Microsoft KB Archive/894269

= Your Internet Explorer home page is reset to "about:blank" and Windows Defender unexpectedly quits in Windows 2000, Windows XP, or Windows Server 2003 =

Article ID: 894269

Article Last Modified on 10/18/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional 64-Bit Edition (Itanium)
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Tablet PC Edition 2005
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Advanced Server
 * Windows Defender




SYMPTOMS
On a computer that is running Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003, you may experience the following symptoms:
 * The home page in Internet Explorer is reset to "about:blank."
 * Microsoft Windows Defender unexpectedly quits.



CAUSE
This problem may occur because your computer is infected by the TrojanSpy:Win32/Banker Trojan horse program.



WORKAROUND
Most antivirus software can detect and prevent infection by malicious software. To work around this problem, run antivirus software that is updated with the latest signature files. Then, reinstall Microsoft Windows Defender.



MORE INFORMATION
When this problem occurs, TrojanSpy:Win32/Banker takes the following actions:
 * TrojanSpy:Win32/Banker sets the Internet Explorer home page to "about:blank."
 * TrojanSpy:Win32/Banker deletes all the files in the C:\Program Files\Microsoft AntiSpyware folder.
 * TrojanSpy:Win32/Banker looks for windows relating to Microsoft Windows AntiSpyware (Beta) and sends messages to these windows to close them.
 * TrojanSpy:Win32/Banker shuts down processes that are associated with Microsoft Windows AntiSpyware (Beta).
 * TrojanSpy:Win32/Banker tries to download and then run updates from a Web server.
 * TrojanSpy:Win32/Banker tries to download and then run additional software from an FTP server.
 * TrojanSpy:Win32/Banker prevents the user from accessing certain security websites.
 * TrojanSpy:Win32/Banker removes the gcasServ registry entry from the following subkey:
 * TrojanSpy:Win32/Banker collects personal user information when a user visits online banking sites.

These sites include the following:
 * ibank.barclays.co.uk
 * ibank.cahoot.com
 * myonlineaccounts2.abbeynational.co.uk
 * olb.westpac.com.au
 * olb2.nationet.com
 * online.lloydstsb.co.uk
 * sec.westpactrust.co.nz
 * web.da-us.citibank.com
 * www.bpinet.pt
 * www.ebank.hsbc.co.uk
 * www.ebank.hsbc.com.hk
 * www.halifax-online.co.uk
 * www.iblogin.com
 * www.national.com.au
 * www.nwolb.com
 * www.rbsdigital.com

TrojanSpy:Win32/Banker then tries to send this information to an FTP server.

TrojanSpy:Win32/Banker logs URLs that you visit to the %windir%\Req.log file. However, URLs that contain certain strings are not logged.

TrojanSpy:Win32/Banker is installed in Internet Explorer as a Browser Helper Object.
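
A read-only triage check for the indicators this article lists, as an added example that is not part of the original article or any Microsoft tool. It assumes PowerShell is available on the machine being examined; the function names are hypothetical, and the gcasServ entry is not checked because the article does not show its subkey.

```powershell
# Added example: reports the symptoms described in this article. Changes nothing.
function Get-BankerIndicators {
    $findings = @()

    # Home page reset to "about:blank" (per-user Internet Explorer setting).
    $main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
                             -ErrorAction SilentlyContinue
    if ($main -and $main.'Start Page' -eq 'about:blank') {
        $findings += 'Internet Explorer Start Page is about:blank'
    }

    # URL log file named in the article.
    $reqLog = Join-Path $env:windir 'Req.log'
    if (Test-Path -LiteralPath $reqLog) {
        $findings += "URL log present: $reqLog"
    }

    # AntiSpyware folder still exists but every file in it has been deleted.
    $asDir = 'C:\Program Files\Microsoft AntiSpyware'
    if ((Test-Path -LiteralPath $asDir) -and
        -not (Get-ChildItem -LiteralPath $asDir -Force -ErrorAction SilentlyContinue)) {
        $findings += "Folder is empty: $asDir"
    }

    $findings
}

# Lists every registered Browser Helper Object with the DLL it loads, so an
# unfamiliar entry can be reviewed. The article gives no CLSID or file name
# for the Trojan, so nothing is matched automatically here.
function Get-BrowserHelperObjects {
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ CLSID = $clsid; Dll = $srv.'(default)' }
    }
}

Get-BankerIndicators
Get-BrowserHelperObjects | Format-Table -AutoSize
```

A single indicator, such as a home page of "about:blank", also occurs on clean machines; the combination of several is what matches the behavior described above.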

To automatically help protect your computer from infection, always run antivirus software that uses the latest signature files. To help make sure your computer is protected against present and future threats, visit the following Microsoft Web site:

http://www.microsoft.com/protect/default.mspx

Additional query words: TrojanSpy.Win32.Banker

Keywords: kbtshoot kbbug kbfix kbvirus kbdefenderrtwyes kbdefenderrtwswept KB894269


© Microsoft Corporation. All rights reserved.