Author Topic: Attack On GMAIL or My PC? HTML:Bankfraud-BYL Trojan  (Read 23135 times)


UserA789

  • Guest
Attack On GMAIL or My PC? HTML:Bankfraud-BYL Trojan
« on: October 22, 2013, 09:44:13 PM »
Actually can someone check GMAIL. This is a consistent warning when I navigate to https://mail.google.com/ and I've either been personally infected, walking past Avast to insert the file, but Avast stops its initiation or GMail is being attacked.

It is unique to the Internet Explorer 10 browser and does not occur on Chrome.
« Last Edit: October 23, 2013, 06:04:55 AM by UserA789 »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Attack On GMAIL or My PC?
« Reply #1 on: October 22, 2013, 09:47:33 PM »
No alert for me on chrome.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Attack On GMAIL or My PC?
« Reply #2 on: October 22, 2013, 10:06:06 PM »
Twin has arrived. Please listen to him.

Message deleted by OP
« Last Edit: October 22, 2013, 10:30:14 PM by alan1998 »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Attack On GMAIL or My PC?
« Reply #3 on: October 22, 2013, 10:18:58 PM »
Hi UserA789

Quote
Trojan-Spy.HTML.BankFraud.dq is usually installed on the victim's system after clicking on fake banking e-mail links, freeware, file-sharing p2p and pornographic related sites. After infecting the system Trojan-Spy.HTML.BankFraud.dq creates random malware files in windows system32 registry. BankFraud.dq trojan will collect credit card, passwords and other confidential information and infect your computer with additional viruses.
This is a detection for HTML format e-mail messages that contain phishing-related content. Manual removal is not recommended for this threat.
You have to do the removal under guidance of a qualified malware removal specialist, we have several here on the forum. Do as alan1998 has advised and wait for the qualified malware removal expert on duty,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Attack On GMAIL or My PC?
« Reply #4 on: October 22, 2013, 10:27:24 PM »
Hi,


Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Post logfile will also be saved in the C:\AdwCleaner folder.
Then...



Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named



Double-click to run GMER.
  • Wait for initial scan to finish - if there is any query, click No;
  • Click Scan button and wait until the full scan is complete;
  • Click Save ... - save the report to the Desktop (named Gmer );
> Attach here Gmer logreports.



Then...



Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

UserA789

  • Guest
Re: Attack On GMAIL or My PC?
« Reply #5 on: October 22, 2013, 10:49:39 PM »
Hi UserA789

Quote
Trojan-Spy.HTML.BankFraud.dq is usually installed on the victim's system after clicking on fake banking e-mail links, freeware, file-sharing p2p and pornographic related sites. After infecting the system Trojan-Spy.HTML.BankFraud.dq creates random malware files in windows system32 registry. BankFraud.dq trojan will collect credit card, passwords and other confidential information and infect your computer with additional viruses.

polonus

Okay.. I will research and follow TwinEagle's information. So far he is suggesting WELL KNOWN documented softwares (by users who have made no effort to conceal their real identities) to get this done so I'm comfortable enough with this.

Otherwise; unless they completely faked an email header from someone I'm already in contact with; I have not opened any banking sites (don't have a bank to use) nor have I clicked on any links in those emails. I already understood this is not something that just happens and usually requires the user to initiate via clicking on an illicit link (unknowingly). As well, this began occurring right after posting on the DNS stuff and I had already been in my GMail before that today with no problems.

I got over downloading/viewing porn when I first upgraded to fiber.. I downloaded all of it in two nights and erased my HDD seven times just to make room for new clips, when I hadn't even watched the ones I was deleting. This was over five years ago.  ;D

We should all know my feelings on filesharing at this point... it's not that I'm against the sharing but logic says since so many are freely trading it; illicit users would be using it to spread their virus. And don't most packages tell you to disable your AV to use the CodeGenerator or Key Cracker?

I will begin immediate clearing of this Trojan type exploit/malware but can it install without user interaction (IE:  click links, etc.)?
« Last Edit: October 22, 2013, 11:00:42 PM by UserA789 »

UserA789

  • Guest
Re: Attack On GMAIL or My PC?
« Reply #6 on: October 22, 2013, 11:03:50 PM »
On Farbar... I got the warning that the file is rarely downloaded by other users (which makes sense) but shouldn't someone have reported this file's safety to MSFT, being its legitimacy?

