Remove Banprox Infostealer Trojan Completely - How to, Technology and PC Security Forum

Remove Banprox Infostealer Trojan Completely

A Trojan known as Banprox.Infostealer has been identified by Symantec's threat response team infecting personal computers in various locations all over the world. The Trojan is very specific in its actions: it redirects the victim PC's web traffic through a malicious host via a third-party proxy, and it does so mainly while the user is on banking or other websites where financial data is involved.

Name: Banprox Infostealer
Type: Infostealer Trojan
Short Description: The malware may perform various activities such as connecting to remote hosts and stealing financial credentials.
Symptoms: Connections to unknown IP addresses belonging to the hosts listed below appear in the output of "netstat -a -n -f" at a command prompt.
Distribution Method: Malicious macros in e-mail attachments (see below); also via PUPs installed by bundling (browser hijackers) or by visiting a suspicious third-party site that advertises it.

Banprox Trojan – How Is It Spread

Similar to Banload Infostealer, this Trojan is mostly distributed via malicious macros in e-mail attachments, and, worse, most users get caught while opening them. Because users tend to trust attachments with .doc, .docx, .ppt and other Microsoft Office extensions (and .pdf), they often do not realise that such documents may carry malicious macros. The e-mails frequently use important-sounding subjects such as:

  • Your PayPal receipt.
  • Your Amazon gift card has arrived.
  • The funds have been transferred to your eBay account.

After the document is opened and the user leaves Protected View ("Enable Editing") and then allows macros ("Enable Content"), the malicious macro executes a script that either deploys the Trojan's payload directly or connects to a remote host and downloads an obfuscated payload.

Banprox Trojan – How Does It Work

Banking Trojans are nothing new in cyber-security. Symantec researchers report that once it has been started, the Trojan immediately modifies the registry, creating several new values in these locations:

→ HKEY_ALL_USERS\S-1-5-21-3889344330-28187927-3519877804-1000\Software\Microsoft\Internet Explorer\Privacy\"CleanTIF" = "1"
HKEY_ALL_USERS\S-1-5-21-3889344330-28187927-3519877804-1000\Software\Microsoft\Internet Explorer\Privacy\"ClearBrowsingHistoryOnExit" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoConfigUrl" = "[LOCATION OF CONFIGURATION SCRIPT]"
HKEY_ALL_USERS\S-1-5-21-3889344330-28187927-3519877804-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoConfigURL" = "[LOCATION OF CONFIGURATION SCRIPT]"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoConfigURL" = "[LOCATION OF CONFIGURATION SCRIPT]"

The two Privacy values make Internet Explorer delete its temporary files and browsing history on exit, which removes local traces of the redirected sessions. The AutoConfigURL values are the "Use automatic configuration script" setting of the system proxy configuration: they point Internet Explorer (and any other application that uses the WinINET proxy settings) at a proxy auto-configuration script that decides, per request, whether traffic goes direct or through the attacker's proxy. The script locations are custom-created web links on two main hosts (the user SID in the HKEY_ALL_USERS paths is that of the logged-on user and differs from machine to machine):

  • Systruster(.)com
  • Retsback(.)com

An example of a custom host may be the following:

  • “”

The scripts hosted there contain a list of websites, passed in as parameters, whose traffic is to be collected; the redirection is triggered every time the user visits a site on that list, while all other traffic is left alone so the victim notices nothing. Here are several examples of websites whose traffic may be redirected to another server, so that the information the user enters can be stolen:

  • *

Furthermore, this cyber-threat may also connect to remote locations, such as the following:

  • Msupdcheck(.)com
  • Retsback(.)com

Remove Banprox Infostealer Trojan Completely

If your antivirus software has detected this or any other infostealer variant, we strongly advise changing all of your credentials immediately (financial data, usernames, passwords and other information), since there is a good chance they have already been compromised. Do this from a device you trust, not from the infected computer, as anything typed there may still be passing through the attacker's proxy.

Then back up the data on your computer. Experts also advise using anti-malware software to scan for and detect any other malware that may have been downloaded via the connected hosts. Once the Trojan is removed, confirm that the AutoConfigURL values listed above are gone (Internet Options > Connections > LAN settings, "Use automatic configuration script"), including the copy under the Policies key, which that dialog does not manage; until they are removed, traffic to the listed sites keeps going through the attacker's proxy. The instructions below are intended to deal with Banprox infostealer as effectively as possible.

1. Boot Your PC In Safe Mode to isolate and remove Banprox Infostealer
2. Remove Banprox Infostealer with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections by Banprox Infostealer in the future
Optional: Using Alternative Anti-Malware Tools

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
