Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

On a computer that is running Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003, you may experience the following symptoms:

  1. The home page in Internet Explorer is reset to "about:blank."

  2. Microsoft Windows Defender unexpectedly quits.

Symptoms

This problem may occur because your computer is infected by the TrojanSpy:Win32/Banker Trojan horse program.

Cause

Most antivirus software can detect and prevent infection by malicious software. To work around this problem, run antivirus software that is updated with the latest signature files. Then, reinstall Microsoft Windows Defender.

Workaround

When this problem occurs, TrojanSpy:Win32/Banker takes the following actions:

  • TrojanSpy:Win32/Banker sets the Internet Explorer home page to "about:blank."

  • TrojanSpy:Win32/Banker deletes all the files in the C:\Program Files\Microsoft AntiSpyware folder.

  • TrojanSpy:Win32/Banker looks for Windows relating to Microsoft Windows AntiSpyware (Beta) and sends messages to these windows to close them.

  • TrojanSpy:Win32/Banker shuts down processes that are associated with Microsoft Windows AntiSpyware (Beta).

  • TrojanSpy:Win32/Banker tries to download and then run updates from a Web server.

  • TrojanSpy:Win32/Banker tries to download and then run additional software from an FTP server.

  • TrojanSpy:Win32/Banker prevents the user from accessing certain security websites.

  • TrojanSpy:Win32/Banker removes the gcasServ registry entry from the following subkey:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  • TrojanSpy:Win32/Banker collects personal user information when a user visits online banking sites.

    These sites include the following:

    • ibank.barclays.co.uk

    • ibank.cahoot.com

    • myonlineaccounts2.abbeynational.co.uk

    • olb.westpac.com.au

    • olb2.nationet.com

    • online.lloydstsb.co.uk

    • sec.westpactrust.co.nz

    • web.da-us.citibank.com

    • www.bpinet.pt

    • www.ebank.hsbc.co.uk

    • www.ebank.hsbc.com.hk

    • www.halifax-online.co.uk

    • www.iblogin.com

    • www.national.com.au

    • www.nwolb.com

    • www.rbsdigital.com

    TrojanSpy:Win32/Banker then tries to send this infromation to an FTP server.

  • TrojanSpy:Win32/Banker logs URLs that you visit to the %windir%\Req.log file. However, URLs that contain the following strings are not logged:

