JS:Banker-IC help

[dallasa]

Hi,

Recently Avast has been giving me warnings that it has blocked a "JS:Banker-IC" trojan. This happens when opening any program (or even trying to do things such as update Avast or Firefox) or download any file. I don't remember opening anything or visiting any website that could have given me this, and Avast and Malwarebytes scans come up with nothing. I have no idea what to do or how dangerous this is to my online passwords. Help please?

Here are my Malwarebytes log, OTL log, and aswMBR log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.22.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Arnand :: ARNAND-HP [administrator]

6/22/2012 7:53:57 PM
mbam-log-2012-06-22 (19-53-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210464
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

[true indian]

essexboy or jeff will arrive to help later today evening 

[essexboy]

I see that you have run Combofix, could you attach the log please

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL


Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[dallasa]

Yes sir here are the logs.

[essexboy]

Is Avast still warning about this ?  If so what file does it reference

[dallasa]

Yes it is. It references whatever file I'm running or trying to run at the time. Everything from the Avast updater to Firefox to Skype, etc. Sometimes it references a "wpad.dat".

[essexboy]

Do you use a proxy to get online ?

run farbar service scanner



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

[dallasa]

No, I don't. Here you go.

[essexboy]

OK lets now delve really deep

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  Click the image to enlarge it
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
• IAT/EAT
• Drives/Partition other than Systemdrive (typically C:\)
• Show All (don't miss this one)

• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
  
• Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries 

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning

[dallasa]

Here you go. Only hit is a videogame that I've had installed for months with no problem, so I'm assuming it's a false positive. Although Gmer would only let me scan for Services, Registry, and Files... all other boxes were untickable.

[essexboy]

This programme will produce a zip file for me to analyse, the forum does not allow this type of attachment so could you upload to a file sharing site or dropbox for me to collect

Download AVPTool from Here to your desktop 
   
Run the programme you have just downloaded to your desktop (it will be randomly named ) 
 
First we will run a virus scan  
 
Click the cog in the upper right 

 
This programme will create a zip file for me to analyse, unfortunately the forum does not allow that type of attachment so could you upload it to a file sharing site or dropbox for me to collect 


Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan 


 
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
 
 
Now the Analysis
 
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information 
 

 
On completion click the link to locate the zip file to upload and attach to your next post 
 

[gpearson]

Hello,

I too suddenly have this exact same problem. I have done a boot-time scan... Avast detects the virus but for some reason, it does not get deleted. When I start my PC Avast throws up the message...

A script started by c:\...\AvastUI.exe
JS:Banker-IC[Trj]
Process: c:\Program Files\...\AvastUI.exe

Sometimes when opening a browser the process is "AvastUI.exe".

I am fastidious about security & have no idea where this came from. My OS is Windows 7 & I use IE 8

Any insight would be sincerely appreciated.

Geoff Pearson

[dallasa]

If you've been fastidious too, perhaps it is a problem with Avast? I've certainly had no luck getting anywhere so far, although I will report back in once the Kaspersky scan is done (which will be a while, estimating 16 hours now).

[gpearson]

That has crossed my mind too. I might give Kaspersky a go overnight.

GP

[pevans8180]

I am also suffering with the same JS:Banker-IC issue. I receive the warning message from Avast when I open IE(9), Skype and Avast.

Have run Avast virus scan and the boot time scan, which both claim to have deleted the virus, but it reappears.

I have also run MBAM and even installed Microsoft Security Essentials, both returned 0 infection results.

Please help as I am pulling my hair out here!

Thanks

Paul