   Mischel Internet Security Forum
Topic: Win32.Banload.aghb (Read 5021 times)
HawaiiSteve
Newbie
Posts: 4
Win32.Banload.aghb
« on: Jul 22nd, 2009, 8:36pm »

SpyBot just reported that my pc has the Win32.Banload.aghb trojan. I tried several times to have SpyBot remove it, but it always failed! Will Trojan Hunter remove it?
 
Thanks!
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
Posts: 7358
Re: Win32.Banload.aghb
« Reply #1 on: Jul 22nd, 2009, 9:23pm »

Welcome to the forum HawaiiSteve ;)
 
Can you submit the file that Spybot says is infected to Mischel Internet Security per the instructions in the link below?
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Gavin will analyze it.  If it indeed is an infection, he will incorporate its removal in TH if it is not already there.
 
You can download/install the Trial Version of TrojanHunter and run a full scan of your system to see if it detects the supposed infection.
 
-  Once you install the TH Trial Version and prior to running the scan, be sure to update the rulesets to the latest version.  The manual update is located at  
 
http://www.misec.net/trojanhunter/updating/

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
HawaiiSteve
Re: Win32.Banload.aghb
« Reply #2 on: Jul 22nd, 2009, 9:53pm »

Hi. Thanks for your reply!  Sorry, but I don't know enough to know what you mean by sending you "the file that Spybot says is infected".  If this helps, here is the report:
 
======================================
--- Report generated: 2009-07-22 07:24 ---
 
Win32.Banload.aghb: [SBI $4C93D42E] File extension (Registry key, fixing failed)
  HKEY_CLASSES_ROOT\.gbp
 
--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---
 
======================================
 
Please advise,
 
Steve
siliconman01
Re: Win32.Banload.aghb
« Reply #3 on: Jul 22nd, 2009, 10:24pm »

I'm not familiar with Spybot; however, it does not appear to me that having the registry key HKEY_CLASSES_ROOT\.gbp by itself is an infection.  Did Spybot successfully remove other parts/files of this infection?  
 
What I recommend that you do in an effort to "cross check" Spybot's detection is to go to the link below and download/install the FREE home user version of SuperAntispyware.  
 
http://www.superantispyware.com/superantispywarefreevspro.html
 
Once you get it installed, update its definitions to the very latest definitions from the link below.
 
http://www.superantispyware.com/definitions.html
 
Then run a COMPLETE Scan of your system with SuperAntiSpyware.  It will thoroughly scan the registry as part of the scan.   At the end of the scan, let SAS quarantine anything that it detects as malicious.    
 
Please post back here the SAS scan log which is found under the SAS tab Statistics/Logs in the Preferences window of SAS.
HawaiiSteve
Re: Win32.Banload.aghb
« Reply #4 on: Jul 22nd, 2009, 10:57pm »

I downloaded the trial version and ran a quick scan. I got these results:
 
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GBMHome8Agent
Suspicious registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GBMHome8Agent
 
Do these mean anything to you?
 
How long does a full scan take?
 
Thanks,
 
Steve
siliconman01
Re: Win32.Banload.aghb
« Reply #5 on: Jul 22nd, 2009, 11:13pm »

GBMHome8Agent being started from two registry RUN locations is why TrojanHunter Quick Scan is saying that it is suspicious.  This startup tactic is often used by malware.
 
Please run a FULL Scan with TH.  The scan time depends on your computer hardware and the number of files on your computer hard drive(s).  I suspect that it will take 1-2 hours.
siliconman01
Re: Win32.Banload.aghb
« Reply #6 on: Jul 22nd, 2009, 11:37pm »

In addition to my post above:
 
Am I correct in assuming that you have the Genie Software Backup and Restore software on your computer?  GBMHome8Agent is typically part of this software.  Of course, the cybercriminals could also be using the name GBMHome8Agent as part of an infection.  
« Last Edit: Jul 22nd, 2009, 11:37pm by siliconman01 »
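
One way to follow up on the finding discussed in replies #5 and #6, as an added example that is not part of the original thread or of any product mentioned in it: a PowerShell check that lists autostart values present in both Run keys and reports each target file and its Authenticode signer, so a legitimate agent can be told apart from a look-alike name. The helper name `Get-ExePath` is hypothetical.

```powershell
# Added example (not from the thread): triage autostart values that exist in
# BOTH the machine-wide and per-user Run keys, as in the GBMHome8Agent finding.
$runKeys = @{
    HKLM = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    HKCU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
}

# Hypothetical helper: pull the executable path out of a Run command line.
function Get-ExePath([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"')    { return $Matches[1] }   # "C:\path with spaces\app.exe" args
    if ($cmd -match '^(.+?\.exe)\b') { return $Matches[1] }   # unquoted path ending in .exe
    return ($cmd -split '\s+')[0]                             # fallback: first token
}

# Read every value (name and command line) from each Run key.
$entries = foreach ($hive in $runKeys.Keys) {
    $key = Get-Item -LiteralPath $runKeys[$hive] -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Hive = $hive; Name = $name; Command = [string]$key.GetValue($name) }
    }
}

# Value names are unique within a key, so a group of two means "present in both hives".
$entries | Group-Object Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    foreach ($e in $_.Group) {
        $path   = Get-ExePath $e.Command
        $exists = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path }
        [pscustomobject]@{
            Name      = $e.Name
            Hive      = $e.Hive
            Path      = $path
            Exists    = $exists
            SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
} | Format-List
```

An entry whose file is missing, whose signature status is not `Valid`, or whose two hives point at different paths is the one worth submitting for analysis.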
siliconman01
Re: Win32.Banload.aghb
« Reply #7 on: Jul 24th, 2009, 1:34am »

I see from the Spybot forum that you have resolved this issue via recommendations from the Spybot crew. ;)
HawaiiSteve
Re: Win32.Banload.aghb removed
« Reply #8 on: Jul 24th, 2009, 1:49am »

First, thanks very much for your information re: Genie Backup. It's only there because I tried it, but didn't like how it worked, and didn't work. I chose another backup solution instead. I need to totally remove it.
 
Yes, Spybot was able to quickly remove Win32.Banload.aghb after I ran Spybot "As Administrator".
 
Before that, I was going to purchase TrojanHunter, whether it removed Win32.Banload.aghb or not, but after it took MUCH longer than I imagined (it was only half done when I went to bed after running for 4 hours!), AND it didn't find anything close to Win32.Banload.aghb, AND I then learned that it can't be used for attempting to remove the other things that it claimed to find... things that Spybot didn't find... unless I pay for it :( ...I decided to not purchase it... now... or later :(
 
Thanks anyway,
 
Steve
siliconman01
Re: Win32.Banload.aghb
« Reply #9 on: Jul 24th, 2009, 2:10am »

You are very welcome. ;)

And thanks for your comments concerning the scan speed and use of the Trial version.  I will pass them along to the developer of TH.