
FakeAlert-B



roketa
2006-05-21, 19:49
Hello. I got the FakeAlert-B (McAfee says so) trojan and a lot of popups with it. I tried to get rid of it myself but I obviously failed. I would appreciate some help:

SmitFraudFix v2.45

Scan done at 19:09:34,23, ned 21.05.2006
Run from C:\Documents and Settings\korosec\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

roketa
2006-05-21, 19:51
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:55:27, 21.5.2006
+ Report-Checksum: D5E24294

+ Scan result:

:mozilla.9:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.10:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.13:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.14:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.15:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.17:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.18:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.19:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.20:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.45:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.46:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.47:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.56:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.58:C:\Documents and Settings\korosec\Application Data\Mozilla\Firefox\Profiles\fbonep4r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Program Files\Hijackthis\backups\backup-20060520-003955-294.dll -> Downloader.Zlob.ov : Cleaned with backup
C:\WINDOWS\system32\atmclk.exe -> Trojan.Small : Cleaned with backup


::Report End

roketa
2006-05-21, 19:52
Logfile of HijackThis v1.99.1
Scan saved at 19:17:38, on 21.5.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\QuickTime\qttask.exe
D:\Tilen\Daemon tools\daemon.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\TypingMaster\KBOOST.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Tilen\Daemon tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [TypingSatellite] "D:\Program Files\TypingMaster\KBOOST.EXE"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
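
The O4 (autorun) and O23 (service) lines in the HijackThis log above are the part a helper reads first, because the SmitFraudFix log in the first post shows the infection living as `.tmp` executables under `system32`. The parser below is an added example, not HijackThis code or anything from this thread: it splits those two line types into structured records and flags the patterns worth a second look (a service with an unknown owner, an image with a `.tmp` extension, a bare program name resolved via PATH, and `RunDll32` hosting a DLL). The regular expressions are my reading of the log format; the sample lines are copied from the log above except the last, which is constructed to resemble the deleted `hp????.tmp` files.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis log posted above, plus one constructed
# O4 line (the hpExample entry) modelled on the hp????.tmp files that
# SmitFraudFix deleted in the first post, so the flagging logic has a hit.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [TypingSatellite] "D:\Program Files\TypingMaster\KBOOST.EXE"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O4 - HKLM\..\Run: [hpExample] C:\WINDOWS\system32\hp1234.tmp
"""

# Assumed shapes of the three HijackThis line types handled here.
RUN_RE = re.compile(r'^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[(.+?)\] (.*)$')
STARTUP_RE = re.compile(r'^O4 - (Startup|Global Startup): (.+?) = (.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.*)$')

EXE_EXTS = ('.exe', '.com', '.scr', '.bat', '.cmd', '.tmp', '.dll', '.cpl')


@dataclass
class Entry:
    kind: str        # "autorun" or "service"
    location: str    # registry key, startup folder, or "Service"
    name: str
    command: str
    image: str       # executable path extracted from the command
    owner: str = ""  # O23 vendor string, e.g. "Unknown owner"
    flags: list = field(default_factory=list)


def image_from_command(command: str) -> str:
    """Pull the executable out of a command line.

    Quoted paths are taken verbatim. Unquoted ones are rebuilt token by
    token until the accumulated text ends in an executable extension, which
    copes with unquoted paths containing spaces ("C:\\Program Files\\...").
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(' ')
    for i in range(1, len(tokens) + 1):
        candidate = ' '.join(tokens[:i])
        if candidate.lower().endswith(EXE_EXTS):
            return candidate
    return tokens[0]


def flag(entry: Entry) -> None:
    """Attach review flags for the patterns seen in this thread."""
    base = entry.image.rsplit('\\', 1)[-1].lower()
    if entry.kind == "service" and entry.owner == "Unknown owner":
        entry.flags.append("unknown owner")
    if base.endswith('.tmp'):
        entry.flags.append(".tmp image")
    if base in ('rundll32', 'rundll32.exe'):
        entry.flags.append("rundll32 host")   # payload is the DLL argument
    if '\\' not in entry.image:
        entry.flags.append("no directory")    # resolved through PATH at boot


def parse_hjt(text: str) -> list:
    """Parse O4 and O23 lines into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            e = Entry("autorun", m.group(1), m.group(2), m.group(3),
                      image_from_command(m.group(3)))
        elif m := STARTUP_RE.match(line):
            e = Entry("autorun", m.group(1), m.group(2), m.group(3),
                      image_from_command(m.group(3)))
        elif m := SERVICE_RE.match(line):
            e = Entry("service", "Service", m.group(1), m.group(3),
                      image_from_command(m.group(3)), owner=m.group(2))
        else:
            continue
        flag(e)
        entries.append(e)
    return entries


def flagged(entries: list) -> list:
    """Only the entries that picked up at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_LOG)):
        print(f"{e.location:16} {e.name:22} {e.image}  <- {', '.join(e.flags)}")
```

A flag is a prompt for review, not a verdict: the `Cmaudio` RunDll32 entry and the "Unknown owner" ATI service are both legitimate on this machine, while the `.tmp` pattern is the one that matched the actual infection.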

roketa
2006-05-22, 10:51
It looks like everything is OK now. You have made instructions that work fine. Thanks.

LonnyRJones
2006-05-26, 06:13
Hi

Just to check, re-download (it's updated often) SmitFraudFix, unzip and run option 1, then post that log please.

roketa
2006-05-28, 21:24
SmitFraudFix v2.49b

Scan done at 21:18:48,39, ned 28.05.2006
Run from D:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\korosec\Application Data

C:\Documents and Settings\korosec\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyFalcon 3.1.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\korosec\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

LonnyRJones
2006-05-29, 04:22
Hi

Either delete that shortcut yourself or run SmitFraudFix option two
C:\Documents and Settings\korosec\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyFalcon 3.1.lnk

You can just right-click on it (in the Quick Launch bar) and choose delete

Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
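
A blocking hosts file of the kind linked above works by mapping ad and tracking hosts to an address that goes nowhere, and the same file is a place malware likes to tamper with, so it is worth being able to read it and audit it. The script below is an added example, not the mvps.org file or any tool from this thread: it parses hosts-file syntax (comments, blank lines, several names per line), answers whether a host is sinkholed, and lists entries that send a name somewhere other than a sinkhole, which is what a hijacked hosts file looks like. The file contents are constructed; the tracking-host names are taken from the ewido report above, and the redirected update host is a made-up `.test` name.

```python
import ipaddress

# Constructed sample in the mvps.org hosts-file style (not the real file).
# The blocking lines use names from the ewido tracking-cookie report above;
# the last line is a constructed hijack of an update host, to show the audit.
SAMPLE_HOSTS = """
# Constructed sample hosts file
127.0.0.1  localhost
0.0.0.0  ad.doubleclick.net
0.0.0.0  www.tribalfusion.com    # trailing comment
0.0.0.0  fastclick.net  www.fastclick.net
203.0.113.7  update.example-av.test   # constructed: hijacked entry
"""

# Addresses that a blocking hosts file legitimately points names at.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs, ignoring comments, blanks and bad IPs."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # strip inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)           # skip malformed addresses
        except ValueError:
            continue
        for name in names:
            pairs.append((ip, name.lower()))  # one pair per name on the line
    return pairs


def is_blocked(pairs: list, hostname: str) -> bool:
    """True if hostname is mapped to a sinkhole address by some entry."""
    hostname = hostname.lower()
    return any(ip in SINKHOLES and name == hostname for ip, name in pairs)


def suspicious_redirects(pairs: list) -> list:
    """Entries that point a name at a real address rather than a sinkhole.

    A clean blocking hosts file has none of these apart from localhost;
    anything else is a redirect a user or malware added and should be
    explained before the file is trusted.
    """
    return [(ip, name) for ip, name in pairs
            if ip not in SINKHOLES and name != "localhost"]


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(entries)} entries parsed")
    print("ad.doubleclick.net blocked:", is_blocked(entries, "ad.doubleclick.net"))
    for ip, name in suspicious_redirects(entries):
        print(f"suspicious: {name} -> {ip}")
```

Re-running the audit after each monthly hosts-file refresh is a cheap way to notice if something has been added to the file between updates.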

roketa
2006-05-29, 11:26
Thank you for your time.

tashi
2006-06-04, 06:48
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.

Glad we could help. :)