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Attack On GMAIL or My PC?
« Reply #7 on: October 22, 2013, 11:04:59 PM »
All the tools used here are perfectly legitimate, so you can be sure when using them...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Attack On GMAIL or My PC?
« Reply #8 on: October 22, 2013, 11:10:29 PM »
Hi UserA789,

Nothing to do with you opening or using banking sites etc, the malcode came via the postman, it came by mail.
Did this pass your ISP's virus and spam mail detection?
Did you have the avast mail detection active at the time you received this?
Did it go past this as well?
Were you socially engineered into opening it?

I still use the old webwasher free version with all the nice spam detection lists hammered in there myself.
 I won't shout on the Interwebs, because that is not polite.
So please think of the next sentence in italics as written in big capitals. I trust nobody!

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Attack On GMAIL or My PC?
« Reply #9 on: October 22, 2013, 11:33:48 PM »
Hi UserA789,

You are not the only one with this malware, so change your adaptations accordingly, see: http://forum.avast.com/index.php?topic=137700.0

polonus


UserA789

  • Guest
Re: Attack On GMAIL or My PC?
« Reply #10 on: October 23, 2013, 12:52:34 AM »
Here are the log files.  I will ask that this thread later be deleted or my log files removed from view.  There is a lot one can do simply with the directory structure or computer name.  However, I will participate on this one.


UserA789

  • Guest
Re: Attack On GMAIL or My PC?
« Reply #11 on: October 23, 2013, 12:54:39 AM »
Hi UserA789,

You are not the only one with this malware, so change your adaptations accordingly, see: http://forum.avast.com/index.php?topic=137700.0

polonus
That thread is referred back to this one.  I believe this thread is the superseding documentation(s).

Thanks for seeing that though.  I noticed as well.

Other than I'm just patiently waiting.

Oh yea, I used the tools without my internet connection active but it looks like something was uncovered.  Let me know my next steps when you are ready.

UserA789

  • Guest
Re: Attack On GMAIL or My PC?
« Reply #12 on: October 23, 2013, 12:58:28 AM »
Hi UserA789,

Nothing to do with you opening or using banking sites etc, the malcode came via the postman, it came by mail.
Did this pass your ISP's virus and spam mail detection? -Apparently... and they are one of the best for catching stuff like this
Did you have the avast mail detection active at the time you received this? No... I do not use mail client readers because they download header and other information no matter what steps one takes to prevent this. It's an inherent flaw in client email readers.
Did it go past this as well? Yes. Past everything.
Were you socially engineered into opening it? Only if it was caused through communication here. I don't do FB links from even my friends. I trust many links on this forum, however. I wasn't insulting anyone just saying this is the only place I really click links.

I still use the old webwasher free version with all the nice spam detection lists hammered in there myself.
 I won't shout on the Interwebs, because that is not polite.  -I am a former Admin Chief from the USMC and capitals were not shouting, as they are now. They were simple denotation of importance.
So please think of the next sentence in italics as written in big capitals. I trust nobody!

polonus
Haven't opened any unknown webmails, that I'm aware of. I'm pretty good at investigating the FULL header information as well. The other user on the machine had a scare with ID fraud two years ago (I've posted about it) and she has stepped up her efforts as high as mine. There is another machine on the network (laptop) coming up with the infection just today as well. Do I need to run the same logs or can we assume that we can deal with it along with the main device here?

The other user does not do ANY social web interfacing. She thinks it's all a waste of breath and is right.

EDIT:  If this is a new variant; I would like to submit 'The HyJax Variant' for its name.
« Last Edit: October 23, 2013, 01:50:39 AM by UserA789 »

TheChad

  • Guest
Re: Attack On GMAIL or My PC?
« Reply #13 on: October 23, 2013, 01:27:22 AM »
I am also interested in the answer to this thread. I am in the process of setting up a brand new PC and I am getting this same error message when trying to navigate to Gmail through IE. If needed, I can also post my log files as I have gone through Twin's recommended steps as well.

Best,
TheChad

Saavik

  • Guest
Re: Attack On GMAIL or My PC?
« Reply #14 on: October 23, 2013, 01:37:03 AM »
Hello. This also started happening to me every time I load the gmail login page since this evening, whenever I'm using Firefox (version 24.0). It doesn't happen with Safari. I have a Mac OS 10.7.5.

Today was also the first time for me of the new gmail login interface, and I didn't click on any suspect e-mails recently, so it seems that it may be a problem with this new gmail interface on some browsers.  ???