#1
Junior Member
Join Date: Aug 2009
Posts: 1
My computer is having difficulty removing this malware due to it having no file traces on it. It depicts itself as a virus scanner that essentially begins to run on its own. Other malware I have plaguing my computer are as follows:
Trojan.Fakeavalert
Summary: Trojan.Fakeavalert is a Trojan that downloads other malware from malicious web sites.
Category: Trojan
Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.
Level: High
High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice: Remove
Description
Other names:
F-Secure: Trojan-Downloader.Win32.FraudLoad.dyl
Kaspersky: Trojan-Downloader.Win32.FraudLoad.dyl
McAfee: Generic Downloader.z
Microsoft: TrojanDownloader:Win32/Renos.DZ
Sophos: Mal/UnkPack-Fam
Symantec: Trojan.Fakeavalert
TrendMicro: TROJ_FAKEAVAL.FT
Registry changes:
HKEY_CURRENT_USER SOFTWARE\COLDWARE
Release Date: Mar 26 2009

FraudTool.Win32.Antivirus2010 (v)
Summary: FraudTool.Win32.Antivirus2010 (v) is a rogue anti-malware product installed by malicious websites through misleading advertising. It will run a system scan and report finding non-existent threats. FraudTool.Win32.Antivirus2010 (v) also displays numerous pop-up security alerts windows encouraging the user to buy the full version of the software to remove fictitious threats. It also redirects a victim’s Web browser and displays phony warning messages that the website being visited is a security threat. The fake security alerts are an attempt
Category: Rogue Security Program
A Rogue Security Program is software that purports to scan and detect malware or other problems on the computer, but which attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results. Rogue Security Programs typically use aggressive, deceptive advertising and may be installed without adequate notice and consent, often through exploits.
Level: High
High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice: Remove
Description
Other names:
Kaspersky: Trojan-Downloader.Win32.FraudLoad.dzm
McAfee: FakeAlert-AB.dldr
Microsoft: Trojan:Win32/FakeXPA
Sophos: Troj/FakeAle-MV
Symantec: Trojan.Fakeavalert
TrendMicro: Mal_FakeAV-11
Release Date: Apr 2 2009
Last Updated: Apr 2 2009
File Traces: No traces available.

Trojan-Downloader.Win32.Agent.cimw
Summary: Trojan-Downloader.Win32.Agent.cimw is a Trojan downloader that directs a victim’s browser to malicious websites to download other malware including downloader components and rogue anti-malware products.
Category: Trojan Downloader
A Trojan Downloader is a program typically installed through an exploit or some other deceptive means and that facilitates the download and installation of other malware and unwanted software onto a victim's PC. A Trojan Downloader may download adware, spyware or other malware from multiple servers or sources on the internet.
Level: High
High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice: Remove
Description
Other names:
F-Secure: Trojan-Downloader.Win32.Agent.cimw
Kaspersky: Trojan-Downloader.Win32.Agent.cimw
McAfee: FakeAlert-EL
Microsoft: TrojanDownloader:Win32/Renos.HU
Sophos: Mal/Renos-J
Symantec: Trojan Horse
Registry changes:
HKEY_CURRENT_USER SOFTWARE\COGNAC
Release Date: Jul 16 2009
Last Updated: Jul 20 2009

