VBS:Banker-EA [Trj] in system32 software.log2 file


Guasse

Recommended Posts

File is in C:/Windows/System32/config/SOFTWARE.LOG2 and the possible virus is named VBS:Banker-EA [Trj]. VirusTotal detects nothing wrong with the file (link below). Avast has detected this potential virus on my computer in 2/3 of my last scans, and it won't let me do anything with it. I'm wondering if this is a false positive or something, or if I can safely manually delete the file. I've tried researching the specific virus name but I don't find anything of use on Google. All I know is apparently software.log2 is some sort of clean reboot to a previous version of my Windows in case something goes wrong, which seems like an odd place for a virus to hide (I don't know much about viruses). Any help is greatly appreciated.


Virustotal: https://www.virustotal.com/en/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1453778008/


"possible virus is named VBS:Banker-EA [Trj]"

TRJ = trojan, not virus.

VBS:Banker would mean a Visual Basic Script (VBS) associated with a Banker trojan. Most likely to download a Banker / Bancos trojan. In other words a Banload trojan [ Banker / Bancos trojan downloader ].

You posted a Virus Total report URL to a Zero Byte file.

In other words - EMPTY, nothing, non-malicious, zero content........

There could be two reasons for the empty file.

1. The file SOFTWARE.LOG2 is indeed empty.

2. The file SOFTWARE.LOG2 is a System File whose File Handle is held open by the OS and as such you cannot access it to submit it to Virus Total. Thus Zero Bytes.

Let's assume that SOFTWARE.LOG2 was a VBS script: it doesn't have a VBS or VBE file extension, so it loses potency ( so to speak ).

To use it, the VBS Script Interpreter would have to be called specifically loading that file. However, C:\Windows\System32\config is a special location that contains highly sensitive OS boot information and thus is protected by the OS.

Therefore it looks like Avast is generating a False Positive. Even if you hadn't mentioned that you used Avast, I can tell by the detection name syntax "VBS:Banker-EA [Trj]" that we are talking about Avast.

BTW: In Windows the path nomenclature is; C:\Windows\System32\config\SOFTWARE.LOG2

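The reply above rests on one check a practitioner would want to be able to repeat: the hash in the posted VirusTotal URL is the SHA-256 of zero bytes, so the report says nothing about the real SOFTWARE.LOG2. The script below is an added example, not code from the thread or from Avast/VirusTotal. It computes the empty-input SHA-256 itself, pulls the hash out of a VirusTotal file-report URL to see whether it is that value, and hashes a local file while treating a read that the OS refuses (an open handle on a live registry hive log, or an ACL on C:\Windows\System32\config) as "the upload would have been 0 bytes" rather than as a clean result. The `/file/<sha256>/` URL shape and the sample bytes at the bottom are assumptions for illustration.

```python
import hashlib
import re
from pathlib import Path
from typing import Optional

# SHA-256 of zero bytes. A VirusTotal report for this hash is a report
# for an empty upload, not for whatever file you meant to submit.
EMPTY_FILE_SHA256 = hashlib.sha256(b"").hexdigest()

# Matches the 64-hex-digit hash in a VirusTotal "/file/<sha256>/" report URL
# (URL layout assumed from the link posted in the thread).
_VT_FILE_HASH = re.compile(r"/file/([0-9A-Fa-f]{64})(?:/|$)")


def sha256_from_vt_url(url: str) -> Optional[str]:
    """Return the lowercased SHA-256 a VirusTotal file-report URL refers to, or None."""
    m = _VT_FILE_HASH.search(url)
    return m.group(1).lower() if m else None


def is_empty_submission(url: str) -> bool:
    """True when the VT URL points at the zero-byte file, i.e. nothing was really scanned."""
    return sha256_from_vt_url(url) == EMPTY_FILE_SHA256


def describe_sample(data: bytes) -> dict:
    """Size, SHA-256 and a plain-language verdict for bytes read from a suspect file."""
    digest = hashlib.sha256(data).hexdigest()
    if digest == EMPTY_FILE_SHA256:
        verdict = "empty: file is genuinely empty, or the read returned nothing"
    else:
        verdict = "non-empty: this content can actually be scanned"
    return {"size": len(data), "sha256": digest, "verdict": verdict}


def describe_file(path: str) -> dict:
    """Hash a file on disk; a read the OS refuses is reported as an error, not as a digest."""
    p = Path(path)
    try:
        data = p.read_bytes()
    except OSError as exc:  # PermissionError on a live hive log such as SOFTWARE.LOG2
        return {
            "path": str(p),
            "error": f"{type(exc).__name__}: {exc}",
            "hint": "could not read this path; an upload made from it would carry 0 bytes",
        }
    info = describe_sample(data)
    info["path"] = str(p)
    return info


if __name__ == "__main__":
    # The URL posted in the thread, checked against the empty-file hash.
    url = ("https://www.virustotal.com/en/file/"
           "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1453778008/")
    print("report is for an empty upload:", is_empty_submission(url))
    # Constructed sample bytes, not content of the original file.
    print(describe_sample(b""))
    print(describe_sample(b"not a registry hive log"))
    # On a Windows box this is the path from the thread; expect an error dict, not a hash.
    print(describe_file(r"C:\Windows\System32\config\SOFTWARE.LOG2"))
```

If `describe_file` comes back with an error for a hive log, the file is not readable from a normal process and any "scan" of a copy made that way is meaningless; a readable copy has to come from a Volume Shadow Copy of the volume, which is outside what this thread covers.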

Yeah, I know. My point was I could tell just by the naming convention it was Avast.

71,936 KB ==> ~72MB.

No VB Script would be 72MB.

Another indicator of an Avast False Positive.

This reminds me of another Avast False Positive. VBS:Zulu was detected on Microsoft web pages [ microsoft.com ] 9 years ago. It took like 2 months to fix that False Positive.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.