Trojan that doesn't leave the PC

Ok. This weird virus was reported to me by a friend of mine. It’s an .exe file named “Instalar.exe” (Install.exe). When trying to delete it, both with avast! and automatically, it failed. The trojan keeps returning. I told him to send me the virus, but his email blocked it saying it was a virus, Hotmail blocked the attachment, and Gmail did the same. The log on his email is the one that follows:

VIRUS ALERT

Our content checker found
    virus: Trojan.Bancos-8570
in an email to you from unknown sender:
  ?@localhost.localdomain
claiming to be: <ed.robson@enxuto.com.br>

Content type: Virus
Our internal reference code for your message is 29769-16/O0IPoEiOmq10

First upstream SMTP client IP address: [127.0.0.1] localhost.localdomain
According to a 'Received:' trace, the message originated at: [127.0.0.1],
  webmail.enxuto.com.br (localhost.localdomain [127.0.0.1])

Return-Path: <ed.robson@enxuto.com.br>
Message-ID: <23391775.123241203441395747.JavaMail.root@webmail.enxuto.com.br>
Subject: Virus
The message has been quarantined as: virus-O0IPoEiOmq10

Please contact your system administrator for details.

The virus that was detected by his SMTP system (Trojan.Bancos-8570) wasn’t found on the internet, nor in the avast! database. He sent me the file by Skype, but avast! doesn’t accuse anything. If you need the file, I can post it.

Ask him to download and run this programme. It is in Brazilian though, and is a generic banker fix. It might work, no promises.

http://linhadefensiva.uol.com.br/dl/bankerfix

Ah, ok… Thanks man

Sorry for the bump, and for the double reply, but anyway, that solution didn’t fix our problem. If you can send me more information about those “banker fixes”, and what the virus might be, I’ll be thankful.

Can he access this forum? If so, get him to run this and post a log.

Download & Run HijackThis.exe

  1. Download HJTInstall.exe to your Desktop.
  2. Double-click HJTInstall.exe to install it.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Click on Install.
  5. It will create a HijackThis icon on the desktop.
  6. Once installed, it will launch HijackThis.
  7. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  8. Copy/Paste the log to your next reply please.

Don’t use the Analyse This button; its findings are dangerous if misinterpreted.
Don’t have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Hello essexboy, I hope you don’t mind me sending a message to you. I am currently experiencing the same incident: I have a Trojan on my desktop that doesn’t leave. Please help me, I don’t know what to do. I followed your advice by downloading “trend micro hijack”. Can I send you the notepad “Copy/Paste the log”? Please help me, I don’t know what to do… To give you an overview, there is a pop-up screen in the center of my desktop that says “SAY NO TO DRUGS” flashing, and no matter what I do it doesn’t go away. Again… Please help me?

Junah, it would be better to open a new thread only for your problem.
Until then, I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.