On a computer that is running Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003, you may experience the following symptoms:
-
The home page in Internet Explorer is reset to "about:blank."
-
Microsoft Windows Defender unexpectedly quits.
Symptoms
This problem may occur because your computer is infected by the TrojanSpy:Win32/Banker Trojan horse program.
Cause
Most antivirus software can detect and prevent infection by malicious software. To work around this problem, run antivirus software that is updated with the latest signature files. Then, reinstall Microsoft Windows Defender.
Workaround
When this problem occurs, TrojanSpy:Win32/Banker takes the following actions:
-
TrojanSpy:Win32/Banker sets the Internet Explorer home page to "about:blank."
-
TrojanSpy:Win32/Banker deletes all the files in the C:\Program Files\Microsoft AntiSpyware folder.
-
TrojanSpy:Win32/Banker looks for Windows relating to Microsoft Windows AntiSpyware (Beta) and sends messages to these windows to close them.
-
TrojanSpy:Win32/Banker shuts down processes that are associated with Microsoft Windows AntiSpyware (Beta).
-
TrojanSpy:Win32/Banker tries to download and then run updates from a Web server.
-
TrojanSpy:Win32/Banker tries to download and then run additional software from an FTP server.
-
TrojanSpy:Win32/Banker prevents the user from accessing certain security websites.
-
TrojanSpy:Win32/Banker removes the gcasServ registry entry from the following subkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-
TrojanSpy:Win32/Banker collects personal user information when a user visits online banking sites.
These sites include the following:-
ibank.barclays.co.uk
-
ibank.cahoot.com
-
myonlineaccounts2.abbeynational.co.uk
-
olb.westpac.com.au
-
olb2.nationet.com
-
online.lloydstsb.co.uk
-
sec.westpactrust.co.nz
-
web.da-us.citibank.com
-
www.bpinet.pt
-
www.ebank.hsbc.co.uk
-
www.ebank.hsbc.com.hk
-
www.halifax-online.co.uk
-
www.iblogin.com
-
www.national.com.au
-
www.nwolb.com
-
www.rbsdigital.com
TrojanSpy:Win32/Banker then tries to send this infromation to an FTP server.
-
-
TrojanSpy:Win32/Banker logs URLs that you visit to the %windir%\Req.log file. However, URLs that contain the following strings are not logged:
-
https
-
safeform.com
-
northeast.on.ca
-
salesforce.com
-
prudential.com.hk
-
sammikk.com
-
samsunggsbn.com
-
sbc.com
-
s-central.com.au
-
ebay
-
sciamdigital.com
-
scicollege.org.sg
-
upjs.sk
-
eutelsat.net
-
searchfit.org
-
seatbooker.net
-
sebra.com
-
yimg.com
-
acadiau.ca
-
adultfriendfinder.com
-
advisor.com
-
authorize.net
-
bearshare.com
-
betbanking.com
-
bnpparibas.net
-
c1hrapps.com
-
customersvc.com
-
konetic.org
-
delias.com
-
deluxepass.com
-
directnic.com
-
directsex.com
-
earthport.com
-
elance.com
-
element5.com
-
elsevier
-
emetrix.com
-
e-registernow.com
-
europeonline.com
-
ezpeer.com
-
fredericks.com
-
gevalia.com
-
hilton.com
-
hostdozy.com
-
hotbar.com
-
idx.com .au
-
indigosp.com
-
infusion-studios.com
-
intuitcanada.com
-
reuters.com
-
kent.net lkw-walter.com
-
medibank.com.au
-
mouse2mobile.com
-
mysylvan.com
-
nacelink.com
-
netbilling.com
-
netfirms.com
-
netspeed.com.au
-
nike.com.hk
-
novuslink.net
-
nzqa.govt.nz
-
oberon-media.com
-
onlineaccess.net
-
optusnet.com.au
-
orcon.net
-
ordering.co.uk
-
oztralia.com
-
register.com
-
safesite.com
-
shaw.ca
-
billerweb.com