Explorer32.Hijacker
Summary: Explorer32.Hijacker is a Trojan which modifies the Internet Explorer Start-Page and changes the registry. When run, the Trojan creates two helper files system32.exe and mspxs32.dll in the Windows system folder and runs system32.exe.
Category: Hijacker
Hijackers are software programs that modify users' default browser home page, search settings, error page settings, or desktop wallpaper without adequate notice, disclosure, or user consent. When the default home page is hijacked, the browser opens to the web page set by the hijacker instead of the user's designated home page. In some cases, the hijacker may block users from restoring their desired home page. A search hijacker redirects search results to other pages and may transmit search and browsing data to unknown servers. An error page hijacker directs the browser to another page, usually an advertising page, instead of the usual error page when the requested URL is not found. A desktop hijacker replaces the desktop wallpaper with advertising for products and services on the desktop.
Level: Elevated
Elevated risks are typically installed without adequate notice and consent, and may make unwanted changes to your system, such as reconfiguring your browser's homepage and search settings. These risks may install advertising-related add-ons, including toolbars and search bars, or insert advertising-related components into the Winsock Layered Service Provider chain. These new add-ons and components may block or redirect your preferred network connections, and can negatively impact your computer's performance and stability. Elevated risks may also collect, transmit, and share potentially sensitive data without adequate notice and consent.
Advice: Remove
Description
Other names:
Kaspersky: Backdoor.Win32.SdBot.05.v
McAfee: W32/Kwbot.worm.b
Microsoft: BrowserModifier:Win32/Hijacker.D
Sophos: Troj/SDBot-05A
Symantec: W32.Kwbot.Worm
TrendMicro: WORM_SPYBOT.CCF
The following registry entries are created so that Explorer32.Hijacker may auto-start on user logon or computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Win32 Explorer = %SYSTEM%\explorer32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Win32 Explorer = %SYSTEM%\explorer32.exe
Registry changes:
HKEY_CURRENT_USER SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN WIN32 EXPLORER
HKEY_LOCAL_MACHINE SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN WIN32 EXPLORER
HKEY_CURRENT_USER SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN MICROSOFT WINDOWS UPDATES
HKEY_CURRENT_USER SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN WINDOWS EXPLORER UPDATE BUILD 1142
HKEY_CURRENT_USER Software\Microsoft\Internet Explorer SearchURL http://windiwsfsearch.com
HKEY_CURRENT_USER Software\Microsoft\Internet Explorer\Main SearchMigratedDefaultURL http://windiwsfsearch.com/search?q={searchTerms}
HKEY_CURRENT_USER Software\Microsoft\Internet Explorer\Main Default_Search_URL http://windiwsfsearch.com
HKEY_CURRENT_USER Software\Microsoft\Internet Explorer\search SearchAssistant http://windiwsfsearch.com
HKEY_CURRENT_USER Software\Microsoft\Internet Explorer\SearchUrl\w @ http://windiwsfsearch.com/search?q=%s
HKEY_LOCAL_MACHINE software\Microsoft\Internet Explorer SearchURL http://windiwsfsearch.com
HKEY_CURRENT_USER Software\XML
HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}
HKEY_LOCAL_MACHINE SOFTWARE\Classes\XML.XML.1
HKEY_LOCAL_MACHINE SOFTWARE\Classes\XML.XML
HKEY_LOCAL_MACHINE SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}
HKEY_LOCAL_MACHINE SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}
Release Date: Apr 12 2005
Last Updated: Nov 5 2008
~tmpa.exe ~tmpb.exe ~tmpd.exe b.exe explorer32.exe explorer32.exe explorer32.exe explorer32.exe msxml71.dll msxml71.dll

AntiSpywareXP2009
Summary: AntiSpywareXP2009 is a purported anti-spyware application to scan for and remove spyware from users' computers.
Category: Rogue Security Program
A Rogue Security Program is software that purports to scan and detect malware or other problems on the computer, but which attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results. Rogue Security Programs typically use aggressive, deceptive advertising and may be installed without adequate notice and consent, often through exploits.
Level: Elevated
Elevated risks are typically installed without adequate notice and consent, and may make unwanted changes to your system, such as reconfiguring your browser's homepage and search settings. These risks may install advertising-related add-ons, including toolbars and search bars, or insert advertising-related components into the Winsock Layered Service Provider chain. These new add-ons and components may block or redirect your preferred network connections, and can negatively impact your computer's performance and stability. Elevated risks may also collect, transmit, and share potentially sensitive data without adequate notice and consent.
Advice: Remove
Description: AntiSpywareXP2009 may be downloaded and installed through exploits or under dubious circumstances without user consent. AntiSpywareXP2009 hijacks the user's desktop and typically displays exaggerated or false claims of spyware found to frighten the user into paying for the program.
Release Date: Oct 22 2008
Last Updated: May 1 2009
File Traces: install.exe install.exe install.exe

Please advise, and if you could keep the words simple. Tell me if I may need professional help on this matter. Thank you.

#2
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 23,454
Rated LASSHes: 16
Hello Foxtail,

Please see this forum's FAQ, "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance). Then start a new topic providing the HJT log, and I will close this one as helpers look for threads without a response.

Regards.
__________________
UNITE-ASAP Microsoft MVP. Consumer Security 2006-2010 Please help us improve Spybot, download our distributed testing client