Downloader.FraudLoad.N

Discussion in 'Malware Help (A Specialist Will Reply)' started by PaulyH, Aug 28, 2008.

  1. PaulyH

    PaulyH Private E-2

    Can someone help me remove this? I've run AVG 8.0 and MalWareBytes several times, neither one detects anything, but then when I restart AVG does find this and I get periodically prompted with fake Security Alerts.

    Here's my HJT log:
    -----------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:57:30 PM, on 8/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.

    Any help is appreciate, thanks!
     
    Last edited by a moderator: Sep 1, 2008
  2. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello PaulyH,

    Do you still have the log for the first MalwareBytes Scan?

    Additionally, we also require you to run through ComboFix, SAS, and MGTools.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. PaulyH

    PaulyH Private E-2

    Hi,

    I've gone through the steps in the "Read & Run Me First" post and have attached the logs in a zip file. It appears that SAS found something, but after a reboot, AVG still found the Downloader.Fraud.N trojan horse and I still received the fake Security Alert (of which I've included a screenshot in the zip file too). Any ideas? It doesn't seem like this is doing anything bad, but it is really annoying.

    Thanks!
     

    Attached Files:

  4. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello PaulyH,

    We need to clean your temp files again, you have an amazingly excessive amount of them still on board.

    Please download ATF Cleaner by Atribune.

    Caution: This program is for Windows 2000, XP and Vista only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe


    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  5. PaulyH

    PaulyH Private E-2

    Hi,

    I've attached my ComboFix.txt. Any idea why ccleaner wouldn't have removed all those temp files? I ran ccleaner until it couldn't remove anything else, with all the default options checked...
     
  6. PaulyH

    PaulyH Private E-2

    This time with the attachment...
     

    Attached Files:

  7. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello PaulyH,

    I don't know, but ATF-Cleaner seems to have the same issues. I guess we'll just do this the old fashioned way.

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe


    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  8. PaulyH

    PaulyH Private E-2

    Here's the log from ComboFix
     

    Attached Files:

  9. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello PaulyH,

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe. If it asks you to override the previous file with the same name, click YES.

    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  10. PaulyH

    PaulyH Private E-2

    Here's the latest ComboFix log
     

    Attached Files:

  11. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello PaulyH,

    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    Open notepad and copy (Ctrl C) and paste (Ctrl V) the following text in the quote:

    Save it to your C:\ drive as Kill.reg, with Type set to "All files".

    ----------------------------------------------- Step 2

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    files to delete:
    C:\WINDOWS\system32\upclkpmp.exe
    C:\WINDOWS\system32\drivers\lvuvc.hs
    C:\WINDOWS\system32\drivers\logiflt.iad
    C:\WINDOWS\system32\upclkpmp.exe
    
    folders to delete:
    C:\Program Files\edcwny
    C:\Documents and Settings\All Users\Application Data\ktitgpiv
    C:\temp
    
    programs to launch on reboot:
    C:\Kill.reg

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
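    As an added example (not part of this thread and not The Avenger's own code), the following Python script parses an Avenger-style script of the kind posted above into its "files to delete", "folders to delete" and "programs to launch on reboot" sections, drops duplicate entries, reports which delete targets are still present on disk, and refuses folder targets that point at a drive root or a core Windows directory. It is meant for the helper's side of such a cleanup: preview exactly what a script will touch before handing it to someone, and re-run the audit after the reboot to confirm nothing listed remains. The `PROTECTED_ROOTS` list, the `exists` callback and the sample script text (reproduced from the post above as constructed input) are assumptions of this example.

```python
import re
from pathlib import Path
from typing import Callable, Dict, List

# Constructed sample input: the Avenger script posted in this thread, used here as test data.
SAMPLE_SCRIPT = r"""files to delete:
C:\WINDOWS\system32\upclkpmp.exe
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\drivers\logiflt.iad
C:\WINDOWS\system32\upclkpmp.exe

folders to delete:
C:\Program Files\edcwny
C:\Documents and Settings\All Users\Application Data\ktitgpiv
C:\temp

programs to launch on reboot:
C:\Kill.reg
"""

# A section header is a line of words ending in ':' (e.g. "files to delete:").
# Path lines such as "C:\temp" contain a colon too, but never end with one.
SECTION_RE = re.compile(r"^\s*([a-z ]+?)\s*:\s*$", re.IGNORECASE)

# Assumed list of folders a cleanup script must never be allowed to remove wholesale.
PROTECTED_ROOTS = {
    "c:",
    "c:\\windows",
    "c:\\windows\\system32",
    "c:\\program files",
    "c:\\documents and settings",
}


def parse_avenger_script(text: str) -> Dict[str, List[str]]:
    """Group path lines under their section header, de-duplicating repeated entries."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"path listed before any section header: {line!r}")
        if line not in sections[current]:  # the posted script lists upclkpmp.exe twice
            sections[current].append(line)
    return sections


def audit_targets(
    sections: Dict[str, List[str]],
    exists: Callable[[str], bool] = lambda p: Path(p).exists(),
) -> Dict[str, bool]:
    """Map every delete target to whether it is currently present.

    Run before the script to see what will actually be removed, and again after the
    reboot: any target still reporting True means the cleanup did not take.
    The `exists` callback is injectable so the audit can be exercised without the
    real paths being on the machine.
    """
    report: Dict[str, bool] = {}
    for name, paths in sections.items():
        if not name.endswith("to delete"):
            continue  # "programs to launch on reboot" entries are not removed
        for p in paths:
            report[p] = exists(p)
    return report


def unsafe_folder_targets(sections: Dict[str, List[str]]) -> List[str]:
    """Return folder targets that would wipe a drive root or a core Windows directory."""
    return [
        p
        for p in sections.get("folders to delete", [])
        if p.lower().rstrip("\\") in PROTECTED_ROOTS
    ]


if __name__ == "__main__":
    parsed = parse_avenger_script(SAMPLE_SCRIPT)
    for name, paths in parsed.items():
        print(f"{name}: {len(paths)} entries")
    for path, present in audit_targets(parsed).items():
        print(f"{'PRESENT' if present else 'absent '}  {path}")
    if unsafe_folder_targets(parsed):
        print("refusing script: it targets a protected directory")
```

Running it on the real machine (after the reboot) should print `absent` for every target; a `PRESENT` line is the cue to post another log rather than call the cleanup finished.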
     
  12. PaulyH

    PaulyH Private E-2

    Attached Files:

  13. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello PaulyH,

    Please let me know if you continue to receive these messages on reboot.

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
     
  14. PaulyH

    PaulyH Private E-2

    Hi,

    I haven't received the Windows - No Disk errors anymore, guess that was a onetime thing.

    Also, I haven't received the fake Security Alert and AVG, MalwareBytes or SAS haven't found anything in a few days either. Do you see anything left in the logs?

    Thanks!
     

    Attached Files:

  15. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello PaulyH,

    Your logs do look pretty good to me, but I would like to run one last full system scan to make sure nothing else is hiding out before we wrap things up here.

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Follow the Instruction Here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs,Click Full System Scan
    • Once the download completes,the scan will begin automatically.
    • The scan will take some time to finish,so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.
     
  16. PaulyH

    PaulyH Private E-2

    Looks like it found something...
     

    Attached Files:

  17. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello PaulyH,

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    5. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    6. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    7. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    8. If we had you run Avenger, you can delete all files related to Avenger now.
    9. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    10. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    11. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    12. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    13. Go to add/remove programs and uninstall HijackThis.
    14. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    15. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    16. After doing the above, you should work thru the below link:
     
