Author Topic: JS:Banker-IC help  (Read 39187 times)


dallasa

  • Guest
JS:Banker-IC help
« on: June 23, 2012, 05:45:13 AM »
Hi,

Recently Avast has been giving me warnings that it has blocked a "JS:Banker-IC" trojan. This happens when opening any program (or even trying to do things such as update Avast or Firefox) or download any file. I don't remember opening anything or visiting any website that could have given me this, and Avast and Malwarebytes scans come up with nothing. I have no idea what to do or how dangerous this is to my online passwords. Help please?

Here are my Malwarebytes log, OTL log, and aswMBR log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.22.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Arnand :: ARNAND-HP [administrator]

6/22/2012 7:53:57 PM
mbam-log-2012-06-22 (19-53-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210464
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

true indian

  • Guest
Re: JS:Banker-IC help
« Reply #1 on: June 23, 2012, 07:57:30 AM »
essexboy or jeff will arrive to help later this evening ;D

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: JS:Banker-IC help
« Reply #2 on: June 23, 2012, 02:17:05 PM »
I see that you have run Combofix. Could you attach the log, please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

dallasa

  • Guest
Re: JS:Banker-IC help
« Reply #3 on: June 23, 2012, 08:00:32 PM »
Yes sir here are the logs.

Offline essexboy

Re: JS:Banker-IC help
« Reply #4 on: June 23, 2012, 08:05:00 PM »
Is Avast still warning about this? If so, what file does it reference?

dallasa

  • Guest
Re: JS:Banker-IC help
« Reply #5 on: June 23, 2012, 08:17:43 PM »
Yes it is. It references whatever file I'm running or trying to run at the time. Everything from the Avast updater to Firefox to Skype, etc. Sometimes it references a "wpad.dat".
« Last Edit: June 23, 2012, 09:08:24 PM by dallasa »

Offline essexboy

Re: JS:Banker-IC help
« Reply #6 on: June 23, 2012, 09:24:36 PM »
Do you use a proxy to get online?

Run Farbar Service Scanner



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
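
A read-only check of the settings this exchange touches (the `wpad.dat` reference, the proxy question, and the earlier `[resethosts]` and `flushdns` fix), as an added example that is not part of the original posts. It assumes the default Windows hosts-file path and the default Firefox profile location.

```powershell
# Added example: read-only audit; nothing here changes the system.
# Written to run on Windows PowerShell 2.0 (the Windows 7 default) or later.

# 1. Per-user WinINET proxy settings (used by IE and by apps that follow the
#    system proxy). AutoConfigURL is the proxy auto-config (PAC) script, if any.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $inetKey |
    Select-Object AutoConfigURL, ProxyEnable, ProxyServer, ProxyOverride |
    Format-List

# 2. Machine-wide WinHTTP proxy.
netsh winhttp show proxy

# 3. Firefox keeps its own proxy preferences in each profile's prefs.js.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    Get-ChildItem -Path $ffProfiles -Recurse -Filter prefs.js |
        Select-String -Pattern 'network\.proxy\.(type|autoconfig_url|http)"' |
        ForEach-Object { '{0}: {1}' -f $_.Path, $_.Line.Trim() }
}

# 4. Active hosts-file entries (comments and blank lines stripped), so there is
#    a record of what a hosts reset would remove.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $ip, $names = $_ -split '\s+'
        New-Object PSObject -Property @{ Address = $ip; Names = ($names -join ' ') }
    } |
    Where-Object { $_.Names -ne 'localhost' } |
    Format-Table Address, Names -AutoSize

# 5. Cached DNS answers for the name used by Web Proxy Auto-Discovery (wpad),
#    which is where a wpad.dat file would be fetched from.
ipconfig /displaydns | Select-String -Pattern 'wpad' -Context 0,6
```

An `AutoConfigURL` value or a cached `wpad` answer on a machine whose user does not knowingly use a proxy is worth following up before the caches and hosts file are cleared.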

dallasa

  • Guest
Re: JS:Banker-IC help
« Reply #7 on: June 23, 2012, 09:59:38 PM »
No, I don't. Here you go.

Offline essexboy

Re: JS:Banker-IC help
« Reply #8 on: June 23, 2012, 10:32:57 PM »
OK, let's now delve really deep

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

    Notes:
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    -- If you encounter any problems, try running GMER in safe mode.
    -- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


    dallasa

    • Guest
    Re: JS:Banker-IC help
    « Reply #9 on: June 23, 2012, 11:18:45 PM »
    Here you go. Only hit is a videogame that I've had installed for months with no problem, so I'm assuming it's a false positive. Although Gmer would only let me scan for Services, Registry, and Files... all other boxes were untickable.

    Offline essexboy

    Re: JS:Banker-IC help
    « Reply #10 on: June 23, 2012, 11:26:38 PM »
    This programme will produce a zip file for me to analyse. The forum does not allow this type of attachment, so could you upload it to a file sharing site or Dropbox for me to collect?

    Download AVPTool from Here to your desktop

    Run the programme you have just downloaded to your desktop (it will be randomly named)
     
    First we will run a virus scan  
     
    Click the cog in the upper right 

     
    This programme will create a zip file for me to analyse, unfortunately the forum does not allow that type of attachment so could you upload it to a file sharing site or dropbox for me to collect 


    Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan 


     
    Allow AVP to delete all infections found
    Once it has finished select report tab (last tab)
    Select Detected threats report from the left and press Save button
    Save it to your desktop and attach to your next post
     
     
    Now the Analysis
     
    Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information 
     

     
    On completion click the link to locate the zip file to upload and attach to your next post 
     


    gpearson

    • Guest
    Re: JS:Banker-IC help
    « Reply #11 on: June 23, 2012, 11:40:00 PM »
    Hello,

    I too suddenly have this exact same problem. I have done a boot-time scan... Avast detects the virus but for some reason, it does not get deleted. When I start my PC Avast throws up the message...

    A script started by c:\...\AvastUI.exe
    JS:Banker-IC[Trj]
    Process: c:\Program Files\...\AvastUI.exe

    Sometimes when opening a browser the process is "AvastUI.exe".

    I am fastidious about security & have no idea where this came from. My OS is Windows 7 & I use IE 8

    Any insight would be sincerely appreciated.

    Geoff Pearson

    dallasa

    • Guest
    Re: JS:Banker-IC help
    « Reply #12 on: June 24, 2012, 01:49:57 AM »
    If you've been fastidious too, perhaps it is a problem with Avast? I've certainly had no luck getting anywhere so far, although I will report back in once the Kaspersky scan is done (which will be a while, estimating 16 hours now).

    gpearson

    • Guest
    Re: JS:Banker-IC help
    « Reply #13 on: June 24, 2012, 04:42:04 AM »
    That has crossed my mind too. I might give Kaspersky a go overnight.

    GP

    pevans8180

    • Guest
    Re: JS:Banker-IC help
    « Reply #14 on: June 24, 2012, 04:52:18 PM »
    I am also suffering with the same JS:Banker-IC issue. I receive the warning message from Avast when I open IE(9), Skype and Avast.

    Have run Avast virus scan and the boot time scan, which both claim to have deleted the virus, but it reappears.

    I have also run MBAM and even installed Microsoft Security Essentials, both returned 0 infection results.

    Please help as I am pulling my hair out here!

    Thanks

    Paul