Author Topic: Banker-BHS [Trj]  (Read 6285 times)


jonthepain

  • Guest
Banker-BHS [Trj]
« on: December 21, 2006, 01:41:17 PM »
Avast moved Win32:Banker-BHS [Trj] to the chest during my morning boot time scan today.  Thank you.

Mine is the only machine in the office affected.  Is it safe for me to access my bank online now?  Should I delete my restore points and start over?

How does this Trojan generally get into a machine?

Avast: would you like me to email it to you?  It resided in:

 C:\ system volume information\_restore{DFC2681-5971-4EDD-8DEO-3A7F799D8CA5}RP399
C:\ Program Files\ Blaze Media Pro
C:\ Docs and Sets\all users\app data\{CFE49F60...

Thanks Again,
Jon

« Last Edit: December 21, 2006, 03:18:32 PM by jonthepain »

jonthepain

  • Guest
Re: Banker-BHS [Trj]
« Reply #1 on: December 21, 2006, 09:48:02 PM »
i guess nobody cares *sigh*

oh well.  so much for customer service.   ::)

mouniernetwork

  • Guest
Re: Banker-BHS [Trj]
« Reply #2 on: December 21, 2006, 10:27:17 PM »
Welcome to the Forum  :)
Quote
i guess nobody cares *sigh*

oh well. so much for customer service. ::)
Maybe you should wait more than one day  :o

Can you clarify what you are saying?
What files were infected?
What actions did you take?
What is your Operating System?

Thanks

Al968

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Banker-BHS [Trj]
« Reply #3 on: December 21, 2006, 11:25:54 PM »
Quote
Is it safe for me to access my bank online now?
Not yet...

Quote
Should I delete my restore points and start over?
It will be good.
Also, run a boot time scanning with avast.

Quote
How does this Trojan generally get into a machine?
Did you Google for it... I'm not an expert on virus generation  ;D

Quote
Avast: would you like me to email it to you?
Please, send it in a password protected zip to virus@avast.com
Please, mention in the body the password used and a link to this thread. Thanks.
The best things in life are free.

jonthepain

  • Guest
Re: Banker-BHS [Trj]
« Reply #4 on: December 22, 2006, 12:41:42 AM »
Thanks for responding.  Yes, maybe I should wait more than one day, however, the company that I work for would fail if we waited more than one day to respond to our clients.  That is why I made the comment.  I guess I shouldn't judge other companies by the expectations of our clients, but the issue was serious enough to affect business and so the boss wanted some action and was unhappy that the entire business day went by without any answers from me.  Also, the last time we had an issue I received great service from avast only after I made a snide comment on the forum.  Unfortunately oftentimes it's the squeaky wheel that gets the grease.

re: not yet.  when?

re: run a boot time scan.  Yes, that is how avast intercepted Banker.  I run a boot time scan on all the office machines every morning at 6 before anyone comes in.

re: google it.  yes i have but not much there as to point of entry and i am reticent to click on some of the results.

re: send it.  will do.  thank you.

Quote
Welcome to the Forum
Maybe you should wait more than one day :o

Can you clarify what you are saying?
What files were infected?
What actions did you take?
What is your Operating System?

re: welcome.  thank you. i was here some months ago but i am not a prodigious poster so i understand your sentiment although i'm not certain that is wholehearted considering the next comment in the post.


re: "clarification."  can you be more specific?  maybe i was too succinct.
re: what files.  please see first post.
re: what actions.  none; have been waiting for a reply.  i really need to go to our online banking site asap.  i have just left the files in the chest.  i ran another boot time scan and it has not reappeared.

XP Pro SP2.  Auto updates.  Windows Defender and a router on the T1 line.

thanks again,
Jon


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Banker-BHS [Trj]
« Reply #5 on: December 22, 2006, 01:14:39 AM »
Quote
re: run a boot time scan.  Yes, that is how avast intercepted Banker.  I run a boot time scan on all the office machines every morning at 6 before anyone comes in.
Well... after running a boot time scanning... maybe it's safe to surf again.

Can you run antitrojans in the suspect machines?
a-squared
Free AVG Antispyware
SUPERantispyware
The best things in life are free.

aspen

  • Guest
Re: Banker-BHS [Trj]
« Reply #6 on: December 22, 2006, 02:07:19 AM »
Good evening,

I'm glad this thread was posted.  I use the Home Edition of Avast.  I had this same virus show up two days ago on a full system scan.  Four instances of the virus were found.  Two in app data, one in the system restore volume, and one infecting bmp.exe (Blaze Media Pro).  Sounds just like jonthepain's posting.  Because of the type of Trojan, I became quickly concerned.  Thinking the virus was new in the last two days, I did a system restore from 9 November 2006 using Acronis.  I re-scanned and Avast again found the infected files in the same locations.  I am also a licensed Ewido user, now AVG Anti-spyware.  Ewido could not find the infection.  I'm wondering if this is just not a false positive.  If not, then it must be lag in the signature updates.  This virus is not new, but the variant might be.  I have already deleted the files and repaired the damage.  I am most interested in the outcome.  Thank you.

jonthepain

  • Guest
Re: Banker-BHS [Trj]
« Reply #7 on: December 22, 2006, 02:08:06 AM »
Quote
Can you run antitrojans in the suspect machines?

Yes that is a good suggestion.  Can you recommend one?

Thank you.

Jon

Quote
I'm glad this thread was posted.

my pleasure. sort of.  :-\

p.s.  I would recommend upgrading to avast pro.  great product.  I have switched most of my business associates, friends and family to avast and firefox, which i don't do lightly because i am the first to hear it when any tech issues come up.
« Last Edit: December 22, 2006, 02:16:51 AM by jonthepain »

aspen

  • Guest
Re: Banker-BHS [Trj]
« Reply #8 on: December 22, 2006, 02:44:27 AM »
I know what you mean by "my pleasure, sort of".  After I did the system restore and the virus was found again, I started thinking about all the on line transactions I completed in the last five weeks.  It couldn't be some other virus Avast found, it had to be a keylogger Trojan.  A lot of damage can occur in five weeks.  Maybe tech support will find it was just a false positive.  I run Ewido resident as a backup so I thought it would have caught anything Avast missed.  Wrong!  According to AVG tech support, Avast blocks access to the files so ewido reports them as clean.  AVG's recommendation was to disable Avast and then do the scan.  If AVG tech support is correct and I have to disable Avast for ewido to work, ewido is really doing nothing for me.   So much for compatibility.  I use Opera as my primary browser and IE only when I have to.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Banker-BHS [Trj]
« Reply #9 on: December 22, 2006, 03:27:42 AM »
aspen &  jonthepain

Have either of you submitted the suspect file to http://virusscan.jotti.org/  to see if any other avs also detect the trojan?

I ask because you both found it in the same program.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: Banker-BHS [Trj]
« Reply #10 on: December 22, 2006, 02:24:59 PM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. This multi-engine scanner is, I believe, better than Jotti for the following reasons: 1) it uses the Windows version of avast (what you are using), 2) it has far more AV scanners to check against, 29 at this time.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
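The two replies above suggest submitting the quarantined file to a multi-engine scanner. A file pulled from a company machine may be something you would rather not upload wholesale, and in any case the first thing to record before a file leaves the chest is its hashes, so that the sample you submit, the sample you e-mail to the vendor, and the sample another user found can be compared unambiguously. The script below is an added example and is not part of this thread or of any vendor's tooling; it computes MD5, SHA-1 and SHA-256 of a file in chunks (so large files do not need to fit in memory), builds the public VirusTotal lookup URL for the SHA-256, and compares a file against a hash you already have. The sample file it hashes is constructed inline; the `quarantine_copy.bin` name is a placeholder, not a path from the thread.

```python
import hashlib
import os
import tempfile

# Chunk size for streaming the file through the hash objects.
CHUNK = 64 * 1024


def hash_file(path):
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} for the file at path.

    The file is read in CHUNK-sized pieces so that a large quarantined
    binary (or a System Volume Information restore-point copy) does not
    have to be loaded into memory at once.
    """
    digests = {
        "md5": hashlib.md5(),
        "sha1": hashlib.sha1(),
        "sha256": hashlib.sha256(),
    }
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def virustotal_lookup_url(sha256_hex):
    """Public VirusTotal page for a file identified by its SHA-256.

    Looking a hash up first tells you whether the sample is already known
    without uploading the file itself.
    """
    return "https://www.virustotal.com/gui/file/" + sha256_hex.lower()


def matches_known_hash(path, known_hex):
    """True if the file's MD5, SHA-1 or SHA-256 equals known_hex.

    Useful when comparing your chest copy with a hash another user or a
    vendor reply quotes, whichever algorithm they used.
    """
    known = known_hex.strip().lower()
    return known in hash_file(path).values()


def write_constructed_sample(directory):
    """Write a harmless constructed file standing in for a quarantined sample."""
    path = os.path.join(directory, "quarantine_copy.bin")  # placeholder name
    with open(path, "wb") as fh:
        fh.write(b"abc")  # constructed content, chosen for its well-known digests
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = write_constructed_sample(tmp)
        digests = hash_file(sample)
        for name, value in digests.items():
            print(f"{name}: {value}")
        print("lookup:", virustotal_lookup_url(digests["sha256"]))
```

Record the three hashes in the forum post or the vendor e-mail alongside the file name and the path it was found in; a hash pins down exactly which variant was seen, which the family label alone does not.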

jonthepain

  • Guest
Re: Banker-BHS [Trj]
« Reply #11 on: December 22, 2006, 04:22:07 PM »
will do.  thanks.