PWSteal remover

Microsoft's AntiSpyware Beta software has been found vulnerable to "PWSteal.Bankash.A", a password-stealing Trojan. This Trojan tries to steal usernames and passwords from certain financial Web sites. It also attacks and disables Microsoft's AntiSpyware software.

Variants of PWSteal.Bankash.A Trojan horse
1) PWS-Banker.j
2) Troj/BankAsh-A
3) Trojan-Downloader.Win32.Small.ain

This Trojan affects Windows 95, Windows 98, Windows 2000, Windows Me, Windows NT, Windows Server 2003 and Windows XP operating systems.

The list of affected financial websites

After effects of PWSteal.Bankash.A Trojan infection
This Trojan does the following things after infection:
a) PWSteal.Bankash.A Trojan drops the file %System%\ASH.DLL.
b) It creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{C6176B04-8896-4446-9939-E00EE94C420F}
HKEY_CLASSES_ROOT\AntiSpy.AntiSpy
HKEY_CLASSES_ROOT\AntiSpy.AntiSpy.1
c) To register its DLL file, it adds the value "(Default)" = "IIEHlprObj" to the registry subkey:
HKEY_CLASSES_ROOT\Interface\{17A45F93-AEC8-440B-AC33-1BA9CC3192AC}
d) Also to register its DLL file, it adds the value "(Default)" = "AS 0.96 Type Library" to the registry subkey:
HKEY_CLASSES_ROOT\TypeLib\{D941DA88-1DAA-4ED2-8946-ABABCF2A4C3F}.0
e) PWSteal.Bankash.A Trojan creates the following registry subkey so that Windows Explorer loads the DLL file automatically:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Explorer\Browser Helper Object\{C6176B04-8896-4446-9939-E00EE94C420F}
f) It also sets the value "Start Page" = "about:blank" in the following registry subkeys so that IE opens the "about:blank" page:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
g) It redirects the IE browser to spoofed Web sites to steal users' login IDs and passwords.
h) In an attempt to disable the Microsoft AntiSpyware application, PWSteal.Bankash.A Trojan deletes the following subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run gcasServ
i) It permanently damages the following processes of the Microsoft AntiSpyware application:
* GCASCLEANER

PWSteal.Bankash.A Trojan deletes all the files in the C:\Program Files\Microsoft AntiSpyware folder. It also stops users from viewing warning messages from the Microsoft AntiSpyware application and modifies the Hosts file to block access to several Web sites. It downloads and installs the threat updates. It also attempts to unregister and then delete the %System%\IEHELPER.DLL file.

How to remove PWSteal.Bankash.A Trojan?
a) Disable System Restore (Windows Me/XP).

It is recommended to use Symantec AntiVirus and Norton AntiVirus programs for better results. The above instructions are applicable to Symantec AntiVirus and Norton AntiVirus programs.
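
The registry changes listed above can be checked against a registry export. The following is an added example, not part of the original article or of any vendor tool: it scans the text of a reg export file for the CLSID, Interface and TypeLib identifiers, the AntiSpy.AntiSpy ProgID and the "Start Page" value given above. The function names and the sample export are constructed for illustration.

```python
import re

# Identifiers copied from the article; matching is on GUIDs and names, not full key paths.
BHO_CLSID = "{C6176B04-8896-4446-9939-E00EE94C420F}"
INTERFACE = "{17A45F93-AEC8-440B-AC33-1BA9CC3192AC}"
TYPELIB = "{D941DA88-1DAA-4ED2-8946-ABABCF2A4C3F}"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # "@" is how .reg files spell the "(Default)" value
            current[m.group(1).strip('"')] = m.group(2).strip('"')
    return keys

def find_indicators(text):
    """Return sorted (indicator, key_path) pairs found in the export."""
    hits = []
    for path, values in parse_reg(text).items():
        up, default = path.upper(), values.get("@", "")
        if BHO_CLSID in up:
            kind = "bho-autoload" if "BROWSER HELPER OBJECT" in up else "clsid"
            hits.append((kind, path))
        if up.rsplit("\\", 1)[-1].startswith("ANTISPY.ANTISPY"):
            hits.append(("progid", path))
        if INTERFACE in up and default == "IIEHlprObj":
            hits.append(("interface", path))
        if TYPELIB in up and default == "AS 0.96 Type Library":
            hits.append(("typelib", path))
        # Weak on its own: many users choose about:blank themselves.
        if up.endswith("INTERNET EXPLORER\\MAIN") and values.get("Start Page") == "about:blank":
            hits.append(("start-page", path))
    return sorted(hits)

# Constructed sample export (not captured from an infected machine).
SAMPLE = r'''[HKEY_CLASSES_ROOT\CLSID\{C6176B04-8896-4446-9939-E00EE94C420F}]
[HKEY_CLASSES_ROOT\AntiSpy.AntiSpy.1]
[HKEY_CLASSES_ROOT\Interface\{17A45F93-AEC8-440B-AC33-1BA9CC3192AC}]
@="IIEHlprObj"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

if __name__ == "__main__":
    print(*find_indicators(SAMPLE), sep="\n")
```

Files written by reg export are UTF-16, so decode them before passing the text to find_indicators.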