Author Topic: JS:Banker-D  (Read 11174 times)


pablomaz

  • Guest
JS:Banker-D
« on: February 04, 2011, 01:42:57 AM »
Hio, everyone!

Everytime I open a browser window or tab Avast gives me an alert about JS:Banker-D Trojan horse. I simply can't get rid of it. Could you help me?
Thanks!
I'm running Mozilla Firefox 3.6.13 on Windows Vista SP2.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: JS:Banker-D
« Reply #1 on: February 04, 2011, 02:01:38 AM »
Hi.

Follow these instructions:
http://forum.avast.com/index.php?topic=53253.0

*Post mbam log reports & OTL.txt back to topic.
« Last Edit: February 04, 2011, 02:03:19 AM by magna86 »

pablomaz

  • Guest
Re: JS:Banker-D
« Reply #2 on: February 05, 2011, 04:11:37 PM »
Thank you for your time, magna86.

This is the mbam log. The software is in Portuguese, but I think it won't be a problem, since nothing was detected - I had already run mbam two days ago. "(Não foram detectados ítens maliciosos)" means "no malware was detected":

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version:  5683

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

05/02/2011 12:35:27
mbam-log-2011-02-05 (12-35-27).txt

Scan type:  Quick scan
Objects scanned:  145629
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected:  0
Memory Modules Infected:  0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected:  0
Folders Infected:  0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I'll attach OTL logs ok?

Thanks for your help!

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • Posts: 1556
Re: JS:Banker-D
« Reply #3 on: February 05, 2011, 05:01:39 PM »
A little more information would be good so we could give you better support.

What OS are you using?

What file is Avast alarming on as malware?

Have you tried a boot scan with Avast?

http://www.schmahl.net/avastbootscan.php - instructions on how to schedule a boot scan in Avast version 5.

Good luck
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

pablomaz

  • Guest
Re: JS:Banker-D
« Reply #4 on: February 05, 2011, 05:35:14 PM »
Ok, Mikael, thanks!

OS is Windows Vista (Windows 6.0.6002 Service Pack 2)

Avast is alarming about:
Object: hxxp://www.windows72.net/0xf04.pac
Infection: JS:Banker-D [Trj]

I'll run a boot scan now to see what happens...

Thanks!
« Last Edit: February 05, 2011, 11:12:36 PM by pablomaz »

Silk0

  • Guest
Re: JS:Banker-D
« Reply #5 on: February 05, 2011, 05:50:26 PM »
    Quote from pablomaz's original post and Reply #4 (repeated above)

Do this:
Open Firefox > Click on "Tools" > Check what you have in the Initial Page bar > Change it to www.google.com

Close Firefox and open it again. See if the problem persists.
And... can you disable the active link, please? Put hxxp:// instead of http://
Thanks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: JS:Banker-D
« Reply #6 on: February 05, 2011, 07:06:18 PM »
Try this

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\S-1-5-21-572750711-2804780265-2420130312-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = hxxp://www.windows72.net/0xf04.pac

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
« Last Edit: February 05, 2011, 10:39:02 PM by essexboy »
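
The OTL fix above does three things: it deletes the AutoConfigURL value from the user's Internet Settings key, flushes the DNS resolver cache, and resets the hosts file. The following PowerShell script is an added example (not from the thread, and not OTL's own logic) that performs the same audit and cleanup from a normal Windows shell, so the result can be verified after the fact. It assumes the registry path shown in the thread, checks every loaded user hive rather than a single SID, also reports ProxyServer/ProxyEnable (two other values in the same key that a proxy-based hijack can set), and lists non-localhost entries in the hosts file instead of overwriting it. The file name Check-ProxyHijack.ps1 is hypothetical.

```powershell
# Added example, not code from the thread or from OTL. Audits each loaded user hive
# for the WinINET proxy settings a PAC hijack relies on and, with -Remove, deletes
# AutoConfigURL the way the OTL fix did, then flushes the DNS cache.
# Run from an elevated PowerShell so other users' hives are readable.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Delete AutoConfigURL from every user hive where it is set and flush DNS.
    [switch]$Remove
)

$ieSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings   = @()

# Only real user hives (S-1-5-21-...), skipping *_Classes hives and built-in accounts.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

foreach ($hive in $hives) {
    $key = "Registry::HKEY_USERS\$($hive.PSChildName)\$ieSettings"
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    # AutoConfigURL is the PAC hijack seen in this thread; ProxyServer/ProxyEnable
    # are the other two values in the same key a proxy-based banker can set.
    foreach ($name in 'AutoConfigURL', 'ProxyServer', 'ProxyEnable') {
        $value = $props.$name
        if ($null -ne $value -and "$value" -ne '' -and "$value" -ne '0') {
            $findings += [pscustomobject]@{
                Hive = $hive.PSChildName; Name = $name; Value = $value
            }
        }
    }

    if ($Remove -and $null -ne $props.AutoConfigURL -and
        $PSCmdlet.ShouldProcess($key, 'Remove AutoConfigURL')) {
        Remove-ItemProperty -Path $key -Name 'AutoConfigURL'
    }
}

# The [resethosts] step, read-only: list every non-localhost mapping in the hosts
# file so a redirect of a bank hostname to an attacker's address is visible.
$hostsPath    = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content -Path $hostsPath |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
                   $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }

if ($findings.Count -eq 0) { 'No proxy/PAC settings found in any user hive.' }
else { $findings | Format-Table -AutoSize }

if ($hostsEntries) {
    'Non-default hosts file entries:'
    $hostsEntries
}

# The ipconfig /flushdns step of the OTL fix.
if ($Remove) { ipconfig /flushdns | Out-Null }
```

Run `.\Check-ProxyHijack.ps1` to report only, `.\Check-ProxyHijack.ps1 -Remove -WhatIf` to preview the deletion, and `.\Check-ProxyHijack.ps1 -Remove` to apply it. Firefox is affected by an IE-registry PAC only when it is set to "Use system proxy settings", which is why the Firefox home page change suggested earlier in the thread could not help: the setting lives in WinINET, not in the browser profile.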

pablomaz

  • Guest
Re: JS:Banker-D
« Reply #7 on: February 05, 2011, 07:16:18 PM »
    Quote from pablomaz's Reply #4 (repeated above)

Mikael, I ran a boot scan and nothing was found. Thanks anyway.
« Last Edit: February 07, 2011, 12:48:15 PM by pablomaz »

pablomaz

  • Guest
Re: JS:Banker-D
« Reply #8 on: February 05, 2011, 07:25:06 PM »
    Quote from Silk0's Reply #5 (repeated above)


Silk0, I changed the home page, but the problem persists... Thank you anyway.
I also disabled the active link. I'm sorry.
I'll write a bit in Portuguese, because we speak the same language (I'm Brazilian).
My friend, thanks for the help, but it didn't do any good. I'll follow the recommendation of the other forum member just above. Big hug!
« Last Edit: February 07, 2011, 12:49:02 PM by pablomaz »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: JS:Banker-D
« Reply #9 on: February 05, 2011, 07:38:58 PM »
If you run the OTL fix I posted it should clear it  ;D
Try this

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\S-1-5-21-572750711-2804780265-2420130312-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = hxxp://www.windows72.net/0xf04.pac

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
« Last Edit: February 05, 2011, 10:38:42 PM by essexboy »

pablomaz

  • Guest
Re: JS:Banker-D
« Reply #10 on: February 05, 2011, 08:07:09 PM »
    Quote from essexboy's Reply #9 (the OTL fix, repeated above)

essexboy, thank you SO much!
I think... I think everything is ok now! Am I dreaming?! lol
What the hell did you all just do? Some kind of magic, my friends?!
 8)
I can't believe it worked... I'll reboot and give this damn JS:Banker another try. lol

Here are the logs (the first one showed up right after rebooting the system).
« Last Edit: February 07, 2011, 12:50:12 PM by pablomaz »

pablomaz

  • Guest
Re: JS:Banker-D
« Reply #11 on: February 05, 2011, 08:34:31 PM »
    Quote from essexboy's Reply #9: If you run the OTL fix I posted it should clear it  ;D

IT WORKED! It really, really worked!
I'd like to thank you essexboy, Silk0, mikaelrask and magna86 for your time and help.

I'm speechless.
Good night, good bye, take care.
Thanks again from Brazil,
:- )

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: JS:Banker-D
« Reply #12 on: February 05, 2011, 10:04:14 PM »
    Quote
    Internet Settings: "AutoConfigURL" = hxxp://www.windows72.net/0xf04.pac

It was autoconfiguring all URLs to be routed via this site. Unfortunately, no malware removal tools check this area, as there are too many variables.

Run OTL and hit the cleanup button now  ;D

spg SCOTT

  • Guest
Re: JS:Banker-D
« Reply #13 on: February 05, 2011, 10:06:37 PM »
And now that it is solved, can the posts with the active link to the site be deactivated? :)
(ones containing the fix)

pablomaz

  • Guest
Re: JS:Banker-D
« Reply #14 on: February 05, 2011, 11:13:39 PM »
Did it!
:- )