trojan32fraudo

Hi folks
Any suggestions? I keep getting the above plus win32:trojan-gen via emails. Almost every time I download my emails these appear. I don't have to click on them. Avast warns about them and I move them to the chest, but everything seems to slow down and then not function a short while after:-
running avast 4.8
IE
Outlook Express
Been away for a week; re-installed Windows before leaving for the family, all OK until I downloaded emails.

Hi aslyn,

  • Download SmitfraudFix by S!Ri, from http://siri.urz.free.fr/Fix/SmitfraudFix.exe

  • Install in C:

  • Double click on the exe to unpack and launch the fix.
    Use option 1 - Search:

  • Double click on smitfraudfix.cmd * Select 1 to create a report of the infected files

  • Post this report as an attachment in your next posting.

polonus

Thanks for your reply, did not intend to double post but after I posted the first time, there was no sign of my query an hour later so… I apologise.
Downloaded as suggested.
Option 1 report:
SmitFraudFix v2.353

Scan done at 20:19:21.53, 22/09/2008
Run from C:\Documents and Settings\alun\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\alun\My Documents\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\alun

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\alun\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\alun\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 212.139.132.27
DNS Server Search Order: 212.139.132.26

HKLM\SYSTEM\CCS\Services\Tcpip..{3F499083-993B-4E7A-A96C-E85365B23A05}: NameServer=212.139.132.27 212.139.132.26
HKLM\SYSTEM\CS1\Services\Tcpip..{3F499083-993B-4E7A-A96C-E85365B23A05}: NameServer=212.139.132.27 212.139.132.26

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

No harm no foul
but getting answers in two posts can lead to confusion and trashed system- yours

I’ll let polonus follow up on the smitfraudfix

let’s check your system for other baddies
and give you something to do while waiting for a response

First
right click the avast ball and "update programs"
then open avast and schedule a boot time scan
send any hits to Chest
post the log or say nothing found

second
go to Malwarebytes.org and navigate to the products or download page and download
update and run Rogue Remover Free post log if any hits

Malwarebytes Anti-Malware
Free update scan
Check any hits
then REMOVE SELECTED a backup will be made
post the log

third
Download install update and scan Clean and send to Quarantine with
SUPER ANTI SPYWARE
post the log

after all this go to the sticky at the top of this forum and go to TrendMicro
Download and scan with log HIJACK THIS
DO NOT FIX ANYTHING till Polonus or I or another helper have looked at it
You can GOOGLE any line Item that you are not familiar with

also
Is your avast detection in the Chest?
could you create a folder
C:\suspect
then exclude it from the avast scanner
then go to the avast chest and extract to C:\suspect
then go to “Virustotal” - navigate to C:\suspect and upload the detection
post the results or link
we have to know what -gen is or we would like to

Hi again

I had already done some of what wormryder suggested, and then followed the other instructions with nothing to report! SUPERAntiSpyware found 67 tracking cookies and that's all. Have some problem with the last item wormryder suggested, i.e. dragging the virus from the chest to a created folder; would this not allow it to spread out into the hard drive etc.???

Don’t worry that much about tracking cookies…

Well… don’t worry that much… did you let the file into Chest or did you already delete it?
From Chest, right clicking the file, you can send it to Alwil for analysis. Say it’s a false positive detection or, at least, you think it so.
Some days after, Alwil could correct the detection and you could scan the file into Chest to see if it is clean…

only 67 -- sometimes people post THOUSANDS :)

Just putting a copy into the “suspect” folder would not cause it to RUN
Avast will not get back to us on a submission unless they need more info but submitting is a good idea
you need to know how to upload to virus total anyway- good practice…

you would have to click on the hit to run it and if it is a dll even that would not run it

Glad SAS did not find anything you can just let sit on your hard drive in case you need it again- update manually every once in a while

you might pm polonus and ask him to look at your smitfraud results

just do a MBAM quick scan
let’s hope it is negative also

while you are waiting
you could run Secunia Software Inspector and get everything up to date
if your Java is out of date it is still vulnerable so remove all old java versions

Hi,

Can anyone provide any more information on win32:fraudo? For example, what does it do, what files does it affect etc.

I’m thinking of something along the lines of the kind of information here:
http://avast.com/eng/win32blaster.html

Thanks all!
Simon

Is it not XPantivirus 2008? Again???
http://www.castlecops.com/t223518-MD5_24fa1122d806d2a71f9067ac7c48d93a_XPantivirus2008.html

Hi sakadava,

Avast calls it win32.fraudo…
Alias: Worm.AutoRun!sd6 [PCTools], Worm.Win32.AutoRun.nof [Kaspersky Lab], W32.SillyFDC [Symantec], Generic Downloader.ab [McAfee], Mal/EncPk-CZ [Sophos], Worm:Win32/Emold.B [Microsoft]
Here is info on it, because it also has the generic name worm.autorun.nof
http://www.k7computing.com/virusdetails.asp?virusid=46559
http://www.threatexpert.com/report.aspx?uid=7fda10d9-cc02-4033-bfba-8eb615609b39
also known as GenericDownloader.ab
http://vil.nai.com/vil/content/v_132901.htm

and always remember google is your best friend in malware fighting,

polonus

Personally I don’t believe it is anything like the Blaster (worm)

Trying to find information just using the malware name is often either very limited or misleading as there is no standardisation or naming convention for malware names. You can get some idea of the different names (aliases) by other AVs from this link, http://www.virustotal.com/analisis/47cca5caec9c2a17ba6a1fb5f4c0b5db.

So it is frequently better to search for info using the infected file name, but since you are just looking for general info you will find this hard going just looking for the malware name given. You are likely to have more success if you also look for info on some of the other aliases.

By the naming of this I would have thought it was more to do with fraud.

Win32:Fraudo is our name for the XP Antivirus, XP Antispyware etc. family…

Thanks for the clarification Maxx.