Trojan

[Lofty]

Hello,

Both Symantec and AVG have detected a Trojan on my PC which Symantec call 'Infostealer Banker' and AVG refer to as 'Trojan horse PSW.Generic7.HTW'.

The AVG software has identified that the following files are infected:

c:\calc.exe
c:\\windows\system32\pavuppad.exe

Unfortunately I removed the latter file before reading that this is actually not a good idea

The system analysis is attached. Can you please help?

[Rene-gad]

- Execute following script in Manual Cure

Код:

begin
executerepair(13);
setavzpmstatus(true);
RebootWindows(true);
end.

After reboot
- Repeat a log file.

[Lofty]

Hu there!

Script executed and log files attached. Hope I've done it all correctly

[Rene-gad]

Close/unload all the programs excepted AVZ and Internet Explorer

Switch off:
- Antivirus and and, if you have - Firewall.
- System Restore

Fix with Hijackthis

Код:

O1 - Hosts: 194.165.4.145 eggbank.com

- Execute following script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\internat.exe','');
 QuarantineFile('C:\WINDOWS\system32\pavuppad.exe','');
 DeleteFile('C:\WINDOWS\system32\pavuppad.exe');
 DeleteFile('C:\WINDOWS\internat.exe');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After reboot:

- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Repeat 3 log files.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the quarantine (s. appendix 2 and 3 of the Rules) here: http://virusinfo.info/upload_virus_eng.php?tid=46508
- Attach 3 logs to your new post..

[Lofty]

Hi again. 3 logs attached, one quarantine uploaded ... and fingers crossed.

[Rene-gad]

pavuppad.exe_ - Trojan-Spy.Win32.Zbot.tml

Your last logs seems to be clean. Any problem more?

[Lofty]

Great news Symantec and AVG scans also show no more issues.

Thanks very much for all your help ... und please pass on my best wishes to das Дffle und das Pferdle

[Lofty]

Morning Rene-gad,

Unfortunately I started to celebrate too soon

Symantec has detected Infostealer Banker.C once again. It also shows that constant attempts at unauthorized access are being blocked. Do you have any further ideas?

[Rene-gad]

What a file was detected as virus?
Remove the 2nd antivirus from your system: your choice - which one.
Pls. download special avz over the link in my signature and repeat 3 log files.

[Lofty]

Unfortunately Symantec doesn't give any details about the file location. I've tried to do a full system scan, but after a while it just slows down and stops. A quick scan doesn't detect any problems.

I clicked on your Special AVZ link, but that shows a page offering software to achieve faster download speeds. Is that the correct link??

[Rene-gad]

Is that the correct link??

Yepp, see into the lowest part of the page and search for the file name kill_bill.pif.

[Lofty]

OK, got it.

3 log files attached once again.

[Rene-gad]

I couldn't find any suspicious. Pls. update JavaRE - the version you're using now is ancient.

[Lofty]

Thanks Rene-gad. There have been no further instances of the Trojan being detected and I managed to run a full system virus scan overnight which suggested everything is clean

I don't know what Java is, or what it does, but I'm pleased to confirm that in the last few minutes I have become the proud owner of the very latest version

Thanks again for all your help!

[Rene-gad]

I don't know what Java is

It's a runtime environment: http://www.java.com/download/index.jsp