Troj/Bancos-DH

Please follow the instructions for removing Trojans.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Registro
<Windows>\inf\svchostt.exe

and delete it if it exists.

Close the registry editor.

Troj/Bancos-DH is a password-stealing Trojan for the Windows platform.

Troj/Bancos-DH includes functionality to download, install and run new software.

When Troj/Bancos-DH is installed the following files are created:

<Windows>\inf\ansmtp.dll
<Windows>\inf\ansmtpbuild.dll
<Windows>\inf\bb_juridica_1_1.bmp
<Windows>\inf\bradesco_2_3.bmp
<Windows>\inf\comdlg32.ocx
<Windows>\inf\svchostt.exe
<Windows>\inf\wininet.dll
<Windows>\inf\xyzzy.dll
<System>\ansmtp.dll
<System>\ansmtpbuild.dll
<System>\xyzzy.dll
<Windows>\xxx.xxx

svchostt.exe is also detected as Troj/Bancos-DH. The remaining files are clean.

Troj/Bancos-DH may install a new version of the file <System>\comdlg32.ocx.

The following registry entry is created to run svchostt.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Registro
<Windows>\inf\svchostt.exe

Troj/Bancos-DH displays fake login pages for internet banking sites in order to trick the user into entering their details. Any details stolen in this matter are submitted to a preconfigured email address.