Banker-dpn

Have just set up an online banking account. Avast is now finding a Trojan - AO043178.exe, a Win32:Banker-DPN(tri).
Google suggests this is malware etc. Any help out there???

I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Being a non-tech sort of person, is AO043178.exe an actual program??

Probably not… could really be a virus…
You can test it with VirusTotal and let us know the result.

To Tech

Thanks for your info.
I have run all the spyware programs you mentioned and it seems to have been secured in the AVAST Chest.

However I have some more concerns.

First, I did not find this Malware until I requested Avast to do a scan. If this Trojan Spy is already on Avast’s list, why didn’t it pick it up when it downloaded to my computer?

Secondly, Google says it is a hacker’s program to get hold of financial details. I think now that it somehow piggybacked on some free, now unknown, program in November 2007 and undetected.
As I did not find it until after I had set up online banking (full name, address, bank details, passwords etc), does it mean that the hacker has been able to take all my details?

Finally, how can I or the bank find out where it came from, as all I have is the type of trojan and a single line ending ‘exe’? Any ideas? By any chance, it wouldn’t be just part of the bank’s Java security program that AVAST thinks is a Trojan-spy??
Worried over Identity theft…

Options:

  1. Either the detection signature was added after you downloaded the file.
  2. Or your Standard Shield settings aren’t the default ones (scanning exe files while copying).

I cannot be sure… but, there is such a possibility. If you let the file be executed before avast could detect it and block it… yes, sorry. I suggest that you change your on-line banking passwords.

Did you submit the file to VirusTotal?

To Tech
Thanks once again for further info.
I presume when you say ‘your Standard Shield settings aren’t the default ones (scanning exe files while copying)’, I guess you mean that Standard Shield setting should be set at normal.

Also the Banker-dpn information is in the Avast Chest, but it says it was in System Volume Information. How would I get the offending file out of ‘storage’ to send to VirusTotal?

Now that Avast has it in its Chest, do I assume that it is no longer hidden in my files??

MB

Normal is the best balance between protection and performance. Keep it on this level.

From the Chest you can right click it and extract, for example, to a USB drive. Take care handling that infected file, though.
If it is in the Chest, and you run a full (thorough) scan with avast, most probably the file is not on your computer (only in the Chest, safely there).

Tech, wouldn’t extract be better? You can then select a destination for the file so you can test it.

I’m sure restore will put it back in the original location.

Yes, sure. I thought one thing and wrote the other. Sorry.

To Tech

Thanks again to you and Oldman for info.
There were two banker-dpn in chest but only the one below would upload to VT. This is their result.
Now they have been extracted, does it mean they are deleted from chest or can I delete them?

File A0043944.exe received on 03.10.2008 09:58:59 (CET)

Result: 1/32 (3.13%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.10 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.09 Win32:Banker-DPN
AVG 7.5.0.516 2008.03.09 -
BitDefender 7.2 2008.03.10 -
CAT-QuickHeal 9.50 2008.03.08 -
ClamAV 0.92.1 2008.03.10 -
DrWeb 4.44.0.09170 2008.03.10 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.09 -
FileAdvisor 1 2008.03.10 -
Fortinet 3.14.0.0 2008.03.10 -
F-Prot 4.4.2.54 2008.03.09 -
F-Secure 6.70.13260.0 2008.03.10 -
Ikarus T3.1.1.20 2008.03.10 -
Kaspersky 7.0.0.125 2008.03.10 -
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 -
NOD32v2 2933 2008.03.10 -
Norman 5.80.02 2008.03.07 -
Panda 9.0.0.4 2008.03.09 -
Prevx1 V2 2008.03.10 -
Rising 20.35.00.00 2008.03.10 -
Sophos 4.27.0 2008.03.10 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.10 -
TheHacker 6.2.92.239 2008.03.09 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.09 -
Webwasher-Gateway 6.6.2 2008.03.10 -
Additional information
File size: 1963612 bytes
MD5: cabf3bf645ba9a66d5c5f766fbec2764
SHA1: bee6a0b5dea0ee4ff6f70315105d4db4c847d34f
PEiD: -
packers: Execryptor, Execryptor

Seems indeed a false positive. Please, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
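
The rows of the report pasted above can be tabulated to see which engines flagged the file and how fresh each engine's signatures were at scan time. This is an added example, not part of any post in this thread; the row layout is taken from the pasted report, the rows are an excerpt of it, and the 3-day staleness threshold is an assumption.

```python
import re
from datetime import date

# Excerpt of the rows quoted in the thread: engine, version, last update, result.
REPORT = """\
AntiVir 7.6.0.73 2008.03.10 -
Avast 4.7.1098.0 2008.03.09 Win32:Banker-DPN
ClamAV 0.92.1 2008.03.10 -
FileAdvisor 1 2008.03.10 -
Prevx1 V2 2008.03.10 -
Sunbelt 3.0.930.0 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.09 -
"""

ROW = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
                 r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$")

def parse_report(text):
    """Return one dict per engine row; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        y, mo, d = map(int, m["updated"].split("."))
        result = m["result"].strip()
        rows.append({
            "engine": m["engine"],
            "version": m["version"],
            "updated": date(y, mo, d),
            "detection": None if result == "-" else result,  # "-" means clean
        })
    return rows

def summarize(rows, scanned_on, stale_days=3):
    """Detection ratio, flagging engines, and engines with old signatures.

    stale_days is an assumed threshold, not something the report defines.
    """
    hits = [r for r in rows if r["detection"]]
    return {
        "ratio": f"{len(hits)}/{len(rows)}",
        "flagged_by": {r["engine"]: r["detection"] for r in hits},
        "single_engine": len(hits) == 1,
        "stale_engines": sorted(r["engine"] for r in rows
                                if (scanned_on - r["updated"]).days > stale_days),
    }

if __name__ == "__main__":
    print(summarize(parse_report(REPORT), date(2008, 3, 10)))
```

A single-engine result only narrows the question; the sample still has to go to the vendor for analysis, as requested in the reply above.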

To Tech

Thanks for all help.
Will send off to Avast. If any more problems will contact.
Closing enquiry.

To Tech
Further to my last message.

When I go to chest the offending items have disappeared. It seems they went after I extracted the file to VT.

So guess they are nowhere on my computer.

When restoring or extracting, the file is kept in the Chest.
It’s only removed if you manually delete it in the Chest.

To Tech
I realised as soon as I sent message that I had deleted from Chest. So guess off machine now.
Again thanks for all your help.

You’re welcome. Feel free to come back any time you need help or just to exchange experiences 8)