-
sms.ac
-
sparkart.com
-
sparknotes.com
-
starbiz.net.sg
-
telusmobility.com
-
thewheelconnection.com
-
tickle.com
-
trekblue.com
-
tsn.cc
-
ubi.com
-
vandyke.com
-
w2express.com
-
mgm-mirage.com
-
webeweb.net
-
wn.com.au
-
securecart.net
-
secureordering.com
-
secureserver.net
-
imrworldwide.com
-
playstation.com
-
western-inventory.com
-
securewebexchange.com
-
securitymetrics.com
-
selfmgmt.com
-
t-mobile.co.uk
-
xtra.co.nz
-
canon-europe.com
-
senecac.on.ca
-
sephora.com
-
liveperson.net
-
ariba.com
-
sympatico.ca
-
xs4all.nl
-
macau.ctm.net
-
rogers.com
-
sfgov.org
-
cic.gc.ca
-
vodafone.co.uk
-
hku.hk
-
sfa.prudential.com.sg
-
shkcorpws5.shkp.com
-
ecompanystore.com
-
o2online.de
-
shopadmin.daum.net
-
shoppersoptimum.ca
-
go-fia.com
-
zoovy.com
-
shopundco.com
-
shutterfly.com
-
signup.sprint.ca
-
silicon-power.com
-
singnet.com.sg
-
simplyhotels.com
-
sims.sfu.ca
-
singaporeair.com
-
site-secure.com
-
esdlife.com
-
flextronics.com
-
cometsystems.com
-
snapfish.com
-
solo3.nordea.fi soccer.com
-
hkuspace.org
-
soundclick.com
-
swamp.lan spiritair.com
-
sportingbet.com
-
sportodds.com
-
worldgaming.net adaptec.com
-
sqnet.com.sg srp.org.sg
-
ains.com.au
-
campoints.net
-
ingrammicro.com
-
kundenserver.de
-
speedera.net
-
farlep.net
-
lanck.net .sok
-
monster.com
-
ihost.com
-
gigaisp.net
-
webtrendslive.com
-
a-net.com
-
puma.com
-
apple.com
-
streamload.com
-
maximonline.com
-
look.ca
-
supergo.com
-
cablebg.net
-
dell
-
sony
-
inlandrevenue.gov.uk
-
tbihosting.com
-
quickbooks.com
-
techdata.com
-
telpacific.com.au
-
telstra.com
-
recruitsoft.com
-
tepore.com
-
theaa.com
-
three.com.hk
-
ticketmaster.com
-
ultrastar.com
-
ti.com
-
tirerack.com
-
tm.net.my
-
tmi-wwa.com
-
tdcwww.net
-
stanfordalumni.org
-
012.net
-
starhubshop.com.sg
-
datasvit.net
-
ssdcl.com.sg
-
music
-
iinet.net.au
-
iprimus.com.au
-
hp.com
-
game
-
towerhobbies.com
-
travel.com.au
-
travel.priceline.com
-
travelclub.swiss.com
-
travelcommunications.co.uk
-
trivita.com
-
trust1.com
-
trustinternational.com
-
yorku.ca
-
preschoicefinancial.com
-
united.intranet.ual.com
-
unixcore.com
-
uwindsor.ca
-
ucas.co.uk
-
ups.com
-
yesasia.com
-
usafis.org
-
uscden.net
-
uscitizenship.info
-
va-bank.com
-
vasa.slsp.sk
-
veloz.com
-
victoriassecret.com
-
videotron.com
-
mcafee.com
-
virginblue.com.au
-
virginmobileusa.com
-
vodafone vpost.com.sg
-
vutbr.cz
-
opusit.com.sg
-
ibm.com
-
aircanada.ca
-
walgreens.com
-
watchguard.com
-
icq.com
-
ych.com
-
uottawa.ca
-
uoguelph.ca
-
there.com
-
webassign.net
-
comcast.net
-
douglas.bc.ca
-
carleton.ca
-
mcgill.ca
-
mcmaster.ca
-
queensu.ca
-
sheridanc.on.ca
-
ubc.ca
-
unb.ca
-
.ac.at
-
.ac.nz
-
.ust.hk
-
microsoft.com
-
guidehome.com
-
sap-ag.de
-
nwa.com
-
webzdarma.cz
-
intel.com
-
bigpond.net.au
-
willhill.com
-
.ac.uk
-
t-mobile.com
-
uwaterloo.ca
-
delawarenorth.com
-
worldwinner.com
-
worth1000.com
-
wrem.sis.yorku.ca
-
sierraclub.org
-
serviticket.com
-
yagma.com
-
yes.com.hk .edu
-
yourastrologysite.com
-
ytv.com .o2.co.uk
-
zwallet.com
-
TrojanSpy:Win32/Banker is installed in Internet Explorer as a Browser Helper Object.
To automatically help protect your computer from infection, always run antivirus software that uses the latest signature files. To help make sure your computer is protected against present and future threats, visit the following Microsoft Web site: