Malware or no Malware

Discussion in 'malware problems & news' started by kevvyb2005, Jan 28, 2010.

Thread Status:
Not open for further replies.
  1. kevvyb2005 (Registered Member; joined Jun 3, 2005; 70 posts; London UK)
    Hi

    The other morning before I was really properly awake :oops: I logged into my online banking website and was asked to enter updated details. I know, I know I should have been more careful and I feel a right twat to have been caught out!

    Anyway have been through the thing with my bank and they are satisfied that having asked me to run an online scan with F-Secure, that they can reactivate my account.

    I am not so sure. The F-Secure scan found nothing other than what I can only identify as relatively harmless tracking cookies from all the usual suspects.

    I have also done a couple of full scans with ESET Smart Security. I have done a scan with ESET's online scanner - nothing found other than the Ask toolbar in a Nero exe.

    I am now scanning with Malwarebytes having deleted all my browsing history in both IE8, IE8 x64 and Opera.

    I will also scan with Windows Defender overnight tonight.

    What I do not understand is how this happened in that I used a link in my favourites (or the Opera Speed Dial) that I have been using for months. Somehow that link was hijacked in my sleepyhead session.

    I have found nothing on the machine (other than above) that I can say I have removed. So I am still left thinking am I safe, how did this happen?

    NB I have also deleted the two links to the banks site and recreated them.

    Could anyone offer any advice on where I should go from here?

    One event that may or may not be of note (I am clutching at straws here), which I think happened the evening before the morning of the incident, was that my router just would not connect to the internet. I restarted it, reset to defaults and reloaded my config file. Still no go. The following morning (the morning of the incident) it was back up and running. I mention it only on the off chance that it could have been related.
     
  2. MaxEntropy (Registered Member; joined May 21, 2009; 101 posts; UK)
    In addition to Malwarebytes, you can scan your system with Hitman Pro http://www.surfright.nl/en/products/ , which uses several AVs (in the cloud) to check that the system is clean - it'll clean up any malware that it finds too.

    Prevx SafeOnline is designed to secure browsers for online banking even on infected machines. It can be downloaded at http://info.prevx.com/downloadsafeonline.asp . (The free version does not include cleanup, but Prevx is one of the AVs used by HMP, so run that first.)
     
  3. kevvyb2005 (Registered Member; joined Jun 3, 2005; 70 posts; London UK)
    Thanks.

    MalwareBytes found nothing.

    Windows Defender unfortunately stopped in the night due to hibernation, but even so has a message saying that 'preliminary scan results show that potentially unwanted software might exist on the system'. Never seen that before on Windows Defender.

    Will scan with both the others you mention too.

    Should have mentioned in first post too that same banking link does not appear to have been hijacked subsequently (but before the bank disabled my account).
     
  4. kevvyb2005 (Registered Member; joined Jun 3, 2005; 70 posts; London UK)
    Can't use PrevX as it's only compatible with 32 bit systems.
     
  5. MaxEntropy (Registered Member; joined May 21, 2009; 101 posts; UK)
    Sorry, I didn't spot the x64 in your first post.

    There's a 64-bit version of Prevx 3 that you could use to scan your system to verify that it's clean. It doesn't include the SafeOnline component, but it should spot any malware that's active on your system.

    It might also be worth making sure that your hosts file http://en.wikipedia.org/wiki/Hosts_file is OK in case it's been altered by malware. That could explain how you got redirected to a phishing site from an old bookmark.

    You can read the hosts file in c:\windows\system32\drivers\etc using Notepad. If it's corrupted, you can install a safe hosts file from http://www.mvps.org/winhelp2002/hosts.htm (which provides some protection against bad websites). Alternatively, use Spybot Search & Destroy http://www.safer-networking.org/en/spybotsd/index.html .
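    The hosts-file check described above, plus a last-modified timestamp, as an added Python example that is not part of the thread or of any tool mentioned in it: it parses a constructed sample hosts file in the Windows format and flags any name mapped somewhere other than loopback, the 0.0.0.0 blackhole used by blocklists such as the MVPS file, or (optionally) a private LAN range. The sample entries, LAN_NETS and the function names are my own; check_hosts_file() defaults to the path given in the reply above.

```python
import ipaddress
import os
import time
# Constructed sample hosts file (not from the thread); the last entry is a redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test   # blocklist-style entry (MVPS)
10.0.0.5        intranet.example.test      # LAN name, normally fine
198.51.100.7    www.example-bank.test      # suspicious: name -> public IP
"""

# Private ranges a home or office hosts file may legitimately point names at.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_hosts(text):
    """Return (address, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries

def suspicious_entries(text, flag_lan=False):
    """Entries pointing a name anywhere but loopback or the 0.0.0.0 blackhole."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))           # malformed address: look at it
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue                             # localhost / blocklist entry
        if not flag_lan and any(addr in net for net in LAN_NETS):
            continue                             # LAN mapping, usually benign
        flagged.append((ip, name))
    return flagged

def check_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the live file; return its last-modified time and flagged entries."""
    modified = time.ctime(os.stat(path).st_mtime)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return modified, suspicious_entries(fh.read())
```

    A last-modified time that matches the original Windows installation, together with an empty flagged list, is the "nothing to worry about there" outcome; any flagged row is a line to read by hand.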
     
  6. kevvyb2005 (Registered Member; joined Jun 3, 2005; 70 posts; London UK)
    Apology due from me, I did not mention the x64 operating system in my first post.

    Will try PrevX 3 for 64-bit after Windows Defender has finished.

    I am seriously thinking about a clean install anyway as I am not sure I am going to feel it's properly gone unless I do that.

    Will post update on outcomes.
     
  7. kevvyb2005 (Registered Member; joined Jun 3, 2005; 70 posts; London UK)
    Thanks, that makes sense up to a point. Is it likely that malware might then change the hosts file back to the default so that the link then worked as usual...? I think that is what was happening subsequently, but I would have to check that out again and I'm not inclined to do so until after I have checked out the hosts file anyway!
     
  8. kevvyb2005 (Registered Member; joined Jun 3, 2005; 70 posts; London UK)
    Windows Defender found something called Spycar TestSuite but did not appear to have quarantined it. Cannot find any reference to it on my system with a search.

    PrevX found nothing other than Cain&Abel.exe, which I have deleted for the time being.

    I am trying to look at the Hosts file and failing miserably at the moment.

    HitmanPro found nothing either.

    I am still suspicious though about whether what ever did this is still on my system.
     
  9. MaxEntropy (Registered Member; joined May 21, 2009; 101 posts; UK)
    I haven't heard of malware doing that. In any case, if you can locate your hosts file, you can check its last-modified date - hopefully, you'll find that it hasn't actually been tampered with at all since the original Windows installation, and there's absolutely nothing to worry about there.

    Spycar is used for security testing http://www.spycar.org/Welcome to Spycar.html and should therefore be benign.

    You don't seem to have found any malware that could have caused your original phishing episode. So, after all the scans that you've run, it's unlikely that there's any malware that's gone undetected. The only other thing that I can think of is to check explicitly for rootkits using RootRepeal and GMER so that your PC can get a clean bill of health from them too.
     
  10. kevvyb2005 (Registered Member; joined Jun 3, 2005; 70 posts; London UK)
    Thanks. RootRepeal does not run on x64 apparently.

    GMER found nothing either.

    Thanks for your help.
     
  11. kevvyb2005 (Registered Member; joined Jun 3, 2005; 70 posts; London UK)
    Decided to wipe the hard drive and start again. Just wiping with zeros.

    Is it okay to delete the MBR as well?
     