Win32: Fraudo [Trj] Trojan Horse

My pc is infected with this Trojan Horse.

Literally the entire day, I have been trying to get rid of it. When the avast warning box pops up, its recommended action is to move to chest, which I do, but then get another pop up box saying that I can’t move because it’s being used by another program.

I’ve also run Malwarebytes to detect and delete the infected files. Upon completion it says I need to reboot the computer to finish the deleting process, which I do.

And then as soon as I’m back to the desktop from the reboot, the same problem starts all over again.

Need help please. At wits end here.

Hi Chiprocks1,

What was the file in which the infection was found? Can you upload that to virustotal.com, because this has also been found to be a so-called false positive.

polonus

Thanks for the reply.

This is my first time coming here to post anything about viruses. So there’s a lot I don’t know about posting stuff and whatnot. You may have to walk me through this so I don’t leave any info out.

As for the infected file, if I remember correctly, it was popping up from the Temporary Internet Files.

I also forgot to mention, every few times, I get a popup box telling me I have to enter my OS disc to get back lost files, but the first time I did this, I got a message saying that the operating system currently running is newer than the one on the disc (duh).

Not sure what to do with this.

Can you post (copy/paste) your last MBAM log?

http://i74.photobucket.com/albums/i266/Chiprocks1/Misc/MalwareWarning001.jpg

http://i74.photobucket.com/albums/i266/Chiprocks1/Misc/SuspiciousFilesFound001.jpg

http://i74.photobucket.com/albums/i266/Chiprocks1/Misc/WindowsFileProtection001.jpg

This is what came up after latest Reboot.

And where do I get MBAM log from? What is MBAM?

Thanks

MBAM is Malwarebytes. Open the program, click on Logs, and double-click on the log that found the infection. This will open as a txt file; copy/paste that txt log.

Malwarebytes’ Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

8/13/2009 8:16:51 AM
mbam-log-2009-08-13 (08-16-51).txt

Scan type: Quick Scan
Objects scanned: 152651
Time elapsed: 1 hour(s), 45 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Application Data\wiaserva.log (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv391250047226.exe (Trojan.Agent) → Delete on reboot.
C:\WINDOWS\Temp\wpv481250008288.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv931248190332.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) → Quarantined and deleted successfully.

As soon as I’m back from the reboot, I run Malwarebytes to see if it’s clean, and I seem to get even more infected files each time I do this.
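An added helper, not from this thread or from Malwarebytes, that parses a log in the layout quoted above and pulls out the two things worth checking before the next reboot: items still marked "Delete on reboot" and any autostart (Run key) value such as the braviax entry in the log. The sample log is constructed in that format for the example.

```python
import re

# A section header in an MBAM 1.x log ends with "Infected:" (the summary
# lines such as "Files Infected: 8" carry a count and are skipped).
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Detection line: "<item> (<family>) -> <action>."  (the arrow may be
# rendered as "->" or as the "→" seen in the pasted log)
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)\s*(?:->|→)\s*(?P<action>.+?)\.?$"
)

# Constructed sample in the same layout as the log quoted above
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2615

Files Infected: 2

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv391250047226.exe (Trojan.Agent) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        item = ITEM_RE.match(line)
        if item and section:
            findings.append({"section": section, **item.groupdict()})
    return findings


def pending_reboot(findings):
    """Items the scanner could not remove live; they survive until a clean reboot."""
    return [f["item"] for f in findings
            if f["action"].lower().startswith("delete on reboot")]


def autostart_entries(findings):
    """Run-key values: whatever they launch is re-executed at every logon."""
    return [f["item"] for f in findings
            if "\\currentversion\\run" in f["item"].lower()]
```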

Try running this rescue disc; read the instructions. The program is automatically burnt to CD, then insert the CD into the infected machine and reboot. Please report any findings/problems.
http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

This is the only computer I have. Is it safe to go ahead and burn the CD on this infected one and run the program? Or is it all moot?

I keep getting a message that a rootkit has been found every time I reboot. What is it and can I get rid of it?

Did you try the disc?

I never heard back if it was safe to burn and then run the disc, as this is the only computer I have (which is infected).

I don’t think it’s a matter of ‘safe’, but whether the malware would interfere with/block the download. So it’s well worth a try. I think this rootkit has replaced one of your system files (beep.sys), so you will probably need to replace this with a clean copy, if you can remove the rootkit: http://www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2

So I would try the disc.

You can also post a log from RootRepeal (I am new to this program, but it’s worth posting a log):

http://rootrepeal.googlepages.com/

Open the program, click on ‘Report’, then select Scan, tick all the boxes, click OK, select the drive, then Scan. Post the log here.