JS:Banker-IC help

Hi,

Recently Avast has been giving me warnings that it has blocked a “JS:Banker-IC” trojan. This happens when opening any program (or even trying to do things such as update Avast or Firefox) or download any file. I don’t remember opening anything or visiting any website that could have given me this, and Avast and Malwarebytes scans come up with nothing. I have no idea what to do or how dangerous this is to my online passwords. Help please?

Here are my Malwarebytes log, OTL log, and aswMBR log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.22.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Arnand :: ARNAND-HP [administrator]

6/22/2012 7:53:57 PM
mbam-log-2012-06-22 (19-53-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210464
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

essexboy or jeff will arrive to help later this evening ;D

I see that you have run ComboFix; could you attach the log please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab.
Remove the tick from “Start with Windows”.
Reboot and then run OTL.

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Yes sir here are the logs.

Is Avast still warning about this? If so, what file does it reference?

Yes it is. It references whatever file I’m running or trying to run at the time. Everything from the Avast updater to Firefox to Skype, etc. Sometimes it references a “wpad.dat”.

Do you use a proxy to get online ?
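The file named in the warning above, wpad.dat, is the proxy auto-configuration (PAC) script that Windows fetches when “Automatically detect settings” (WPAD) is enabled, and a PAC file is JavaScript, which is why a script detection can be attributed to whatever process happens to trigger a proxy lookup. The following PowerShell is an added example, not part of the thread and not an Avast or OTL tool, that a defender can run to inventory the settings that decide whether such a script is fetched, and to locate any cached copy so it can be inspected or submitted as a sample. The registry locations and the flag bit are the standard WinINET ones; the `wpad*.dat` cache search and the `wpad` DNS lookup are assumptions about where a copy would be found on this machine, not something the thread confirms.

```powershell
# Added example: read-only inventory of proxy / WPAD configuration on a Windows box.
# Nothing here changes settings or deletes files; it only reports.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxySettings {
    # Per-user WinINET settings used by IE, Skype and most desktop apps.
    $s = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        $value = $s.$name
        if ($null -eq $value) { $value = '<not set>' }
        $result[$name] = $value
    }
    # DefaultConnectionSettings: bytes 0-3 version, 4-7 change counter, 8-11 flags.
    # Flag 0x08 in the flags DWORD is "Automatically detect settings" (WPAD).
    $blob = (Get-ItemProperty -Path (Join-Path $inetKey 'Connections') `
                -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($blob -and $blob.Length -gt 8) {
        $result['AutoDetect(WPAD)'] = (($blob[8] -band 0x08) -ne 0)
    } else {
        $result['AutoDetect(WPAD)'] = '<unknown>'
    }
    return $result
}

function Get-WpadHostResolution {
    # Does a host literally named "wpad" resolve on this network? (assumption: that is
    # where auto-detect would fetch wpad.dat from; a DNS miss simply returns nothing)
    try {
        return [System.Net.Dns]::GetHostAddresses('wpad') | ForEach-Object { $_.IPAddressToString }
    } catch {
        return @()
    }
}

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so it also works on Windows 7's PowerShell 2.0 (no Get-FileHash there).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }
}

function Get-CachedWpadScripts {
    # Assumption: a fetched PAC script is cached under the user's local profile as wpad*.dat.
    Get-ChildItem -Path $env:LOCALAPPDATA -Recurse -Force -Filter 'wpad*.dat' `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path          = $_.FullName
                Bytes         = $_.Length
                LastWriteTime = $_.LastWriteTime
                Sha256        = Get-Sha256Hex $_.FullName
            }
        }
}

Write-Host '== WinINET proxy settings (HKCU) =='
Get-WinInetProxySettings | Format-Table -AutoSize

Write-Host '== WinHTTP proxy (used by services and the Avast updater) =='
netsh winhttp show proxy

Write-Host '== Hosts named wpad resolvable from here =='
$wpad = Get-WpadHostResolution
if ($wpad.Count -eq 0) { Write-Host '(none)' } else { $wpad }

Write-Host '== Cached wpad*.dat files under the profile =='
$cached = @(Get-CachedWpadScripts)
if ($cached.Count -eq 0) { Write-Host '(none found)' } else { $cached | Format-List }
```

Run it from an elevated PowerShell prompt on the affected machine. If AutoDetect reports `True` and a `wpad` host resolves, the machine is fetching a PAC script from the network, and the listed cache file (with its SHA-256) is the thing to open in a text editor or hand to the AV vendor; a PAC file that only returns `"DIRECT"` or a known corporate proxy is the boring case, and a detection on it is worth reporting as a false positive rather than acting on.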

Run Farbar Service Scanner.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

No, I don’t. Here you go.

OK, let's now delve really deep.

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

Download GMER Rootkit Scanner from here or here.

- Extract the contents of the zipped file to the desktop.
- Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run a scan… click on NO.


http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg

Click the image to enlarge it

- In the right panel, you will see several boxes that have been checked. Uncheck the following …
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:)
  - Show All (don’t miss this one)

- Then click the Scan button & wait for it to finish.
- Once done click on the [Save…] button, and in the File name area, type in “Gmer.txt” or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
Caution
Rootkit scans often produce false positives. Do NOT take any action on any “<— ROOKIT” entries.

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Here you go. Only hit is a videogame that I’ve had installed for months with no problem, so I’m assuming it’s a false positive. Although Gmer would only let me scan for Services, Registry, and Files… all other boxes were untickable.

This programme will produce a zip file for me to analyse; the forum does not allow this type of attachment, so could you upload it to a file sharing site or Dropbox for me to collect?

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.

Click the cog in the upper right.

http://dl.dropbox.com/u/73555776/Kas%20front.JPG

Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.

http://dl.dropbox.com/u/73555776/Kas%20Scan%20area.JPG

Allow AVP to delete all infections found.
Once it has finished, select the Report tab (last tab).
Select Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.

Now the Analysis

Rerun AVP, select the Manual Disinfection tab and press Start Gathering System Information.

http://dl.dropbox.com/u/73555776/kas%20manual.JPG

On completion, click the link to locate the zip file, then upload it and attach it to your next post.

http://dl.dropbox.com/u/73555776/Kas%20Zip.JPG

Hello,

I too suddenly have this exact same problem. I have done a boot-time scan… Avast detects the virus but for some reason, it does not get deleted. When I start my PC Avast throws up the message…

A script started by c:\…\AvastUI.exe
JS:Banker-IC[Trj]
Process: c:\Program Files\…\AvastUI.exe

Sometimes when opening a browser the process is “AvastUI.exe”.

I am fastidious about security & have no idea where this came from. My OS is Windows 7 & I use IE 8.

Any insight would be sincerely appreciated.

Geoff Pearson

If you’ve been fastidious too, perhaps it is a problem with Avast? I’ve certainly had no luck getting anywhere so far, although I will report back in once the Kaspersky scan is done (which will be a while, estimating 16 hours now).

That has crossed my mind too. I might give Kaspersky a go overnight.

GP

I am also suffering with the same JS:Banker-IC issue. I receive the warning message from Avast when I open IE(9), Skype and Avast.

Have run Avast virus scan and the boot time scan, which both claim to have deleted the virus, but it reappears.

I have also run MBAM and even installed Microsoft Security Essentials, both returned 0 infection results.

Please help as I am pulling my hair out here!

Thanks

Paul

Start your own topic in the Virus and Worms section, where you attach the requested logs.

Follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

I am wondering whether this is a false positive; could you manually update the virus definitions and see if it still occurs?

Kaspersky came up with nothing. All of my virus definitions are up to date so I can’t manually update… I’ll try uninstalling and reinstalling Avast in a bit and see what happens.

OK, this is really weird, as I am not seeing anything that would cause this.

I keep getting this “JS:Banker-IC [Trj]” thing come up too… I’ve already run Sophos Anti-Rootkit as well as Spybot/Ad-Aware and PC Matic before seeing this entry… none of the above came up with anything…