Win32: Fraudo [Trj] Trojan Horse

[Chiprocks1]

My pc is infected with this Trojan Horse.

Literally the entire day, I have been trying to get rid of it. When the avast warning box pops up, its recommended action is to move to chest, which I do, but then get another pop up box saying that I can't move because it's being used by another program.

I've also run Malwarbytes to detect and delete the infected files. Upon completion it says I need to reboot computer to finish the deleting process, which I do.

And then as soon as Im back to desktop from reboot, the same problem starts all over again.

Need help please. At wits end here.

[polonus]

Hi Chiprocks1,

What was the file in which the infection was found? Can you upload that to virustotal.com because this has also been found to be a so-called false positive,

polonus

[Chiprocks1]

Thanks for the reply.

This is my first time coming here to post anything about viruses. So there's alot I don't know about posting stuff and whatnot. You may have to walk me thru this so I don't leave any info out.

As for the infected file, if I remember correctly, it was popping up from the Temporary Internet Files.

[Chiprocks1]

I also forgot to mention, every few times, I get a popup box telling me I have to enter my OS disc to get back lost files, but the first time I did this, I got a message saying that the operating system currently running is newer than the one on the disc (duh).

Not sure what to do with this.

[micky77]

Can you post ( copy/paste ) your last MBAM log

[Chiprocks1]

This is what came up after latest Reboot.

And where do I get MBAM log from? What is MBAM?

Thanks

[micky77]

MBAM is malwarebytes,open the program, click on logs, double click on the log that found the infection.This will open in txt, copy/paste that txt log

[Chiprocks1]

Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

8/13/2009 8:16:51 AM
mbam-log-2009-08-13 (08-16-51).txt

Scan type: Quick Scan
Objects scanned: 152651
Time elapsed: 1 hour(s), 45 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv391250047226.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\wpv481250008288.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv931248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

[Chiprocks1]

As soon as I back from reboot, I run Malwarebytes to see if it's clean, and I seem to get even more infected files each time I do this.

[micky77]

Try running this rescue disc, read the instructions.The program is automatically burnt to cd, then insert cd into infected machine and reboot. Please report any findings/problems
http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

[Chiprocks1]

This is the only computer I have. Is it safe to go ahead and burn the CD on this infected one and run the program? Or is it all moot?

[Chiprocks1]

I keep getting message that a Rootkit has been found everytime I reboot. What is it and can I get rid of it?

[micky77]

did you try the disc ?

[Chiprocks1]

did you try the disc ?

I never heard back if it was safe to burn and then run the disc, as this is the only computer I have (which is infected).

[micky77]

I never heard back if it was safe to burn and then run the disc,

I don't think its a matter of 'safe', but whether the malware would interfere/block the download.So its well worth a try. I think this rootkit has replaced one of your system files ( beep.sys ) So you will probably need to replace this with a clean copy, if you can remove the rootkit http://www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2

So i would try the disc.

You can also post a log from rootrepeal ( i am new to this program, but its worth posting a log )

http://rootrepeal.googlepages.com/

Open the program, click on 'report' then select scan, tick all the boxes,ok, select drive,then scan. Post the log here.