Your Internet Explorer home page is reset to "about:blank" and Windows Defender unexpectedly quits in Windows 2000, Windows XP, or Windows Server 2003

Symptoms

On a computer that is running Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003, you may experience the following symptoms:

Cause

This problem may occur because your computer is infected by the TrojanSpy:Win32/Banker Trojan horse program.

Workaround

Most antivirus software can detect and prevent infection by malicious software. To work around this problem, run antivirus software that is updated with the latest signature files. Then, reinstall Microsoft Windows Defender.

More Information

When this problem occurs, TrojanSpy:Win32/Banker takes the following actions:
  • TrojanSpy:Win32/Banker sets the Internet Explorer home page to "about:blank."
  • TrojanSpy:Win32/Banker deletes all the files in the C:\Program Files\Microsoft AntiSpyware folder.
  • TrojanSpy:Win32/Banker looks for Windows relating to Microsoft Windows AntiSpyware (Beta) and sends messages to these windows to close them.
  • TrojanSpy:Win32/Banker shuts down processes that are associated with Microsoft Windows AntiSpyware (Beta).
  • TrojanSpy:Win32/Banker tries to download and then run updates from a Web server.
  • TrojanSpy:Win32/Banker tries to download and then run additional software from an FTP server.
  • TrojanSpy:Win32/Banker prevents the user from accessing certain security websites.
  • TrojanSpy:Win32/Banker removes the gcasServ registry entry from the following subkey:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • TrojanSpy:Win32/Banker collects personal user information when a user visits online banking sites.

    These sites include the following:
    • ibank.barclays.co.uk
    • ibank.cahoot.com
    • myonlineaccounts2.abbeynational.co.uk
    • olb.westpac.com.au
    • olb2.nationet.com
    • online.lloydstsb.co.uk
    • sec.westpactrust.co.nz
    • web.da-us.citibank.com
    • www.bpinet.pt
    • www.ebank.hsbc.co.uk
    • www.ebank.hsbc.com.hk
    • www.halifax-online.co.uk
    • www.iblogin.com
    • www.national.com.au
    • www.nwolb.com
    • www.rbsdigital.com
    TrojanSpy:Win32/Banker then tries to send this infromation to an FTP server.
  • TrojanSpy:Win32/Banker logs URLs that you visit to the %windir%\Req.log file. However, URLs that contain the following strings are not logged:
TrojanSpy:Win32/Banker is installed in Internet Explorer as a Browser Helper Object.

To automatically help protect your computer from infection, always run antivirus software that uses the latest signature files. To help make sure your computer is protected against present and future threats, visit the following Microsoft Web site:
คุณสมบัติ

รหัสบทความ: 894269 - การตรวจสอบครั้งสุดท้าย: 1 ก.ค. 2010 - ฉบับแก้ไข: 1

คำติชม