trojan.fakealert

Discussion in 'Malware Help (A Specialist Will Reply)' started by smerl, Dec 11, 2009.

  1. smerl

    smerl Private E-2

    Hi there

    I have Malwarebytes installed on my computer and it detected trojan.fakealert in one of its regular scans. I selected the removal option, Malwarebytes removed this trojan, and I rebooted the computer. The computer wouldn't restart and I had to select "use last known good configuration" before Windows would reboot. After this Malwarebytes again detected the trojan. I guessed that the restore point was probably dirty so I tried to restore to an earlier point but found that none existed, so I am guessing that the trojan wiped the earlier points out?

    I then followed the steps outlined in your READ & RUN ME FIRST post. I have attached the logs to this post and the subsequent post.

    I think the computer may now be clean but I thought I would post the logs anyway and I am hoping that you may be able to check them for me and let me know if there is anything else I need to do?

    Thanks for your assistance

    Regards

    Simon
     

    Attached Files:

  2. smerl

    smerl Private E-2

    MGTools logs
     

    Attached Files:

  3. schrauber

    schrauber Malware Fighter

    Hi and welcome to MajorGeeks :)


    Step 1:

    If you do not use Windows Messenger, run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Step 2:

    What is your current av-program?

    Step 3:

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    c:\windows\system32\drivers\fwoueda.sys
    c:\windows\system32\drivers\xuss.sys
    c:\windows\system32\drivers\byaulqc.sys
    C:\WINDOWS\Qgetetetabe.dat
    C:\WINDOWS\Slimezejo.bin
    
    Folder::
    c:\documents and settings\All Users\Application Data\SP
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
    [-HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    RegNull::
    [HKEY_USERS\S-1-5-21-57989841-1275210071-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88B99D05-13BC-382B-95D8-C6853A7781DC}*]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe


    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe

    Step 4:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.


    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
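The Registry:: section of the CFScript above rewrites the LSA "Notification Packages" value to the stock entry "scecli" (the hex(7) bytes 73,63,65,63,6c,69,00,00 are the REG_MULTI_SZ "scecli" followed by the double-NUL terminator). Every DLL named in that value is loaded by LSA at boot and called on password changes, so an entry the administrator did not add is both a persistence point and a credential-capture hook. The script below is an added example, not ComboFix's code and not from the thread: it decodes hex(7) values from a .reg/CFScript fragment and flags any notification package outside an assumed known-good list. KNOWN_GOOD is an assumption (the stock Windows entries), and SAMPLE_REG is a constructed fragment with a made-up "evilpw" entry for the demonstration.

```python
"""Decode and audit the LSA "Notification Packages" value (REG_MULTI_SZ, written
as hex(7) in .reg files and ComboFix scripts).

Added example for this thread; not ComboFix's code and not from the original
post.  Assumptions: KNOWN_GOOD lists the stock Windows entries; SAMPLE_REG is a
constructed .reg fragment with a made-up "evilpw" entry for the demo.
"""

import re
from typing import Dict, List

# "Name"=hex(7):aa,bb,...  with '\' line continuations, as .reg/CFScript write it.
HEX7_RE = re.compile(
    r'"(?P<name>[^"]+)"=hex\(7\):(?P<body>(?:[0-9a-fA-F]{2},?|\\\s*|\s)*)'
)

# Assumption: stock Windows password-change notification packages.
KNOWN_GOOD = {"scecli", "rassfm"}

# Constructed sample (REGEDIT4/ComboFix style: one byte per character).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,65,76,69,6c,70,\
  77,00,00
'''


def decode_multi_sz(hex_body: str) -> List[str]:
    """Turn 'aa,bb,...' into the list of strings of a REG_MULTI_SZ."""
    raw = bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", hex_body))
    # "Windows Registry Editor Version 5.00" exports are UTF-16LE (every odd
    # byte of ASCII text is 0); REGEDIT4 and ComboFix scripts use ANSI.
    utf16 = len(raw) >= 2 and not any(raw[1::2]) and any(raw[0::2])
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    return [s for s in text.split("\x00") if s]  # drop the double-NUL terminator


def encode_multi_sz(strings: List[str], utf16: bool = False) -> str:
    """Inverse of decode_multi_sz: build a hex(7) body, e.g. for a fix script."""
    text = "\x00".join(strings) + "\x00\x00"
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return ",".join(f"{b:02x}" for b in raw)


def extract_multi_sz_values(reg_text: str) -> Dict[str, List[str]]:
    """Every hex(7) value in a .reg/CFScript fragment, decoded, keyed by name."""
    return {m.group("name"): decode_multi_sz(m.group("body"))
            for m in HEX7_RE.finditer(reg_text)}


def suspicious_notification_packages(reg_text: str) -> List[str]:
    """Entries of 'Notification Packages' that are not on the known-good list."""
    pkgs = extract_multi_sz_values(reg_text).get("Notification Packages", [])
    return [p for p in pkgs
            if p.lower().removesuffix(".dll") not in KNOWN_GOOD]


if __name__ == "__main__":
    for pkg in suspicious_notification_packages(SAMPLE_REG):
        print("unexpected LSA notification package:", pkg)
    # The value the CFScript above writes back:
    print('"Notification Packages"=hex(7):' + encode_multi_sz(["scecli"]))
```

On a live machine, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` and feed the file to `suspicious_notification_packages`; the UTF-16 branch handles the version 5.00 export format, the ANSI branch handles ComboFix logs and REGEDIT4 files.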
  4. smerl

    smerl Private E-2

    Hi schrauber

    Thanks for your help.

    With regard to my AV software, I am currently using Norton Internet Security.

    I ran combofix and getlogs.bat as you suggested and I have attached the logs for both.

    My machine seems to be running quite well.

    Thanks again for your help.
     

    Attached Files:

  5. schrauber

    schrauber Malware Fighter

    Hi,

    Step 1:

    Please uninstall ASK Toolbar through Add/Remove Programs

    Step 2:

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Folder::
    c:\program files\Ask.com
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    Firefox::
    FF - ProfilePath - c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\adwon880.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15157&l=dis
    FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15154&locale=en_US&q=
     
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe


    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 3:

    Let's do an online scan just to be sure nothing else is hiding.

    ESET Online Scan

    Scan your computer with the ESET FREE Online Virus Scan

    * Click the ESET Online Scanner button.

    * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    * Place a check mark next to YES, I accept the Terms of Use.

    * Click the Start button.
    * Accept any security warnings from your browser.
    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
    * Click the Start button.
    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    * When the scan completes, click List of found threats.
    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Attach this report to your next reply.
    * Click the <<Back button then click Finish.



    In your next reply please attach the ESET Online Scan Log and the Combofix Logfile.
     
    Last edited by a moderator: Dec 14, 2009
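The Firefox:: section of the CFScript above points at two prefs.js entries that the Ask toolbar set: browser.startup.homepage and keyword.URL (the address-bar search redirect) both route through ask.com hosts. The following is an added example, not ComboFix's code and not from the thread: it parses a prefs.js, reports any navigation or search pref whose URL host is not one the user chose, and produces a cleaned prefs.js with those lines removed (Firefox regenerates defaults for missing prefs on next start). TRUSTED_HOSTS is an assumption; the sample prefs.js is constructed from the values in the log, with hxxp restored to http.

```python
"""Check a Firefox prefs.js for home page / address-bar search hijacks and
produce a cleaned copy.

Added example; not ComboFix's code and not from the thread.  Assumptions: the
trusted host list is the user's own choice; SAMPLE_PREFS is constructed from the
values shown in the log (hxxp un-defanged to http).
"""

import re
from typing import Dict, Iterable, Iterator, List, Tuple
from urllib.parse import urlsplit

# user_pref("name", value);  -- value may be a quoted string, number or bool.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# Prefs that decide where the browser goes on startup or on an address-bar search.
WATCHED = {"browser.startup.homepage", "keyword.URL", "browser.newtab.url"}

# Constructed sample, values taken from the CFScript's Firefox:: section.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "http://www.ask.com?o=15157&l=dis");
user_pref("browser.startup.page", 1);
user_pref("keyword.URL", "http://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15154&locale=en_US&q=");
user_pref("browser.search.selectedEngine", "Google");
user_pref("extensions.lastAppVersion", "3.5.5");
"""


def parse_prefs(text: str) -> Dict[str, str]:
    """Map pref name -> value (string values unquoted), in file order."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        prefs[name] = value
    return prefs


def _hosts(value: str) -> Iterator[str]:
    """Hosts of every http(s) URL in a pref value ('|' separates multiple home pages)."""
    for part in value.split("|"):
        u = urlsplit(part.strip())
        if u.scheme in ("http", "https") and u.hostname:
            yield u.hostname.lower()


def hijacked_prefs(text: str, trusted_hosts: Iterable[str]) -> List[Tuple[str, str]]:
    """(pref name, host) for every watched pref pointing outside the trusted hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    hits: List[Tuple[str, str]] = []
    for name, value in parse_prefs(text).items():
        if name in WATCHED or name.startswith("browser.search."):
            for host in _hosts(value):
                if host not in trusted:
                    hits.append((name, host))
    return hits


def strip_prefs(text: str, names: Iterable[str]) -> str:
    """prefs.js text with the named user_pref lines removed; everything else kept."""
    drop = set(names)
    kept = []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group(1) in drop:
            continue
        kept.append(line)
    return "".join(kept)


if __name__ == "__main__":
    hits = hijacked_prefs(SAMPLE_PREFS, ["www.google.com"])
    for name, host in hits:
        print(f"{name} points at {host}")
    print(strip_prefs(SAMPLE_PREFS, [name for name, _ in hits]))
```

Run it against the profile's prefs.js with Firefox closed (Firefox rewrites the file on exit, so edits made while it is running are lost), and keep the toolbar's own extension directory in mind: removing the prefs without the extension just lets it set them again.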
  6. smerl

    smerl Private E-2

    Hi

    I ran both programs as you suggested and have attached the logs.

    Is the ASK toolbar a known problem? I think it was installed when I updated Firefox. I didn't pay enough attention as I was running the install!

    Thanks again for all your help.
     

    Attached Files:

  7. schrauber

    schrauber Malware Fighter

    Hi,

    Thanks for the logfiles. Yes, ASK Toolbar is a problem. See here

    http://www.benedelman.org/spyware/ask-toolbars/



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /Uninstall
        • Notes: The space between the combofix" and the /Uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
