Win32.Banker.B - A persistent virus
Deimos
27-06-2004, 01:50 AM
I'm having trouble with a virus on my computer. Avast! has identified it as Win32.Banker.B and the offending file is rsasec.dll in the c:\windows\system32 directory (I'm running WinXP, no Service Packs because Microsoft doesn't like my registration key for some bizarre reason ;)). I get Avast! to do a boot scan and it supposedly deletes the file and fixes everything, but when the computer boots up the file has returned and we're back to square one. I had a look on Google and I couldn't find much of use. If someone could throw me a bone it would be much appreciated.
thingy
27-06-2004, 01:57 AM
1. Google is not the right spot to look. Try http://www.sarc.com/
2. Turn off system restore and do it again.
m0loch
27-06-2004, 02:14 AM
thingy: that sig is teh funny, source?
thingy
27-06-2004, 02:17 AM
I should actually link it in there & give the creators credit eh?
http://www.little-gamers.com/
and3w
27-06-2004, 02:52 AM
Run:
Trend Micro (http://housecall.trendmicro.com/)
and
Panda (http://www.pandasoftware.com/activescan/)
Also, as it seems to be a Trojan/keylogger
Trojanspy.Win32.Banker.b
Key Logger: (Keystroke Logger). A program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of either finding passwords, or possibly other useful information that could be used to compromise the system or be used in a social engineering attack. For example, a key logger will reveal the contents of all e-mail composed by the user. Keylog programs are commonly included in rootkits and RATs (remote administration trojans).
From (http://www.pestpatrol.com/pestinfo/t/trojanspy_win32_banker_b.asp)
I would run Spybot Search & Destroy (free: http://beam.to/spybotsd)
And also I have found these good for this type of problem (shareware, disabled after 30 days)
Spysweeper (http://www.tucows.com/preview/305123.html)
And Xoftspy (http://www.paretologic.com/xoftspy/lp/14/)
I have cracks/s/n's for both, if you want to keep using them :D
Hope this helps.
(I would use xoftspy, spysweeper and then the home scans in that order, personally)
Edit: updated Spysweeper Here (http://tinyurl.com/2t897)
PM me for serial if needed
Deimos
27-06-2004, 11:52 PM
Well, I looked at www.sarc.com and did a search for rsasec.dll and it came up with Trojan.Gletta.A, which seems to match the description of my virus exactly except for the name. It said to turn off system restore, which I did, and restart in Safe Mode, which I did, and then delete a certain registry entry, which I did; however it also told me to run Symantec Anti-Virus (surprise, surprise) which I don't have (I use Avast! because it is free). Even after I deleted the registry entry and ran Avast! the virus was still there.
I found that PestPatrol site searching through Google and it said to kill the process called "aa1ed92baf3bf7387a5c3c20aa92921c.exe". I don't have that process running and I don't have that file anywhere on my computer so that didn't help me much.
The difficulty with getting rid of this thing is that you can't delete the rsasec.dll file because the "file is currently in use" and I am not entirely sure what process is using it. I'm not sure if this is relevant at all, but when I look at the active processes I have three svchost.exe processes running: one is a Local Service, one is a Network Service, and one is SYSTEM.
I downloaded Spysweeper and Xoftspy but they both need s/n to install so I might have to talk nicely to and3w about that unless someone else has any thoughts.
Bostonmess
28-06-2004, 12:35 AM
A useful tool I use is called TCPview. It tells you what programs are connected to what addresses.
There's also something called process explorer that's free. That tells you the DLLs. Lot of looking, not sure if there's a search function?
Here's a thread from Sophos that gives a cure for this virus. You may have seen it or may not. Apparently it writes a txt file (krk.txt) among other things.
http://www.sophos.com/virusinfo/analyses/trojbankerb.html
If you can't stop it from coming back, how about if you "write" one (the DLL) with the same name and put it in its place, see what happens? :D
It seems to have a few names
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39312
not sure about the gletta one?
http://securityresponse.symantec.com/avcenter/venc/data/trojan.gletta.a.html
http://fr.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=59656&VName=TROJ_GLETTA.A&VSect=T
http://www.google.co.uk/search?q=rsasec.dll&ie=UTF-8&hl=en&btnG=Google+Search&meta=
I would try the deletion at boot and then do all the registry deleting, before booting again. It's gotta be rewriting itself from somewhere?
Oh, and the svchosts are legit but they do get infected. There are loads of services that windows runs. Most of 'em are useless? unneeded?
If you go start/run and type services.msc it brings em all up and you can stop 'em and fuck about with the settings. look 'em up on the net first though :D
and3w
28-06-2004, 12:43 AM
Originally posted by Deimos
I downloaded Spysweeper and Xoftspy but they both need s/n to install so I might have to talk nicely to and3w about that unless someone else has any thoughts.
Look in your PM folder :D
Deimos
28-06-2004, 01:45 AM
I tried to follow Symantec's advice which was as follows:
1. Boot in Safe Mode
2. Run a virus scan and delete any infected files
3. Remove "wmiprvse.exe" = "%system%\wmiprvse.exe" from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
The problem comes in step 2: When I try to delete rsasec.dll it says that it can't be deleted ("Access Denied" I think it said). Even in safe mode it won't let me delete the file - the only way I can supposedly delete it is by doing a "boot scan" but even when I do that, by the time Windows has loaded again the file has returned.
Bostonmess
28-06-2004, 02:18 AM
Have you tried safe mode with command prompt?
This might be bollox, cos I've never done it myself.
choose safe with command.
at the command prompt you've got to get to the folder that the file is in. You're probably at documents and C:documents and settings/deimos?/whatever? not sure on this in safe mode.
So type "cd .." (not sure if you need the space, it doesn't matter anyway).
That takes you up a level, then do it again ("cd ..") and you should be at c:
typing "dir" lists the contents of c:
You'll see windows etc.
so now type "cd windows"
takes you to the windows folder
Each time you type "cd whatever" it takes you into that folder, so long as that folder is in the folder you're in.
So if you're in the windows folder and system32 is in your windows folder, typing "cd system32" takes you there.
then type "del rsasec.dll"
this should delete it.
you can also open the command prompt in xp by typing "cmd" in the run box. I think you can delete anything from there? I'm not gonna try it to find out though :D You might have to release? the handles on the drive though, it gives you the y/n? option if need be. You'll suss it.
You might also try choosing the move option in avast at boot? I think you can delete it when its moved it.
Really it's down to stopping it from rewriting itself in, which you already know. I go about it by just trying everything I can think of :D
Hope this helps. :)
Bostonmess
28-06-2004, 02:25 AM
Wait a minute. That's crap then. If it returns when you boot I doubt moving will help either.
delete all the registry shit it tells you then do the boot scan/delete? You tried that?
so step three first then 1 then 2?
Or boot in safe mode, clean the reg, then do the command thing?
Deimos
28-06-2004, 03:03 AM
Originally posted by Bostonmess
Wait a minute. That's crap then. If it returns when you boot I doubt moving will help either.
delete all the registry shit it tells you then do the boot scan/delete? You tried that?
so step three first then 1 then 2?
Or boot in safe mode, clean the reg, then do the command thing?
I've tried:
1. Delete registry key (after booting in Safe Mode)
2. Reboot with boot scan
and I have also tried
1. Boot with scan into Safe Mode
2. Delete registry key
3. Reboot
Neither has worked. I considered doing a command prompt start and deleting the file from there, but I figured that would be much the same as doing a boot scan. But if I can delete the registry key at the command prompt as well as the offending file then perhaps I can kill it.
and3w
28-06-2004, 04:38 AM
This is looking lethal if neither of those have got it...try using DLL Show (http://www.gregorybraun.com/DLLShow.html) which will show you which process is using that DLL. You may then be able to stop it using ctrl-alt-del and then delete the dll?
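One way to answer the "which process is using that DLL" question from a running session, as an added example that is not part of the thread and not DLL Show's own code: it walks each process's loaded-module list with PowerShell and, because the thread mentions several svchost.exe instances, also names the services living in each matching PID. rsasec.dll is the file named in the thread; the function and parameter names are mine.

```powershell
# Added example: find which processes have a named DLL mapped, and which
# services run inside each such process (useful when the host is svchost.exe).
# Assumptions: run from an elevated PowerShell prompt; $DllName defaults to the
# file named in this thread. The script is read-only and terminates nothing.
function Find-LoadedDll {
    param([string]$DllName = 'rsasec.dll')

    # Win32_Service maps each service name to the PID hosting it.
    $services = Get-CimInstance -ClassName Win32_Service

    foreach ($proc in Get-Process) {
        try {
            # .Modules enumerates every DLL mapped into the process. Protected
            # or higher-integrity processes throw here, so failures are logged
            # per process instead of aborting the whole scan.
            $match = $proc.Modules | Where-Object { $_.ModuleName -ieq $DllName }
        } catch {
            Write-Verbose "PID $($proc.Id) ($($proc.ProcessName)): $($_.Exception.Message)"
            continue
        }
        if (-not $match) { continue }

        $hosted = ($services | Where-Object { $_.ProcessId -eq $proc.Id } |
                   Select-Object -ExpandProperty Name) -join ', '

        [pscustomobject]@{
            ProcessName    = $proc.ProcessName
            PID            = $proc.Id
            ModulePath     = ($match | Select-Object -First 1).FileName
            HostedServices = $hosted
        }
    }
}

# Print a table; an empty result means nothing currently has the DLL mapped.
$hits = Find-LoadedDll -DllName 'rsasec.dll'
if ($hits) { $hits | Format-Table -AutoSize } else { 'No running process has rsasec.dll loaded.' }
```

The PID column is what tells the three svchost.exe instances apart; from a plain cmd prompt, `tasklist /svc` gives the same PID-to-service mapping without the module search.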
thingy
28-06-2004, 08:28 AM
SARC also talk about modifying the system.ini and win.ini files. Basically you need to try and stop it from loading on startup.
It's always good to become familiar with all the startup locations for programs, and which programs are/aren't required. Here they are, check what EVERY single program on this list is, and remove those you don't want (if you're not sure, leave it and ask us here).
Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
System.ini file under [boot]
shell=*.exe
Win.ini file under [windows]
run=*.exe
Remove all of these, then reboot in safe mode. Run a full AV scan. Check for them again (and if they're there, remove them), reboot in safe mode, repeat once more.
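A read-only way to review every one of the startup locations listed above in one go, as an added example that is not part of the thread: it dumps the Run keys, the "load"/"run" values of the Windows NT key, and the shell=/run= lines of system.ini and win.ini, so each entry can be looked up before anything is removed. It assumes the ini files live under $env:SystemRoot; the function names are mine.

```powershell
# Added example: read-only dump of the autostart locations listed in the post
# above, so each entry can be reviewed before anything is removed.
# Assumption: the ini files live under $env:SystemRoot (c:\windows).
function Get-IniValue([string]$Path, [string]$Section, [string]$Key) {
    # Minimal INI reader: find [Section], then the first "Key=" line inside it.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $inSection = ($Matches[1] -ieq $Section); continue }
        if ($inSection -and $line -match "^\s*$Key\s*=(.*)$") { return $Matches[1].Trim() }
    }
    return $null
}

function Get-StartupEntries {
    $found = @()
    # Provider bookkeeping properties that Get-ItemProperty adds; not real values.
    $psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. The Run keys: every value name is a program launched at logon/boot.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notin $psProps }
        foreach ($p in $props) {
            $found += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }

    # 2. The Windows NT key keeps its autostart commands in the "load" and
    #    "run" values rather than one value per program.
    $ntKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    if (Test-Path $ntKey) {
        $nt = Get-ItemProperty -Path $ntKey
        foreach ($v in 'load', 'run') {
            if ($nt.$v) { $found += [pscustomobject]@{ Location = $ntKey; Name = $v; Command = $nt.$v } }
        }
    }

    # 3. Legacy ini hooks: shell= under [boot] in system.ini and run= under
    #    [windows] in win.ini. On a clean system both are normally empty or absent.
    foreach ($ini in @{ File = 'system.ini'; Section = 'boot';    Key = 'shell' },
                     @{ File = 'win.ini';    Section = 'windows'; Key = 'run' }) {
        $val = Get-IniValue (Join-Path $env:SystemRoot $ini.File) $ini.Section $ini.Key
        if ($val) { $found += [pscustomobject]@{ Location = "$($ini.File) [$($ini.Section)]"; Name = $ini.Key; Command = $val } }
    }
    return $found
}

Get-StartupEntries | Format-Table -AutoSize -Wrap
```

Run it once before and once after each safe-mode clean-up round; an entry that reappears between runs points at whatever is re-creating it.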
exekewtable
28-06-2004, 08:47 AM
the best trojan killer by far and away is TDS-3.
None of the others mentioned here can search in NT-ADS streams like it can. It's well known that some trojans can hide in this feature of NTFS.
get tds-3 from diamondcs.com.au
dave
Deimos
28-06-2004, 02:17 PM
Well, I think I got it - thanks for all your help guys. It ended up being quite a bit more complicated than I thought it would, but it was undoubtedly a really good learning experience :). By doing various virus scans I found out that the virus files were as follows:
c:\windows\userlogon.exe
c:\windows\system32\wmiprvse.exe
c:\windows\system32\rsasec.dll
c:\windows\system32\ntsvc.exe
I also found that this file: c:\windows\downloaded program files\Iesearch.exe was infected and I suspect that this is where the virus originally came from (this file was not listed on the Symantec site).
Also, there were registry entries to three of the files: userlogon.exe, wmiprvse.exe and ntsvc.exe (the Symantec site only had two of these registry entries listed).
To get rid of the virus I booted in safe mode with command prompt only and deleted all of the offending files. Then I ran regedit (still from the command prompt) and deleted all of the registry entries (I didn't actually delete the one relating to ntsvc.exe at this stage because I didn't know there was one, even though I had deleted the file). Then I rebooted the computer in normal mode and it said "ntsvc.exe - file not found" or something on boot up (which is when I realised that there must be a registry entry for it, which I found by searching the registry) so I got rid of the registry entry and things seem to be all good!
Truephoenix
28-06-2004, 03:17 PM
I would suggest you patch your windows to stop future viruses.
SP2 is almost here, and I think Microsoft are letting SP2 install on copies with pirate keys because unpatched copies of windows are a breeding ground for worms, trojans and viruses.
Now isn't that nice of them. :D
exekewtable
28-06-2004, 03:24 PM
xpkey.exe is your friend.
dig around on google for it
dave