Another cry for help with JS:Banker-IC [Trj]

I am another victim of this weird Trojan.

This happens every time I open Skype;
Infection Details
URL:“hxxp://wpad.net.ms/wpad.dat”
Process: "C:\Program Files (x86)\Skype\Phone\Skyp…
Infection:“JS:Banker-IC [Trj]”

I also get similar problems when opening the Avast software
URL:"A script started by C:\Program Files\AV…
Process:"C:\Program Files\AVAST Software\Avast\A…
Infection:“JS:Banker-IC [Trj]”

as well as when opening IE 9 to my google.co.uk homepage (although it doesn’t happen every time).

Avast Webshield scan logs show many of the following blocked;
hxxp://wpad.net.ms/wpad.dat
hxxp://85.214.17.43/wpad.dat

I have reset my router, run avast virus scanner and boot time scanner, which find and remove the virus, but it appears to come straight back. I also tried installing Microsoft Security Essentials, which found nothing. It only occurs on one PC in the house.

Logs as requested;

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.22.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Paul :: PAUL-THINK [administrator]

24/06/2012 18:07:45
mbam-log-2012-06-24 (18-07-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202379
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Any help would be appreciated!

Many thanks,

Paul

In the other topic essexboy thought this might be a false positive detection on the hXXp://wpad.net.ms/wpad.dat file, and given that several other checks come up clean, I think it may be an FP also.

http://sitecheck.sucuri.net/results/wpad.net.ms/wpad.dat
https://www.virustotal.com/url/cc2bd9369482084a82ebfc309f3265eef30683653d406faccaabc52edbbaa72a/analysis/1340577588/
http://urlquery.net/report.php?id=74739

This is a scan of the actual file, https://www.virustotal.com/file/037f8fc1df550207679c384569be85b1cde1e9d5a20910c3e6edc4124372d4f2/analysis/1340578209/ with only 4/41 detections, one of those being GData, which uses avast as one of its two scanners.

I have reported this to avast for further investigation.

Thanks DavidR. Keeping my fingers crossed for a FP!

You’re welcome.

Update:
I have had a reply from one of the avast virus labs and they state that it isn’t a false positive.

Hi DavidR,

this is not a false positive, for sure. Also the domain will be blocked
in the next stream update.

The detected file is malformed proxy autoconfiguration → more info can
be found here: http://en.wikipedia.org/wiki/Proxy_auto-config

Best Regards

What I’m not sure of is the context of this in regard to the process responsible:

Infection Details
URL:"hXXp://wpad.net.ms/wpad.dat"
Process: "C:\Program Files (x86)\Skype\Phone\Skyp...
Infection:"JS:Banker-IC [Trj]"

Were you actually using Skype when this occurred, and/or do you even have it installed?

In your quote above I have changed http to hXXp to break the link and avoid accidental exposure; can you do the same in your first post, using the modify button?
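The lab reply above calls the detected file a malformed proxy auto-configuration. A PAC file is JavaScript that defines FindProxyForURL(url, host) and returns a directive such as "DIRECT" or "PROXY host:port", so the thing a defender wants to know about a suspicious wpad.dat is which proxies it can hand out and for which hosts. The script below is an added example, not the file from this thread or anyone's code from it; the PAC text inside it is constructed (the 192.0.2.x address and example domains are placeholders), and the parser is a deliberately simple regex pass that understands the common if-return shape, not a full JavaScript interpreter.

```python
"""
Static inspection of a proxy auto-config (PAC) file from a defender's point of view:
list the proxy endpoints FindProxyForURL can return, record which host patterns are
routed to them, and flag the two things worth a closer look (a proxy that is a bare IP
address, and proxying that applies only to selected hosts).
Added example; the PAC below is constructed, not the file discussed in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample PAC (hypothetical domains and a documentation-range IP address).
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
        return "DIRECT";
    if (shExpMatch(host, "*.examplebank.test") || host == "login.examplebank.test")
        return "PROXY 192.0.2.10:8080; DIRECT";
    return "DIRECT";
}
'''

# "if (<condition>) return "<directives>";" pairs, condition may span lines.
IF_RETURN_RE = re.compile(r'if\s*\((.*?)\)\s*return\s+"([^"]*)"\s*;', re.S)
# Host patterns used in the usual PAC matching helpers, or a direct host == "..." test.
PATTERN_RE = re.compile(
    r'(?:dnsDomainIs|shExpMatch|localHostOrDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"'
    r'|host\s*==\s*"([^"]+)"')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


@dataclass
class PacReport:
    proxies: list = field(default_factory=list)   # non-DIRECT directives, deduplicated
    routed: dict = field(default_factory=dict)    # host pattern -> full return value
    findings: list = field(default_factory=list)  # points a reviewer should look at


def _proxy_directives(return_value):
    """Split 'PROXY a:1; DIRECT' into its non-DIRECT directives, whitespace normalised."""
    out = []
    for d in return_value.split(";"):
        d = " ".join(d.split())
        if d and d.upper() != "DIRECT":
            out.append(d)
    return out


def parse_pac(text):
    report = PacReport()
    for cond, ret in IF_RETURN_RE.findall(text):
        directives = _proxy_directives(ret)
        if not directives:
            continue  # this branch goes DIRECT; nothing is routed through a proxy
        for d in directives:
            if d not in report.proxies:
                report.proxies.append(d)
        for a, b in PATTERN_RE.findall(cond):
            report.routed[a or b] = ret
    for d in report.proxies:
        parts = d.split(" ", 1)
        hostport = parts[1] if len(parts) > 1 else ""
        host = hostport.rsplit(":", 1)[0]
        if IPV4_RE.match(host):
            report.findings.append(f"proxy is a bare IP address: {d}")
    if report.routed:
        report.findings.append(
            "only specific hosts are proxied: " + ", ".join(sorted(report.routed)))
    return report


if __name__ == "__main__":
    r = parse_pac(SAMPLE_PAC)
    print("proxies:", r.proxies)
    for line in r.findings:
        print("finding:", line)
```

Run it against a wpad.dat saved from a sandbox rather than the live URL; a PAC that sends only a handful of hosts through a proxy, or through a proxy given as a raw IP address, is the pattern that deserves attention when the rest of the file looks like an ordinary corporate configuration.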

OK that gives me an area to look at ;D

FIRST

- Go to Control Panel
- Select Internet Options.
- Click the Connections tab.
- If you are using a LAN, click the LAN Settings button. If you are using a Dial-up or Virtual Private Network connection, select the necessary connection and click the Settings button.
- Make sure the ‘automatically detect proxy settings’ is checked
- Make sure the ‘use a proxy automatic configuration script’ option is not checked.

https://dl.dropbox.com/u/73555776/Lan%20settings.GIF

THEN

- Run OTL.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings /s
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs

Thanks for joining this topic, I don’t know if it might also help with the other JS:Banker-IC [Trj] topic/s.

Yup going to try this or a variation on them all

Thanks for all your continued help.

The Skype warning appears when opening Skype.

Internet LAN settings were already set to what you recommended.

As requested, I have attached the OTL log (saved in ANSI format)

Thanks again and let me know what I should explore next.

Paul

I made a slight error with the reg request, I am afraid. Could you run a quick scan with this custom scan please? :-[

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections /s

Not a problem at all. Attached as requested.

I am still trying to locate where this is running from. I currently suspect a dat file, but I will still need to confirm some things.

OK, next step: I will reset the reg setting for that area.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"WinHttpSettings"=hex:28,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,\
  00

Copy everything in the above code box to a notepad file
Save the file as HTTP.reg
In the drop down box select all files to save it as a reg file to your desktop

https://dl.dropbox.com/u/73555776/Save%20Host.jpg

The icon will look like this

https://dl.dropbox.com/u/73555776/regicon.GIF

Right click the file and select merge
Accept the warnings
Start IE and see if the alerts are still present
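The .reg file above writes a fixed binary blob into WinHttpSettings, which is the WinHTTP proxy configuration used by services and non-browser processes such as Skype and the Avast updater (as opposed to the per-user Internet Explorer settings). The script below is an added example, not part of the thread's own instructions, that decodes that blob so you can see what the reset actually sets, and encodes a named-proxy value so the same decoder can be checked against a non-empty configuration. The layout it assumes (a 0x28 header DWORD, a reserved DWORD, an access-type DWORD where 1 is direct and 3 is a named proxy, then a length-prefixed proxy string and a length-prefixed bypass list, both ASCII) is not officially documented by Microsoft; it is an assumption taken from how this value is commonly read, and it matches the 20-byte reset value quoted in the post.

```python
"""
Decode and encode the WinHttpSettings registry value that the .reg file in the thread
resets. The 20-byte value quoted there is the one written by "netsh winhttp reset proxy".
Added example; the structure layout is an assumption (undocumented), described in the
lead-in, and the named-proxy value built below is constructed for illustration.
"""
import struct

# Taken from the .reg text in the thread (continuation line joined by the parser below).
RESET_REG_TEXT = r'''
"WinHttpSettings"=hex:28,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,\
  00
'''

# Assumed meaning of the access-type DWORD (mirrors the WINHTTP_ACCESS_TYPE_* values).
ACCESS_TYPES = {0: "DEFAULT_PROXY", 1: "NO_PROXY (direct)", 3: "NAMED_PROXY"}
HEADER_MAGIC = 0x28


def reg_hex_to_bytes(reg_text):
    """Extract the bytes of a 'hex:' value from .reg syntax, honouring '\\' line continuations."""
    joined = "".join(line.strip().rstrip("\\") for line in reg_text.splitlines())
    _, _, hexpart = joined.partition("hex:")
    return bytes(int(h, 16) for h in hexpart.split(",") if h)


def decode_winhttp_settings(blob):
    """Return {'access', 'proxy', 'bypass'} for a WinHttpSettings blob (assumed layout)."""
    if len(blob) < 16:
        raise ValueError("WinHttpSettings blob too short: %d bytes" % len(blob))
    magic, _reserved, access, proxy_len = struct.unpack_from("<IIII", blob, 0)
    if magic != HEADER_MAGIC:
        raise ValueError("unexpected header DWORD 0x%x" % magic)
    off = 16
    proxy = blob[off:off + proxy_len].decode("ascii")
    off += proxy_len
    bypass = ""
    if len(blob) >= off + 4:
        (bypass_len,) = struct.unpack_from("<I", blob, off)
        off += 4
        bypass = blob[off:off + bypass_len].decode("ascii")
    return {"access": ACCESS_TYPES.get(access, "unknown(%d)" % access),
            "proxy": proxy, "bypass": bypass}


def encode_winhttp_settings(proxy="", bypass=""):
    """Build a blob in the same assumed layout; empty proxy means direct access (type 1)."""
    p = proxy.encode("ascii")
    b = bypass.encode("ascii")
    access = 3 if p else 1
    return (struct.pack("<III", HEADER_MAGIC, 0, access)
            + struct.pack("<I", len(p)) + p
            + struct.pack("<I", len(b)) + b)


if __name__ == "__main__":
    blob = reg_hex_to_bytes(RESET_REG_TEXT)
    print("reset value:", decode_winhttp_settings(blob))
    # Constructed named-proxy configuration, round-tripped through the decoder.
    named = encode_winhttp_settings("proxy.corp.example:8080", "<local>")
    print("named proxy:", decode_winhttp_settings(named))
```

To compare against a live machine, export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections with regedit and feed the exported value line to reg_hex_to_bytes; a decoded result showing NAMED_PROXY pointing at a host you do not recognise is what this reset is meant to clear.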

Thank you for your time, as always!

Registry keys and values added to the registry successfully… Unfortunately, the Avast alerts are still present :(

Unfortunately I am still trying to determine which file is responsible… When was the first time that this appeared? That way I can narrow down the time frame to search for the responsible dat file.

I’m pretty sure it occurred on Friday evening or Saturday morning when I downloaded an Adobe format menu from the following website;

hxxp://princealberttwickenham.co.uk/

If nothing else good comes out of this, the Thai food they sell was amazing. Highly recommended…it just may be best to wait until you get to the pub to read the menu!

Thanks as always

OK then, if you are ready I will start some searches.

Use the following OTL custom scan please:

c:\windows\system32\*.dat /5
/md5start
Winhttp.*
/md5stop

Attached, as requested. I’m glad you can make sense of these logs!

OK analysing now

Hi… I have this same issue…

hxxp://85.214.17.43/wpad.dat JS:Banker-IC
hxxp://wpad/wpad.dat JS:Banker-IC

Do I need to start my own thread to get this sorted? Or just follow the steps once there’s a solution to the cause?

Thanks

Yes, please do so.