Need User Feedback: Banker trojan



SplatCatToo
2010-03-17, 02:26
Hi everybody,

I need some help with the Banker trojan. I always run a Spybot scan every Sunday. This Sunday, it came back telling me that I have the Banker trojan in 2 locations. This has me pretty concerned about the security of my system although I have McAfee that's constantly updated. I've done several deep scans with McAfee and nothing comes up with that.

The 2 registries are:
(SBI $EBFB4022) Browser Helper Object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}

(SBI $7F6039C1) CLASS ID
HKEY_CLASSES_ROOT\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}

I hope I copied all this right. I don't even use Explorer as my browser. I use Firefox.

I hope somebody can help me. I stopped at the bank to see if I need to change my accounts and they say their High Risk IT Dept hasn't sent any messages out about this and they hadn't heard of it at the bank at all.

Thanks for your help.

Splat Cat Too

Buster
2010-03-17, 10:06
Sorry, but this does not look like a false positive to me. If you should experience any problems fixing this BHO for the Internet Explorer please visit our malware removal subforum. If you're only using Firefox for your banking stuff, you don't have to worry about your banking details. Anyway this BHO should be removed as soon as possible. Did you install any new game like iWinGames lately?

best,
buster!

Matt
2010-03-17, 22:42
Hi SplatCatToo,

This CLSID is "bad" and should be removed. It seems to be an orphan from a previous adware infection you had. See here (http://www.systemlookup.com/CLSID/29038-iWinGamesHookIE_dll_IWINGA_1_DLL_IEHelper_dll.html).
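The two keys in the thread are the standard pair behind any Internet Explorer BHO: the entry under Browser Helper Objects names a CLSID, and that CLSID's InprocServer32 key names the DLL that gets loaded. The following PowerShell is an added example, not code from the thread or from Spybot; it walks that chain for every registered BHO and flags the "orphan" case Matt describes (CLSID still registered, DLL gone from disk). The WOW6432Node paths and the helper name Get-BhoServerDll are assumptions of this example.

```powershell
# Added example (not from the thread): enumerate every Browser Helper Object
# registered on this machine and resolve each CLSID to the DLL Internet Explorer
# would load. A CLSID whose DLL is missing is an orphan registration; one whose
# DLL is still on disk is live and deserves a closer look.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit IE on 64-bit Windows keeps its BHO list under WOW6432Node as well.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoServerDll([string]$Clsid) {
    # The CLSID's InprocServer32 default value holds the DLL path; check both the
    # native and the WOW6432Node class registrations.
    foreach ($key in @("Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
                       "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$Clsid\InprocServer32")) {
        if (Test-Path -LiteralPath $key) {
            $path = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

$report = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid = $key.PSChildName      # e.g. {8CA5ED52-F3FB-4414-A105-2E3491156990}
        $dll   = Get-BhoServerDll $clsid
        if (-not $dll) {
            $status = 'CLSID has no InprocServer32 (dangling BHO entry)'
        } elseif (Test-Path -LiteralPath $dll) {
            $status = 'DLL present: active BHO'
        } else {
            $status = 'Orphan: DLL missing from disk'
        }
        [PSCustomObject]@{ CLSID = $clsid; Dll = $dll; Status = $status }
    }
}
$report | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the affected machine; a DLL path that resolves to a games vendor's folder, as in this thread, is the kind of entry to look up before removing.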

SplatCatToo
2010-03-18, 02:19
Thanks Buster. I do only use Firefox for looking at my banking stuff. I have IE, but rarely go into it. I think Firefox is safer and better.
And, YES, I did download from iWin, unfortunately. I also bought the game Gardenscapes from them and ordered a backup CD. Will the CD be safe to use? Or, should I just eat the loss of the money and consider it a lesson learned. I had a feeling the problem had something to do with iWin from some of the other crap I was able to clean off with Spybot and the names that came up were related to iWin. I never had problems like this before I downloaded the game from them.
Is there an easy way to get rid of this problem or should I use my last advanced tech call to Dell and ask them to get rid of it?
I just learned a hard lesson trying to save a few bucks and because I liked the game. I can order it from another site I know is good like PopCap instead. It will cost more, but at this point, it's worth it.
Thanks for your help!

Splat Cat Too

SplatCatToo
2010-03-18, 02:21
Thank you too Matt,

Is there an easy way to remove this part? Like I just said to Buster, I learned a hard lesson on this. From now on, I'll stick to sites I know like PopCap, Pogo and Big Fish.
Again, do you think the CD I ordered from iWin is safe to install? I also have a laptop but have not installed anything from iWin on that and won't either!

Thanks again.

Splat Cat Too

Matt
2010-03-18, 21:27
Hi Splat Cat Too,

Is there an easy way to remove this part? Like I just said to Buster, I learned a hard lesson on this.

Does Spybot still find the following two entries?


(SBI $EBFB4022) Browser Helper Object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}

(SBI $7F6039C1) CLASS ID
HKEY_CLASSES_ROOT\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
You can let Spybot fix these two problems. Shouldn't be a problem I think.

Thank you too Matt
You're welcome. :)

SplatCatToo
2010-03-19, 03:13
Hi Matt,

It's still listed when I run Spybot. It still won't let me remove it. When I go into the "recovery" section, it tells me I have 20 listed under the Banker. I wasn't sure whether or not I need to get rid of it from here or from somewhere else. I just don't know enough about the registries to even have an idea what I'm doing. Under the Recovery section, it also tells me I have a lot of other stuff too, that's all been backed up. I don't want to lose anything or delete something I shouldn't, but if I'm reading this correctly, it backed the bad stuff up at this point.

Thanks again for your help.
SplatCatToo

tashi
2010-03-19, 19:27
Hello SplatCatToo,

Please follow the instructions in this link to produce an HJT log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where an analyst will take a look at the system and advise you as soon as available. :)

It would be helpful if in your new topic you provide a link back to this one.

Best regards.

Matt
2010-03-19, 21:36
Hi SplatCatToo,

Please follow the instructions in this link to produce an HJT log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where an analyst will take a look at the system and advise you as soon as available. :)

It would be helpful if in your new topic you provide a link back to this one.
Tashi has already given you all important information.

I hope you can get rid of the Malware with the help of the analyst as soon as possible. ;)

Take care

SplatCatToo
2010-03-20, 01:13
Thanks Tashi and Matt,

I took a brief look at the instructions and since I have tomorrow off, that would be a good time to work with this so I get it right rather than trying to do it tonight after a long day of work.
I appreciate your help!

SplatCatToo