Win32:FakeAlert-FC [Trj]

View previous topic View next topic Go down

Win32:FakeAlert-FC [Trj]

Post by nuklor on 10th December 2009, 11:29 am

Dear people,

My avast! Home Edition is alerting me to the presence of Win32:FakeAlert-FC [Trj]. It finds this in C:\Windows\Temp\xxxx.tmp\svchost.exe (where xxxx is a random alphabetical string). I can delete/quarantine the file, but new xxx.tmps are generated every so many minutes.

I've run a TrojanHunter scan with no results. Below is my HJT.log, I hope you can help! :-) :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:39, on 10/12/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\TrojanHunter 5.2\TrojanHunter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Patrick Jansen\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.2\THGuard.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8105 bytes

nuklor
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-10
OS OS : 7
Points Points : 25663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by Belahzur on 10th December 2009, 7:57 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by nuklor on 10th December 2009, 8:35 pm

Thank you Belahzur, I've run MBAB (one problem removed), and restarted the computer. Here is the log:

Malwarebytes' Anti-Malware 1.42
Database version: 3340
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/12/2009 21:26:49
mbam-log-2009-12-10 (21-26-49).txt

Scan type: Quick Scan
Objects scanned: 98650
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\spool\prtprocs\w32x86\F2D.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

nuklor
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-10
OS OS : 7
Points Points : 25663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by Belahzur on 11th December 2009, 10:34 pm

Hello.
Update MBAM and run it again, make sure you have the newest database.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by nuklor on 12th December 2009, 11:27 am

[You must be registered and logged in to see this link.] wrote:Hello.
Update MBAM and run it again, make sure you have the newest database.

Done and done. No malware found. I no longer have the original FakeAlert alerts, however one day later I'm getting the following:

12/12/2009 12:15:13 SYSTEM 1608Sign of "Win32:Malware-gen" has been found in "\GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074\\L\max++.00.x86" file.

and I'm unable to quarantine or delete the file.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.42
Database version: 3349
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/12/2009 12:21:13
mbam-log-2009-12-12 (12-21-13).txt

Scan type: Quick Scan
Objects scanned: 98373
Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

nuklor
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-10
OS OS : 7
Points Points : 25663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by Belahzur on 12th December 2009, 8:40 pm

Is this machine some kind of server possibly?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by nuklor on 12th December 2009, 9:39 pm

Not by my doing, as far as I'm aware. The only willfully installed server type software is an httpd library for Haskell... Other than that it's a simple win7 install with a number of everyday applications.

nuklor
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-10
OS OS : 7
Points Points : 25663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by simonteunis on 12th December 2009, 10:58 pm

I had the same problem and i fixed with Norton Antivirus 2010 trial for 30 day . Before i tryed a lot of programs only Norton fixed it.
But you have stoped Avast before you instal Norton.

Sim

simonteunis
Beginner
Beginner

Posts Posts : 1
Joined Joined : 2009-12-11
OS OS : vista
Points Points : 25575
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by Belahzur on 13th December 2009, 1:52 am

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by nuklor on 13th December 2009, 10:15 am

Hi Belahzur,

I happened across the Kaspersky online scanner earlier, but then, just as now:

"The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience."

I took the liberty of doing a full MBAM scan last night, with 0 infections as a result. The Malware-gen alert seems to pop up whenever I start up my browser (IE8) after it has been closed entirely. Edit: Not whenever, but it does occur sometimes when I start up the browser.

nuklor
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-10
OS OS : 7
Points Points : 25663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by Belahzur on 13th December 2009, 8:43 pm

Try this online scanner instead.
Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by nuklor on 13th December 2009, 10:58 pm

Now here's what's happening: My Avast systray (ashdisp) is no longer starting up with windows, and my mousepad is no longer scrolling, so something weird has changed in the startup processes. However, the last alert I've had was about 7 hours ago...
I've run the online scanner, here's the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=158a2c282d68a94f9c8a1e65627f9497
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-13 10:54:49
# local_time=2009-12-13 11:54:49 (+0100, W. Europe Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775165 100 76 3893 197022810 26874 0
# compatibility_mode=5893 16776573 100 94 267675 13194247 0 0
# compatibility_mode=8192 67108863 100 0 3689 3689 0 0
# scanned=121133
# found=0
# cleaned=0
# scan_time=3233


Last edited by nuklor on 13th December 2009, 11:08 pm; edited 1 time in total (Reason for editing : False information; did have alerts today)

nuklor
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-10
OS OS : 7
Points Points : 25663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32:FakeAlert-FC [Trj]

Post by nuklor on 14th December 2009, 1:34 pm

Just got another alert for a Trojan Downloader (this time from Windows Defender). I've decided that the quicker and more thorough approach is to Format C:, given that it's obviously not a very clear and distinct culprit.
Thanks for the help, Belahzur, I'll come back if I ever have another problem :-)

Brgds, Pat

nuklor
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-10
OS OS : 7
Points Points : 25663
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum