Harris Retail Services Ltd

18 June 2019

PWS Banker Trojan Removal

 
The PWS-Banker trojan captures keystrokes when you log into various bank accounts and sends the logged data to an account on the internet. Its removal is therefore vital.

On some machines this trojan appears to stop Internet Explorer from working altogether. When IE is started, an error message flashes on the screen. If IE is started a number of times, after approximately the third attempt the crash is detected by Windows and you are offered the opportunity to send a report to Microsoft.

I was hit by this trojan when I opened an email from my daughter. The email purported to have attached photographs from a party. As she had just had her birthday and she is a photographer, the email seemed quite normal. I opened the attachment which was a zip file and it contained the photos. However, the fact that the contained file was an .exe was obscured and as soon as I opened the compressed file I knew I had been hit. From this point on it was a matter of finding out what had been released and how to get rid of it.

It appears to be a fairly new trojan and as on that particular machine the virus scanner was not completely up-to-date I was well and truly infected. As it stopped IE from working, McAfee was unable to download an update and the existing version was unable to detect it. The whole story is a clear warning to keep your virus detection completely up-to-date. However, these are the steps I used to clean the machine.

The trojan can be removed using the following steps:

  1. Use "Start/Run" and type "regedit" and press "OK".
  2. Browse through the registry to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl
  3. Delete this hive.
  4. Exit regedit and reboot the PC.
  5. When the machine has rebooted use find to search for the file "lsd_f3.dll" and delete it. There may be more than one copy; be sure to delete all copies.

It is possible that the registry entry is not in the exact location stated above. If that is the case, search for the string "LSD_F3" throughout the registry. In every case the registry entry will be one that starts the dll running at boot time. The registry entry must be removed first, to stop the program being run, before the file can be deleted.
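
The registry search described above can also be run over saved output of `reg query <key> /s`. The following is an added example, not part of the original page: it reports every registry value that references the "LSD_F3" string and notes whether it sits under Winlogon\Notify. The sample output is constructed, and the `DllName` value name is the standard Winlogon notification-package value, assumed here rather than stated on the page.

```python
import re

MARKER = "lsd_f3"                      # string the page says to search for
NOTIFY = "\\winlogon\\notify\\"        # boot-time location named in step 2

# A value line in `reg query` output: indent, name, REG_* type, data.
# Separators are spaces or tabs depending on the Windows version.
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed sample of `reg query ... /s` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    DllName    REG_EXPAND_SZ    crypt32.dll
    Logoff    REG_SZ    ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl
    DllName    REG_SZ    C:\WINDOWS\system32\LSD_F3.DLL
    Asynchronous    REG_DWORD    0x1
"""

def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) for each value line."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2), m.group(3).strip()

def find_marker_refs(text, marker=MARKER):
    """Return registry values whose key, name or data contains the marker."""
    hits = []
    for key, name, _type, data in parse_reg_query(text):
        if any(marker in field.lower() for field in (key, name, data)):
            hits.append({
                "key": key,            # remove this entry first
                "value": name,
                "data": data,          # file to delete after the reboot
                "winlogon_notify": NOTIFY in key.lower(),
            })
    return hits

if __name__ == "__main__":
    for hit in find_marker_refs(SAMPLE):
        where = "Winlogon\\Notify" if hit["winlogon_notify"] else "other location"
        print(f"{hit['key']} [{where}]: {hit['value']} = {hit['data']}")
```

The match is case-insensitive, so it catches both "LSD_F3" and "lsd_f3.dll".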

Please let me know if you require a variation of these instructions to remove the trojan from your PC.

 
 

 

Website Copyright © 2004-2012 Harris Retail Services Ltd. Parts © iStockPhotos
All rights reserved.
Last updated: 05 November 2004