"Trojan Horse Downloader.FraudLoad.N" - help

Discussion in 'Malware Help (A Specialist Will Reply)' started by ballth5, Sep 2, 2008.

  1. ballth5

    ballth5 Private E-2

    I've got the Trojan Horse Downloader FraudLoad.N virus. Currently I've run AVG, Spybot, Ad-Aware, Registry Booster 2 and Vundofix.
    Spybot and AVG were even run in safe mode. Still got the thing on the computer. I need help.
    I'm new to this, but if it is appropriate to add already, here is a copy of my hijackthis file which I copied right after completing AVG again and hooking my computer back up online:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:50:19 PM, on 9/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.


    Thanks for any assistance!
    ballth5
     
    Last edited by a moderator: Sep 4, 2008
  2. ballth5

    ballth5 Private E-2

    Never mind this post!
    Sorry, I didn't read the "READ & RUN ME FIRST" post until after I posted this. I am going to go through all the required steps there first, then I'll come back and ask for help (if needed).
    ballth5 :eek:
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Just attach your logs to this thread when you finish.
     
  4. ballth5

    ballth5 Private E-2

    still infected after "Read & Run Me First". help please!

    Hi,
    I'm new here. Got infected with the Trojan Horse Downloader.FraudLoad.N. I went through the "Read & Run Me First" post. I followed all directions and was hopeful that my problem would be solved. After completing all tests, I ran Spybot, Ad-Aware & AVG to check. I still have the Trojan Downloader.Fraud.Load.N and the Windows Security alerts pops up occasionally warning that I have Trojan-Downloader.Win32.Agent.bq, Trojan-Spy.Win32.GreenScreen, and others. Not sure what to do from here. I guess I could keep trying things, but it's best to just stop and let the experts help. So, help me please...Thanks so much!
    ballth

    I've attached my log files.
     


  5. ballth5

    ballth5 Private E-2

    Re: still infected after "Read & Run Me First". help please!

    Here's my fourth logfile.
    ballth
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you need to disable Spybot's Teatimer as requested in the READ & RUN ME. It more than likely got in the way of some of the cleaning steps. See this: How to disable Spybot's TeaTimer


    Uninstall the below old versions of Sun Java as requested in step 1 of the READ & RUN ME:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 5
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. ballth5

    ballth5 Private E-2

    I've completed everything here.
    The two requested files are attached. I'm not totally sure everything is cleared up yet. Numerous times during this cleaning process, I had the "fake security" window pop up to say I was infected with Trojan-Spy.HTML.Bankfraud.dq and Trojan-Spy.Win32.GreenScreen.

    Yes, I did receive a success message to this procedure.

    I was wondering...could my copy of AVG be infected? I noticed almost all the way through the process when your webpage was open that the mini Major Geeks icon in the address bar and Windows tab had changed into an AVG icon. Also, I pulled a copy of my Major Geeks bookmark onto my desktop during this operation and the shortcut icon was an AVG icon rather than your icon. Even after I went into the shortcut properties and changed the icon, it changed back to the AVG icon. Finally during one of the final procedures it changed from the AVG icon to the vBulletin symbol, to which it has remained.
    Just something weird.

    I just had the fake security window pop up with Trojan-Downloader.Win32.Agent.bq. So I guess we're not out of the woods yet. Please let me know what to do next. Thanks for the assistance so far...

    ~ballth5
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is it possible that AVG is infected... of course. But I don't think it is. I just think you are seeing some fairly typical strange behavior with Windows and icons. This would be a topic for the Software Forum.

    You are not clean yet.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O4 - HKCU\..\Run: [UiMnt] C:\WINDOWS\system32\navifane.exe

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    You did not reinstall the current version of Sun Java as requested in my last fix. You need to do this before you run into issues on various websites that require Java to work.
    Now double click the fixme.reg saved to your desktop in the previous fix, and allow it to be added to the registry again.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    After attaching the above logs DO NOT reboot or power down until I get back to you. I think your malware has been spreading/renaming at reboots.
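
    The O2 and O4 lines above are registry entries: a Browser Helper Object CLSID resolved through HKLM\Software\Classes\CLSID\...\InprocServer32, and a value under HKCU\...\CurrentVersion\Run. The script below is an added example, not part of the thread and not one of the MajorGeeks tools: it lists the same Run/RunOnce and BHO entries HijackThis reports, flags entries whose target file is missing (the O2 line above says "file missing"), removes a named Run value with a confirmation prompt, and snapshots the Run entries so they can be compared after a reboot, which is the "renaming at reboots" suspicion in the post above. Function names and the snapshot path are my own assumptions; PowerShell 2.0 or later is assumed, which on the XP SP2 machine in this thread is a separate download.

```powershell
# Added example, not from the MajorGeeks thread or its tools. Assumes PowerShell 2.0+.
# Lists the autostart (HJT "O4") and Browser Helper Object (HJT "O2") registry entries,
# flags ones whose target file is missing, removes a named Run value, and snapshots
# the Run entries so a before/after reboot comparison can be made.

$script:PsBookkeeping = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... members to the object; skip them
            if ($script:PsBookkeeping -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            # Treat the first token as the executable (assumption: quoted if it contains spaces)
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = Test-Path -LiteralPath $exe
            if (-not $exists -and -not [IO.Path]::IsPathRooted($exe)) {
                # Bare name such as rundll32.exe: resolve through PATH, as CreateProcess would
                $exists = (Get-Command $exe -ErrorAction SilentlyContinue) -ne $null
            }
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                FileExists = $exists
            }
        }
    }
}

function Get-BhoEntries {
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        # The CLSID subkey only registers the BHO; the DLL path lives under the class registration
        $server = "HKLM:\Software\Classes\CLSID\$($clsid)\InprocServer32"
        $dll    = ''
        if (Test-Path -Path $server) {
            $dll = [string](Get-ItemProperty -Path $server).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
        }
        New-Object PSObject -Property @{
            Clsid      = $clsid
            Dll        = $dll
            FileExists = ($dll -ne '' -and (Test-Path -LiteralPath $dll))
        }
    }
}

function Remove-RunEntry {
    # Equivalent of ticking an O4 line in HijackThis and clicking Fix, with a confirmation prompt
    param(
        [ValidateSet('HKLM', 'HKCU')][string]$Hive,
        [Parameter(Mandatory = $true)][string]$Name
    )
    $key = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Run"
    $current = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($current -eq $null) { Write-Warning "$key\$Name is not present"; return }
    Write-Host "Removing $key\$Name = $($current.$Name)"
    Remove-ItemProperty -Path $key -Name $Name -Confirm
}

function Save-RunSnapshot { param([string]$Path) Get-RunEntries | Export-Clixml -Path $Path }

function Compare-RunSnapshot {
    # Shows Run values added, removed or renamed since the snapshot (e.g. across a reboot)
    param([string]$Path)
    Compare-Object -ReferenceObject @(Import-Clixml -Path $Path) `
                   -DifferenceObject @(Get-RunEntries) -Property Key, Name, Command
}

# Usage (assumed paths). The thread's O4 line was "HKCU\..\Run: [UiMnt] C:\WINDOWS\system32\navifane.exe".
Get-RunEntries | Format-Table Key, Name, Command, FileExists -AutoSize
Get-BhoEntries | Format-Table Clsid, Dll, FileExists -AutoSize
# Remove-RunEntry -Hive HKCU -Name 'UiMnt'
# Save-RunSnapshot -Path C:\run-before.xml     # reboot, then:
# Compare-RunSnapshot -Path C:\run-before.xml
```

    FileExists is only one signal: the navifane.exe entry in the post above pointed at a file that was present, so compare the listing against the HJT log or an earlier snapshot rather than trusting it alone. The removal should be done with every browser closed, as the post says, because a BHO DLL loaded in a running iexplore.exe is held open and the malware that owns it may still be active.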
     
  9. ballth5

    ballth5 Private E-2

    I've run through the latest set of helps. Here are the requested files:

    I reinstalled the current version of Sun Java (again) as requested. I'm not sure why it did not appear as installed. I'm sure I did it in the previous fix.

    The computer is staying on. I'll not reboot or power down until I hear from you.

    As for AVG, I noticed in my toolbar that after ComboFix rebooted the computer, AVG appears to be running scans. I haven't clicked to open the control panel to see if it is actually running any scans or not. This happened before and I let it go for 16 hours and it wasn't really scanning, it just appeared to be scanning. As long as it has nothing to do with the virus, I'm not too worried about it now.

    Thanks for the continuing assistance!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You are in good shape now.

    We just have one more minor registry fix to make.

    Copy the bold text below to Notepad. Save it as fixme2.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  11. ballth5

    ballth5 Private E-2

    chaslang,
    Major Geeks has been great! And you especially have been a great help. Thanks so much for all your assistance. I've completed the last "fixme2.reg" and received a success message. I've gone through the "removal" list you said to do and did the "disable/enable restore" step. I'm working my way through the "protect yourself..." link and I have a few more questions.
    1. I've heard some people having problems with Win XP SP3. Is it safe to use or should I stick with SP2?
    2. I have currently been using AVG8, but I see it's not your personal favorite. Would you recommend I switch to Avast?
    3. Finally, at the beginning of your "Read & Run Me First" article, you told me to set msconfig for "Normal Startup Mode". Should this be left as is or should I change it back?
    Thanks again for all your help. Everything seems to be running OK now.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1. SP3 is better discussed in the Software Forum. At some point though, you really should update to be sure to have the most secure OS.
    2. If you are happy with it then stick with it. AVG8 does also include their antispyware program so you don't have to install a separate realtime antispyware blocker.
    3. Normal Startup = Normal ;) Did you read the other link given in the READ & RUN ME? This one Dealing with Startup Processes
    You're welcome. Surf safely.
     
