HELP!!! 'Man in the browser' Virus UPDATED!
geminibabe
Posts: 491 Forumite
Hi, hoping someone here can help me?
We had a call yesterday from our bank (Natwest) to say they have suspended our online banking as they have detected a 'man in the browser' virus. Apparently this virus is the latest undetectable virus which doesn't get picked up by your average internet security programme. It sits in your browser and 'watches' when you log into your accounts and copies passwords etc. and can mess around with your bank balances, but showing no signs of change. Have since googled this and found a thread on this site regarding removal of malicious threats (think it's pinned at the top of this page).
I have downloaded and installed the Malwarebytes programme and performed a quick scan and these were the results (I have taken a couple of lines out as they have numbers which I don't want to be seen by trolls):
Malwarebytes' Anti-Malware 1.44
Database version: 3922
Windows 6.0.6002 Service Pack 2
Scan type: Quick Scan
Objects scanned: 113577
Time elapsed: 6 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internetprogram (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssmsgs (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbasacodeneqe (Trojan.Agent.U) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.SearchPage) -> Bad: (http://www.iesearch.com/) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
Folders Infected:
C:\ProgramData\Link Axis Bat Wave (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\InternetProgram (Adware.PLayMP3z) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\InternetProgram\InternetProgram.dat (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\InternetProgram\pcre3.dll (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\Program Files\InternetProgram\uninstall.exe (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\Users\Heath & Lia\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Heath & Lia\AppData\Roaming\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
They are still on the 'log' and have been quarantined - I think? Can anyone tell me what to do next to protect my PC and all of its information?
We called a local PC doctor and he said he would charge £30 and would install AVG. I can install that for free??
Thanks in advance.
Comments
AVG isn't as good as it used to be. You can get better programs for free (Microsoft Security Essentials, Avira AntiVir, Avast etc.) which often do a better job than AVG.
From that log, it looks like your machine was heavily infected and it may not have detected everything as you only ran a quick scan. Run a full scan and see if it picks anything else up.
Will do that now, thanks, will post the log in a bit!
I have no doubt our experts will be along soon, but I will say again what I keep on saying, the trick is to prevent these things from getting in, not try to get rid once they are in.
Your machine is so bad it needs a full restore, then please buy proper antivirus, it is a false economy not to.
geminibabe wrote: "Apparently this virus is the latest undetectable virus"
How did they detect it then??
Did you give out any of your security details to them?
You could post a HijackThis log too, it will help identify if there are any keyloggers installed (have a look in the stickies for instructions)
Save your £30, as you say, you can do this yourself for nothing.
You need to run this:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
As you have Vista there is no need to install the recovery console, just download and run the program.
Post the log file here when done. AlienRik is the man to read the combofix logs and give more advice.
No need for a HijackThis log file at this point, we will look at that towards the end after combofix.
I'm just posting so I get a 'bump' once combofix has been run.

I would ask that you please run HijackThis first:
Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_hijackthis/
REBOOT
Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE (takes seconds), then post the log so we can see what's running
(do NOT do anything else with HijackThis but scan and post the FULL log)
then run combofix as Browntoa asked.
Quote: "How did they detect it then??"
I say undetected as taken from Google. I mean not picked up by the common internet security packages, i.e. McAfee and Norton etc. Sorry, I am not into computer jargon but that is what I mean, if you know what I mean!
Will post that new log in a minute, just got in...
This is the full system scan log taken from Malwarebytes as requested by gaming_guy.
Malwarebytes' Anti-Malware 1.44
Database version: 3922
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
28/03/2010 17:11:43
mbam-log-2010-03-28 (17-11-40).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 359288
Time elapsed: 1 hour(s), 38 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\MemoriesOnTV\msvcirt.dll (Malware.Packer.Gen) -> No action taken.
C:\Program Files\MemoriesOnTV\msvcrt.dll (Malware.Packer.Gen) -> No action taken.
C:\Users\Heath & Lia\Documents\BullGuard Backups\backuptoday\C\Program Files\MemoriesOnTV\msvcirt.dll (Malware.Packer.Gen) -> No action taken.
C:\Users\Heath & Lia\Documents\BullGuard Backups\backuptoday\C\Program Files\MemoriesOnTV\msvcrt.dll (Malware.Packer.Gen) -> No action taken
Thanks for all your help everybody, but I am getting confused with all the suggestions to download this and that. Am I right in saying that I need to run Hijackthis now?
Thanks for your time
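Reading the two logs above by hand is error-prone, so here is an added example (not from this thread or from Malwarebytes) of a small Python parser for the 1.x text-log format posted above. It is run over a constructed sample assembled from lines of both logs, with the user-profile path replaced by a placeholder. It groups detections by threat name and by disposition, separates entries that live under a Run key (autostart values such as mssmsgs and rundll32.exe in the quick-scan log) from the rest, and lists anything whose disposition is not "Quarantined and deleted successfully"; the full-scan log reports "No action taken" for all four files, which this summary would surface as unresolved. The requirement that a threat name contain a dot, used to avoid confusing it with a path component in parentheses, is an assumption about the log format.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log.

Added example for the thread; not Malwarebytes' own tooling.
"""
import re
from collections import Counter

# Per-section headers look like "Registry Keys Infected:" with nothing after the
# colon; the summary block near the top uses the same words followed by ": <n>",
# which the trailing "$" deliberately excludes.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# One detection: "<item> (<Threat.Name>) -> [extra ->] <disposition>."
# Assumption: a threat name always contains a dot, so a path component such as
# "Program Files (x86)" cannot be mistaken for it.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[A-Z]\w*(?:\.\w+)+)\)(?P<rest>.*)$")
# Values under HKCU/HKLM ...\CurrentVersion\Run start with every logon.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
RESOLVED_PREFIX = "Quarantined and deleted"


def parse_mbam_log(text):
    """Return one dict per detection: section, item, threat, disposition."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or not line or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # The disposition is whatever follows the last " -> "; the Registry Data
        # Items section inserts "Bad: (...) Good: (...)" before it.
        disposition = m.group("rest").rsplit(" -> ", 1)[-1].strip().rstrip(".")
        entries.append({
            "section": section,
            "item": m.group("item"),
            "threat": m.group("threat"),
            "disposition": disposition,
        })
    return entries


def summarize(entries):
    """Counts per threat and disposition, plus the two lists to read first."""
    return {
        "by_threat": Counter(e["threat"] for e in entries),
        "by_disposition": Counter(e["disposition"] for e in entries),
        # Persistence: these ran at every logon, not just litter on disk.
        "autostart": [e["item"] for e in entries if RUN_KEY_RE.search(e["item"])],
        # Anything not quarantined is still present after the scan.
        "unresolved": [e["item"] for e in entries
                       if not e["disposition"].startswith(RESOLVED_PREFIX)],
    }


# Constructed sample, abbreviated from the two logs in the thread; the profile
# path is a placeholder.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3922
Scan type: Quick Scan
Registry Keys Infected: 2
Registry Values Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internetprogram (Adware.PLayMP3z) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssmsgs (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.SearchPage) -> Bad: (http://www.iesearch.com/) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MemoriesOnTV\msvcrt.dll (Malware.Packer.Gen) -> No action taken.
C:\Users\<user>\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The two lists at the end of the report are what a responder checks first: an autostart entry means the code was executing at every logon before the scan, and an unresolved entry means the scan only reported it, so the file is still there until a removal pass is run.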
Yep, run HijackThis then run combofix and post both logs.
Aside from the infection, can you be absolutely sure it was Natwest who contacted you?
I have never heard of them doing this before, and cannot understand how Natwest could be capable of seeing your computer in this way. Did you contact them directly via the phone to confirm this was Natwest?