Trojan Banker and adwares on PC

[jefferson sant]

I'm on a computer from a client that this extremely slow in loading applications, the download folder files with extension CPL.MSE antivirus has detected as Trojan Downloader: Win32 / Hormelex.B but can not remove,detected the uncompressed file, zipped files it did not find anything. I uninstalled MSE antivirus and installed avast that detected as Win32:Banker-KRY [Trj] and moved to vírus chest.

In an analysis of  virus total shows a variant of the families Trojan ChePro

Extrato_1563-2013.cpl

https://www.virustotal.com/en/file/bf8f4877e89cae088c0f7004a70b1b2209e823c03ed1a3cfbb71a75fde9526c2/analysis/1452729854/

Extrato_1563-2013.exe

https://www.virustotal.com/en/file/21f9cfb38665af5789628feee9555eba82d8e9c65c32e0f7aa4642e36bdc4911/analysis/1452730080/

When finished hold a boot time scan and found 3 adware Adwcleaner in the folder quarantine

A scan with malwarebytes and FRST attached

[essexboy]

I am curious about these two folders as the location is wrong.. Does he have Office ?

2016-01-13 17:33 - 2016-01-13 17:33 - 00000000 ____D C:\Users\Todos os Usuários\Office Genuine Advantage
2016-01-13 17:33 - 2016-01-13 17:33 - 00000000 ____D C:\ProgramData\Office Genuine Advantage


CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-3497994235-2194516085-4034558022-1000\...\Run: [backup] => C:\Users\Genice\AppData\Local\isertimagem.exe
HKU\S-1-5-21-3497994235-2194516085-4034558022-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATENÇÃO
OPR StartupUrls: "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggbc10NB1gTRRgXJApZTA1EEgUOIl9bBBQTFgATcV0JAlxIEQQFIk0FA1oDB0VXfV5bFElXTwh3MlxZEkwDRGFRIVpT"
OPR Session Restore: -> está habilitado.
C:\Users\Genice\AppData\Local\isertimagem.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[jefferson sant]

I am curious about these two folders as the location is wrong.. Does he have Office ?

2016-01-13 17:33 - 2016-01-13 17:33 - 00000000 ____D C:\Users\Todos os Usuários\Office Genuine Advantage
2016-01-13 17:33 - 2016-01-13 17:33 - 00000000 ____D C:\ProgramData\Office Genuine Advantage

She has in the system Office 2007,perhaps these folder belonging to tool MGADiag tool that tells you that the Key 103 blocked VLK. It must have been installed by a technical.

I disabled avast, because FRST is detected with Win32:Evo-gen [susp] and moved to virus chest

Attached the Fixlog

[essexboy]

I believe I have now killed the main malware file.  How is the system

[jefferson sant]

Humm I have noticed strange entries in the registry
see attached

[jefferson sant]

I remember that the system that came pre installed Windows Vista Business OEM, because after a power outage caused at the time was installed Windows XP SP3,on the side of the CPU that the marked label Windows Vista Starter (OEM) LATAM.

But the current system is Windows 7 Ultimate ,which I can not determine whether the system is Genuine or not.

Another thing I notice is that the machine is that information system has 2GB of Ram, but to see the properties computer  only 1GB of RAM with this system that must be installed by someone.


It is not possible to check for updates in windows update

The windows can not update important files and services while the system is using.Salves open files, reboot the computer and try to look for new updates.

[essexboy]

Do you have the windows 7 disc ? Or the licence number

[jefferson sant]

Do you have the windows 7 disc ? Or the licence number

I do not own this DVD installation version
nor have the license key

[essexboy]

It could be a pirated version hence no updates

Please run the MGA Diagnostic Tool and post the report it produces:

[list=1]

• Download MGADiag to your desktop.
  
• Double-click on MGADiag.exe to launch the program.
• Click Continue.
  
• Ensure that the Windows tab is selected. (It should be by default.)
  
• Click the Copy button to copy the MGA Diagnostic Report to the Windows clipboard.
  
• Paste the MGA Diagnostic Report into your next reply.

[jefferson sant]

Done successfully

attached

[essexboy]

Use magicjellybean to find the full key
Then download a fresh copy of 7 ultimate from here https://www.microsoft.com/en-gb/software-download/home

Then try a repair install to fix the errors http://www.sevenforums.com/tutorials/3413-repair-install.html

[jefferson sant]

Use magicjellybean to find the full key

I installed and check the same key is to find on the internet and much used,this blacklisted by Microsoft

Validating your request. This may take several minutes. Do not refresh the page or select back – doing so will cancel the request.

Error

We've encountered a problem with the product key you provided. Please try again or visit the Microsoft Support Contact Us page for assistance.

[jefferson sant]

I will have to replace the power supply
the computer is shutting down due to power not achieved the strength, dates and times are wrong plumb adjusting after off, the windows clock back stay late.
remove the tools used and thank you for the work it has provided so far 

[essexboy]

OK