Win32:FraudTool-GK [Tool] and Win32:FraudTool-GL [Tool]

I just ran Avast and it appears to have found infected files. It recommended that I move them to the chest; however, I am confused about what to do now. Any help would be much appreciated. I just want to know how to get rid of them.

C:\System Volume Information\_restore{ECEE5A3A-0B91-4BF4-A156-76E705835F4F}\RP188\A0030044.exe
Win32:FraudTool-GL [Tool]
Other potentially dangerous program
080828-0, 08/28/2008

C:\System Volume Information\_restore{ECEE5A3A-0B91-4BF4-A156-76E705835F4F}\RP188\A0030045.exe
Win32:FraudTool-GK [Tool]
Other potentially dangerous program
080828-0, 08/28/2008

Thank you!

Hi Ivona,

If they are being moved to the chest, they are safe there and cannot do any harm to your machine.
But you can also establish whether there is a real virus by uploading the files in question to virustotal.com
and giving us the details of the report it generates from its online scanning.
Also, you could run a scan with DrWebCureIt; download it from here: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

polonus

Thank you so much for the response, it is much appreciated. If I run Dr.Web CureIt, do I need to extract the file from the chest, or can I simply leave it as is and run the scan? Also, how would I upload the virus to have it checked to see if it is a real virus? I'm sorry, I am completely new to all of this. Thank you once again!

I just ran Dr.Web CureIt and it found no virus; however, the virus found by Avast is still in the chest. Has this made a difference in the results?
Thank you, and sorry for all the questions!

To upload to VirusTotal:
create a folder in a handy, easy-to-remember place like
C:\suspicious
exclude C:\suspicious from your Avast scanners so they will not prevent the upload
COPY the suspect files to your new folder

go to VirusTotal, navigate to your new folder and upload the files
report back the results or links

glad that the other AV scan did not find anything additional

we usually recommend a scan with an anti-spyware app if you have not done so
most recommend Malwarebytes' Anti-Malware (free) if W2K, XP or Vista
if any hits, check the baddies and click REMOVE

if W98 (or W2K, XP or Vista) then Spybot Search & Destroy or a-squared
SuperAntiSpyware
be sure to quarantine, not remove/delete, in case of false positives
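
An added example, not part of the original thread or of any of the tools named in it: before (or after) uploading a copy of a suspect file, compute its hashes locally and compare them with the MD5/SHA1/SHA256/SHA512 values VirusTotal prints under "Additional information". That confirms the report you are reading describes exactly the copy sitting in your folder, which matters when the same file has been copied out of the chest or a restore point. The sample bytes and the small "report" dictionary below are constructed for illustration; the only hashes asserted are the well-known digests of the three bytes "abc".

```python
import hashlib
from pathlib import Path

# Hash algorithms VirusTotal listed in the reports quoted in this thread.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digests(data: bytes) -> dict:
    """Return lowercase hex digests of an in-memory file for each algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digests_of_file(path, chunk_size: int = 1 << 16) -> dict:
    """Hash a file on disk in chunks so a large sample need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_with_report(local: dict, report: dict) -> list:
    """Return the names of the algorithms whose local digest differs from the report.

    Only algorithms present in both dicts are compared. Report values are
    normalised (case and embedded whitespace) because hashes copied from a
    web page frequently arrive with stray spaces or a line break in the middle.
    """
    mismatches = []
    for name in ALGORITHMS:
        if name in local and name in report:
            expected = "".join(report[name].split()).lower()
            if local[name] != expected:
                mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    # Constructed sample standing in for a copied suspect file.
    sample_path = Path("suspicious_sample.bin")
    sample_path.write_bytes(b"abc")
    # Constructed "report": the well-known MD5 and SHA1 of the bytes b"abc".
    report = {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha1": "A9993E364706816ABA3E25717850C26C 9CD0D89D",
    }
    local = digests_of_file(sample_path)
    print("local sha256:", local["sha256"])
    print("mismatches:", compare_with_report(local, report) or "none")
    sample_path.unlink()
```

If the function reports a mismatch, the file you have is not the file the report describes (a different copy, a truncated download, or a paste error), and the verdicts in that report do not apply to it.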

Sorry, but how do I exclude the folder? Thank you

Okay, I uploaded it to VirusTotal and here are the results.

Report 1 (the file Avast named Win32:FraudTool-GL)

Antivirus          Version          Last Update  Result
AhnLab-V3          2008.8.29.0      2008.08.29   -
AntiVir            7.8.1.23         2008.08.29   TR/Trash.Gen
Authentium         5.1.0.4          2008.08.29   -
Avast              4.8.1195.0       2008.08.29   Win32:FraudTool-GL
AVG                8.0.0.161        2008.08.29   -
BitDefender        7.2              2008.08.29   -
CAT-QuickHeal      9.50             2008.08.29   -
ClamAV             0.93.1           2008.08.29   -
DrWeb              4.44.0.09170     2008.08.29   -
eSafe              7.0.17.0         2008.08.28   -
eTrust-Vet         31.6.6056        2008.08.29   -
Ewido              4.0              2008.08.29   -
F-Prot             4.4.4.56         2008.08.29   -
F-Secure           7.60.13501.0     2008.08.29   -
Fortinet           3.14.0.0         2008.08.29   -
GData              19               2008.08.29   Win32:FraudTool-GL
Ikarus             T3.1.1.34.0      2008.08.29   Virus.Win32.Delf.CSQ
K7AntiVirus        7.10.432         2008.08.29   -
Kaspersky          7.0.0.125        2008.08.29   -
McAfee             5373             2008.08.29   -
Microsoft          1.3807           2008.08.25   -
NOD32v2            3399             2008.08.29   -
Norman             5.80.02          2008.08.29   -
Panda              9.0.0.4          2008.08.29   -
PCTools            4.4.2.0          2008.08.29   -
Prevx1             V2               2008.08.29   -
Rising             20.59.41.00      2008.08.29   -
Sophos             4.33.0           2008.08.29   -
Sunbelt            3.1.1592.1       2008.08.29   -
Symantec           10               2008.08.29   -
TheHacker          6.3.0.6.067      2008.08.29   -
TrendMicro         8.700.0.1004     2008.08.29   -
VBA32              3.12.8.4         2008.08.29   -
ViRobot            2008.8.29.1355   2008.08.29   -
VirusBuster        4.5.11.0         2008.08.29   -
Webwasher-Gateway  6.6.2            2008.08.29   Trojan.Trash.Gen

Additional information
File size: 31232 bytes
MD5:    ef04f34dfbbd25a34a05314574641a1b
SHA1:   186f4e4e224d1a8cec5afab6da082867d3a78419
SHA256: 645e4e20638bfc7a421657c116eb010ce34e606897bc71ad5533ff516aa0721b
SHA512: f14e13ca4520517c0fd7ba7d44d5e921d19b32ca04a44dbc977072afbbfa2357ae1181c535f70a1495d2fae4090c41704079b748bb61cbc9aac4479ff7b2a816
PEiD:   -
TrID:   File type identification
        Autodesk FLIC Image File (extensions: flc, fli, cel) (100.0%)
PEInfo: -

Report 2 (the file Avast named Win32:FraudTool-GK)

Antivirus          Version          Last Update  Result
AhnLab-V3          2008.8.29.0      2008.08.29   -
AntiVir            7.8.1.23         2008.08.29   SPR/Fake.WinXDe.A.1
Authentium         5.1.0.4          2008.08.29   -
Avast              4.8.1195.0       2008.08.29   Win32:FraudTool-GK
AVG                8.0.0.161        2008.08.29   -
BitDefender        7.2              2008.08.29   -
CAT-QuickHeal      9.50             2008.08.29   -
ClamAV             0.93.1           2008.08.29   -
DrWeb              4.44.0.09170     2008.08.29   -
eSafe              7.0.17.0         2008.08.28   -
eTrust-Vet         31.6.6056        2008.08.29   -
Ewido              4.0              2008.08.29   -
F-Prot             4.4.4.56         2008.08.29   -
F-Secure           7.60.13501.0     2008.08.29   -
Fortinet           3.14.0.0         2008.08.29   -
GData              19               2008.08.29   -
Ikarus             T3.1.1.34.0      2008.08.29   -
K7AntiVirus        7.10.432         2008.08.29   -
Kaspersky          7.0.0.125        2008.08.29   -
McAfee             5373             2008.08.29   -
Microsoft          1.3807           2008.08.25   -
NOD32v2            3399             2008.08.29   -
Norman             5.80.02          2008.08.29   -
Panda              9.0.0.4          2008.08.29   -
PCTools            4.4.2.0          2008.08.29   -
Prevx1             V2               2008.08.29   -
Rising             20.59.41.00      2008.08.29   -
Sophos             4.33.0           2008.08.29   -
Sunbelt            3.1.1592.1       2008.08.29   -
Symantec           10               2008.08.29   -
TheHacker          6.3.0.6.067      2008.08.29   -
TrendMicro         8.700.0.1004     2008.08.29   -
VBA32              3.12.8.4         2008.08.29   -
ViRobot            2008.8.29.1355   2008.08.29   -
VirusBuster        4.5.11.0         2008.08.29   -
Webwasher-Gateway  6.6.2            2008.08.29   Riskware.Fake.PowAV2009

Additional information
File size: 1533952 bytes
MD5:    c12fa575f000f4ea572e7fb81fba36de
SHA1:   e5b043a279cfa61c88a51b05617caf73499074b2
SHA256: bb45a7389b4de2b854f214ef81813e2015db2c4416b1515ac853b1097ee817aa
SHA512: 740ebc410e3e696b22fcbf5b461eaace112bd9be0bbee4645c337ee3e15a2e55479143e8cc25e2ecb70b4a871e0067a52e121599951d6f5e54e286d8d6354142
PEiD:   -
TrID:   File type identification
        Autodesk FLIC Image File (extensions: flc, fli, cel) (100.0%)
PEInfo: -
Thank you for your help
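
An added example, not part of the original thread or of VirusTotal itself: a small parser for the semicolon-separated layout VirusTotal offered for copying a report, run over the first report posted above. It counts how many of the 36 engines flagged the file, lists the names they gave, and notes which engines were scanning with older signatures. That is the raw material for the "false positive or not" judgement made later in this thread: a handful of hits carrying generic or riskware-style names (Trash.Gen, FraudTool, SPR/, Riskware) against a majority of clean verdicts reads differently from a file most engines name as the same trojan family. The list of generic-name markers is this example's own heuristic, not something VirusTotal provides, and the report text is copied from the thread above.

```python
# Header exactly as VirusTotal printed it in its semicolon-separated copy layout.
HEADER = "Antivirus;Version;Last Update;Result"

# The first report posted in the thread (the file Avast named Win32:FraudTool-GL).
REPORT_GL = """\
Antivirus;Version;Last Update;Result
AhnLab-V3;2008.8.29.0;2008.08.29;-
AntiVir;7.8.1.23;2008.08.29;TR/Trash.Gen
Authentium;5.1.0.4;2008.08.29;-
Avast;4.8.1195.0;2008.08.29;Win32:FraudTool-GL
AVG;8.0.0.161;2008.08.29;-
BitDefender;7.2;2008.08.29;-
CAT-QuickHeal;9.50;2008.08.29;-
ClamAV;0.93.1;2008.08.29;-
DrWeb;4.44.0.09170;2008.08.29;-
eSafe;7.0.17.0;2008.08.28;-
eTrust-Vet;31.6.6056;2008.08.29;-
Ewido;4.0;2008.08.29;-
F-Prot;4.4.4.56;2008.08.29;-
F-Secure;7.60.13501.0;2008.08.29;-
Fortinet;3.14.0.0;2008.08.29;-
GData;19;2008.08.29;Win32:FraudTool-GL
Ikarus;T3.1.1.34.0;2008.08.29;Virus.Win32.Delf.CSQ
K7AntiVirus;7.10.432;2008.08.29;-
Kaspersky;7.0.0.125;2008.08.29;-
McAfee;5373;2008.08.29;-
Microsoft;1.3807;2008.08.25;-
NOD32v2;3399;2008.08.29;-
Norman;5.80.02;2008.08.29;-
Panda;9.0.0.4;2008.08.29;-
PCTools;4.4.2.0;2008.08.29;-
Prevx1;V2;2008.08.29;-
Rising;20.59.41.00;2008.08.29;-
Sophos;4.33.0;2008.08.29;-
Sunbelt;3.1.1592.1;2008.08.29;-
Symantec;10;2008.08.29;-
TheHacker;6.3.0.6.067;2008.08.29;-
TrendMicro;8.700.0.1004;2008.08.29;-
VBA32;3.12.8.4;2008.08.29;-
ViRobot;2008.8.29.1355;2008.08.29;-
VirusBuster;4.5.11.0;2008.08.29;-
Webwasher-Gateway;6.6.2;2008.08.29;Trojan.Trash.Gen
"""

# Substrings that in vendor naming usually mark a generic, heuristic or
# riskware/PUA verdict rather than a specific family. This list is the
# example's own heuristic, not a VirusTotal feature.
GENERIC_MARKERS = ("gen", "fake", "fraudtool", "riskware", "spr/", "heur")


def parse_report(text: str) -> list:
    """Parse the semicolon layout into one dict per engine; '-' becomes None."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != HEADER:
        raise ValueError("unexpected header: %r" % (lines[:1],))
    rows = []
    for ln in lines[1:]:
        parts = ln.split(";")
        if len(parts) != 4:
            raise ValueError("malformed row: %r" % ln)
        engine, version, updated, result = parts
        rows.append({"engine": engine, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows


def summarize(rows: list) -> dict:
    """Detection ratio, the names given, and engines whose signatures were stale."""
    hits = {r["engine"]: r["result"] for r in rows if r["result"]}
    generic = [e for e, name in hits.items()
               if any(m in name.lower() for m in GENERIC_MARKERS)]
    # Dates are YYYY.MM.DD, so plain string comparison orders them correctly.
    newest = max(r["updated"] for r in rows)
    stale = [r["engine"] for r in rows if r["updated"] < newest]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "names": hits,
        "all_generic": len(generic) == len(hits),
        "stale_engines": stale,
    }


if __name__ == "__main__":
    s = summarize(parse_report(REPORT_GL))
    print("%d/%d engines flagged the file" % (s["detections"], s["engines"]))
    for engine, name in s["names"].items():
        print("  %-18s %s" % (engine, name))
    print("all hits generic/riskware-style:", s["all_generic"])
    print("engines with older signatures:", ", ".join(s["stale_engines"]))
```

For this report the summary is 5 of 36 engines, four of them with generic-style names and one (Ikarus) with a family-style name, and two engines (eSafe, Microsoft) scanning with signatures older than the rest. Whether that adds up to a false positive is a judgement call, which is why the advice in the thread is to quarantine rather than delete and to rescan after the next signature update.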

Hi Ivona,

I lean towards an FP, but I would also like to have the view of the others here on the board,

polonus

Sorry, the longer I'm on this the more computer-illiterate I feel. What is an FP?

Thank you!

Sorry, where do I go from here? I've checked my computer with Dr.Web CureIt, SuperAntiSpyware and Malwarebytes' Anti-Malware; it seems only Avast has found the infected files. Is there any way I can remove them? Thank you!!

As they are in the restore points, all you need to do is this

XP
Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then, if you need to restore at some stage, you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The system will do some calculation and then display a dialogue box with tabs
[*]Select the More Options Tab.
[*]At the bottom will be a system restore box with a CLEANUP button click this
[*]Accept the Warning and select OK again, the program will close and you are done

VISTA
To manually create a new Restore Point
[*]Go to Control Panel and select System and Maintenance
[*]Select System
[*]On the left select Advanced System Settings and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create
Now we can purge the infected ones

[*]Go back to the System and Maintenance page
[*]Select Performance Information and Tools
[*]On the left select Open Disk Cleanup
[*]Select Files from all users and accept the warning if you get one
[*]In the drop down box select your main drive i.e. C
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete
You are now done

Hi Ivona,

An FP means a False Positive. But it could well be that the FP will be gone when the new virus update of Avast is out; false positives are normally soon dealt with. You found nothing on scanning with the other scanners, but do as Essexboy advises and you are out of the woods,

polonus

Thank you so much, I will try this now!!! And thanks to everyone for their help; this forum is amazing, much appreciated!

When I ran Dr.Web CureIt for the first time it was just a quick scan and it found nothing; the thorough scan found two infected files so far and I chose to cure them, which it did by deleting them. They are both Trojan.Swizzor-based and called pifcrawl.exe and a0030210.exe. After this scan is finished I am going to take the steps outlined for cleaning restore points. Does deleting the trojans with Dr.Web CureIt completely remove them? Thank you!!

http://www.castlecops.com/t211929-Is_pifCrawl_exe_a_genuine_Symantec_file.html

have you ever had a Symantec product on your machine, or pre-installed???
In my first post I asked you to quarantine, not delete/remove, hits
many times even if a hit is removed its friends are still there, and we need to have a clue as to what they might be

If you have had a Symantec/Norton product and have "removed it", then please go to the Symantec site and run their removal tool; they have several depending on what you had

if you Google pifCrawl you can see that it may cause a host of problems

keep MBAM and SAS around and updated
much new malware breaks the internet, so when you need them you would not be able to get them
they take no resources unless used
if you get a flash that "malware found", do not click anything
run the scans; there are lots of XP2009 Antivirus scams going around
to prevent this, install "NoScript" in Firefox; if using IE, post back

Hi Ivona,

DrWebCureIt should remove this adequately, so do not worry. To see whether your machine is clean etc., download HijackThis from here: http://www.majorgeeks.com/downloadget.php?id=5554&file=15&evp=4122712c2af084c815e5fd4f2b249d83
and post a HijackThis log.txt as an attachment to your next posting for us to analyze,

polonus

So basically, I ran Dr.Web CureIt; it found two viruses and deleted them. I cleaned out my System Restore as instructed and ran Avast again, which then found the same Win32:FraudTool-GK and GL again. Is there anything else that I can do???

Thank you!

Was it in the same location?

No, the first two were located in a003044 and a003045; there are four different ones now and they are a0030215, a0030216, a0020217, a0030218. Thank you!