Spyware.Banker Detected in MBAM Scan

  #31
14th Apr 2009, 18:52
Member Group

FML. Tried re-installing several times, and kept getting this. I have excellent luck.
  #32
14th Apr 2009, 19:06
Moderator Group

Please download RegQuery by Noviciate to your desktop
  • Copy the following registry keypath.
Code:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
  • Double click RegQuery.exe to run the program
  • Paste the text you have copied, using CTRL and V, into the textbox
  • Click the Query button
  • A Notepad file will open. Please paste the contents in your next reply
  • You may now close the RegQuery program

  #33
14th Apr 2009, 19:35
Member Group

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="serwvdrv.dll"
"wave1"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave2"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave3"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux1"="wdmaud.drv"
"wave4"="wdmaud.drv"
"midi3"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"aux2"="wdmaud.drv"
"vidc.DIVX"="DivX.dll"
"vidc.yv12"="DivX.dll"
"wave5"="wdmaud.drv"
"midi4"="wdmaud.drv"
"mixer4"="wdmaud.drv"
"aux3"="wdmaud.drv"
"msacm.vorbis"="vorbis.acm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"
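The drivers32 key the moderator asks for in post #32 lists the audio and video codec modules Windows loads, and RegQuery simply exports that key so a helper can look it over for a module that does not belong. As an added illustration, not part of the thread and not RegQuery's own code, the following Python script parses a Regedit 5.00 export like the one pasted above and surfaces drivers32 values worth a second look: a full path instead of a bare module name, an extension other than .dll/.drv/.acm/.ax, or stray whitespace. Only the string and dword value types that appear in the posted export are handled (an assumption noted in the code). The sample export is a constructed subset of the one posted; the two full-path entries it reports (iac25_32.ax and l3codeca.acm) are common codec installs, the Indeo audio and Fraunhofer MP3 codecs, and the moderator did not act on them either, so the output is a review list, not a verdict.

```python
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int]

REG_HEADER = "Windows Registry Editor Version 5.00"
DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
# drivers32 normally holds bare module names with one of these extensions
EXPECTED_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}

KEY_RE = re.compile(r"^\[(?P<path>.+)\]$")
# Assumption: only the string and dword value types seen in the posted export are handled.
STRING_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"="(?P<value>(?:[^"\\]|\\.)*)"$')
DWORD_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"=dword:(?P<value>[0-9A-Fa-f]{1,8})$')


def _unescape(s: str) -> str:
    # .reg files escape a backslash and a double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a Regedit 5.00 export into {key path: {value name: value}}."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == REG_HEADER or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("path")
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value line before any key: {line!r}")
        m = DWORD_RE.match(line)
        if m:
            keys[current][_unescape(m.group("name"))] = int(m.group("value"), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("value"))
            continue
        raise ValueError(f"unsupported line: {line!r}")
    return keys


def review_drivers32(values: Dict[str, RegValue]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, value, reasons) for string values that deviate from the usual shape."""
    findings = []
    for name, value in values.items():
        if not isinstance(value, str):
            continue  # dword values such as MaxBandwidth are not module names
        reasons = []
        module = value.strip()
        if module != value:
            reasons.append("leading or trailing whitespace in value")
        if "\\" in module or "/" in module:
            reasons.append("full path instead of a bare module name")
        base = module.replace("/", "\\").rsplit("\\", 1)[-1]
        ext = base[base.rfind("."):].lower() if "." in base else ""
        if ext not in EXPECTED_EXTENSIONS:
            reasons.append(f"unexpected extension {ext or '(none)'}")
        if reasons:
            findings.append((name, value, reasons))
    return findings


def review_export(text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse an export and review its drivers32 key (key path compared case-insensitively)."""
    for path, values in parse_reg_export(text).items():
        if path.lower() == DRIVERS32_KEY.lower():
            return review_drivers32(values)
    raise KeyError("drivers32 key not present in export")


# Constructed subset of the export pasted in the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.msadpcm"="msadp32.acm"
"vidc.cvid"="iccvid.dll"
"wavemapper"="msacm32.drv"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="serwvdrv.dll"
"vidc.DIVX"="DivX.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"EnableMP3Codec"=dword:00000001
'''

if __name__ == "__main__":
    for name, value, reasons in review_export(SAMPLE_EXPORT):
        print(f"{name} = {value}")
        for reason in reasons:
            print(f"    - {reason}")
```

The heuristics deliberately err on the side of reporting: a full path is unusual in this key but not wrong in itself, so every hit still needs a human to confirm what the module is before anything is changed.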
  #34
14th Apr 2009, 19:56
Moderator Group

You are restarting the computer after Malwarebytes is finished right?

  #35
14th Apr 2009, 20:00
Member Group

For the most recent scan, I wanted to get the log in before I restarted. When MBAM prompted to restart, I came and posted the log first then proceeded to restart. I just was not sure if the log would still be there if I restarted.
  #36
14th Apr 2009, 20:10
Moderator Group

OK run a new scan with the updated version and see if it is still there.

  #37
14th Apr 2009, 20:11
Member Group

No malicious items were found.
  #38
14th Apr 2009, 20:20
Moderator Group

OK that is good then. I've seen MBAM do that when not updated and I'm not sure why. Updating clears it up though.

Now for the errors.

Have your XP CD ready. You might need it. If you don't have it then run this anyway.

  • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
    • Let this run undisturbed until the window with the blue progress bar goes away
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

  #39
17th Apr 2009, 19:39
Member Group

Just ran the last step; sorry I have had much work to do. I also ran another MBAM scan and got this. I'm so confused as to why it would be there.

Malwarebytes' Anti-Malware 1.36
Database version: 1983
Windows 5.1.2600 Service Pack 3

4/17/2009 9:47:03 PM
mbam-log-2009-04-17 (21-47-03).txt

Scan type: Quick Scan
Objects scanned: 84329
Time elapsed: 8 minute(s), 59 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
C:\WINDOWS\system32\lodupgd.jpg (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{967b15bc-c0b0-4a69-bfe3-2cdcd20adce4} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1c1ebef0-37cf-4408-b494-f6c000fd6ed7} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{339949fb-4a8c-4aa3-bd04-8b888d9a642a} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf3e4737-a002-49ce-8e07-3460cb177a28} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b42bf63c-5354-4c5c-a789-66efeec5e1b0} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b42bf63c-5354-4c5c-a789-66efeec5e1b0} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b42bf63c-5354-4c5c-a789-66efeec5e1b0} (Spyware.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\lodupgd.jpg (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv041239980166.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AcroIEHelpe.dll (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AcroIEHelpe1.dll (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
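Post #34 asks whether the machine was restarted, and the log above shows why that matters: every item marked "Delete on reboot" is still on disk until the restart completes, so a scan taken before the reboot can find it again. As an added example, not part of the thread and not Malwarebytes' own code, this Python script parses an MBAM log in the format posted above, checks the header counts against the items actually listed, groups detections by family, lists everything still pending a reboot, and pulls the extra entry out of the Winlogon\Userinit "Bad:/Good:" comparison. The line shape it assumes (target, family in parentheses, then one or more " -> " segments ending in the action) is taken from the posted log; the sample log is a constructed subset of that post.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class Detection(NamedTuple):
    section: str            # e.g. "Files Infected"
    target: str             # file, process or registry location
    category: str           # MBAM family label, e.g. "Spyware.Banker"
    detail: Optional[str]   # middle segment(s): "Data: ..." or "Bad: (...) Good: (...)"
    action: str             # what MBAM did, e.g. "Delete on reboot"


# "Files Infected: 7" is a summary line; "Files Infected:" opens a section
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# Assumed line shape: "<target> (<category>) -> [<detail> -> ]<action>."
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<category>[A-Za-z0-9._]+)\) -> (?P<rest>.+?)\.?$")
HIJACK_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
PENDING_ACTION = "Delete on reboot"


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (header counts per section, detections listed under each section)."""
    summary: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("section")] = int(m.group("count"))
            else:
                section = m.group("section")
            continue
        if section is None:
            continue  # version, date and scan-type lines precede the first section
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised detection line: {line!r}")
        segments = m.group("rest").split(" -> ")
        detections.append(Detection(section, m.group("target"), m.group("category"),
                                    " -> ".join(segments[:-1]) or None, segments[-1]))
    return summary, detections


def pending_reboot(detections: List[Detection]) -> List[Detection]:
    """Items MBAM could not remove while running; they stay until the restart."""
    return [d for d in detections if d.action == PENDING_ACTION]


def category_counts(detections: List[Detection]) -> Counter:
    return Counter(d.category for d in detections)


def summary_mismatches(summary: Dict[str, int], detections: List[Detection]) -> Dict[str, Tuple[int, int]]:
    """Sections whose header count differs from the items listed: {section: (claimed, listed)}."""
    listed = Counter(d.section for d in detections)
    return {s: (n, listed[s]) for s, n in summary.items() if listed[s] != n}


def userinit_additions(detections: List[Detection]) -> List[str]:
    """Entries in a Bad: list whose file name does not appear in the Good: list."""
    extra = []
    for d in detections:
        m = HIJACK_RE.search(d.detail or "")
        if not m:
            continue
        good = {p.strip().lower() for p in m.group("good").split(",") if p.strip()}
        for p in m.group("bad").split(","):
            p = p.strip()
            if p and p.rsplit("\\", 1)[-1].lower() not in good:
                extra.append(p)
    return extra


# Constructed subset of the log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1983

Scan type: Quick Scan

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\lodupgd.jpg (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\AcroIEHelpe.dll (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

if __name__ == "__main__":
    summary, found = parse_mbam_log(SAMPLE_LOG)
    print("families:", dict(category_counts(found)))
    print("header/list mismatches:", summary_mismatches(summary, found))
    print("still pending a reboot:", [d.target for d in pending_reboot(found)])
    print("added to Userinit:", userinit_additions(found))
```

Run against a real log, the pending list is the part to read first: if it is not empty, the next scan should only be trusted after a restart, which is exactly the question the moderator asked.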
  #40
17th Apr 2009, 19:43
Moderator Group

OK try checking for updates again and then run a new scan to see if it comes back again.
Copyright ©2006 - 2009 Computer Juice.