Crimpergirl
Social climber
Boulder, Colorado!
Topic Author's Original Post - Jan 22, 2009 - 08:38pm PT
Never heard of it. Sitting here doing nothing and WHAM one of our machines is gasping, dying. What do I do???
thedogfather
climber
Midwest
Jan 22, 2009 - 08:47pm PT
Crimpie, did you install a firefox add-on recently? How do you know it is the one you have (note the last set of info below)? Here is the scoop on that virus:
Banker.LAX is designed to steal bank details. To do this, it drops a library on targeted computers passing itself off as a legitimate Firefox plug-in. Then, if the user accesses the website of their bank, the malicious code will capture all the information entered. The malware creator will then use this information to empty the users' accounts. This malware can steal passwords from more than one hundred banking institutions.
Visible Symptoms
BankerFox.A is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.
noshoesnoshirt
climber
I don't even know anymore
Jan 22, 2009 - 08:57pm PT
isolate from network and reformat
Crimpergirl
Social climber
Boulder, Colorado!
Topic Author's Reply - Jan 22, 2009 - 09:17pm PT
A little window came up as McAfee was breathing its last breath that said "threat bankerfox.a" or something like that. Firefox was installed on this machine about 4 months ago. Haven't done anything since with Firefox or any software. Weird.
It jacked with the registry. Disabled access to the internet (Firefox and IE won't work). And it killed the virus software.
I restarted in safe mode and disabled everything on the startup menu. Still it made itself known. It keeps popping up the Microsoft-looking "this machine may be at risk" note, but it is full of typos and grammatical errors. Didn't dare touch it.
Weird thing is that this machine is NEVER used for banking stuff at all.
I managed to download Norton on another machine and tried to install it. No go. It gets in a loop.
Now I've gone to www.trendmicro.com and am making a free housecall. It stopped it about three times, but now it seems like it is letting the site scan the computer.
Maybe this will work???
thedogfather
climber
Midwest
Jan 22, 2009 - 09:28pm PT
Crimpie, anytime I have odd stuff happening on my machine I restore the system to several days previously. On XP there is an option on the Start menu for Help. One of the options on that menu is usually System Restore and it allows you to pick the day you want to restore to.
The virus targets your banking but did not get there from accessing a bank. The info on it says it gets there normally from a fake McDonald's email message.
Crimpergirl
Social climber
Boulder, Colorado!
Topic Author's Reply - Jan 22, 2009 - 09:43pm PT
Fake McDonald's message? Weird! We'll see if we can do a restore...
thanks much!
Crimpergirl
Social climber
Boulder, Colorado!
Topic Author's Reply - Jan 22, 2009 - 09:52pm PT
Happily, it is not a network machine... just one here at the house. Still distressing nonetheless! I'm trying a restore now. While wiping it clean sounds good, it's soooo painful! I'd love to hear what each has to say about this too. While this is not fun, it is certainly informative...
noshoesnoshirt
climber
I don't even know anymore
Jan 22, 2009 - 09:54pm PT
Skip,
Good points.
The system restore may well do the trick, but it may not... and you could have a lurking problem sending your data to some dooshbag.
If critical data was backed up (prior to the problem - this is an important distinction*), I'd always go for a full reformat.
* A trojan can hide in data files backed up after the initial infection
nature
climber
Tucson, AZ
Jan 22, 2009 - 09:58pm PT
reboot and install linux.
Crimpergirl
Social climber
Boulder, Colorado!
Topic Author's Reply - Jan 22, 2009 - 09:59pm PT
First attempt at system restore failed. BLARRRGGGHHH.
Second attempt at a week earlier failed. SUPER BLARRRGGHHHHSSHS!
This isn't fair! This is not a naughty machine!!! I have a CLEAN machine in my home. :)
BTW, the "home call" on trend micro appears to have done some nice cleaning, but obviously something rotten remains.
noshoesnoshirt
climber
I don't even know anymore
Jan 22, 2009 - 10:11pm PT
Nah, I'm merely an amateur geek.
WBraun
climber
Jan 22, 2009 - 10:13pm PT
DO NOT USE SYSTEM RESTORE.
The virus will be in there. You need the best tools, and UnHackMe is one of them, but it takes great skill to know how to use it correctly.
This is not a simple eradication job by using a few mouse clicks.
I've dealt with these types before and it took me hours to fix.
Sometimes a complete reformat and reinstall is easier.
thedogfather
climber
Midwest
Jan 22, 2009 - 10:20pm PT
Crimpie, I was giving you advice that has worked for me in the past when I had strange things suddenly happen on my machine, especially since it could save you the full restore. But, I certainly would defer to the more system savvy of the group since I am more of a software developer than a system guy.
BrassNuts
Trad climber
Boulder Colorado
Jan 22, 2009 - 10:25pm PT
Crimpie here on Brass' machine...
All of the comments are helpful. I'm just shocked that Hardman Knott hasn't posted about how I should throw this machine away and buy an Apple. :)
Have you guys seen this virus/worm much before? I didn't see much about it online making me wonder if it's not a new one or something...
BrassNuts
Trad climber
Boulder Colorado
Jan 22, 2009 - 10:29pm PT
Thanks Werner -
It'll take a second... hold on...
Dr.Sprock
Boulder climber
Sprocketville
Jan 22, 2009 - 10:34pm PT
See if you can get into DOS mode.
If you can, you can copy files, like Bookmark.bak, Programs, etc., before you reinstall the OS.
You could try and reinstall over the crippled OS, get your important info, and then reformat.
But I would wipe that hard drive, one way or another.
Go to Circuit City. They are having a sale.
Or install Windows 98. That is what I use, nobody writes hack stuff for 98 anymore.
Kind of like Firewall by Retro.
BrassNuts
Trad climber
Boulder Colorado
Jan 22, 2009 - 10:35pm PT
Crimper here again:
WBraun
climber
Jan 22, 2009 - 10:39pm PT
hgfdge4unjdfdg.dll, this is the one.
I'll be back in a minute with more instructions.
Here's how it runs:
SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgfdge4unjdfdg.dll
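The line above is the shape a HijackThis-style log uses for an entry under the Explorer SharedTaskScheduler registry key (description, CLSID, DLL path). As an added example, not from this thread or any poster, here is a small Python triage helper (assumed names parse_sts, looks_random, triage, triage_log) that parses such lines and flags names that look machine-generated; the second sample line is constructed here to show what a benign-looking entry passes as.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log: line 1 is the entry quoted in the thread, line 2 is a
# constructed benign-looking entry so the heuristic has something to pass.
SAMPLE_LOG = """\
SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\\WINDOWS\\system32\\hgfdge4unjdfdg.dll
SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00C04FB6BCDC} - C:\\WINDOWS\\system32\\browseui.dll
"""

# Line shape: "SharedTaskScheduler: <description> - {<CLSID>} - <dll path>"
STS_RE = re.compile(
    r"^SharedTaskScheduler:\s*(?P<desc>.+?)\s+-\s+"
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\s+-\s+"
    r"(?P<path>\S.*?)\s*$"
)

def parse_sts(line):
    """Return (description, clsid, dll_path) for one entry, or None if the line doesn't match."""
    m = STS_RE.match(line.strip())
    if not m:
        return None
    return m.group("desc"), m.group("clsid").upper(), m.group("path")

def looks_random(text):
    """Crude heuristic: generated filler names have few vowels and mix in digits."""
    letters = [c for c in text.lower() if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.25 or any(c.isdigit() for c in text)

def triage(line):
    """List the reasons an entry deserves a closer look; an empty list means nothing odd."""
    parsed = parse_sts(line)
    if parsed is None:
        return ["unparseable line"]
    desc, _clsid, path = parsed
    reasons = []
    if looks_random(desc):
        reasons.append("description looks machine-generated")
    if looks_random(PureWindowsPath(path).stem):
        reasons.append("DLL name looks machine-generated")
    return reasons

def triage_log(log_text):
    """Map each non-empty log line to its triage reasons."""
    return {line: triage(line) for line in log_text.splitlines() if line.strip()}

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(("SUSPECT " if reasons else "ok      ") + line, reasons)
```

A flagged entry is only a lead: confirm the DLL against a known-good inventory or a scanner before deciding, since the heuristic is name-based and will miss a dropper that picks a plausible name.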
WBraun
climber
Jan 22, 2009 - 10:42pm PT
Google it: hgfdge4unjdfdg.dll
SuperTopo on the Web