19 Replies Latest reply on Jul 21, 2011 1:49 PM by Hayton

    Webmoney Advisor

      My bank is telling me I have "WebMoney Advisor" on my computer and tells me that they can detect this on my logging into my bank's web page. Yet McAfee Security Center (fully updated) cannot detect it. Neither can any of the major free spyware detection tools. Currently my bank has switched off my user account until this is resolved. Any advice would be highly appreciated.

       

      on 26/06/11 8:05:04 EDT AM
        • 1. Re: Webmoney Advisor
          Peacekeeper

          Look, I am not familiar with that program, though I see heaps of Google hits re it.

           

          If you or your bank thinks it is suspect, their uninstallation method is to remove it via add/remove programs (XP) or its equivalent in Win7. Also disable/remove any browser add-ins in IE or FF etc.

           

          Then

           

          If you think you have a virus infection on your PC do one or both of the following :

          - Run the free McAfee Stinger program from http://vil.nai.com/vil/stinger/

           

          - Download here the latest version of McAfee's new tool GETSUSP: https://community.mcafee.com/thread/32269

          Add your email to the program preferences so McAfee can reply if they think it is suspect.

           

          Before you use Getsusp, you should go to this document

          https://community.mcafee.com/docs/DOC-1323

          and download the PDF file explaining what Getsusp is and how it works, and this document

          https://community.mcafee.com/docs/DOC-1761

          which downloads the installation guide PDF document.

           

          If you want another opinion, or to be on the safe side, then you can do a scan with the free versions of these tools :

          Malwarebytes and SuperAntiSpyware

          • 2. Re: Webmoney Advisor

            Thank you for your prompt response. I have tried Malwarebytes and SuperAntiSpyware and they found nothing. I am busy running Stinger. I will try GETSUSP later today. This is a very strange situation: the Bank can remotely detect the problem, yet I cannot detect it locally using reputable tools.

            I also tried "remove it via add/remove programs (XP) or its equivalent in Win7. Also disable/remove any browser addins in IE or FF etc."

            Web Money Advisor does not appear in any of these places so cannot be removed. Any further advice will be highly appreciated.

             

            Thanks, James

            • 3. Re: Webmoney Advisor
              Peter M

              Another thing to try as it seems nothing else is working would be to run Hijackthis and post its log on one of the specialist forums (you choose) dealing with those logs.  Explain the problem.  They will advise what to do.

               

              Be patient with them, they are extremely busy.

               

              DOWNLOAD HIJACKTHIS

               

              Do not post Hijackthis logs here, we can't help with  those!

               

              Post the logs at a specialist Forum:

               

              AUMHA

               

              BLEEPINGCOMPUTER

               

              MAJOR GEEKS

               

              MALWAREBYTES

               

              MALWARE REMOVAL

               

              SPYWAREHAMMER

               

              SPYWARE INFO

               

              WHATTHETECH

               

              Be sure to read all the sticky announcements/instructions at the top of each malware forum!

               

              Message was edited by: Ex_Brit on 26/06/11 8:09:11 EDT AM
              • 4. Re: Webmoney Advisor

                Hi Tony,

                 

                I tried GETSUSP today as well and it turned up one suspicious file, virtualcamera.a_, and this has been submitted to the McAfee labs and I received confirmation. This was installed by the manufacturer (Asus) of the laptop when the computer was in production. So next I will try what Peter suggests above. It is very strange that the bank has detected this Trojan remotely, yet with all these tools I cannot detect it locally. I would welcome any more inputs or suggestions. The Bank is taking this very seriously and has locked me out of all the Bank's online banking. So they are highly confident that I have a problem on this computer.

                • 5. Re: Webmoney Advisor

                  So far the only tool to detect anything on my computer has been Exterminate It. It reports I have Zlob.dns changer on my computer. I believe this is a false positive and have not taken any action (I have not paid the activation fee...). Does anyone have any input on this? This appears to not be related to Webmoney advisor at all.

                  • 6. Re: Webmoney Advisor

                    The only reference I can find to Webmoney advisor is:

                     

                    http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=101042

                     

                    "Once installed, the Trojan captures data from HTTPS sessions, specifically to several banking sites. Domains containing any of the following strings are targeted:

                    Captured data is then sent via HTTP to be processed by a script residing on a remote server:

                    • www.refestltd.com

                     

                    Administrators should block HTTP access to this domain." This is exactly what my bank is warning me of. So they must be detecting something of this type. I have the latest McAfee Security Center running with all the latest updates. So I am mystified why this has not been detected.

                    • 7. Re: Webmoney Advisor
                      Peacekeeper

                      This is strange. McAfee says 2004 detection. All I can say is they, the makers, have changed the code and McAfee and all others now do not detect it, or it is considered legit, though your bank seems to deny this is the case.

                       

                      Will ask in our meeting

                      • 8. Re: Webmoney Advisor

                        Thanks Tony. I look forward to the feedback from the meeting.

                        • 9. Re: Webmoney Advisor
                          Peter M

                          Zlob.dns changer is a member of the Smitfraud class of trojans and as such can steal banking information.  That Hijackthis suggestion might be a good one.
