Trojan Banker and adwares on PC

I'm on a computer from a client that is extremely slow in loading applications. In the Downloads folder there are files with the extension .CPL; MSE antivirus detected them as TrojanDownloader:Win32/Hormelex.B but cannot remove them. It detected the uncompressed file; in the zipped files it did not find anything. I uninstalled MSE antivirus and installed Avast, which detected Win32:Banker-KRY [Trj] and moved it to the virus chest.

A VirusTotal analysis shows a variant of the Trojan ChePro family:

Extrato_1563-2013.cpl

https://www.virustotal.com/en/file/bf8f4877e89cae088c0f7004a70b1b2209e823c03ed1a3cfbb71a75fde9526c2/analysis/1452729854/

Extrato_1563-2013.exe

https://www.virustotal.com/en/file/21f9cfb38665af5789628feee9555eba82d8e9c65c32e0f7aa4642e36bdc4911/analysis/1452730080/

When finished I ran a boot-time scan and found 3 adware items in the AdwCleaner quarantine folder.

Scans with Malwarebytes and FRST are attached.

I am curious about these two folders, as the location is wrong… Does he have Office?

2016-01-13 17:33 - 2016-01-13 17:33 - 00000000 ____D C:\Users\Todos os Usuários\Office Genuine Advantage
2016-01-13 17:33 - 2016-01-13 17:33 - 00000000 ____D C:\ProgramData\Office Genuine Advantage

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-3497994235-2194516085-4034558022-1000\...\Run: [backup] => C:\Users\Genice\AppData\Local\isertimagem.exe
HKU\S-1-5-21-3497994235-2194516085-4034558022-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION
OPR StartupUrls: "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggbc10NB1gTRRgXJApZTA1EEgUOIl9bBBQTFgATcV0JAlxIEQQFIk0FA1oDB0VXfV5bFElXTwh3MlxZEkwDRGFRIVpT"
OPR Session Restore: -> is enabled.
C:\Users\Genice\AppData\Local\isertimagem.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
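As an added example (not from the thread and not FRST's own code), here is a read-only PowerShell audit of the same persistence points the fixlist above touches: the per-user Run key, the per-user Winlogon Shell value, the local IPSec policy key, the proxy settings, the dropped executable, the Opera startup URL and the BITS job list. Because it only reads, it can be run before the fix to confirm the findings and again afterwards to confirm they are gone. The SID, profile path, dropper path and hijacked host are taken from the fixlist; the Opera Preferences file location is an assumption. The user's HKU hive is only loaded while that user is logged on, so run this from an elevated prompt in the infected user's session.

```powershell
# Added example, not part of the original thread. Read-only audit of the
# persistence points named in the FRST fixlist. Run elevated.
# Assumptions (taken from the fixlist; change them for another machine):
$Sid         = 'S-1-5-21-3497994235-2194516085-4034558022-1000'
$UserProfile = 'C:\Users\Genice'
$Dropper     = "$UserProfile\AppData\Local\isertimagem.exe"
$BadHost     = 'searchinterneat-a.akamaihd.net'
$Base        = "Registry::HKEY_USERS\$Sid\Software\Microsoft"

function Get-RegValues($Path) {
    # Name/value pairs of a key, minus the PS* provider properties; nothing if the key is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
    }
}

function Get-RunAudit {
    # Per-user Run entries; anything launched from AppData deserves a second look.
    foreach ($v in Get-RegValues "$Base\Windows\CurrentVersion\Run") {
        $flag = if ("$($v.Value)" -match '\\AppData\\') { 'SUSPECT' } else { 'ok' }
        "[Run] $($v.Name) => $($v.Value) [$flag]"
    }
}

function Get-WinlogonAudit {
    # A per-user Winlogon\Shell value is abnormal even when it names explorer.exe;
    # only the machine-wide value under HKLM is expected. FRST flagged the per-user one.
    $v = Get-RegValues "$Base\Windows NT\CurrentVersion\Winlogon" | Where-Object { $_.Name -eq 'Shell' }
    if ($v) { "[Winlogon] per-user Shell = $($v.Value) [SUSPECT]" } else { "[Winlogon] no per-user Shell value [ok]" }
}

function Get-IpsecAudit {
    # The fix deletes and recreates this key empty. A local IPSec policy can silently
    # filter traffic, so record any subkeys that exist before they are wiped.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
    if (Test-Path $key) {
        $subs = @(Get-ChildItem $key -ErrorAction SilentlyContinue)
        $flag = if ($subs.Count -gt 0) { 'REVIEW' } else { 'ok' }
        "[IPSec] Policy\Local exists with $($subs.Count) subkey(s) [$flag]"
        foreach ($s in $subs) { "[IPSec]   $($s.PSChildName)" }
    } else { "[IPSec] Policy\Local absent [ok]" }
}

function Get-ProxyAudit {
    # RemoveProxy: clears these; a proxy or PAC URL the user never set is a red flag.
    $is = Get-RegValues "$Base\Windows\CurrentVersion\Internet Settings"
    foreach ($n in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
        $v = $is | Where-Object { $_.Name -eq $n }
        if ($v) { "[Proxy] $n = $($v.Value)" }
    }
}

function Get-DropperAudit {
    # Hash with .NET so this also works on the PowerShell 2.0 shipped with Windows 7 (no Get-FileHash).
    if (Test-Path $Dropper) {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $fs  = [System.IO.File]::OpenRead($Dropper)
        try { $hex = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' } finally { $fs.Close() }
        "[File] $Dropper present, SHA256=$hex (look the hash up on VirusTotal)"
    } else { "[File] $Dropper absent [ok]" }
}

function Get-OperaAudit {
    # Assumption: Opera keeps its profile here and its Preferences file holds the startup URLs FRST reported.
    $pref = Join-Path $UserProfile 'AppData\Roaming\Opera Software\Opera Stable\Preferences'
    if ((Test-Path $pref) -and (Select-String -Path $pref -Pattern $BadHost -Quiet)) {
        "[Opera] Preferences still references $BadHost [SUSPECT]"
    } else { "[Opera] no reference to $BadHost [ok]" }
}

function Get-BitsAudit {
    # The fix runs "bitsadmin /reset /allusers"; list the jobs first so nothing is discarded unseen.
    '[BITS] jobs for all users:'
    & bitsadmin /list /allusers 2>&1
}

# Collect everything into one report next to the script.
$report = @(Get-RunAudit; Get-WinlogonAudit; Get-IpsecAudit; Get-ProxyAudit; Get-DropperAudit; Get-OperaAudit; Get-BitsAudit)
$report | Tee-Object -FilePath (Join-Path $PSScriptRoot 'persistence-audit.txt')
```

Run it once before applying the fixlist and once after; every line should read [ok] or "absent" on the second run, and the IPSec and BITS sections of the first run tell you what the fix is about to discard.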

She has Office 2007 on the system; perhaps these folders belong to the MGADiag tool, which reports the key as 103 blocked VLK. It must have been installed by a technician.

I disabled Avast, because FRST is detected as Win32:Evo-gen [susp] and moved to the virus chest.

The Fixlog is attached.

I believe I have now killed the main malware file. How is the system?

Hmm, I have noticed strange entries in the registry;
see attached.

I remember that the system came pre-installed with Windows Vista Business OEM, because after a power outage at the time Windows XP SP3 was installed; on the side of the CPU case the label reads Windows Vista Starter (OEM) LATAM.

But the current system is Windows 7 Ultimate, and I cannot determine whether the system is genuine or not.

Another thing I notice is that the machine's system information says it has 2 GB of RAM, but in the computer properties only 1 GB of RAM shows with this system, which must have been installed by someone.

It is not possible to check for updates in Windows Update:

Windows cannot update important files and services while the system is using them. Save open files, reboot the computer and try to check for new updates.

Do you have the Windows 7 disc? Or the licence number?

I do not own the installation DVD for this version,
nor do I have the license key.

It could be a pirated version, hence no updates.

Please run the MGA Diagnostic Tool and post the report it produces:

[*] Download MGADiag to your desktop.
[*] Double-click on MGADiag.exe to launch the program.
[*] Click Continue.
[*] Ensure that the Windows tab is selected. (It should be by default.)
[*] Click the Copy button to copy the MGA Diagnostic Report to the Windows clipboard.
[*] Paste the MGA Diagnostic Report into your next reply.

Done successfully.

Attached.

Use Magical Jelly Bean to find the full key.
Then download a fresh copy of 7 Ultimate from here: https://www.microsoft.com/en-gb/software-download/home

Then try a repair install to fix the errors: http://www.sevenforums.com/tutorials/3413-repair-install.html

I installed it and checked: the same key can be found on the internet and is much used, and it is blacklisted by Microsoft:

Validating your request. This may take several minutes. Do not refresh the page or select back – doing so will cancel the request.

Error

We’ve encountered a problem with the product key you provided. Please try again or visit the Microsoft Support Contact Us page for assistance.

I will have to replace the power supply:
the computer is shutting down because the power supply does not deliver enough, the date and time are wrong and need adjusting after it shuts off, and the Windows clock keeps falling behind.
Remove the tools used, and thank you for the work you have provided so far :slight_smile:

OK :slight_smile: