Solved

need advice on if the malware i found has helped a hacker break into a bank account

Posted on 2014-03-19
11
345 Views
Last Modified: 2014-03-31
hi, I have a customer who has had money taken out of there bank account. I've done a malwarebytes scan and found the following on the attached txt file.
Can you advice me if any of these programs would have helped a hacker gain access to the bank account.

many thanks
MBAM-log-2014-03-19--19-20-36-.txt
0
Comment
Question by:total123
  • 5
  • 2
  • 2
  • +2
11 Comments
 
LVL 24

Expert Comment

by:aadih
ID: 39940964
Did he have his bank user id and password in an unencrypted file?

Did (s)he log on to his bank account using the infected computer?
0
 

Author Comment

by:total123
ID: 39941003
the pc they use for the bank was the infected one.
the login details aren't stored on file.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39941011
buguw.exe seems suspicious.

What security software is protecting the PC?
0
 

Author Comment

by:total123
ID: 39941032
it was free avg 2012, but now avg IS
0
 
LVL 39

Assisted Solution

by:footech
footech earned 66 total points
ID: 39941209
Just from the results I'm seeing the scan, I wouldn't think those had directly contributed.  A PUP (Potential Unwanted Program) is usually not malicious, just annoying (because of ads, search suggestions, etc.).  The trojan.downloader could have gotten something else (which is now gone or not detected by MalwareBytes) on the machine which could have helped to intercept traffic.  So, as I mentioned, just by what's been reported so far I wouldn't say conclusively that this machine is the number one suspect.

You might try running RogueKiller (or rkill) first, and then immediately running another scan with MalwareBytes to see if anything further is revealed.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 67 total points
ID: 39941290
I see that you haven't yet received any attention to your question over at bleepingcomputer.

Trojan.Downloader is unfortunately such a generic malware term that it would be impossible to know what malicious activity it performed, other than the usual business of helping to download additional unwanted software.

The log file implies that you haven't removed any of the malware.  If you still have the file:
C:\Users\user\AppData\Local\Temp\Falag\buguw.exe
then submit it to https://www.virustotal.com and see if any of the various online scanners identify it as malware with a more specific name.  Different AntiVirus companies use different names for specific viruses and their variants.  Knowing what that file may or may not be capable of would help you to know if it featured in the hacking activity.   The file name "buguw.exe" and the folder name "Falag" are most probably just random names.

If you haven't yet removed any of the entries flagged by the scan, then "buguw.exe" is still being run each time the system is booted, using the "Buguw" value in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
0
 
LVL 18

Accepted Solution

by:
web_tracker earned 67 total points
ID: 39941332
If a person had their bank account hacked, it is extremely important that the person do the following: 1) contact their bank and inform them of what happened so the user can change their banking login information.
2) DO NOT connect the infected computer to the internet until the problem has been resolved. UNPLUG the network cable and if the system has a wireless network card disable it.
3) Even if scanners may not detect any more evidence of an infection, this system MUST be backed up and reinstall the operating system. Why take a chance that the system may still be infected and may compromise their banking in the future. The malware may be hidden where malware detection can not see it. Something may trigger it to be live again and thereby compromise the users sensitive data.
I sure would not take that chance.....
0
 

Author Comment

by:total123
ID: 39949726
thanks for your advice every one, we have ended up formatting the machine.
0
 

Author Closing Comment

by:total123
ID: 39966193
reformatted in the end. As noted, also posted on bleeping computer, with no replies until a good few days have passed.

thank you EE
0
 
LVL 38

Expert Comment

by:BillDL
ID: 39966213
Thank you total123

Yes, over on bleepingcomputer there are about 6 "sticky" comments you need to plough through first to make sure that you run all the various freely available utility programs and only post the log files in specific forums.  An expert will arrive to examine the log files and suggest a bunch of other utilities to run, whilst examining the new logs in between, until either the programs have done their job or you are advised to format your hard drive.  By the time you have been through all of that, you will have been quicker (and safer) repartitioning and wiping the hard drive anyway.

Your question here was specifically about whether we thought that the reported malware might have helped somebody hack into a banking account, which (in case you were wondering) is why I simply offered my opinion and suggestions about that aspect only and didn't go into any depth about cleaning up the malware.
0
 

Author Comment

by:total123
ID: 39966280
Hi, you were right in what I was asking for.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now