I do not believe it to be a false positive now, as I am getting no indication of this on either XP or 7.
Is it on any specific page or any specific browser?
Still getting the warnings after reinstalling. It isn’t on any specific browser, both Firefox and Chrome bring up the warnings. The objects I’ve seen that bring up the warning are anything that requires a connection to the net (Firefox, Chrome, Skype, wpad.dat, avast.setup, etc.)
Do you connect via a router? And do any other computers using it experience the same problem?
Yes I do. And I don’t have access to the other computers right now, so I don’t know.
It may well be worth resetting the router.
Do you know how to do that?
What is the router model?
I’m thinking the same thing, see http://forum.avast.com/index.php?topic=100088.msg799230#msg799230, my reply to a new topic started by pevans8180 in response to request by Pondus.
I have submitted it to avast for analysis.
I recall that this started happening right after Avast did an automatic virus definition update. I don’t have anything else that does auto updates on my PC & I hadn’t been doing anything out of the ordinary so… I wonder, could this be Avast itself that is corrupted?
Not corrupt as such, but a virus definitions update could have modified a signature that now detects a file as infected by JS:Banker-IC.
However, yours is slightly different to this and the other topic, as this was on a website file but with the same JS:Banker-IC signature; an update of this could have implications across many files.
Yours, however, refers to a script:
A script started by c:\...\AvastUI.exe JS:Banker-IC[Trj] Process: c:\Program Files\...\AvastUI.exe
Normally I would say that you should submit the file detected to avast for further analysis, but I don’t see how you can send a script as there is no reference to the script, just the file starting it.
I should have been more clear earlier, but the same thing (getting a warning for a script) is also what’s happening to me most of the time, with the .exe’s (of Firefox, Avast, etc.) being the objects that start the script. The only warnings that aren’t associated with a script seem to be for wpad.dat.
OK, that is what I have sent off for analysis, but that doesn’t mean it’s the same file or site, just the one I investigated from the other topic.
I have received a reply in relation to my submission for analysis, to the issue in the other topic (not considered an FP), http://forum.avast.com/index.php?topic=100088.msg799388#msg799388.
Hi, I am trying this on some others now that Avast has given me a heads up on the possible source:
1. Select Tools and then Internet Options.
2. Click the Connections tab.
3. If you are using a LAN, click the LAN Settings button. If you are using a Dial-up or Virtual Private Network connection, select the necessary connection and click the Settings button.
4. Make sure the ‘automatically detect proxy settings’ is checked.
5. Make sure the ‘use a proxy automatic configuration script’ option is not checked.
6. OK out.
I’m assuming you meant to post the same OTL scan as you did in the other topic too? Here’s the log, it didn’t give me an Extras.txt though.
The extras.txt is only generated on the first run of OTL.
OK next step I will reset the reg setting for that area
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"WinHttpSettings"=hex:28,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,\
  00
```
Copy everything in the above code box to a notepad file
Save the file as HTTP.reg
In the drop down box select all files to save it as a reg file to your desktop
https://dl.dropbox.com/u/73555776/Save%20Host.jpg
The icon will look like this
https://dl.dropbox.com/u/73555776/regicon.GIF
Right click the file and select merge
Accept the warnings
Start IE and see if the alerts are still present
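To see what the WinHttpSettings value in the .reg file above contains before merging it, this added example (not part of the original posts) decodes the blob. The field layout (three little-endian DWORDs, then length-prefixed proxy and bypass strings, with flag bit 1 = direct and bit 2 = proxy) is an assumption taken from community analysis of this value, not an official specification, and the `10.0.0.5:8080` sample is constructed.

```python
import re
import struct

# The value from the .reg file in this thread, copied verbatim (with continuation line).
REG_TEXT = r'''"WinHttpSettings"=hex:28,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,\
  00'''

# Constructed sample: same assumed layout with a hypothetical proxy configured.
SAMPLE_PROXY = struct.pack("<4I", 0x28, 0, 0x03, 13) + b"10.0.0.5:8080" + struct.pack("<I", 0)


def reg_hex_to_bytes(text):
    """Convert a .reg 'hex:aa,bb,\\' value (line continuations allowed) to bytes."""
    payload = text.split("hex:", 1)[1]
    return bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", payload))


def read_string(blob, offset):
    """Read a DWORD length plus that many bytes, refusing to run past the blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("<I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[offset + 4:end].decode("ascii", "replace"), end


def parse_winhttp_settings(blob):
    """Decode the assumed layout: header, counter, flags, proxy, bypass list."""
    if len(blob) < 12:
        raise ValueError("blob too short")
    header, counter, flags = struct.unpack_from("<3I", blob, 0)
    proxy, pos = read_string(blob, 12)
    bypass, pos = read_string(blob, pos)
    return {
        "header": header,
        "flags": flags,
        "direct": bool(flags & 0x01),         # assumed: bit 0 = direct access
        "proxy_enabled": bool(flags & 0x02),  # assumed: bit 1 = static proxy
        "proxy": proxy,
        "bypass": bypass,
        "trailing_bytes": len(blob) - pos,    # anything left over is unexpected
    }


if __name__ == "__main__":
    print(parse_winhttp_settings(reg_hex_to_bytes(REG_TEXT)))
    print(parse_winhttp_settings(SAMPLE_PROXY))
```

Under that layout, the value posted in the thread decodes to direct access with empty proxy and bypass strings, which is what a reset of the WinHTTP proxy would be expected to write.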
Done, and the alerts are still present.
OK back to the drawing board… I will find the solution to this
Alrighty, I’ll stay tuned. And thank you very much for all of your efforts so far, they are much appreciated!
Hello,
I think Avast have fixed this issue, maybe in their latest virus definition updates. Problem was, if you already had the virus or whatever it was, the definitions couldn’t update automatically because Avast itself was blocking the update when it detected the JS:Banker virus (falsely or otherwise). I basically just uninstalled Avast then downloaded the latest version & reinstalled. Everything appears to be normal again… at least so far!!
Geoff Pearson
Amend my last post… the virus message is back! Time to try another anti-virus program perhaps!
Geoff Pearson