
Thread: Possible False Positive for WIN32.FraudLoad.Edt

  1. #1
    Junior Member
    Join Date
    Feb 2010
    Posts
    16

    Possible False Positive for WIN32.FraudLoad.Edt

    Hello! I've been working with Blade81 on a malware problem, and he or she thought that I might be getting a false positive reading with Spybot, and that I should submit it to this forum. I have Windows Vista, and use Firefox (I am unsure which version).

    You can find the logs and screenshots on the second page of this thread, beginning with post #12: http://forums.spybot.info/showthread.php?p=361326.

    Thank you so much!

  2. #2
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Hello,

    Thank you for reporting this issue.
    However, this does not appear to be a false positive.
    The detection of Win32.FraudLoad.Edt does not show that the wininit.ini itself gets targeted, but a rename operation within it.
    Since the rename operation appears to get added again, it can be assumed that the infection causing this is still in place, at least partly.
    Take a look at the following folder:
    c:\windows\tasks
    This will very likely contain job files; if you check the properties of these job files you can see which files get started by them and how they are scheduled.
    If you are unsure whether a job is legitimate or not, you are welcome to post the "Run:" entry for each job file. We may then request some of the files referenced for analysis.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Feb 2010
    Posts
    16


    Hello! I've opened the Tasks folder, and it contains three files: SA.DAT, SCHEDLGU.TXT and Spybot - Search & Destroy - Scheduled Task. Are any of these job files? If so, how would I check to see which jobs are started by them?

    Thank you so much!

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    To check the properties of a job file, right-click the file and choose "Properties" from the context menu.
    On the first tab, named "Task", you will find "Run", which specifies the file and the parameters that will be executed.
    It is possible that some of the tasks are hidden using the "hidden" file property. To see files hidden in this manner, do the following:
    • within Windows Explorer click on "Tools"
    • select "Folder Options"
    • open the "View" tab
    • select to activate "Show hidden files and folders"
    • disable "Hide extensions for known file types" (this is more practical)
    • disable "Hide protected operating system files"
    • restart your computer

    Also look for files on drive C: which are named like this: c:\tempjunk*.tmp
    where the * stands for any kind and number of characters.
    If you find one or more files like this, please send them to detections@spybot.info for analysis.
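The steps Yodama describes above (list the contents of the Tasks folder including hidden files, read the "Run" command of each scheduled task, inspect the rename entry in wininit.ini, and search drive C: for tempjunk*.tmp) can also be collected in one go from a PowerShell prompt. The script below is an added example written for this thread; it is not Spybot's or Yodama's code. It assumes a Windows system where `schtasks` is available, that wininit.ini lives in the Windows directory as the thread implies, and that the rename operation sits under a `[rename]` section (an assumption; the thread only says "a rename operation within it").

```powershell
# Added triage example for the items named in this thread (not part of the original post).
# Assumptions: Windows with PowerShell and schtasks.exe; wininit.ini under $env:windir;
# the rename operation is stored under a [rename] section (assumed, not stated in the thread).

$tasksDir = Join-Path $env:windir 'Tasks'
$wininit  = Join-Path $env:windir 'wininit.ini'

# 1. Everything in the Tasks folder, including files marked hidden or system (-Force),
#    so nothing is masked the way the Explorer "hidden" attribute would mask it.
Write-Host "== Contents of $tasksDir (hidden files included) =="
Get-ChildItem -Path $tasksDir -Force |
    Select-Object Name, Attributes, LastWriteTime, Length |
    Format-Table -AutoSize

# 2. The command line each scheduled task runs: schtasks' verbose LIST output carries
#    the same information as the "Run" field on the job file's Task tab.
Write-Host "== Scheduled tasks: name, command, schedule =="
schtasks /query /fo LIST /v |
    Select-String -Pattern '^(TaskName|Task To Run|Schedule Type|Run As User):'

# 3. wininit.ini: print the file so any rename entry is visible. Lines of the form
#    target=source under [rename] are file operations queued for the next boot.
Write-Host "== $wininit =="
if (Test-Path $wininit) {
    Get-Content $wininit
} else {
    Write-Host "wininit.ini not present"
}

# 4. The c:\tempjunk*.tmp pattern from the thread; -Force shows hidden matches too.
Write-Host "== c:\tempjunk*.tmp matches =="
Get-ChildItem -Path 'C:\' -Filter 'tempjunk*.tmp' -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Attributes, LastWriteTime, Length |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that protected system files and all users' tasks are visible, and paste the "Task To Run" lines into the thread if any of them point at a file you do not recognise; the files themselves go to the address given above rather than into the post.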

  5. #5
    Junior Member
    Join Date
    Feb 2010
    Posts
    16


    Thanks, Yodama! I found "tempjunk" in the wininit.ini file, and sent that info to the email address as you suggested.
