Author Topic: Win32: Fraudo [Trj] Trojan Horse  (Read 13422 times)


Chiprocks1

  • Guest
Win32: Fraudo [Trj] Trojan Horse
« on: August 13, 2009, 05:53:34 AM »
My pc is infected with this Trojan Horse.

Literally the entire day, I have been trying to get rid of it. When the avast warning box pops up, its recommended action is to move to chest, which I do, but then I get another pop-up box saying that I can't move it because it's being used by another program.

I've also run Malwarebytes to detect and delete the infected files. Upon completion it says I need to reboot the computer to finish the deleting process, which I do.

And then as soon as I'm back at the desktop from the reboot, the same problem starts all over again.

Need help please. At wits end here.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33996
  • malware fighter
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #1 on: August 13, 2009, 02:25:03 PM »
Hi Chiprocks1,

What was the file in which the infection was found? Can you upload that to virustotal.com, because this has also been found to be a so-called false positive.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Chiprocks1

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #2 on: August 13, 2009, 03:43:41 PM »
Thanks for the reply.

This is my first time coming here to post anything about viruses. So there's a lot I don't know about posting stuff and whatnot. You may have to walk me through this so I don't leave any info out.

As for the infected file, if I remember correctly, it was popping up from the Temporary Internet Files.

Chiprocks1

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #3 on: August 13, 2009, 03:47:54 PM »
I also forgot to mention, every few times, I get a pop-up box telling me I have to enter my OS disc to get back lost files, but the first time I did this, I got a message saying that the operating system currently running is newer than the one on the disc (duh).

Not sure what to do with this.

micky77

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #4 on: August 13, 2009, 05:16:17 PM »
Can you post (copy/paste) your last MBAM log?

Chiprocks1

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #5 on: August 13, 2009, 05:42:37 PM »
This is what came up after the latest reboot.

And where do I get MBAM log from? What is MBAM?

Thanks


micky77

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #6 on: August 13, 2009, 05:45:39 PM »
MBAM is Malwarebytes. Open the program, click on Logs, double-click on the log that found the infection. This will open as a .txt file; copy/paste that txt log.

Chiprocks1

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #7 on: August 13, 2009, 05:53:26 PM »
Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

8/13/2009 8:16:51 AM
mbam-log-2009-08-13 (08-16-51).txt

Scan type: Quick Scan
Objects scanned: 152651
Time elapsed: 1 hour(s), 45 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv391250047226.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\wpv481250008288.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv931248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
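
The log above has a regular shape: section headers ending in "Infected:", then one finding per line as `<object> (<detection>) -> <action>.` The one line marked "Delete on reboot" is an object Malwarebytes could not remove while it was in use, which is the same "being used by another program" symptom described in the first post, and the Run value `braviax` points at the dropped `braviax.exe`. The following Python parser is an added example, not code from this thread or from Malwarebytes; the sample log is constructed from the lines posted above, and the line patterns and the Run-value-to-file-stem matching are my own assumptions about the MBAM 1.x log format.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) 1.x text log into structured findings.

Added example for the forum thread above; not Malwarebytes' own code.
"""
import re
from collections import Counter

# Constructed sample: a cut-down copy of the log posted in the thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\dllcache\\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\Temp\\wpv391250047226.exe (Trojan.Agent) -> Delete on reboot.
"""

# Assumed line shapes for the 1.x log (checked against the posted log only).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# Autostart registry locations; a hit here explains re-infection after reboot.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def parse_mbam_log(text):
    """Return one dict per finding: section, item, detection, action, pending."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        action = m.group("action")
        findings.append({
            "section": section,
            "item": m.group("item"),
            "detection": m.group("detection"),
            "action": action,
            # "Delete on reboot" = object was locked and is NOT gone yet.
            "pending": action.lower().startswith("delete on reboot"),
        })
    return findings


def is_autostart(finding):
    """True for registry findings under Run/RunOnce keys."""
    return (finding["section"].startswith("Registry")
            and any(mk in finding["item"].lower() for mk in AUTOSTART_MARKERS))


def summarize(findings):
    """Group findings into what persists, what is still pending, and detection counts."""
    return {
        "autostart": [f for f in findings if is_autostart(f)],
        "pending": [f for f in findings if f["pending"]],
        "by_detection": Counter(f["detection"] for f in findings),
    }


def link_autostart_to_files(findings):
    """Pair each Run/RunOnce value with removed files whose name stem equals the value name."""
    files = [f for f in findings if f["section"] == "Files Infected"]
    links = []
    for reg in findings:
        if not is_autostart(reg):
            continue
        value_name = reg["item"].rsplit("\\", 1)[-1].lower()
        for fl in files:
            stem = fl["item"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if stem == value_name:
                links.append((reg["item"], fl["item"]))
    return links


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    report = summarize(found)
    print("detections:", dict(report["by_detection"]))
    print("persistence:", [f["item"] for f in report["autostart"]])
    print("still pending (locked at scan time):", [f["item"] for f in report["pending"]])
    print("autostart -> dropped file:", link_autostart_to_files(found))
```

Feed it the full log text (for example, `parse_mbam_log(open(path).read())`) and look first at `pending` and `autostart`: anything still pending after a reboot, or a Run value that reappears on the next scan, means the dropper is still live and a quarantine-only pass is not enough.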

Chiprocks1

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #8 on: August 13, 2009, 05:55:45 PM »
As soon as I'm back from the reboot, I run Malwarebytes to see if it's clean, and I seem to get even more infected files each time I do this.

micky77

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #9 on: August 13, 2009, 06:12:07 PM »
Try running this rescue disc; read the instructions. The program is automatically burnt to CD, then insert the CD into the infected machine and reboot. Please report any findings/problems.
http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

Chiprocks1

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #10 on: August 13, 2009, 06:26:08 PM »
This is the only computer I have. Is it safe to go ahead and burn the CD on this infected one and run the program? Or is it all moot?

Chiprocks1

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #11 on: August 13, 2009, 08:07:20 PM »
I keep getting a message that a rootkit has been found every time I reboot. What is it and can I get rid of it?

micky77

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #12 on: August 13, 2009, 08:23:59 PM »
Did you try the disc?

Chiprocks1

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #13 on: August 13, 2009, 08:26:24 PM »
Did you try the disc?

I never heard back if it was safe to burn and then run the disc, as this is the only computer I have (which is infected).

micky77

  • Guest
Re: Win32: Fraudo [Trj] Trojan Horse
« Reply #14 on: August 13, 2009, 09:40:37 PM »
I never heard back if it was safe to burn and then run the disc,

I don't think it's a matter of 'safe', but whether the malware would interfere with/block the download. So it's well worth a try. I think this rootkit has replaced one of your system files (beep.sys), so you will probably need to replace this with a clean copy, if you can remove the rootkit: http://www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2

So i would try the disc.

You can also post a log from RootRepeal (I am new to this program, but it's worth posting a log).

http://rootrepeal.googlepages.com/

Open the program, click on 'Report', then select Scan, tick all the boxes, click OK, select the drive, then Scan. Post the log here.