Malwarebytes Scan Detected Registry "Trojan.FakeAlert"


16 replies to this topic

#1 Justa

Posted 28 October 2008 - 02:12 PM

Hello,
My PC has been running normally without any symptoms of infection. I am running XP Home SP3 on an HP 753n Pavilion with an Intel 2.53 GHz processor. As normal preventative measures I ran a full Avira Personal antivirus scan this morning with no detections then I ran Malwarebytes after first updating it and it has found two registry entries for "Trojan.FakeAlert". I allowed Malwarebytes to remove these registration entries. I believe it is unlikely that my machine is clear of infections at this point. As a minimum I am sure that I need to clear system restore settings created both by Windows and ERDNT. I installed ERDNT just a few days ago but am not confident enough in my abilities to recover my system from ERDNT yet to shut off Windows restore.

Please advise on the next recommended course of action. My Malwarebytes log is copied below.

Thanks!


Malwarebytes' Anti-Malware 1.30
Database version: 1333
Windows 5.1.2600 Service Pack 3

10/28/2008 13:28:33
mbam-log-2008-10-28 (13-28-33).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 171631
Time elapsed: 1 hour(s), 21 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{380f14d3-bd6f-4f5a-984a-70cc23eea61d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f4de1459-9941-48db-aeff-88a903379276} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
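Added note and example (not part of any post in this thread): the two keys Malwarebytes removed sit under HKCU\...\Ext\Stats, which is where Internet Explorer 7 keeps per-add-on usage statistics keyed by the add-on's CLSID. Deleting a Stats subkey removes that record, not the component it points to. The check a responder wants is therefore whether each CLSID is still registered under HKCR\CLSID, whether its InprocServer32 DLL still exists on disk, and whether it is also listed as a Browser Helper Object. The PowerShell below does that; it is example code written for this page, assumes Windows PowerShell 2.0 or later run as the user whose hive produced the hits, and uses the two CLSIDs from the log above as its sample input (function and variable names are the example's own).

```powershell
# Added example, not part of the thread. Assumes Windows PowerShell 2.0 or later,
# run as the user whose HKCU hive produced the Malwarebytes hits (32-bit Windows;
# on 64-bit hosts 32-bit add-ons also register under Wow6432Node).
$statsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
$bhoKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Resolve-IeAddonClsid {
    param([Parameter(Mandatory=$true)][string]$Clsid)

    $clsidPath  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $registered = Test-Path $clsidPath
    $name = $null; $server = $null; $fileExists = $false

    if ($registered) {
        # Friendly name is the key's default value; the DLL path is InprocServer32's default value.
        $name   = (Get-ItemProperty -Path $clsidPath -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path "$clsidPath\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($server) {
            # Strip surrounding quotes and expand %SystemRoot%-style variables before checking the file.
            $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            $fileExists = Test-Path -LiteralPath $path
        }
    }

    New-Object PSObject -Property @{
        Clsid        = $Clsid
        Registered   = $registered                   # COM class still registered?
        IsBho        = (Test-Path "$bhoKey\$Clsid")  # still loaded into IE as a BHO?
        StatsKeyLeft = (Test-Path "$statsKey\$Clsid") # usage-stats key still present?
        Name         = $name
        Server       = $server
        FileExists   = $fileExists
    }
}

# Every add-on IE has recorded usage statistics for in this profile...
$fromStats = Get-ChildItem -Path $statsKey -ErrorAction SilentlyContinue |
    ForEach-Object { Resolve-IeAddonClsid -Clsid $_.PSChildName }

# ...plus CLSIDs taken straight from a scanner log, which still resolve after the Stats key is gone.
$fromLog = @('{380f14d3-bd6f-4f5a-984a-70cc23eea61d}', '{f4de1459-9941-48db-aeff-88a903379276}') |
    ForEach-Object { Resolve-IeAddonClsid -Clsid $_ }

@($fromStats) + @($fromLog) | Sort-Object Clsid -Unique |
    Format-Table Clsid, Registered, IsBho, StatsKeyLeft, FileExists, Name, Server -AutoSize
```

Reading the table: a row with Registered and FileExists both false means the add-on was already gone and the Stats key was a leftover, which is consistent with a scanner that only found two keys and no files. A row with Registered or IsBho true and an existing DLL means the component is still installed and loading into IE, and that DLL, not the Stats key, is what needs to be examined and removed.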

#2 xblindx

Posted 28 October 2008 - 02:25 PM

Hi Justa, Trojan.FakeAlert is used to display false security information whenever rogue security software is installed. I'm not an expert in this field yet but I can give you some general ideas of what to do. You might want to check this link to read up about the infection you have had and deleted.

Trojan.FakeAlert will hijack the desktop background with an image alerting the user that their computer system has been infected with spyware. It also changes some Windows settings, which include disabling permission for the user to change the background image and setting the active desktop to 'show web content'. It is usually installed in conjunction with a rogue anti-spyware application.


I'm not quite sure as to if the MBAM scan removed EVERYTHING. I would advise you to run a Kaspersky online scan.

Visit the link. *NOTE*: you must be using Internet Explorer to scan. If there are any prompts to download and install ActiveX controls, accept and download them. I would think that the default options should be kept but as I said I am not an expert. Let the scan run (it will take quite a while) and then post the log as a reply to this topic.

EDIT- New Kaspersky instructions :

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

* Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
* Open the Kaspersky Scanner page.
* Click on Accept and install any components it needs.
* The program will install and then begin downloading the latest definition files.
* After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
* This will start the program and scan your system.
* The scan will take a while, so be patient and let it run.
* Once the scan is complete, click on View scan report
* Now, click on the Save Report as button.
* Save the file to your desktop.
* Copy and paste that information in your next post.


This scanner will only scan. It does not remove any malware it finds.

Edited by xblindx, 28 October 2008 - 02:37 PM.


#3 Justa

Posted 28 October 2008 - 02:43 PM

Thanks xblindx!

I appreciate the help very much. Malwarebytes appeared to have just removed the two registration entries and you have confirmed my fears that there is more involved than just those two registration entries. I will run the Kaspersky and post the results.

#4 xblindx

Posted 28 October 2008 - 02:59 PM

I will be waiting for your reply.

#5 Justa

Posted 28 October 2008 - 06:14 PM

Looks like the Kaspersky picked up 4 copies of "Trojan-Spy.HTML.Paylap.ev" contained in old archived Outlook backup files of the (.pst) database files. I wonder if these are simply links to a Trojan injector site contained in individual e-mails of the archived e-mail database files. I have newer backups of the (.pst) database files including the current active (.pst) file which was not detected as being infected by the scan. Outlook was closed during the scan so the current (.pst) should have been accessible during the scan. The infected (.pst) backups were all from the August timeframe and I do remember deleting a lot of old e-mails after I had made these numerous backups. I can easily delete these old archive (.pst) database files, but... I am thinking that it might be a good idea to run SUPERAntiSpyware next from safe mode and see what it comes up with. This program saved my butt once before about 8 months ago when I made the mistake of clicking on the x in the upper right hand corner of a pop up created by one of the XP Antivirus variants thinking it would just close it out.
What do you think I should do next?
Thanks

Kaspersky Scan Results Log:


KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 28, 2008 18:18:16
Records in database: 1354557
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 76192
Threat name: 1
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:17:07


File name / Threat name / Threats count
C:\WINDOWS\Copy of outlook_ Backup 08-22-08.pst Infected: Trojan-Spy.HTML.Paylap.ev 1
C:\WINDOWS\outlook backup 08-25-08.pst Infected: Trojan-Spy.HTML.Paylap.ev 1
C:\WINDOWS\outlook backup 08-27-08.pst Infected: Trojan-Spy.HTML.Paylap.ev 1
C:\WINDOWS\outlook backup 08-28-08.pst Infected: Trojan-Spy.HTML.Paylap.ev 1

The selected area was scanned.


#6 xblindx

Posted 28 October 2008 - 06:22 PM

(Note: I am not an expert in this field yet, and if you are uncomfortable following any of my instructions before getting a more experienced user's second opinion, that is fine)

If you would like to read up on your infection, you can do so here.

As for what I would do next, it seems that the trojan you have attempts to steal banking/financial information. It would be wise to check your bank and credit card statements for any unknown purchases. It would probably also be wise to contact your credit card provider and bank. Change all online passwords from a known clean computer.

As for removing the threat, SAS is an amazing program. If that is the program you wish to run then:

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Now that you know where the infected files are, would it be possible to safely manually delete them? As stated before, I am not an expert in this field but am providing what knowledge I have. As for now however, run the SAS scan and post the log.

Edited by xblindx, 28 October 2008 - 06:23 PM.


#7 Justa

Posted 28 October 2008 - 06:42 PM

Thanks once again xblindx my friend for the fast response. I am going to go ahead with the SUPERAntiSpyware scan. I already have this program installed and have been running it about once a week as a preventative measure and it has shown my system to be clean since the August timeframe, but I have yet to run it in safe mode. I will do so immediately. Hey, you may not be an expert yet but I am only expert enough to know to come here for help! I will post my results. I am sure that the elite class of experts will post here if need be. I will post the results of the scan when completed.

#8 xblindx

Posted 28 October 2008 - 06:44 PM

I will again be waiting. If another member doesn't come and check this thread and there needs to be someone with more experience to check it, you are welcome to give them a PM; I will most likely PM a member if I get stuck in trying to repair your problem =). So far, however, it seems to be pretty straightforward.

And regarding the expert thing, I only came here about a month ago when I had a nasty infection; it's amazing how much you can learn just by reading through people's problems. :thumbsup:

Edited by xblindx, 28 October 2008 - 06:48 PM.


#9 Justa

Posted 28 October 2008 - 09:59 PM

Hello,
I completed the SUPERAntiSpyware scan in safe mode and it has come up with no detections. I am puzzled as I think it is unlikely that the two "Trojan.FakeAlert" registry entries flagged by Malwarebytes would be the only changes to my system from an attack. I think the Kaspersky online detection of "Trojan-Spy.HTML.Paylap.ev" on the old backup archive Outlook (.pst) files has probably been there since the backups were created in August. This was the first time I ran a Kaspersky online scan; perhaps Kaspersky is the only scan that identifies this infection. I rescanned the suspect files with both Avira and Avast and they both say they are clean. Why a recent infection would infect old archive (.pst) files and not the more recent archives or current active (.pst) file does not seem logical. I am going to create a new system backup by ERDNT, a new restore point in Windows and delete the old system backups of both as they almost certainly contain the registry infection identified by Malwarebytes.

I am at a loss as to what else I can do to verify that my system is now clean of infection. Do you have any ideas? Perhaps I will PM a Moderator or one of the members that seems to have a lot of experience with this type of problem..

Thanks

#10 xblindx

Posted 29 October 2008 - 06:52 AM

I would PM a moderator or someone with more experience than me. It seems that it may be a deeper infection. Again, I'm not quite sure what we could do next.

#11 quietman7 (Global Moderator)

Posted 29 October 2008 - 08:19 AM

Troj/BkFraud-A attempts to deceive users into revealing personal banking information.


It would be wise to check your bank and credit card statements for any unknown purchases. It would probably also be wise to contact your credit card provider and bank. Change all online passwords from a known clean computer.

I agree. Better to err on the side of caution even if the infected files appear to be old.

I am puzzled as I think it is unlikely that the two "Trojan.FakeAlert" registry entries flagged by Malwarebyte would be the only changes to my system from an attack. I think the Kaspersky online detection of “Trojan-Spy.HTML.Paylap.ev” on the old backup archive Outlook (.pst) files have probably been there since the backups were created in August.

That sounds plausible. It is not unusual for updated anti-virus definitions to find items that were missed by a previous scan which used older definitions.

With MBAM only finding two infected registry keys, SAS not finding anything and Kaspersky only finding these old Outlook .pst files you are probably ok now. If you were infected with something more serious, there would most likely be other signs or symptoms.

If that's the case, now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
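Added example (not part of quietman7's post or any other post in this thread): the same create-then-purge sequence done from Windows PowerShell instead of the System Restore and Disk Cleanup dialogs, so it can be scripted and its result recorded. It assumes Windows PowerShell 2.0 or later in an elevated session on a client OS whose srclient.dll still exports SRRemoveRestorePoint (Windows XP through Windows 7; the P/Invoke declaration and the function name are assumptions made for this example, not something the thread states). ERDNT backups are ordinary files on disk and are outside this script; delete the old ones by hand as the poster describes.

```powershell
# Added example, not part of the thread. Assumes Windows PowerShell 2.0 or later,
# an elevated session, and a client OS whose srclient.dll exports SRRemoveRestorePoint
# (Windows XP through Windows 7; the export is absent from Windows 8 and later).
$srClient = Add-Type -Namespace Win32 -Name SrClient -PassThru -MemberDefinition @'
[DllImport("srclient.dll", SetLastError = true)]
public static extern uint SRRemoveRestorePoint(uint dwRPNum);
'@

function Reset-RestorePoints {
    param([string]$Description = "Post-malware-cleanup baseline")

    # 1. Create the new, known-clean restore point FIRST, so there is never a moment
    #    with no restore point at all.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    # 2. The point just created has the highest SequenceNumber.
    $points = Get-ComputerRestorePoint | Sort-Object SequenceNumber
    $keep   = $points | Select-Object -Last 1

    # 3. Remove every older point. SRRemoveRestorePoint returns 0 (ERROR_SUCCESS) on success.
    foreach ($rp in $points) {
        if ($rp.SequenceNumber -eq $keep.SequenceNumber) { continue }
        $rc = $srClient::SRRemoveRestorePoint([uint32]$rp.SequenceNumber)
        if ($rc -ne 0) {
            Write-Warning ("Could not remove restore point {0} '{1}' (error {2})" -f `
                $rp.SequenceNumber, $rp.Description, $rc)
        }
    }

    # Return what survived so the sequence number and date can be written down,
    # as the post recommends, for use if a roll-back is ever needed.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

Reset-RestorePoints
```

Two caveats a practitioner should know: on Windows 8 and later Checkpoint-Computer refuses to create more than one restore point per 24 hours unless a registry override is set, and on those versions the srclient.dll export used here no longer exists, so the Disk Cleanup route in the post (or vssadmin) is the way to purge old points there. Either way, verify the result with Get-ComputerRestorePoint before trusting the baseline.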

#12 Justa

Posted 29 October 2008 - 08:59 AM

xblindx and quietman7,

Thank you so much for taking the time to review my thread and help. I am very appreciative. I have already created a new restore point and removed the old ones. Ironically I got infected after having a greatly heightened awareness from reading the posts here. I have been running a much better firewall, AV scanner, run 2 malware programs on a regular basis, and have been much more careful surfing the net and I still got infected!

I do have an external hard drive that has not been on the last couple of days that has been used for backup purposes only. I did mirror my internal drive just a few days ago. I may wait a day or two to see if I have any other issues show up, then reformat the external, create a new mirror image and begin making data backups.

Thanks again!!

#13 quietman7 (Global Moderator)

Posted 29 October 2008 - 09:16 AM

You're welcome on behalf of the Bleeping Computer community.

Tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".
• "Use Task Manager to close pop-up messages to safely exit malware attacks"

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

#14 xblindx

Posted 29 October 2008 - 02:34 PM

You are very welcome Justa! If you ever would like more help, you can always post here. We are happy to help =) Stay safe.

Quietman: I'm glad I could help him almost entirely on my own. Now I know that I am at least doing something correct =) It is such a learning experience here at BC.

Justa: Again, you are very welcome for my/Quietman's help

#15 quietman7 (Global Moderator)

Posted 29 October 2008 - 02:41 PM

And thank you xblindx for sharing some of what you have learned with others. That's what the BC community is all about. :thumbsup: