Jump to content

Problem with Trojan Fraudpack malware


Recommended Posts

I've encountered an issue I hope you can help with.

Background

During research for my agriculture news service, I visit hundreds of web pages daily. This Friday past, when loading one of the Asian news sites on my regular daily review list, my firewall (ZoneAlarm} issued a couple of quick warnings concerning suspicious behaviour.. I declined access in both instances, but something else must have gotten through as, about a minute later, my computer suddenly re-booted as I was typing an e-mail.

Observations

i) After the re-boot, the computer was performing noticeably slower, and on occasion would freeze (windows, taskbars, etc could not be accessed, but mouse cursor could be moved around freely.)

ii) I started to get an MS Outlook alert window that "Either there is no default e-mail client or the e-mail client cannot fulfill the messaging request, please install Outlook...." [Note: MS Outlook has never been installed on this computer. I use another e-mail client]. This MS Outlook alert window appears right after a re-boot and every time I submit a web based form using either IE or Firefox (such as entering an ID and password, registering for this site, etc... the Post action appears to trigger a request to access Outlook.. someone trying to get my access info delivered to their in-box?)

iii) Since Friday, I have had 3 BSOD events... the first identified the problem as IRQL-not-equal-or-less-than [or something to that effect] while the other two gave Stop 0x0000008e 0xC0000005 0x805B1547 0x9354DC30 0x00000000 as the error code. To eliminate the possibility of ram issues, I ran memtest for four hours: no errors were found.

With frustrating frequency, the computer continues to freeze, with no consistent obvious cause.

iv) I noticed Sunday that my fax modem would no longer initialize (agere USB fax modem). I also discovered that a link's in control panel was corrupted (generic icon present but no description or path associated with it) and that in hardware devices there were no com ports to be found (one of which was previously associated with the fax modem)

Actions taken to date;

Confirmed Zone Alarm and Windows XP are up-to-date with latest resource files and security patches.

Performed a deep scan using Zone Alarm: no infections found.

Performed a 4 hour test of the RAM using memtest: no errors found.

Downloaded and ran Malwarebytes' Anti-Malware quick scan: no errors found

Rebooted windows into safe mode and did a full scan using Malwarebytes' Anti-Malware: trojan fraudpack found in registry. I had the program fix the problem.

Rebooted windows in Normal mode: warning concerning the default e-mail client appeared again. Computer seemed to be faster than earleir. After about an hour, however, the computer froze again as before [often, but not always, when 3 or more IE and or Firefox tabs are loading pages (a Java issue??), but freezes have also occurred when using file manager, sending an e-mail, and even once while writing this message in notepad whih no other applications running.]

Re-installed modem driver: modem will still not initialize

Deleted java and re-installed the latest version available at Sun Microsytems website: no change in computer's behaviour (still get default email notice, periodic freeze-ups and unable to initialize modem.

Ran Malwarebytes' Anti-Malware quick scan: no errors found

Any help or direction would be appreciated.

Here is the HikjackThis report created this morning (I am about to perform another full scan using Malwarebytes' Anti-Malware while in safe mode. It takes about 2.5 hours to complete.)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:09:33 AM, on 3/30/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\FaxTalk Communicator\FTCtrl32.exe

C:\Program Files\Logitech\G-series Software\LGDCore.exe

C:\Program Files\Logitech\G-series Software\LCDMon.exe

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\vVX3000.exe

C:\Program Files\Motorola\Software Update\mumservice.exe

C:\Program Files\FaxTalk Communicator\FAPIEXE.EXE

C:\Program Files\Nuance\PDF Create! 5\pdfcreate5hook.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Quicken\bagent.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\notepad.exe

C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canadagrain.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll

O3 - Toolbar: Nuance PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Nuance\PDF Create! 5\bin\ZeonIEFavClient.dll

O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.16\AsRunHelp.exe

O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\AI Booster\OverClk.exe"

O4 - HKLM\..\Run: [CallControl 4.7] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [bCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe

O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [mumservice] C:\Program Files\Motorola\Software Update\mumservice.exe

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [PDFHook] C:\Program Files\Nuance\PDF Create! 5\pdfcreate5hook.exe

O4 - HKLM\..\Run: [PDF5 Registry Controller] C:\Program Files\Nuance\PDF Create! 5\RegistryController.exe

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [Nuance PDF Create! 5-reminder] "C:\Program Files\Nuance\PDF Create! 5\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\PDF Create! 5\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NCProTray.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1240200632109

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15107/CTPID.cab

O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe

O23 - Service: Google Update Service (gupdate1c9cfeded8a9190) (gupdate1c9cfeded8a9190) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 11611 bytes

PS: The web site I suspect was the source of this problem has been narrowed down to one of 6 to 8 (they were the pages loading into IE tabs at the time of the ZoneAlarm alert. They are all agriculture information and/or government news sites based in asia I have visted on a daily basis for the past copiule of years without issue. I can forward these links if you would like to test them on a protected machine (I have not tried accessing any of them again since Friday.)

Link to post
Share on other sites

It appears my first posting a few days ago may have been overlooked. Given the number of requests for help that I see this site getting and the fact I am fortunate to have a current back-up of all my files on a separate hard drive, I decided this past weekend to bite-the-bullet and re-install windows rather than direct further effort towards removing the malware.

In closing, some observations about the malware infecting my system:

1) The malware appears to have affected one or more of the network resource files; as mentioned in my earlier post, since becoming infected on the 26th of March, I have been getting a MS Outlook application pop-up stating

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.