Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Frethog!rar


  • Please log in to reply
16 replies to this topic

#1 rustyrusty

rustyrusty

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 06 March 2009 - 08:47 PM

My computer has a trojan that is detected by CA anti-virus all the time. It finds it and cleans it, but it just keeps coming back. It says it is called Frethog!rar.

Well I really need some help thank you

Rusty

BC AdBot (Login to Remove)

 


#2 rustyrusty

rustyrusty
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 06 March 2009 - 08:51 PM

CA says it is under this path name: win32/frethog!rar

#3 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:25 PM

Posted 06 March 2009 - 11:35 PM

Hi and welcome to BleepingComputer :thumbsup:

The process of cleaning your computer may require temporarily disabliling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#4 rustyrusty

rustyrusty
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 07 March 2009 - 03:42 AM

Thank you for your help. Nothing was found though when I used MBAM, but my CA anti-virus keeps saying there is something there. Here is the log:Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 2

3/7/2009 1:40:55 AM
mbam-log-2009-03-07 (01-40-55).txt

Scan type: Quick Scan
Objects scanned: 82420
Time elapsed: 12 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by rustyrusty, 07 March 2009 - 03:43 AM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:25 PM

Posted 07 March 2009 - 08:54 AM

Win32/Frethog is a family of password-stealing trojans that target confidential data from Massive Multiplayer Online Games such as World of Warcraft and send the information to a remote computer. Password Stealing Trojans are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Remote attackers use Trojans and rootkits as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Please download Flash_Disinfector by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Please download MsnCleaner.zip by ElPiedra and save to you Desktop. (in addition to removing infected files, it will remove certain restrictions on your system often disabled by malware.)
  • Extract (unzip) the file to your desktop. (click here if you're not sure how to do this) but DO NOT use it yet.
  • Reboot your computer in "Safe Mode" using the F8. To do this restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click MsnCleaner.exe to run the tool.
  • Click the "Analyze" button.
  • If an infection is found, click the "Deleted" button.
  • A report with the results will be created automatically after the scan and will be saved to C:\MsnCleaner.txt.
  • Reboot normally and post the contents of MsnCleaner.txt in your next reply.

Edited by quietman7, 07 March 2009 - 08:56 AM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 rustyrusty

rustyrusty
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 07 March 2009 - 03:29 PM

Ok, I just went ahead and restored my computer back to when I got it from the store, because I saw a feature on my computer that allowed me to do that. When it fiished, I installed MBAM again and this is the log file that it gave me when I ran it: (Sorry that I did this instread of what you asked me to do, I'm still gonna do what you asked me to do).

Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 2

3/7/2009 1:26:22 PM
mbam-log-2009-03-07 (13-26-22).txt

Scan type: Quick Scan
Objects scanned: 79459
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-6-9-77-100016558-100003212-100025911-3099.com (Trojan.Agent) -> Quarantined and deleted successfully.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:25 PM

Posted 07 March 2009 - 04:50 PM

Go ahead and follow the instructions for using Flash_Disinfector.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 rustyrusty

rustyrusty
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 07 March 2009 - 04:53 PM

Here is what it gave me. Thank You

- Logfile MSNCleaner 1.7.1 by www.forospyware.com
- Created Logfile: 3/7/2009 on 2:36:01 PM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 1
Deleted file: 1
Undeleted Files: 0

C:\log.txt <--- Deleted

Host file Restored

#9 rustyrusty

rustyrusty
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 07 March 2009 - 07:30 PM

Is there anything else I should do?

Thanks

Rusty

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:25 PM

Posted 07 March 2009 - 11:57 PM

How is your computer running now? Are there ny more reports/signs of infection?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 rustyrusty

rustyrusty
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 08 March 2009 - 06:12 PM

I ran my CA anti-virus once again, and now the two trojans that it keeps picking up at the following:

D:\2fiy.bat - Win32/frethog.dad
D:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99]\rp8\a0004985.bat Win32/Frethgof. DAD

My scanner says it is deleting them, but they keep coming back.

Could you help me out some more. Very much appreciated all the hard work you have given me so far.

Thank You

Rusty

#12 rustyrusty

rustyrusty
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 08 March 2009 - 06:17 PM

I wanted to edit my post up there, but for some reason it would let me click on edit. I wanted to tell you that D:\ is where all my recovery files are, this allows me to restore my computer to when it was bought from the store and the trojans are in there too.

#13 rustyrusty

rustyrusty
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 08 March 2009 - 06:19 PM

Also, Im running my CA anti-spyware and I'm gonna post the results when it is done. But right now I can tell you that it is finding a trojan already, and alot of spyware.

Rusty

#14 rustyrusty

rustyrusty
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 08 March 2009 - 08:03 PM

This is what my CA Anti-virus found, by the way "D:\" is where my system restore files are, so that I can restore my computer to the way it was when I bought it from the store

D:\2fiy.bat - Win32/frethog.dad
D:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99]\rp8\a0004985.bat Win32/Frethgof. DAD
C:\System Volume Information\_restore{106cf321-99a3-4e3a0-9103-1bd027606a99}rp1\a001000.bat is win32/Frethog.DAD worm
C:\System Volume Information\_restore{106cf321-99a3-4e3a0-9103-1bd027606a99}rp1\a001001.cmd is win32/Frethog.DAG worm
C:\System Volume Information\_restore{106cf321-99a3-4e3a0-9103-1bd027606a99}rp1\a001003.inf is INF/Frethog worm
C:\System Volume Information\_restore{106cf321-99a3-4e3a0-9103-1bd027606a99}rp1\a001004.com is win32/Frethog.cnv worm
C:\System Volume Information\_restore{106cf321-99a3-4e3a0-9103-1bd027606a99}rp1\a001005.cmd is win32/Frethog.cxj worm
C:\System Volume Information\_restore{106cf321-99a3-4e3a0-9103-1bd027606a99}rp1\a001007.bat is win32/Frethog.cxj worm

C:\System Volume Information\_restore{106cf321-99a3-4e3a0-9103-1bd027606a99}rp1\a001008.com is win32/Frethog.dab worm
C:\System Volume Information\_restore{106cf321-99a3-4e3a0-9103-1bd027606a99}rp1\a001009.cmd is win32/Frethog.cwe worm
C:\System Volume Information\_restore{106cf321-99a3-4e3a0-9103-1bd027606a99}rp1\a0010022.exe is win32/Pcclient.BH trojan

also my CA spyware scanner found this:

Trojan.win32.FTP Attack - file name: run - in location: hkey_local_machine\software\microsoft\windows\currentversion
Frethog DAI - file name: a001006.exe - in location: c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp1
Frethog DAI - file name: g1vn1.exe - in location: D:

This is everything that keeps popping up. This is frustrating.

Rusty

#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:25 PM

Posted 09 March 2009 - 08:55 AM

IMPORTANT NOTE: One or more of the identified infections (2FIY.BAT) is related to a rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

MBAM has a built-in FileAssassin feature for removing stubborn malware files.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
    • D:\2fiy.bat <- this file
  • When you find the file(s), click "Open".
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • Repeat the above steps to find and remove: D:\g1vn1.exe <- this file
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to move highly persistent files. Using it incorrectly could lead to serious problems with your operating system.


The infected RP***\A00*****.exe/.dll file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a malicious file was found in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users