
Thread: Win32.Banker.ekn

  1. #1
    Junior Member
    Join Date
    Jan 2008
    Posts
    4

    Win32.Banker.ekn

    Some users of our forum reported this entry in Spybot:

    Win32.Banker.ekn: Settings (Chave do registro, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv

    Win32.Banker.ekn: Settings (Chave do registro, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\GbpSv

    Win32.Banker.ekn: Settings (Chave do registro, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv

    I think it could be a false positive. Two cases, with HijackThis logs:
    http://linhadefensiva.uol.com.br/for...howtopic=59949
    http://linhadefensiva.uol.com.br/for...howtopic=59749

    GbpSv is the service of GBPlugin, an internet banking plugin very common in Brazil:
    http://www.prevx.com/filenames/40203...GBPSV.EXE.html

    Please analyse,

    Fabio Assolini
    www.linhadefensiva.org

  2. #2
    Junior Member
    Join Date
    Jan 2008
    Posts
    4

    Confirmed: it is a false positive. I ran Spybot on a clean machine with the plugin installed and Spybot showed the keys reported in the first post.

    These are the legitimate entries of GbPlugin in a HijackThis log:

    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
    O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe

    Fabio Assolini
    www.linhadefensiva.org
    Last edited by EinsteinLD; 2008-01-18 at 02:15.

  3. #3
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959


    Thank you for reporting, I left a note for our detectives directing them to this topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Member of Team Spybot Buster
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389


    Thanks for reporting. This false positive will be fixed in our next update.
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky


  5. #5
    Junior Member
    Join Date
    Jan 2008
    Posts
    4


    Thanks for the support!


  6. #6
    Junior Member
    Join Date
    Jan 2008
    Posts
    1

    "win32.banker.ekn"

    This spy is not a false positive,

    because I find it with other viruses and trojans... so this could not be a false positive but a problem that Spybot cannot resolve

  7. #7
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263


    Hello,

    That is a service that does not have to be bad.
    Could you please tell us which program does it also detect?

    Best regards
    Sandra
    Team Spybot

  8. #8
    Junior Member
    Join Date
    Jan 2008
    Posts
    4

    Originally posted by Humptvivacqua:
    This spy is not a false positive, because I find it with other viruses and trojans... so this could not be a false positive but a problem that Spybot cannot resolve

    Gbp is an internet banking plugin, not a spy, used to access online services with a lot of Brazilian banks, including Bank of Brazil.
    Of course there are fake Gbp, created by Brazilian hackers to steal data from the bank customers. The original file is located at C:\arquivos de programas\GbPlugin\GbpSv.exe or C:\Program Files\GbPlugin\GbpSv.exe

    When you try to access an https page from Bank of Brazil, you need to install this plugin. Try it: www.bancodobrasil.com.br

    This false positive causes a great inconvenience in Brazil. In our forum we receive a lot of reports about this mistake.

    The only interested people that want to remove this plugin are Brazilian hackers and VX's creators.

    Best Regards

    Fabio Assolini
    Security Coordinator - Linha Defensiva
    MIRT Hunter - CastleCops.com
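
A first-pass check for the point made in post #8, as an added example that is not part of the thread or any poster's code: it reads HijackThis O23 lines and reports whether the GbpSv service image sits in one of the two install paths that post gives, accepting 8.3 short names such as ARQUIV~1. The function names and the second sample line are assumptions made for illustration; a location match is only a first filter and does not verify the file itself.

```python
import re

# Install locations named in post #8 of the thread (compared case-insensitively).
EXPECTED = [
    r"C:\arquivos de programas\GbPlugin\GbpSv.exe",
    r"C:\Program Files\GbPlugin\GbpSv.exe",
]

# HijackThis service line: O23 - Service: <display> (<name>) - <owner> - <path>
O23 = re.compile(
    r"^O23 - Service: (?P<display>.*) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.*?) - (?P<path>[A-Za-z]:\\.*)$"
)

def component_matches(seen, expected):
    """Compare one path component, accepting a plausible 8.3 alias."""
    seen, expected = seen.lower(), expected.lower()
    if seen == expected:
        return True
    # 8.3 alias (e.g. ARQUIV~1): first six characters of the long name
    # with spaces dropped, then ~digit. A log cannot prove which long
    # name the alias maps to, so this only means "consistent with".
    alias = re.fullmatch(r"([^~.]{1,6})~\d", seen)
    return bool(alias) and expected.replace(" ", "")[:6] == alias.group(1)

def in_expected_location(path):
    parts = path.strip().split("\\")
    for good in EXPECTED:
        wanted = good.split("\\")
        if len(parts) == len(wanted) and all(map(component_matches, parts, wanted)):
            return True
    return False

def triage(log_text, service="GbpSv"):
    """Return (image path, verdict) for each O23 entry of the service."""
    findings = []
    for line in log_text.splitlines():
        m = O23.match(line.strip())
        if m and m.group("name").lower() == service.lower():
            path = m.group("path")
            verdict = "expected location" if in_expected_location(path) else "unexpected location"
            findings.append((path, verdict))
    return findings

# First line is from post #2; the second is constructed for illustration.
SAMPLE = r"""
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Temp\GbpSv.exe
"""
```

An entry reported as "unexpected location" is the one to examine further; on a live system the short alias can be resolved to its long name before comparing.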

  9. #9
    Junior Member
    Join Date
    Mar 2008
    Posts
    1

    I guess there are 2 gbpsv.exe; one of them is the bank program, the other one is a virus that appropriates the name of the bank service... I never used internet banking here and I got the virus. I cannot delete it even in safe mode, and I cannot remove it or stop it and can't stop it from running automatically when Windows starts...
    I don't guess a program from the good will protect itself this way...
    Also, Ad-Aware and AVG say it's a virus too...

  10. #10
    Junior Member
    Join Date
    Jan 2009
    Posts
    1

    GBP Service

    This seems to be a virus. I am having the same problems as the poster above; the service won't allow itself to be stopped, even when in safe mode. I cannot remove the registry entries for this service manually. It lists itself as a plug-in in Internet Explorer, but upon disabling it, it re-enables itself. These are all virus-like activities. There is no easy way to remove this utility, and because of that it should be categorized as a virus if I am not mistaken. I believe that is US law now. I will find how to remove this virus and post my findings ASAP. For the record, the files for this service are found in c:\program files\GbPlugin\ on my machine.

    Anthony Tobin
    Advanced Network Solutions

