
SuperAntiSpyware detected Trojan.Agent/Gen-Fakealert[Local]



#1 Lishy

Posted 09 March 2012 - 03:12 AM

Title: SuperAntiSpyware detected Trojan.Agent/Gen-Fakealert[Local]

Hey guys. I downloaded a friend's rar recently. I did my daily scan with Avast's Boot-Scan (With PUP-scanning enabled), and MBAM on Full Scan. However, when I tried out SuperAntiSpyware, it picked up Trojan.Agent/Gen-Fakealert[Local] on the exe, located inside C:\Users\Lishy\AppData\Local\Temp\Rar$DRa0.677\????? ~ Kioh Gyoku

So MBAM picked up nothing, and neither did Avast's Boot-Scan, but SuperAntiSpyware picked it up (along with a bunch of adware.tracking cookies).

I did some googling, and I don't see any fake antivirus things yet.. So either I have a false sense of security, or it's a small-fry.

I used Super-AntiSpyware to remove it, and SAS asked for a reboot. However, it appears again if I rescan the directory!

I manually deleted the directory of the trojan, and it does not pick it up again, however, I am worried I am still not clean. So then I scanned with GMER.

After running GMER, since all my other programs were disconnected anyways, I decided to perform another complete scan with SAS and it detected nothing. So...WTF is going on? Am I still infected or not? Was the trick simply to delete the file?

And why is it that the "temp" directory containing the game's contents was infected, but not the actual game directory itself? I can run the game, re-scan with everything, and not be infected. So... WTF is going on!?


Here are my Super-AntiSpyware logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/09/2012 at 01:06 AM

Application Version : 5.0.1144

Core Rules Database Version : 8295
Trace Rules Database Version: 6107

Scan type       : Complete Scan
Total Scan Time : 01:40:44

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 600
Memory threats detected   : 0
Registry items scanned    : 68553
Registry threats detected : 0
File items scanned        : 295640
File threats detected     : 21

Adware.Tracking Cookie
	C:\Users\Lishy\AppData\Roaming\Microsoft\Windows\Cookies\lishy@invitemedia[2].txt [ /invitemedia ]
	C:\USERS\LISHY\AppData\Roaming\Microsoft\Windows\Cookies\Low\lishy@serving-sys[1].txt [ Cookie:lishy@serving-sys.com/ ]
	C:\USERS\LISHY\AppData\Roaming\Microsoft\Windows\Cookies\Low\lishy@bs.serving-sys[1].txt [ Cookie:lishy@bs.serving-sys.com/ ]
	.gametracker.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	.mediafire.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	www.mediafire.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	.2o7.net [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	media.mercola.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	media.mercola.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	.dmtracker.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	.tripod.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	accounts.youtube.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	accounts.youtube.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	.2o7.net [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	.2o7.net [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	accounts.google.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	accounts.google.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	.mediafire.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	.getclicky.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]
	.static.getclicky.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CPYNNY3O.DEFAULT\COOKIES.SQLITE ]

Trojan.Agent/Gen-FakeAlert[Local]
	C:\USERS\LISHY\APPDATA\LOCAL\TEMP\RAR$DRA0.677\????? ~ KIOH GYOKU\???.EXE

This is my SAS scan of the file isolated, specifically

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/09/2012 at 01:12 AM

Application Version : 5.0.1144

Core Rules Database Version : 8295
Trace Rules Database Version: 6107

Scan type       : Complete Scan
Total Scan Time : 00:00:18

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 0
Memory threats detected   : 0
Registry items scanned    : 0
Registry threats detected : 0
File items scanned        : 283
File threats detected     : 1

Trojan.Agent/Gen-FakeAlert[Local]
	C:\USERS\LISHY\APPDATA\LOCAL\TEMP\RAR$DRA0.677\????? ~ KIOH GYOKU\???.EXE


And this is GMER after I deleted it (Err, something I must note is even though I disabled all other Avast services, I accidentally left behavior shield on. I hope that didn't impact anything too much...):

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-09 01:41:40
Windows 6.1.7601 Service Pack 1 
Running: h0fitxtn.exe


---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e                      
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485d6021838a                      
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)  
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485d6021838a (not active ControlSet)  

---- EOF - GMER 1.0.15 ----

And this is SAS scan #2:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/09/2012 at 03:04 AM

Application Version : 5.0.1144

Core Rules Database Version : 8295
Trace Rules Database Version: 6107

Scan type       : Complete Scan
Total Scan Time : 01:21:39

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 581
Memory threats detected   : 0
Registry items scanned    : 68553
Registry threats detected : 0/
File items scanned        : 295617
File threats detected     : 0

Now, I realize I'm not allowed to post HijackThis logs here yet.. SO *shrug*

Anyways, it SEEMS like it's gone.. So how can I make sure I'm clean before I change all my passwords? Or should I go grab my Linux Live-CD, port all my precious documents to my external USB, and format? It's a BIG pain for me to format you know.. So how can I make absolute sure I'm clean?

edit: I think I'm just going to format. I'm going to boot into Ubuntu, backup some files, then use my recovery CD. Wish me luck!

edit #2:

However, though I formatted... I would appreciate if you could possibly investigate just WHAT this was, and if formatting was necessary in the end, for future reference... Thanks!

Edited by Lishy, 09 March 2012 - 06:35 AM.


#2 Lishy (Topic Starter)

Posted 09 March 2012 - 07:27 PM

Hey guys. POTENTIALLY a followup to my other thread:
http://www.bleepingcomputer.com/forums/topic445574.html

Today I received a strange email sent to my YMAIL account:

FULL HEADER OF EMAIL ON YMAIL:
From Windows Live Team Fri Mar  9 08:52:14 2012
X-Apparently-To: LISHY'SEMAIL@ymail.com via 98.136.167.125; Fri, 09 Mar 2012 08:52:15 -0800
Return-Path: <postmaster@windowslivemail.com>
Received-SPF: pass (domain of windowslivemail.com designates 65.55.238.140 as permitted sender)
 IHlvdXIgV2luZG93cyBMaXZlIGFjY291bnQgKG1lZ2FtYW4wNzdAaG90bWFp
 bC5jb20pLiBZb3UgY2FuIHVzZSB0aGlzIGNvbXB1dGVyIHRvIHJlc2V0IHlv
 dXIgcGFzc3dvcmQgaWYgeW91IGZvcmdldCBpdC4KICAgICAtICBUcnVzdGVk
 IFBDOiBMSVNIWS1QQwoKSWYgeW91IGFkZGVkIHRoaXMgY29tcHV0ZXIsIGdy
 ZWF0ISBVc2UgdGhpcyBsaW5rIHRvIGNvbmZpcm0gTElTSFktUEMBMAEBAQE-
X-YMailISG: 5EIOi3IWLDsgVlNLUgTPw6ccMmNNCoSRm1N1zj7RdQMQ.EqJ
 zTjP7oSMXDHwZERTME4h9cSCkNwMQatkJzrEHwkN8UUdzNdZEgxWJVhiQI5m
 r2YOmdqX0R52JcK3UALzoqIDy7PyLF.ABzQNlZaDtnWjrK0OkynKfCExLTka
 1jDlRqS1hwu0.hiDx3s4LDBgnnb0TVKH2cJNG4Y3dcrpZz9sRD2qCTbNP_uJ
 mX.jfUP2AA9F620ixRfNxS0zVBwmxXAkPP.nGSaq6Qo5C.W_.GlpMkVCy2Uk
 FJKMgidrsJ0zyPlNqzNC.GJnwc84M2vYtV50LweFWN5MdtD9aQ7V8SqaHNLT
 ekaA8sXTMghWwM16.MeCyK6tM2LGldrh_cRDSHcNuMyDhYUa9ioOisMOmP.y
 VMatpSx_6x8Yt_ADyVCn5.TKWNg9xfIRPRbWwuPHoJv5JxWBYBJd4sJrNBZ0
 9PXNCS.M3Geq1EYrGdVfWASKbIn9nCPQqigXUJKXvRnaiVKMrYr0IWkD8Zgr
 9sF6zq.4LtT8DzoVWPolSUbO3hcHTAU5Ggi8BQszcfX1KKHTGPXkM2wdZLX.
 Y7EB5oIMKoFLs15ozjhjj0eglVzAKnj.52r03MlrAZ18SaZ4bdsec___MT8x
 oXUdW_XHRH.cvx6ydTyPoQoOVAKgmtp4KEWUCJoAA2hp.GZs0.c0avPr_w9q
 rlvyTD6mJT7imLhdF4DUNPHcqa7U0MjBjr37N3sl9sLEdzN4vkj8Ubc7MNcs
 be5EnX.K_gWl7TA0BIK3dFYdlt898AymsBAgfLFclZ1MYsFMH.uyca7KWpMt
 Q8EVonRXj2Npl7nqW.NGBAH3UwPvz_90NAM6G1xXmcRsmiKGhjA8UC8le52D
 kKcVJVDynNUYFstyh4zDWvMXQO0.R7BvcgzKiEjp_14v3JSi6i6ik46kksGw
 V7.vDBDHnoMawZLh3Yw3lUiRhTkm4_G4tKsjNyaJKWFtXVjR5apuBWatPze.
 iz2VM4ABVXuIyR0CcwCiZbzCz8cmt7bGUy9Jn1U5sZ8BEwDGWaoXaHlXv_cc
 A6xdcpbojtdbv_wZ_l2DO.Ey2IcE71GsB6J2kCSRdk5vuIA6rwZH3yYbd2Fm
 qYhHXVym
X-Originating-IP: [65.55.238.140]
Authentication-Results: mta1261.mail.ac4.yahoo.com  from=windowslivemail.com; domainkeys=neutral (no sig);  from=windowslivemail.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO servera01.blusmtpg.msn.com) (65.55.238.140)
  by mta1261.mail.ac4.yahoo.com with SMTP; Fri, 09 Mar 2012 08:52:15 -0800
Received: from BAYIDSTOOL1B03 ([64.4.12.10]) by servera01.blusmtpg.msn.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Fri, 9 Mar 2012 11:52:14 -0500
Date: Fri, 9 Mar 2012 08:52:14 -0800
From: Windows Live Team <postmaster@windowslivemail.com>
Subject: Windows Live Account Security Confirmation
To: <LISHY'SEMAIL@ymail.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 8bit
Content-Length: 1146
THE MESSAGE ITSELF:
From: Windows Live Team <postmaster@windowslivemail.com>
To: LISHY'SEMAIL@ymail.com
Sent: Friday, March 9, 2012 8:52:14 AM
Subject: Windows Live Account Security Confirmation

It looks like you added a trusted PC to your Windows Live account (LISHY'SEMAIL@hotmail.com). You can use this computer to reset your password if you forget it.
    -  Trusted PC: LISHY-PC

If you added this computer, great! Use this link to confirm LISHY-PC:
https://account.live.com/Proofs/AddConfirm?otc=*CuscW4moAP!XPlCUWQpndyV3MGTO6aocsBuasNqBZQWOaiUmu*iDgt9UteFB*oMjoKUJksImRMdWZDhcoQPdn0E$&proofid=00187FFEA39F0276&prooftype=DeviceId&mn=LISHY'SEMAIL%40hotmail.com

If you didn't add this computer, cancel the request by using this link:
https://account.live.com/Proofs/Remove?otc=*CuscW4moAP!XPlCUWQpndyV3MGTO6aocsBuasNqBZQWOaiUmu*iDgt9UteFB*oMjoKUJksImRMdWZDhcoQPdn0E$&proofid=00187FFEA39F0276&prooftype=DeviceId&mn=LISHY'SEMAIL%40hotmail.com

You may be receiving this message if you recently installed Windows Live Essentials on one of your computers, or added a trusted PC to your account via https://account.live.com.

Thank you,
Windows Live

Microsoft respects your privacy. To learn more, please read our online privacy statement:
http://go.microsoft.com/fwlink/?LinkId=74170

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

I do use ymail to remember forgotten passwords for Windows Live and vice versa for certain accounts. But I've never seen an email like this before?

I received it at 08:52 am, while my computer was recently formatted just hours before. This is a half hour after I downloaded a Linux Mint 12 live CD and installed it.

Is it possible this is due to the effects of a virus? According to my friend, "looks like the virus got a hold of your permissions under your computer account earlier, where it changed your email settings around sounds like a rootkit to me."

Granted, I DID format.. So is it just possible I received the email late?

I'm going to be formatting again tonight, but due to other reasons than viruses. But what is your input on all this? Did something very serious involving a virus happen with my email addresses? Or is it simply due to Windows Live and Hotmail being paranoid about Linux?
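The header dump quoted above already carries the signals a defender checks before deciding whether a "security confirmation" mail is genuine: the SPF and DKIM results the receiving server recorded, whether the envelope sender (Return-Path) matches the From domain, whether the SPF-designated IP matches the originating IP, the Received hop chain, and which hosts the links in the body point to. The script below is an added example, not from the thread or from any vendor; it runs those checks with Python's standard email parser over a constructed sample trimmed from the quoted headers (the X-YMailISG block and the stray base64 fragment dropped, the one-time codes replaced by a placeholder). The TRUSTED_DOMAINS allowlist is an assumption you would populate for the organisation in question.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the headers quoted in the post, trimmed, with the one-time
# code parameters in the links replaced by a placeholder.
SAMPLE_RAW = """Return-Path: <postmaster@windowslivemail.com>
Received-SPF: pass (domain of windowslivemail.com designates 65.55.238.140 as permitted sender)
X-Originating-IP: [65.55.238.140]
Authentication-Results: mta1261.mail.ac4.yahoo.com  from=windowslivemail.com; domainkeys=neutral (no sig);  from=windowslivemail.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO servera01.blusmtpg.msn.com) (65.55.238.140)
  by mta1261.mail.ac4.yahoo.com with SMTP; Fri, 09 Mar 2012 08:52:15 -0800
Received: from BAYIDSTOOL1B03 ([64.4.12.10]) by servera01.blusmtpg.msn.com with Microsoft SMTPSVC(6.0.3790.4675);
  Fri, 9 Mar 2012 11:52:14 -0500
From: Windows Live Team <postmaster@windowslivemail.com>
Subject: Windows Live Account Security Confirmation
To: <LISHY'SEMAIL@ymail.com>
Content-Type: text/plain; charset="Windows-1252"

It looks like you added a trusted PC to your Windows Live account.
Use this link to confirm LISHY-PC:
https://account.live.com/Proofs/AddConfirm?otc=OTC_PLACEHOLDER&prooftype=DeviceId
If you didn't add this computer, cancel the request by using this link:
https://account.live.com/Proofs/Remove?otc=OTC_PLACEHOLDER&prooftype=DeviceId
"""

# Assumed allowlist: domains the notifying organisation is known to send from and link to.
TRUSTED_DOMAINS = {"windowslivemail.com", "live.com", "microsoft.com"}


def domain_of(addr_header):
    """Domain after '@' in an address header such as From or Return-Path."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def in_trusted(host, trusted=TRUSTED_DOMAINS):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def spf_result(msg):
    hdr = msg.get("Received-SPF", "")
    return hdr.split(None, 1)[0].lower() if hdr else "none"


def dkim_result(msg):
    m = re.search(r"dkim=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def spf_designated_ip(msg):
    m = re.search(r"designates (\S+) as permitted sender", msg.get("Received-SPF", ""))
    return m.group(1) if m else None


def originating_ip(msg):
    m = re.search(r"(\d+\.\d+\.\d+\.\d+)", msg.get("X-Originating-IP", ""))
    return m.group(1) if m else None


def received_hops(msg):
    """(from, by) pairs in header order: the topmost Received line is the last hop."""
    hops = []
    for rcv in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", rcv, re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def link_hosts(body):
    return sorted({urlparse(u).hostname for u in re.findall(r"https?://\S+", body)})


def assess(raw):
    msg = message_from_string(raw)
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    hosts = link_hosts(msg.get_payload())
    report = {
        "spf": spf_result(msg),
        "dkim": dkim_result(msg),
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "envelope_matches_from": from_dom == rp_dom,
        "spf_ip_matches_origin": spf_designated_ip(msg) == originating_ip(msg),
        "hops": received_hops(msg),
        "link_hosts": hosts,
        "flags": [],
    }
    if report["spf"] != "pass":
        report["flags"].append("SPF result is %r, not pass" % report["spf"])
    if not report["envelope_matches_from"]:
        report["flags"].append("Return-Path domain differs from From domain")
    if not report["spf_ip_matches_origin"]:
        report["flags"].append("SPF-designated IP differs from X-Originating-IP")
    if not in_trusted(from_dom):
        report["flags"].append("From domain not in trusted set: " + from_dom)
    for h in hosts:
        if not in_trusted(h):
            report["flags"].append("link host outside trusted domains: " + h)
    return report


if __name__ == "__main__":
    for k, v in assess(SAMPLE_RAW).items():
        print("%-24s %s" % (k, v))
```

On the quoted headers the report comes back with no flags: SPF passes for the Return-Path domain, the From and Return-Path domains agree, the SPF-designated IP is the originating IP, and both links resolve to a host under one of the trusted domains. An empty flag list only says the mail was delivered from where it claims; whether the trusted-PC event itself is wanted is something to verify from the account's own device settings rather than from the message.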

#3 Animal

Posted 09 March 2012 - 10:57 PM

I have merged your topics to avoid confusion and to keep all information in one place.



#4 quietman7 (Global Moderator)

Posted 09 March 2012 - 11:04 PM

Trojan.Agent/Gen-Fakealert is a broad category by SuperAntispyware that includes various .dlls and .exe files added to their database definitions. Each security vendor uses their own naming conventions to identify various types of malware. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is.
Most likely it was related to a Rogue security program. Without knowing more information, it's difficult to say which particular rogue it was related to.

Since you chose to reformat, you may want to read How Malware Spreads - How did I get infected, which explains the most common ways malware is contracted and spread.