Can't seem to remove a trojan - help appreciated.

[brammers]

Hi all,

Microsoft Malicious Software removal tool continually picks up this trojan on my PC:

http://www.microsoft.com/security/po...2fBancos.gen!A

Unfortunately I can't do anything about removing it.

The tool itself won't remove it and I've run the windows livescan online virus remover but neither that, Spybot SD-Resident nor AVG can detect it on their scans.

I'm not too worried about the effects of the trojan - apparantly it only keylogs a selection of brazillian banks - but I don't like having it there!

Any suggestions? Equally, any idea how it could have got there? I use firefox's latest edition and have AVG and Spybot running all the time. I'm quick to patch when there's new updates available... Maybe it arrived before I had chance to install all of that?

I'm using Windows Vista Business Edition SP1 running on a Dell laptop. Many thanks all!

[Lucio]

Try www.malwarebytes.org's tool, it's been useful in the past for removing tricky viruses.

[jem]

Try a online scanner like pandasecurity,They are normally good.When scanning remember to do scans in safe mode and clear out the temporary internet folder/cookies

[brammers]

Thanks for both of those suggestions - unfortunately neither picked up the trojan.

Reckon it could be a false positive? Does that even happen? Or should I try a manual removal? I can hardly find anything about this on the internet - google brings up a load of Chinese results, which is odd seeing as I am in China right now...

[TheAnimus]

whats the name of the trojan?

[brammers]

Hi TheAnimus.

Here's the link that microsoft sends:

http://www.microsoft.com/security/po...2fBancos.gen!A

It has a fair few names by the looks of things.

[TheAnimus]

screenshot your contents of:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

[brammers]

Here you go:

http://flickr.com/photos/35398335@N0...65699/sizes/o/

It had an optional components so I stuck that in too.

http://flickr.com/photos/35398335@N0...26398/sizes/o/

[brammers]

Sorry - should have expanded that.

The 3 you can't quite see read:

Broadcom Wireless Manager UI
SigmatelSysTrayApp
Windows Mobile Device Centre

[directhex]

[brammers]

lol - reckon it's that bad? Atm all it seems to do is cut down my options for online banking in Brazil...

[TheAnimus]

thing is acording the libs that trojan isn't that advanced. Its not got an entry in the registry to start it, apparently that was the only way it tried to start itself. Might just off been a false posative.

But sometimes nuking them from space is the only way to be sure.

[brammers]

Fair enough - I've certainly not noticed any weird behaviour - everything seems really slick and there's no weird net activity that I've noticed...

If I get another positive next time microsoft releases another malicious software removal tool I'll give this a topping - otherwise I'll leave it be.

Cheers all

[TheAnimus]

if ur really parinoid give it a run of Mark's RootKit Reliever (sysinternals). If you see anything dodgy, then panic.

[jem]

If it was me i would run every free online annti virus i could think off just to be on the safe side.

[TheAnimus]

but some of the things that masquared as free online anti-virus are just spamware themself?