My bank is telling me I have "WebMoney Advisor" on my computer and tells me that they can detect this on my logging into my bank's web page. Yet McAfee Security Center (fully updated) cannot detect it. Neither can any of the major free spyware detection tools. Currently my bank has switched off my user account until this is resolved. Any advice would be highly appreciated.
on 26/06/11 8:05:04 EDT AM
The bank now tells me that my browser is not triggering their system any longer. Somewhere in the steps I took with Bleeping Computer the "MAAU fingerprint" was removed and this stopped the triggering of the Bank system. I am not sure the underlying problem is removed but based on all the tests on this site and Bleeping Computer my computer is clean. Thank you for all your help and all those on this site. Hopefully in the future McAfee and the Bank detection software groups can coordinate to avoid this type of issue.
Look, I am not familiar with that program, though I see heaps of Google hits re it.
If you or your bank thinks it is suspect, their uninstallation method is to remove it via add/remove programs (XP) or its equivalent in Win7. Also disable/remove any browser addins in IE or FF etc.
If you think you have a virus infection on your PC, do one or both of the following:
- Run the free McAfee Stinger program from http://vil.nai.com/vil/stinger/
- Download the latest version of McAfee's new tool GETSUSP here: https://community.mcafee.com/thread/32269
Add your email to the program preferences so McAfee can reply if they think it is suspect.
Before you use Getsusp, you should go to this document and download the PDF file explaining what Getsusp is and how it works, and this document which downloads the installation guide PDF document.
If you want another opinion, or to be on the safe side, then you can do a scan with the free versions of these tools:
Thank you for your prompt response. I have tried Malwarebytes and SuperAntiSpyware and they found nothing. I am busy running Stinger. I will try GETSUSP later today. This is a very strange situation: the Bank can remotely detect the problem yet I cannot detect it locally using reputable tools.
I also tried "remove it via add/remove programs (XP) or its equivalent in Win7. Also disable/remove any browser addins in IE or FF etc."
Web Money Advisor does not appear in any of these places so cannot be removed. Any further advice will be highly appreciated.
Another thing to try as it seems nothing else is working would be to run Hijackthis and post its log on one of the specialist forums (you choose) dealing with those logs. Explain the problem. They will advise what to do.
Be patient with them, they are extremely busy.
Do not post Hijackthis logs here, we can't help with those!
Post the logs at a specialist Forum:
Be sure to read all the sticky announcements/instructions at the top of each malware forum!
Message was edited by: Ex_Brit on 26/06/11 8:09:11 EDT AM
I tried GETSUSP today as well and it turned up one suspicious file, virtualcamera.a_, and this has been submitted to the McAfee labs and I received confirmation. This was installed by the manufacturer (Asus) of the laptop when the computer was in production. So next I will try what Peter suggests above. It is very strange that the bank has detected this Trojan remotely yet with all these tools I cannot detect it locally. I would welcome any more inputs or suggestions. The Bank is taking this very seriously and has locked me out of all the Bank's online banking. So they are highly confident that I have a problem on this computer.
So far the only tool to detect anything on my computer has been Exterminate it. It reports I have Zlob.dns changer on my computer. I believe this is a false positive and have not taken any action (I have not paid the activation fee...). Does anyone have any input on this? This appears to not be related to Webmoney advisor at all.
The only reference I can find to Webmoney advisor is:
"Once installed, the Trojan captures data from HTTPS sessions, specifically to several banking sites. Domains containing any of the following strings are targeted:
Captured data is then sent via HTTP to be processed by a script residing on a remote server:
Administrators should block HTTP access to this domain." This is exactly what my bank is warning me of. So they must be detecting something of this type. I have the latest McAfee Security Center running with all the latest updates. So I am mystified why this has not been detected.
This is strange. McAfee says 2004 detection; all I can say is that they, the makers, have changed the code and McAfee and all others now do not detect it, or it is considered legit, though your bank seems to deny this is the case.
Will ask in our meeting.
Zlob.dns changer is a member of the Smitfraud class of trojans and as such can steal banking information. That Hijackthis suggestion might be a good one.