    • https

    • safeform.com

    • northeast.on.ca

    • salesforce.com

    • prudential.com.hk

    • sammikk.com

    • samsunggsbn.com

    • sbc.com

    • s-central.com.au

    • ebay

    • sciamdigital.com

    • scicollege.org.sg

    • upjs.sk

    • eutelsat.net

    • searchfit.org

    • seatbooker.net

    • sebra.com

    • yimg.com

    • acadiau.ca

    • adultfriendfinder.com

    • advisor.com

    • authorize.net

    • bearshare.com

    • betbanking.com

    • bnpparibas.net

    • c1hrapps.com

    • customersvc.com

    • konetic.org

    • delias.com

    • deluxepass.com

    • directnic.com

    • directsex.com

    • earthport.com

    • elance.com

    • element5.com

    • elsevier

    • emetrix.com

    • e-registernow.com

    • europeonline.com

    • ezpeer.com

    • fredericks.com

    • gevalia.com

    • hilton.com

    • hostdozy.com

    • hotbar.com

    • idx.com .au

    • indigosp.com

    • infusion-studios.com

    • intuitcanada.com

    • reuters.com

    • kent.net lkw-walter.com

    • medibank.com.au

    • mouse2mobile.com

    • mysylvan.com

    • nacelink.com

    • netbilling.com

    • netfirms.com

    • netspeed.com.au

    • nike.com.hk

    • novuslink.net

    • nzqa.govt.nz

    • oberon-media.com

    • onlineaccess.net

    • optusnet.com.au

    • orcon.net

    • ordering.co.uk

    • oztralia.com

    • register.com

    • safesite.com

    • shaw.ca

    • billerweb.com

    • sms.ac

    • sparkart.com

    • sparknotes.com

    • starbiz.net.sg

    • telusmobility.com

    • thewheelconnection.com

    • tickle.com

    • trekblue.com

    • tsn.cc

    • ubi.com

    • vandyke.com

    • w2express.com

    • mgm-mirage.com

    • webeweb.net

    • wn.com.au

    • securecart.net

    • secureordering.com

    • secureserver.net

    • imrworldwide.com

    • playstation.com

    • western-inventory.com

    • securewebexchange.com

    • securitymetrics.com

    • selfmgmt.com

    • t-mobile.co.uk

    • xtra.co.nz

    • canon-europe.com

    • senecac.on.ca

    • sephora.com

    • liveperson.net

    • ariba.com

    • sympatico.ca

    • xs4all.nl

    • macau.ctm.net

    • rogers.com

    • sfgov.org

    • cic.gc.ca

    • vodafone.co.uk

    • hku.hk

    • sfa.prudential.com.sg

    • shkcorpws5.shkp.com

    • ecompanystore.com

    • o2online.de

    • shopadmin.daum.net

    • shoppersoptimum.ca

    • go-fia.com

    • zoovy.com

    • shopundco.com

    • shutterfly.com

    • signup.sprint.ca

    • silicon-power.com

    • singnet.com.sg

    • simplyhotels.com

    • sims.sfu.ca

    • singaporeair.com

    • site-secure.com

    • esdlife.com

    • flextronics.com

    • cometsystems.com

    • snapfish.com

    • solo3.nordea.fi soccer.com

    • hkuspace.org

    • soundclick.com

    • swamp.lan spiritair.com

    • sportingbet.com

    • sportodds.com

    • worldgaming.net adaptec.com

    • sqnet.com.sg srp.org.sg

    • ains.com.au

    • campoints.net

    • ingrammicro.com

    • kundenserver.de

    • speedera.net

    • farlep.net

    • lanck.net .sok

    • monster.com

    • ihost.com

    • gigaisp.net

    • webtrendslive.com

    • a-net.com

    • puma.com

    • apple.com

    • streamload.com

    • maximonline.com

    • look.ca

    • supergo.com

    • cablebg.net

    • dell

    • sony

    • inlandrevenue.gov.uk

    • tbihosting.com

    • quickbooks.com

    • techdata.com

    • telpacific.com.au

    • telstra.com

    • recruitsoft.com

    • tepore.com

    • theaa.com

    • three.com.hk

    • ticketmaster.com

    • ultrastar.com

    • ti.com

    • tirerack.com

    • tm.net.my

    • tmi-wwa.com

    • tdcwww.net

    • stanfordalumni.org

    • 012.net

    • starhubshop.com.sg

    • datasvit.net

    • ssdcl.com.sg

    • music

    • iinet.net.au

    • iprimus.com.au

    • hp.com

    • game

    • towerhobbies.com

    • travel.com.au

    • travel.priceline.com

    • travelclub.swiss.com

    • travelcommunications.co.uk

    • trivita.com

    • trust1.com

    • trustinternational.com

    • yorku.ca

    • preschoicefinancial.com

    • united.intranet.ual.com

    • unixcore.com

    • uwindsor.ca

    • ucas.co.uk

    • ups.com

    • yesasia.com

    • usafis.org

    • uscden.net

    • uscitizenship.info

    • va-bank.com

    • vasa.slsp.sk

    • veloz.com

    • victoriassecret.com

    • videotron.com

    • mcafee.com

    • virginblue.com.au

    • virginmobileusa.com

    • vodafone vpost.com.sg

    • vutbr.cz

    • opusit.com.sg

    • ibm.com

    • aircanada.ca

    • walgreens.com

    • watchguard.com

    • icq.com

    • ych.com

    • uottawa.ca

    • uoguelph.ca

    • there.com

    • webassign.net

    • comcast.net

    • douglas.bc.ca

    • carleton.ca

    • mcgill.ca

    • mcmaster.ca

    • queensu.ca

    • sheridanc.on.ca

    • ubc.ca

    • unb.ca

    • .ac.at

    • .ac.nz

    • .ust.hk

    • microsoft.com

    • guidehome.com

    • sap-ag.de

    • nwa.com

    • webzdarma.cz

    • intel.com

    • bigpond.net.au

    • willhill.com

    • .ac.uk

    • t-mobile.com

    • uwaterloo.ca

    • delawarenorth.com

    • worldwinner.com

    • worth1000.com

    • wrem.sis.yorku.ca

    • sierraclub.org

    • serviticket.com

    • yagma.com

    • yes.com.hk .edu

    • yourastrologysite.com

    • ytv.com .o2.co.uk

    • zwallet.com

TrojanSpy:Win32/Banker is installed in Internet Explorer as a Browser Helper Object.

To automatically help protect your computer from infection, always run antivirus software that uses the latest signature files. To help make sure your computer is protected against present and future threats, visit the following Microsoft Web site:

http://www.microsoft.com/protect/default.mspx

More Information

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×