Quadro NVS420, Raid-1 Dual 1TB Sata 10000 rpm Hard Drives
Dual DVD Burners, IE10, Opera, MBAM, MBSB, MBAE


#3 daledoc1

    Forum Deity

  • Spam Hunters
  • 11,934 posts
  • Gender:Not Telling

Posted 08 December 2011 - 02:21 PM

Hi, H0peless:

EDIT: OOPS! It looks as if Firefox beat me to it. FWIW, the OP does already have an open topic in the malware section. :)

It looks as if you already have an open topic in the malware removal section?
We don't work on malware issues or review logs in this particular section.
Moreover, as it would be confusing to work on one computer in 2 different places, please stay with your other topic.
An authorized, trained malware expert will assist you there as soon as one becomes available.

If you are having different issues on a different computer that are NOT related to infection, but that have something to do with issues relating to installing or running MBAM, then please try to explain them a bit more clearly in your next post here, so that someone can better assist you.

If the other issues on the other computer are NOT related either to MBAM program problems or to infection, then it might be a good idea to start a fresh topic in the PC Help forum.
Please be sure you mention that you are describing problems about a different computer from the one being discussed in your malware removal topic.

Thanks very much for your patience,

daledoc1

Just a home user & forum volunteer
DT1: Win7/Ult/64 SP1; Intel Core i7-3770 @3.4 GHz; 16 GB RAM; NVidia GeForce GT620; IE9; Fx; TB; Cable HSI; MBAM PRO 1.75.0.1300; KIS2014; SAS Free; CCleaner
DT2: Win7 Ult/64 SP1; Intel Core i7-860 @2.8 GHz; 8 GB RAM; ATI Radeon HD 5770; IE 9, Fx; TB; Cable HSI; MBAM PRO 1.75.0.1300; KIS2014; SAS Free; CCleaner.
LT: Win7 Pro/64 SP1; Intel Core i7-3632 cached @3.2 GHz; 16 GB RAM; NVidia GeForce GT640M; IE 10; Fx; TB; WLAN; MBAM PRO 1.75.0.1300; Sophos ES 10.3; SAS Free; CCleaner.


#4 Firefox

    Forum Deity

  • Trusted Advisors
  • 10,041 posts
  • Gender:Male
  • Location:USA

Posted 08 December 2011 - 02:24 PM

Thanks daledoc1, I had not checked.



#5 H0peless

    New Member

  • Members
  • 5 posts

Posted 08 December 2011 - 03:08 PM

Hi, OK, sorry for any trouble, please feel free to delete this topic. I'm not really thinking straight at the moment. Cheers.



