Spyware.Banker Detected in MBAM Scan

**evilfantasy** · #51 20th Apr 2009, 18:32

Scan with Panda ActiveScan 2.0

This scanner requires Internet Explorer

Once you are on the Panda site click the Scan your PC now button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Select the appropriate Yes or No to receiving marketing information
Click the Free Online Scan button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report in your next reply.

**SevenYears** · #52 21st Apr 2009, 03:11

;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-04-21 06:11:03
PROTECTIONS: 0
MALWARE: 1
SUSPECTS: 1
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP833\A0189656.sys
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location V
;================================================= ================================================== ================================================== ==============================
No C:\WINDOWS\system32\wbem\grpconv.exe V
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description V
;================================================= ================================================== ================================================== ==============================
;================================================= ================================================== ================================================== ==============================

**evilfantasy** · #53 21st Apr 2009, 14:34

Please go to VirSCAN.org FREE on-line scan service
(If more than one file needs scanned they must be done separately and logs posted for each one)

1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

Code:

C:\WINDOWS\system32\wbem\grpconv.exe

2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Click on the Upload button.
This will perform a scan across multiple different virus scanning engines.
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
Important: Wait for all of the scanning engines to complete.
5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
6. Paste the contents of the Clipboard in your next reply.

**SevenYears** · #54 21st Apr 2009, 15:02

How in the world do I view the clipboard? I'm using firefox.

**evilfantasy** · #55 21st Apr 2009, 15:04

You just copy the file path and it is saved to the clipboard. You can't actually view it normally.

Or you can click Browse at VirScan and locate the file like that.

**SevenYears** · #56 21st Apr 2009, 15:08

Sooooo I'm just pasting this?

C:\WINDOWS\system32\wbem\grpconv.exe

**evilfantasy** · #57 21st Apr 2009, 15:10

Yes thats it.

**SevenYears** · #58 21st Apr 2009, 15:13

Bleh, I'm so lost. So that is all you needed for the step or is there something additional that I need to do?

**evilfantasy** · #59 21st Apr 2009, 15:22

I just need the scan results for that file.

Just copy it then go to Virscan.org. Click once in the window next to Browse then on your keyboard press ctrl and V both at the same time and you will see the file path being pasted. Then press Enter on your keyboard.

**SevenYears** · #60 21st Apr 2009, 15:33

Scanner

Engine Ver Sig Ver Sig Date Scan result Time a-squared 4.0.0.32 20090422050124 2009-04-22 Trojan.Waledac!IK
2.542 AhnLab V3 2009.04.22.00 2009.04.22 2009-04-22 -
0.630 AntiVir 7.9.0.148 7.1.3.86 2009-04-21 TR/Waledac.22016.1
2.026 Antiy 2.0.18 20090421.2315191 2009-04-21 -
0.120 Arcavir 2009 200904211745 2009-04-21 -
0.029 Authentium 5.1.1 200904211722 2009-04-21 -
1.103 AVAST! 3.0.1 090421-0 2009-04-21 -
0.005 AVG 7.5.52.442 270.12.2/2072 2009-04-21 -
2.011 BitDefender 7.81008.2849578 7.24925 2009-04-22 Trojan.Waledac.Gen.1
2.625 CA (VET) 9.0.0.143 31.6.6466 2009-04-21 -
7.653 ClamAV 0.95 9267 2009-04-21 -
0.010 Comodo 3.8 1124 2009-04-21 TrojWare.Win32.Trojan.Agent.Gen
1.272 CP Secure 1.1.0.715 2009.04.22 2009-04-22 -
8.375 Dr.Web 4.44.0.9170 2009.04.21 2009-04-21 -
4.406 F-Prot 4.4.4.56 20090421 2009-04-21 -
1.102 F-Secure 5.51.6100 2009.04.21.09 2009-04-21 -
5.222 Fortinet 2.81-3.117 10.306 2009-04-21 -
0.183 GData 19.4782/19.306 20090421 2009-04-21 -
3.834 Ikarus T3.1.01.49 2009.04.21.72612 2009-04-21 Trojan.Waledac
2.688 JiangMin 11.0.706 2009.04.20 2009-04-20 -
3.095 Kaspersky 5.5.10 2009.04.21 2009-04-21 -
0.049 KingSoft 2009.2.5.15 2009.4.21.21 2009-04-21 -
0.579 McAfee 5.3.00 5591 2009-04-21 -
2.784 Microsoft 1.4602 2009.04.21 2009-04-21 -
11.852 mks_vir 2.01 2009.04.21 2009-04-21 -
2.710 Norman 6.00.06 6.00.00 2009-04-21 -
10.009 nProtect 20090420.03 3484263 2009-04-20 Trojan.Waledac.Gen.1
12.905 Panda 9.05.01 2009.04.21 2009-04-21 -
1.661 Quick Heal 10.00 2009.04.21 2009-04-21 -
1.216 Rising 20.0 21.26.14.00 2009-04-21 -
0.727 Sophos 2.85.0 4.40 2009-04-22 -
2.253 Sunbelt 5105 5105 2009-04-21 -
4.919 Symantec 1.3.0.24 20090421.006 2009-04-21 -
0.049 The Hacker 6.3.4.0 v00312 2009-04-21 -
0.576 Trend Micro 8.700-1004 5.978.03 2009-04-21 -
0.028 VBA32 3.12.10.2 20090421.1001 2009-04-21 -
1.772 ViRobot 20090421 2009.04.21 2009-04-21 -
0.944 VirusBuster 4.5.11.10 10.105.2/1261525 2009-04-21 -
1.561 NOTICE: It may be false positive by some scanners when they found a malware, so you should judge it by yourself.

Copy to clipboard

>