JS:Banker-D

Hi, everyone!

Every time I open a browser window or tab, Avast gives me an alert about the JS:Banker-D Trojan horse. I simply can’t get rid of it. Could you help me?
Thanks!
I’m running Mozilla Firefox 3.6.13 on Windows Vista SP2.

Hi.

Follow these instructions:
http://forum.avast.com/index.php?topic=53253.0

*Post mbam log reports & OTL.txt back to topic.

Thank you for your time, magna86.

This is the mbam log. The software is in Portuguese, but I think it won’t be a problem, since nothing was detected - I already ran mbam two days ago. “(Não foram detectados ítens maliciosos)” means “no malware was detected”:

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versão da Base de Dados: 5683

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

05/02/2011 12:35:27
mbam-log-2011-02-05 (12-35-27).txt

Tipo de Verificação: Verificação Rápida
Objetos escaneados: 145629
Tempo decorrido: 6 minuto(s), 9 segundo(s)

Processos de Memória Infectados: 0
Módulos de Memória Infectados: 0
Chaves de Registro Infectadas: 0
Valores de Registro Infectados: 0
Itens de Dados no Registro Infectados: 0
Pastas Infectadas: 0
Arquivos Infectados: 0

Processos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:
(Não foram detectados ítens maliciosos)

Valores de Registro Infectados:
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Infectados:
(Não foram detectados ítens maliciosos)

Pastas Infectadas:
(Não foram detectados ítens maliciosos)

Arquivos Infectados:
(Não foram detectados ítens maliciosos)

I’ll attach the OTL logs, ok?

Thanks for your help!

A little more information would be good so we could give you better support.

What OS are you using?

What file is Avast alarming on as malware?

Have you tried a boot scan with Avast?

http://www.schmahl.net/avastbootscan.php - instructions on how to schedule a boot scan in Avast version 5.

good luck

Ok, Mikael, thanks!

OS is Windows Vista (Windows 6.0.6002 Service Pack 2)

Avast is alarming about:
Object: hXXp://wXwXw.wXinXdoXwsX72X.neXt/X0xfX04X.pac
Infection: JS:Banker-D [Trj]

I’ll run a boot scan now to see what happens…

Thanks!

Do this:
Open Firefox > Click on “Tools” > Check what you have in the Initial Page bar > Change it to www.google.com

Close Firefox and open again. See if the problem persists.
And… can you disable the active link, please? Put hxxp:// instead of http://
Thanks.

Try this

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-572750711-2804780265-2420130312-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = hxxp://www.windows72.net/0xf04.pac

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Mikael, I ran a boot scan and nothing was found. Thanks anyway.

Silk0, I changed the home page, but the problem persists… Thank you anyway.
I also disabled the active link. I’m sorry.
I’ll write a bit in Portuguese, because we speak the same language (I’m Brazilian).
My friend, thanks for the help, but it didn’t work. I’ll follow the recommendation of the other forum member just above. Big hug!

If you run the OTL fix I posted it should clear it ;D

essexboy, thank you SO much!
I think… I think everything is ok now! Am I dreaming?! lol
What the hell did you all just do? Some kind of magic, my friends?!
8)
I can’t believe it worked… I’ll reboot and give this damn JS:Banker another try. lol

Here are the logs (the first one showed up right after rebooting the system).

IT WORKED! It really, really worked!
I’d like to thank you essexboy, Silk0, mikaelrask and magna86 for your time and help.

I’m speechless.
Good night, good bye, take care.
Thanks again from Brazil,
:- )

Internet Settings: "AutoConfigURL" = hxxp://www.windows72.net/0xf04.pac
It was autoconfiguring all URLs to be routed via this site. Unfortunately, no malware removal tools check this area as there are too many variables.

Run OTL and hit the cleanup button now ;D
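
The AutoConfigURL setting named in the post above can be checked directly for every loaded user profile. The following PowerShell is an added example, not part of the original thread or of OTL; it only reads the registry, assumes PowerShell 3.0 or later, and the `Kind` labels are this example's own.

```powershell
# Added example: read-only audit of proxy auto-config settings (assumes PowerShell 3.0+).
# Run elevated to read other users' hives; only hives of logged-on users are loaded.
$keys = @(
    'Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)

# Roots: machine-wide hive plus every loaded per-user hive (skip the *_Classes hives).
$roots = @('Registry::HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)" }

$findings = foreach ($root in $roots) {
    foreach ($key in $keys) {
        $path  = "$root\$key"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if (-not $props) { continue }

        $pac   = $props.AutoConfigURL
        $proxy = if ($props.ProxyEnable -eq 1) { $props.ProxyServer } else { $null }
        if (-not $pac -and -not $proxy) { continue }

        # A PAC on local disk or fetched over plain HTTP deserves a closer look.
        if (-not $pac) {
            $kind = 'static proxy only'
        } elseif ($pac -match '^(file:|[A-Za-z]:\\)') {
            $kind = 'local PAC file'
        } elseif ($pac -match '^http://') {
            $kind = 'remote PAC over plain HTTP'
        } else {
            $kind = 'remote PAC'
        }

        [pscustomobject]@{
            Key           = $path
            AutoConfigURL = $pac
            ProxyServer   = $proxy
            Kind          = $kind
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No proxy or auto-config settings found.' }

# To clear a value you have confirmed is unwanted (not run by this script):
#   Remove-ItemProperty -Path '<Key from above>' -Name AutoConfigURL
```

Any entry the machine's administrator did not configure is worth reviewing before it is removed.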

And now that it is solved, can the posts with the active link to the site be deactivated? :slight_smile:
(ones containing the fix)

Did it!
:- )

It is still there in the post where you quoted essexboy’s fix, in Reply #10 (http://forum.avast.com/index.php?topic=70760.msg593483#msg593483). Although the quoted text is his, it is in your post so you can also modify that and change the http to hxxp.

Or are you talking about the cleanup of OTL ?
If so you also have to modify your post to prevent accidental exposure to a malicious site.

I’m sorry David, I missed that one… I think it’s ok now.
Thank you, my friends!

Oh, I get it… Very clever. ;D
Thanks, man!

I believe I’ve found the answer to this one. It’s a registry setting located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
There should be a key named AutoConfigURL which points to a text file located on your PC. Mine was named KB_Beast.txt (Beast being the name of my PC). This text file had loads of banking sites, Hotmail, Gmail, PayPal sites listed. I deleted the value for the AutoConfigURL key and haven’t had any warnings since. On the plus side, it seems Avast has been blocking this script from running. I hope this helps in your case as well.

Regards

@SlaineMacRoth did you check the date on this topic ?

last post was feb 2011 :wink: