Dangerous new version of old virus running wild "Thinkpoint Scanner"

Trojan-Banker.Win32.Banbra virus. It creates a file named hotfix.exe at location
C:\Documents and Settings\\Application Data\hotfix.exe


Runs as a virus scanner and will not let you do anything until you pay them IF YOU CLICK YES TO A SCAN it is a FAKE)

EXTREMELY difficult to get rid of. BLOCKS just about everything in safe mode, kills your desktop. A PRO will more than likely have to remove it until the scanners catch up. Took over two hours to kill it yesterday on a laptop brought to me. One of the few ways to kill it is in safe mode to control/alt/delete and bring up task manage and stop the 'hotfix.exe' process. After that if you type 'C" into file new task run box at the top of task manager, you can scroll down to your program files and start one of your virus/malware scanners by clicking on the exe file.

How to quickly detect malware presence?

Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Value: “C:\Documents and Settings\Administrator\Application Data\hotfix.exe”

Files: C:\Documents and Settings\Administrator\Application Data\hotfix.exe



This virus/Trojan is a bitch to kill.

(Apple/Linux gnomes don't need to gloat here).

apparently cheeseheads on the keyboard make the same sort of stupid mistakes and he new it well.

Now that I know where it hides, it will take about 15 minutes if the dickwads at work listen to the email I sent everyone today.

The geek squad at Best Buy new the virus right away and told me all it's horrid possibilities that go along with keystroke logging, but they wanted $300 to look at the box and went into a pitch to sell me a new computer...I exited the call and immediately dialed the bank.

to an off-site computer just before I got hit. I think it's gone now after i used system reset to go back to before I hit the trojan.

:)

It is possible for a Windows virus, in the strictest sense, to "run" under Linux. Especially since most of the users have a program called WINE that lets you run Windows programs on Linux. But because of how Linux is set up, it's nearly impossible for it to actually DO anything, like ruining the whole system or sending out a ton of emails claiming to have secret photos of Kournikova.

Then it's a matter of simply killing the process running the virus, and deleting the file.

:evilgrin:

:eyes:

McAfee? I don't click those ads but I'm always concerned they can get in somehow.

I've had others like it slip by my anti-virus software at least 3 times. And, Spybot didn't find it. Malwarebytes did, however.

I've just downloaded it and am running it now. I haven't noticed anything odd the past few days but just want to be sure. Spybot always finds stuff, McAfee now and then.

I went straight to ComboFix (get from BleepingComputer) to get rid of it.

thanks

it looks so much like a real message from Microsoft you accept it. I didn't hit a down load button, but I told it to clean the computer. I think that's what did it.

Here's what it looks like:

http://www.youtube.com/watch?v=TLv6qOZRSio

Thank Nevildog for pointing me to that link!

:hi:

I just got through dealing with my third bout of one of these damn things. I found that if you don't click, you still can't close the browser. You wind up in this perpetual loop of clicking "cancel", only to have another window pop up that you don't dare click "OK" on. Clicking "cancel" just brings back the previous window. It doesn't lock up your machine. Just your browser, depending on the trojan. I had one where I couldn't even open the task manager to close my browser. It wouldn't let me run Malwarebytes, either. I had to change the name of Malwarebytes' "exe" file to get it started. The people that put these things out there need to be tarred and feathered.

The most recent trojan of this type I got showed up when I visited HULU.

Windows 98SD. There were ways that you could delete it, but it was a real pain in the ass, and really tedious.

to these types of malware. Also, change your browser LAN settings by unchecking proxy server. Then you can use your browser again and download something such as malwarebytes or something similar to remove all infected areas.

it's found 31 infected objects!

Thanks RamboLiberal for that advice!

:hi:

I had to remove this kind of crap twice in the past three days. And, these were not the first time. I had this issue a couple of months ago on another computer. This time, recognized what was going on and I was able to stop it before it completely installed. I don't think it was the same trojan, but there are lots of them out there like hotfix. Just remember to update Malwarebytes before you run the scan. Otherwise, you might not get rid of it.

I've also found that when these types of malware get on one's computer, they also bring along crap like browser hijackers along with them. Fortunately, Malwarebytes gets rid of them, too.

didn't give me a clue where it is.

What to do next?

