Trojan.Banker possibly false positive


John A

See attached log file

Hi, I got the same problem on my desktop PC with XP Pro SP3 (32 bit).

SUPERAntiSpyware free found no malware

PREVX 3.0 found no malware either.

No malware was detected on my laptop with Vista Home Premium SP1 (32 bit), though.

I think it is a f.p. too.


Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\W2KLpk (Trojan.Banker) -> No action taken.

Same here... the one thing I can add is that this detection was part of the extra/heuristics scanning.


I got the same entry when I scanned a few minutes ago and hit the removal button. My log says: Quarantined and deleted successfully.

I have a question: If this is a false positive, what did Malwarebytes delete and quarantine?

Blue452

XP SP3

IE6


I got the same entry when I scanned a few minutes ago and hit the removal button. My log says: Quarantined and deleted successfully.

I have a question: If this is a false positive, what did Malwarebytes delete and quarantine?

Blue452

XP SP3

IE6

I am also running XP SP3.

Do you still have this entry in the registry?

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\W2KLpk


I have a question: If this is a false positive, what did Malwarebytes delete and quarantine?

It's a registry value whose value data determines whether the installation of Language Packs is allowed or prohibited.

Certain malware does set a restriction there, but that needn't be the case here.

You can simply have MBAM restore that quarantined item.


It's a registry value whose value data determines whether the installation of Language Packs is allowed or prohibited.

Certain malware does set a restriction there, but that needn't be the case here.

You can simply have MBAM restore that quarantined item.

Is it also ok if you leave it deleted? I have no clue about registry stuff, so when this was detected on my system I deleted it thinking it WAS a virus and just wanted to get rid of it, but is it something I should not have deleted?

Thank You.


Is it also ok if you leave it deleted? I have no clue about registry stuff, so when this was detected on my system I deleted it thinking it WAS a virus and just wanted to get rid of it, but is it something I should not have deleted?

The "W2KLpk" DWORD value isn't always there by default. If it IS present, value data of "00000000" prevents language pack installation, and "00000001" enables it.

My guess is that, if the value is absent altogether, Language Pack installation is automatically allowed without a prompt.

I'd have MBAM restore the item from quarantine, then check the Registry to make sure that LP installation is prohibited.

This is because there was a known Language Pack Installation vulnerability in IE (prolly fixed by now, but nevertheless...).

Alternatively (obviously only if MBAM did quarantine this item on your system), you could merge the following regfile (for XP and Vista):

Copy the text inside the 'Code' box to Notepad, and save it in a location of your choice as Fix.reg (make sure you save as type: 'all files').

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International]

"W2KLpk"=dword:00000000

Double-click Fix.reg, and answer yes when prompted to add its contents to the Registry.

Editing the regfile by changing dword:00000000 to dword:00000001 re-enables LP Installation.

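As an added example (not posted by anyone in this thread), the following PowerShell script checks the state of the W2KLpk value described above before and after restoring from quarantine, and can apply the same setting as Fix.reg without hand-editing a .reg file. It assumes the semantics given in the post: 0 prohibits Language Pack installation, 1 allows it, and an absent value means no restriction is set.

```powershell
# Added example, not from the thread: audit the W2KLpk DWORD under the current
# user's HKCU hive and optionally set it to 0 (prohibit), like merging Fix.reg.
$KeyPath   = 'HKCU:\Software\Microsoft\Internet Explorer\International'
$ValueName = 'W2KLpk'

function Get-W2KLpkState {
    # Returns 'Absent', 'Prohibited' (data 0), 'Allowed' (data 1) or 'Unexpected:<n>'.
    if (-not (Test-Path $KeyPath)) { return 'Absent' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Absent' }
    switch ($item.$ValueName) {
        0       { 'Prohibited' }
        1       { 'Allowed' }
        default { "Unexpected:$($item.$ValueName)" }
    }
}

function Set-W2KLpkProhibited {
    # Same effect as Fix.reg: create the key if missing, then W2KLpk = dword:00000000.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 0')) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

Write-Host ("Before: " + (Get-W2KLpkState))
Set-W2KLpkProhibited -WhatIf          # remove -WhatIf to actually apply the change
Write-Host ("After:  " + (Get-W2KLpkState))
```

Run it as the user whose profile was scanned, since the value lives under HKEY_CURRENT_USER; if the report says 'Absent' after restoring from quarantine, the restore did not recreate the value and the Set function (or Fix.reg) will.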
