MBAM can't move Trojan Fake Alert?!



#1 MIKI VELIKI


Posted 21 December 2009 - 06:20 PM

Hi,

this is my first post and I would like to say this is a GREAT site. You have provided me with a lot of information and help.

Now to my problem.

I believe I'm infected and cannot remove Trojan Fake Alert with Malwarebytes?

Cleaning PC I found something here that MBAM will not clean even after reboot?!

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\friendlyname (Trojan.FakeAlert) -> Delete on reboot.


Accordingly, my computer does not show any typical indication (only the MBAM alert); am I infected or not?

Any help will be greatly appreciated.
Miki
TRAIN WITH BRAIN



#2 Orange Blossom


Posted 21 December 2009 - 08:56 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 MIKI VELIKI


Posted 22 December 2009 - 08:31 AM

HI,

1. scan with MBAM completed successfully
2. click "show Results"

3. RESULTS:

Trojan.FakeAlert
Registry Value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\components\0\friendlyname
Value: privacy protection
No action taken


4. Selected
5. Remove Selected
6. MBAM messages:

Certain items could not be removed! The first few are listed below. All items that could not be removed have been added to the delete on reboot list. Please restart your computer now. A logfile was saved to the logs folder

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\components\0\friendlyname

Your computer needs to be restarted to complete the removal process. Would you like to continue? Y/N


7. Yes
8. Manually restarted
9. Rescan again
10. The same problem!?

11. Please help

MBAM Logfile

Malwarebytes' Anti-Malware 1.42
Database version: 3407
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/22/2009 13:57:53
mbam-log-2009-12-22 (13-57-53).txt

Scan type: Quick Scan
Objects scanned: 108908
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\friendlyname (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by MIKI VELIKI, 22 December 2009 - 08:32 AM.


#4 Elise


Posted 25 December 2009 - 03:06 PM

Hi MIKIVELIKI and :thumbsup: to BleepingComputer.

This is most likely a leftover and somehow the key got locked.

Before focussing on that, I would like to know if you have any problems with your computer, except for this returning entry.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#5 MIKI VELIKI


Posted 28 December 2009 - 07:09 AM

Thank you Elise for your response,

My impression is that the computer is working well and its health is fine: speed is correct, background CPU usage is OK and the browsers are untouched… MBAM is running in protection mode (real-time protection and IP protection), and the personal firewall from ESET Smart Security 4 is also working pretty nicely…

:thumbsup:

This is last MBAM scan result:

Posted Image


and quarantine history

Posted Image


Thanks again :flowers:

#6 Elise


Posted 28 December 2009 - 09:36 AM

Hello,

Let's have a look at what's inside that key...

Click Start > Run, type notepad in the run box and press Enter.
Copy/paste the text in the codebox below and save it as export.bat to your desktop.

@echo off
regedit /e "export.txt" "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0"
start export.txt
del %0

Exit Notepad and double-click on export.bat to run it. A text file named export.txt will open.
Please post its contents in your next reply.

regards, Elise




#7 MIKI VELIKI


Posted 30 December 2009 - 05:19 PM

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,90,06,00,00,f1,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:02,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,90,06,00,00,fb,03,\
00,00,02,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,90,06,00,00,fb,03,\
00,00,01,00,00,00

#8 Elise


Posted 31 December 2009 - 04:53 AM

Does Privacy Protection mean anything to you?

If you have such an entry in Add/Remove Programs, please remove it, since it's an unwanted program. I don't think it is still there, but it doesn't hurt to double-check.

The following fix is written for this member only! Do NOT use this on your own!

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Click Start > Run, in the box that opens type notepad and press Enter.
Copy/paste the text in the codebox below in Notepad and save it as fixme.bat to your desktop.

Windows Registry Editor Version 5.00

; @echo off
; REGEDIT.EXE /S "%~f0"
; REGEDIT /E export.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0"
; start export.txt
; EXIT

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName"="My Current Home Page"

Exit Notepad and double-click on fixme.bat to run it.

A text file named export.txt should open. Please post its contents in your next reply.

regards, Elise




#9 MIKI VELIKI


Posted 02 January 2010 - 04:50 AM

Hello again,

The privacy protection is irrelevant for me.
I checked again in Add/Remove Programs and found nothing with the same or a similar name...

The following is txt file export result:


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,90,06,00,00,f1,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:02,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,90,06,00,00,fb,03,\
00,00,02,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,90,06,00,00,fb,03,\
00,00,01,00,00,00

Edited by MIKI VELIKI, 02 January 2010 - 05:13 AM.

TRAIN WITH BRAIN
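
Added example, not part of the original thread or any poster's code: a small Python parser for the regedit export format shown above, used to compare the export taken before fixme.bat with the one taken after it. The sample text is constructed from the posted exports (a subset of the values), and the function names are this example's own.

```python
import re

KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0"
# Sample constructed from the exports posted in this thread (a subset of the
# values); {name} takes the FriendlyName seen before and after fixme.bat.
TEMPLATE = r'''Windows Registry Editor Version 5.00

[{key}]
"Source"=""
"FriendlyName"="{name}"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,90,06,00,00,f1,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:02,00,00,40
'''


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: value}}."""
    # A real "Version 5.00" export file is UTF-16; decode it before calling this.
    # A trailing backslash continues hex data on the next line: join those lines.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue  # header line, blank line, ';' comment or default value
        name, raw = m.groups()
        if raw.startswith('"'):      # REG_SZ, with \\ and \" escapes
            value = re.sub(r"\\(.)", r"\1", raw[1:-1])
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith("hex"):  # hex: or hex(N): binary data
            value = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        else:
            value = raw
        current[name] = value
    return keys


def diff_values(before, after):
    """Return {name: (old, new)} for values that differ under one key."""
    # Registry value names are case-insensitive (MBAM logged "friendlyname",
    # the export shows "FriendlyName"), so names are compared lower-cased.
    b = {k.lower(): v for k, v in before.items()}
    a = {k.lower(): v for k, v in after.items()}
    names = sorted(set(b) | set(a))
    return {n: (b.get(n), a.get(n)) for n in names if b.get(n) != a.get(n)}


BEFORE = parse_reg(TEMPLATE.format(key=KEY, name="Privacy Protection"))[KEY]
AFTER = parse_reg(TEMPLATE.format(key=KEY, name="My Current Home Page"))[KEY]
CHANGED = diff_values(BEFORE, AFTER)

if __name__ == "__main__":
    for name, (old, new) in CHANGED.items():
        print(f"{name}: {old!r} -> {new!r}")
```

On this sample the only difference reported is the FriendlyName string; the binary and dword values are identical in both exports.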

#10 Elise


Posted 02 January 2010 - 05:23 AM

Okay, now re-run MBAM, update it first, run a quick scan and see if the detection is still there.

regards, Elise




#11 MIKI VELIKI


Posted 02 January 2010 - 01:22 PM

Hi,

Wow, no more MBAM alert, now is everything clear!

:thumbsup:


Is my system now completely clear?

:flowers:

This is last MBAM scan:

Malwarebytes' Anti-Malware 1.43
Database version: 3480
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/2/2010 19:11:14
mbam-log-2010-01-02 (19-11-14).txt

Scan type: Quick Scan
Objects scanned: 110210
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



One more thing for the end… your opinion about the program Uniblue PowerSuite. Is this only cosmetics or really a tool for improving everyday computer activity? Is it safe? Will it be useful to me?

http://www.liutilities.com/


Thanks for all and greetings from Novi Sad!

Edited by MIKI VELIKI, 02 January 2010 - 01:23 PM.


#12 Elise


Posted 02 January 2010 - 01:29 PM

Hello,

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.


http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html


In other words, Uniblue is much cosmetic talk and less usefulness....


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image

regards, Elise




#13 MIKI VELIKI


Posted 02 January 2010 - 08:47 PM

Hi,

Thanks for extra information about "reg- cleaning programs" and similar "junk"...


ESET Online Scanner finished and NO threats found!?

#14 Elise


Posted 03 January 2010 - 04:36 AM

That's looking good :trumpet:

I am including some general information you might find of interest.

Please read this advice in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :flowers:.
Some more links you might find of interest:

regards, Elise




#15 MIKI VELIKI


Posted 03 January 2010 - 06:17 AM

:thumbsup:

Thanks for all and some more questions...

1. Now on my computer running following security software:

* ESET Smart Security 4 (Antivirus and Antispyware, Personal firewall, Antispam module)
* MBAM (full version 1.43), which is running as "boss" malware program - protection module enabled...
* Spybot SD Resident (...inside the software "Spybot - Search & Destroy 1.6.2")

...all of this is up to date and I scan my computer from time to time

Question is...

1.1 Who is the resident program, "MBAM" or "Spybot SD Resident"?
1.2 Do they work in collision?
1.3 Can I leave both, or is that not necessary?

2. In case I want to add one or two more Anti-Spyware programs such as "SUPERAntiSpyware" and "SpywareBlaster"

2.1 How can I arrange MBAM, SAS, Spybot SD Resident and SpywareBlaster to work together, and who will be the "landlord" in this case?
2.2 Is this necessary?

3. WHAT IS BEST SOLUTION FOR ME IN MY CASE?


Conclusion: "Who will be stay and who must go"?

Edited by MIKI VELIKI, 03 January 2010 - 08:13 AM.