TIA

Browsers usually have a panel/tab which will show recent downloads. In Firefox, it's Tools> Downloads. (Check the menus for something similar if you are using another browser.) Then right click on the malwarebytes file (something like mbam-setup.exe) in the panel and select 'run' or 'open'.

Does it have to be installed?

Go to "Start", when the window comes up, click on "My Computer". There will be a folder that says "bobblink's Documents" (or whatever name you call yourself on that computer). Open that folder, and you'll find another that says "Downloads". It will be in that folder. Click on it to install. It will install in the "Program Files" folder. Unless you have a nasty trojan, it should run right after installation. I got one that wouldn't let me run Malwarebytes or any other anti-spyware. If such is the case, go into the folder where it's installed, and rename the .EXE file. I just add another letter to it. For instance, Malwarebytes EXE file is "mbam.exe". I renamed it "mbamm.exe". That way, you can remember what to change back once you get rid of the spyware.

Look under "Tools" in your browser. Click on "Downloads." It should open a small window with any files you have downloaded. Click on the Malwarebytes download, and it will start the installation.

Delete Browsing History
Pop-up Blocker
Phishing Filter
Manage Add-Ons
Windows Update
Internet Options
@#*)^&*%$)+!!!!

Or at least it should be listed as MalwareBytes under Programs. When you download MalwareBytes you have to run the file you downloaded to install.

to clear I WON'T..I never ever click on to those sites. Even if they say I have a virus.

has never failed me.

I just did a Malwarebytes scan, and this was found:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.

Thank goodness I do not use Explorer very often.

I also got rid of Microsoft Security Essentials, because I have had a few infections - none found by MSE.

I use Prevx, which is great.

If I run Malwarebytes, Prevx also double-checks every file as it is scanned by Malwarebytes, and Prevx sometimes finds things that Malwarebytes does not.

Btw, thanks for the CrystalDisk info - because of that I have replaced by disk with a new one.

You can try it and see. At one time, I avoided it as it had too many glitches. But Internet Security for 2011 works well.

and had purchased it from Staples the Sunday before.

:scared:

I just worked around it last night.

Once I got the computer booted to the desktop, I ran a full system scan using the version of Norton that Comcast provides to it's subscribers.

When I looked a the Norton security logs: it had "noticed" the registry changes yesterday and logged and noticed the system config changes (like to autoexec.bat) and it noticed a change to what was added to the list of programs that were allowed to access the "network" and changes to the "startup" folder.

It said that "mstsc.exe made 10 modifications to your computer" and then called it a "low severity" issue and did not do jack squat about it.

Do not think that Norton is going to protect you from it.

This is what I did to fix it:

While the ThinkPoint window was on the screen,
I was able to run task manager and used the right mouse menu to found the "properties" of the "hotfix.exe" to find out where it was located.

I used task manager to stop the "hotfix.exe" process.

I ran a "New Task" from task manager and typed "Command" to get a command line.

From there, I cd'd to the directory where this program was located (c:\users\XXXXXX\AppData\Roaming). There was a "batch" file with name like "dksdflsdjkf.bat" and a file called "start" and a file called "init" (or something like it) and the hotfix.exe executable. They were all created within minutes of each other.

I renamed the ".bat" and the other two files to harmless names ending in ".txt" and deleted the hotfix.exe file.

I restarted the computer.

This allowed the computer to restart and bypass this rogue software.

http://www.malwarebytes.org/ download it and let it update right away. Then run it. I`ve never had to fix a computer with Malewarebytes on it. And I`ve fixed alot of computers. Most had McAffee and Norton and Avast and Spybot other crap that people download off the web to try to get rid of the problem before they bring it to me. The link once more.....http://www.malwarebytes.org/

You can drag a program to the desktop, but getting people to run them on a schedule is like asking a horse to eat sand.

http://www.f-secure.com/v-descs/trojan-spy_w32_banbra_rm.shtml


Data Stealing

Once the security measures are removed, the trojan can proceed to its data stealing routine. When the user browses a targeted online banking website, the trojan is able to inject malicious HTML into the webpage. The injection allows the trojan to capture keystrokes the user enters into the log-in fields of the website, essentially stealing the user's credentials.

The stolen credentials are then sent to a number of e-mail addresses registered under VFEmail and Inbox.com:



Blacklight is a good tool also.

http://www.f-secure.com/en_EMEA/security/tools/blacklight/