Help with recurring Frethog worm

JD

Every time I boot my computer, within seconds I get a pop up from CA
Anti-virus informing me that "2 threats have been identified and removed."
The real time scanner log shows the same thing every time. The F drive is
associated with my Maxtor external drive, which I connect once a week to do
backups.
I wonder why this is happening--and whether there is anything that I could
or should do to prevent it.
Here is the log from the real time scanner:

5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
Deleted
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:26 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.
5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.

Thanks for any advice.
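An added example, not part of JD's post or of CA Anti-virus: a PowerShell script that parses real-time scanner log lines of the format shown above, counts detections per drive letter and path, and reports whether each logged drive letter is mounted at the moment the script runs. The sample log is constructed from the lines posted (the wrapped "Deleted" rejoined to its line) and the helper name ConvertFrom-CaScanLog is hypothetical.

```powershell
# Added example (not from the thread): triage CA real-time scanner log lines and
# reconcile the drive letters they name with the volumes mounted right now.
# Constructed sample, built from the lines JD posted.
$sampleLog = @'
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm. Deleted
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:26 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.
5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.
'@

# One line: "<date> <time> <AM|PM> File infection: <path> is <threat>.[ <action>]"
$linePattern = '^(?<date>\S+)\s+(?<time>\S+)\s+(?<ampm>AM|PM)\s+File infection:\s+(?<path>.+?)\s+is\s+(?<threat>.+?)\.(?:\s+(?<action>\w+))?\s*$'

function ConvertFrom-CaScanLog {
    # Hypothetical helper: one object per detection line, non-matching lines skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $linePattern)
        if (-not $m.Success) { continue }
        $action = '(none logged)'
        if ($m.Groups['action'].Success) { $action = $m.Groups['action'].Value }
        New-Object PSObject -Property @{
            Timestamp = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
            Drive     = $m.Groups['path'].Value.Substring(0, 2).ToUpper()
            Path      = $m.Groups['path'].Value
            Threat    = $m.Groups['threat'].Value
            Action    = $action
        }
    }
}

$events = @(ConvertFrom-CaScanLog -Lines ($sampleLog -split "`r?`n"))

# Volumes present right now. DriveType: 2 = removable, 3 = fixed, 4 = network, 5 = CD/DVD.
$mounted = @{}
Get-WmiObject Win32_LogicalDisk | ForEach-Object { $mounted[$_.DeviceID.ToUpper()] = $_.DriveType }

# Group-Object compares case-insensitively, so Autorun.inf and AutoRun.inf land in one group.
$summary = $events | Group-Object -Property Drive, Path | ForEach-Object {
    $first = $_.Group[0]
    $driveType = $null
    if ($mounted.ContainsKey($first.Drive)) { $driveType = $mounted[$first.Drive] }
    New-Object PSObject -Property @{
        Drive      = $first.Drive
        Path       = $first.Path
        Threat     = $first.Threat
        Detections = $_.Count
        FirstSeen  = $first.Timestamp
        LastSeen   = $_.Group[$_.Group.Count - 1].Timestamp
        MountedNow = $mounted.ContainsKey($first.Drive)
        DriveType  = $driveType
    }
}

$summary | Format-Table Drive, Path, Threat, Detections, FirstSeen, LastSeen, MountedNow, DriveType -AutoSize
```

Run it in the seconds after boot, when the popup appears, rather than later: a letter that reports MountedNow as False was held by something attached when the scanner fired, and the DriveType column tells you whether that something was removable media, a fixed disk or a network share.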
 
JD said:
Every time I boot my computer, within seconds I get a pop up from CA
Anti-virus informing me that "2 threats have been identified and removed."
The real time scanner log shows the same thing every time. The F drive is
associated with my Maxtor external drive, which I connect once a week to do
backups.
I wonder why this is happening--and whether there is anything that I could
or should do to prevent it.
Here is the log from the real time scanner:

5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
Deleted
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:26 PM File infection: F:\Autorun.inf is INF/Frethog worm.
5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.
5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.

Thanks for any advice.

If you keep CA from deleting the file, upload to:

<https://www.virustotal.com/>

Post the URL for the analysis in a reply. If it's not a false
positive, CA is doing its job and the problem needs to be pursued
further.

Pete
 
From: "JD" <[email protected]>

| Every time I boot my computer, within seconds I get a pop up from CA
| Anti-virus informing me that "2 threats have been identified and removed."
| The real time scanner log shows the same thing every time. The F drive is
| associated with my Maxtor external drive, which I connect once a week to do
| backups.
| I wonder why this is happening--and whether there is anything that I could
| or should do to prevent it.
| Here is the log from the real time scanner:

| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| Deleted
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:26 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.
| 5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.

| Thanks for any advice.


You have to remove the EXE or DLL that is creating the .INF file !

So your PC is infected and the backup drive is infected and probably any/all USB mass
storage devices are also infected.

Start with the Sophos module of the below Multi AV Scanning Tool and clean the computer
and *ALL* USB connected mass storage devices.


Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.



* * * Please report back your results * * *
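An added example, not part of David's post or of the Multi-AV tool: a read-only PowerShell audit of AutoRun exposure on the host. It reports the NoDriveTypeAutoRun policy value (0xFF turns AutoRun off for every drive type) and lists every Autorun.inf present on a mounted removable, fixed or network volume, hidden and system files included, together with the launch directives in its [autorun] section and its SHA-256 for the VirusTotal lookup Pete suggested. Function names are hypothetical; nothing is deleted or executed.

```powershell
# Added example: audit AutoRun policy and Autorun.inf presence across all mounted volumes.
# Read-only; hypothetical function names.

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun;
    # 0xFF disables it for every type, lower values leave some types enabled.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $display = '(not set)'
        $allDisabled = $false
        if ($item -ne $null) {
            $value = [int]$item.NoDriveTypeAutoRun
            $display = '0x{0:X2}' -f $value
            $allDisabled = ($value -eq 0xFF)
        }
        New-Object PSObject -Property @{
            Hive               = $hive
            NoDriveTypeAutoRun = $display
            AllTypesDisabled   = $allDisabled
        }
    }
}

function Get-AutorunInfFiles {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # DriveType 2 = removable, 3 = fixed, 4 = network. Optical media (5) is skipped.
    Get-WmiObject Win32_LogicalDisk | Where-Object { @(2, 3, 4) -contains $_.DriveType } | ForEach-Object {
        $disk = $_
        $candidate = "$($disk.DeviceID)\Autorun.inf"
        # -Force is required: worms normally set the hidden and system attributes.
        $file = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
        if ($file -eq $null) { return }
        $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
        $hash = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        # Directives that make Explorer run something on insert or double-click.
        $launch = Get-Content -LiteralPath $file.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
        New-Object PSObject -Property @{
            Drive      = $disk.DeviceID
            DriveType  = $disk.DriveType
            Attributes = $file.Attributes.ToString()
            SizeBytes  = $file.Length
            Sha256     = $hash
            Launches   = (@($launch) -join '; ')
        }
    }
}

Get-AutorunPolicy | Format-Table Hive, NoDriveTypeAutoRun, AllTypesDisabled -AutoSize
Get-AutorunInfFiles | Format-List Drive, DriveType, Attributes, SizeBytes, Sha256, Launches
```

Run it with the external drive attached and before the real-time scanner has had a chance to delete the file; if it reports a hit, the Launches column shows which executable on that volume the .INF points at, which is the EXE or DLL David says has to be removed, and the hash is what you would look up or submit on VirusTotal.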
 
Many thanks to both responders. I am overwhelmed by the seriousness of the
issue--and the proposed solution.
I wonder why neither CA Anti-virus nor Windows Defender are able to identify
or remove the worm. Both are run several times a week and always come up
clean.
Do you suppose that if I had the external hard drive connected while running
the AV and/or WinDefend, they would find and eliminate the infection?
David H. Lipman said:
From: "JD" <[email protected]>

| Every time I boot my computer, within seconds I get a pop up from CA
| Anti-virus informing me that "2 threats have been identified and removed."
| The real time scanner log shows the same thing every time. The F drive is
| associated with my Maxtor external drive, which I connect once a week to do
| backups.
| I wonder why this is happening--and whether there is anything that I could
| or should do to prevent it.
| Here is the log from the real time scanner:

| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| Deleted
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:26 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.
| 5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.

| Thanks for any advice.


You have to remove the EXE or DLL that is creating the .INF file !

So your PC is infected and the backup drive is infected and probably any/all USB mass
storage devices are also infected.

Start with the Sophos module of the below Multi AV Scanning Tool and clean the computer
and *ALL* USB connected mass storage devices.


Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.



* * * Please report back your results * * *
 
I've discovered that my Maxtor external hard drive runs on drive E, NOT F.
The CD drive is D. I do not have an F drive.
Windows search confirms that there is no F drive on this computer. This is
very much a mystery.
BTW, I ran WinDefend and CA Anti-virus on the E drive and they both came up
clean.

JD said:
Many thanks to both responders. I am overwhelmed by the seriousness of the
issue--and the proposed solution.
I wonder why neither CA Anti-virus nor Windows Defender are able to
identify or remove the worm. Both are run several times a week and always
come up clean.
Do you suppose that if I had the external hard drive connected while
running the AV and/or WinDefend, they would find and eliminate the
infection?
David H. Lipman said:
From: "JD" <[email protected]>

| Every time I boot my computer, within seconds I get a pop up from CA
| Anti-virus informing me that "2 threats have been identified and removed."
| The real time scanner log shows the same thing every time. The F drive is
| associated with my Maxtor external drive, which I connect once a week to do
| backups.
| I wonder why this is happening--and whether there is anything that I could
| or should do to prevent it.
| Here is the log from the real time scanner:

| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| Deleted
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:25 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:26 PM File infection: F:\Autorun.inf is INF/Frethog worm.
| 5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.
| 5/2/2009 22:24:26 PM File infection: F:\AutoRun.inf is INF/Frethog worm.

| Thanks for any advice.


You have to remove the EXE or DLL that is creating the .INF file !

So your PC is infected and the backup drive is infected and probably any/all USB mass
storage devices are also infected.

Start with the Sophos module of the below Multi AV Scanning Tool and clean the computer
and *ALL* USB connected mass storage devices.


Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.



* * * Please report back your results * * *
 
From: "JD" <[email protected]>

| Many thanks to both responders. I am overwhelmed by the seriousness of the
| issue--and the proposed solution.
| I wonder why neither CA Anti-virus nor Windows Defender are able to identify
| or remove the worm. Both are run several times a week and always come up
| clean.
| Do you suppose that if I had the external hard drive connected while running

Windows Defender targets adware/spyware NOT viruses and worms.

You NEED to scan the drives.
 
I have run the A-V scans on C, D, and E. They always report no viruses
found.
The interesting thing is that CA A-V reports identifying and deleting
Autorun.INF shortly after booting the computer. A thorough search of the
computer finds no instance of Autorun.INF, presumably because it has been
"deleted."
More interesting is that the file is reported as being deleted from Drive
F--and I have no Drive F. So how can I identify what is loading this worm
upon booting the computer?
 
From: "JD" <[email protected]>

| I have run the A-V scans on C, D, and E. They always report no viruses
| found.
| The interesting thing is that CA A-V reports identifying and deleting
| Autorun.INF shortly after booting the computer. A thorough search of the
| computer finds no instance of Autorun.INF, presumably because it has been
| "deleted."
| More interesting is that the file is reported as being deleted from Drive
| F--and I have no Drive F. So how can I identify what is loading this worm
| upon booting the computer?

Did you use the Multi-AV Scanning Tool as I suggested ?
 