Win32:Oficla-AA

[charlie155]

Hi all,

The ADNM console is reporting that the above is present on our SBS 2008 server. When looking at the logs for the server, there are loads of Warning entries (every few minutes) similar to the below:

22/09/2010 16:50:58   SYSTEM   1204   Sign of "Win32:Oficla-AA [Trj]" has been found in "Outgoing email 'New Facebook password.' From: "Facebook, Edda Jaouen" <deplores@facebook.com>, To: <user@address.com>\PartNo_1#1696520269\New_Password_Nr7783.zip#571582170\FaceBookDOC.exe" file.

I cannot see any tracking logs in Exchange that relate to any of the messages that Avast reports on.

I can't quite figure out what is going on - it looks like Avast is detecting the messages and preventing them from reaching Exchange but how do I find out where they are originating from and get rid of it? All other PCs on the network are listed as clean in the ADNM.

Any help much appreciated.

Charlie.

[polonus]

Hi charlie155,

It apparently came from here: http://support.clean-mx.de/clean-mx/viruses?virusname=Win32:Oficla-AA  0,1 % infected
Full description of the virus here: http://www.avira.com/en/threats/section/fulldetails/id_vir/5283/tr_oficla.aa.html
It is a Trojan and can be removed as such,
1. Temporarily Disable System Restore .
2. Update the virus definitions. Reboot computer in SafeMode;
3. Delete the IE temp files,

polonus

[Pondus]

3. Delete the IE temp files,

can also be done with this

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.