Win32.Fakealert.ttam query



Fred232
2009-08-05, 19:14
I updated Spybot S&D today and did a full SCAN. It found 'Win32.Fakealert.ttam' and seemed to remove it OK.



I was just wondering, as a double check, what this 'Win32.Fakealert.ttam' actually is supposed to do? Is there anything else I need to look for? Does it create Reg keys for example?

I notice it was in the recent update definitions.

A full scan with Spybot now passes OK, and a full scan with AVG (updated) also passes OK, so I guess it's clean again. I was just wondering what the file actually tried to do?

Fred232
2009-08-05, 21:25
I meant to add this extra info as a snippet to my original post:


Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}



Taken from the Spybot logs, for info.

drragostea
2009-08-06, 00:36
Read this link:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=72098
-
Basically, it is part of a rogue AV, designed to trick users into handing over their wallets.

From Spybot's report, I wouldn't be worried because it appears to be a trace of the rogue, not the rogue itself actually being present on your system. A registry key cannot do much harm without their buddies (files). Like a car without an engine.

atchiss
2009-08-06, 09:53
In my case I think it's a false positive.
This registry entry point to a TOAD's application file (QUEST software).
And I have nothing of the others files that appear in the above url

Sorry for my english

Fred232
2009-08-06, 13:10
drragostea - Thanks for the info. If it was 'real' then I guess it was just a trace as you say, because I wasn't getting any nag screens etc, and haven't noticed anything funny happening.

I guess I was a tadge concerned that, as 'atchiss' said, after I deleted it I wondered if it was a false positive, and if I've deleted a key I may need.

Is there anyway I can double check that?

I didn't check the key beforehand, so I'm not sure what it was trying to point to, or can that be established from the Spybot report?

Any thoughts?


Thanks for all replies and assistance.

drragostea
2009-08-07, 04:53
atchiss' case might be different...
A Google search on the entry "3F2BBC05-40DF-11D2-9455-00104BC936FF" gave me mixed results, and not one of them was a positive one. The first few results came back with Trojan. entries. I found that threatexpert.com made a reference to the key that was detected on your machine.

http://www.threatexpert.com/report.aspx?md5=4ada781eb67b43c4ce25dbc4354c98e7

I guess I was a tadge concerned that, as 'atchiss' said, after I deleted it I wondered if it was a false positive, and if I've deleted a key I may need.
I doubt you'll need that flagged key for anything. I doubt this is a FP.
The safest place for it to be is removed and kept in the Quarantine/Recovery area. You can always recover it just in case, but you should remove it for now.

Like I said before, the registry key is missing the big guys. Ergo: no nag screens, pop-ups, etc.

Fred232
2009-08-07, 11:22
drragostea - OK thanks for your assistance and advice.

I'll leave as is.

Fred232
2009-08-07, 16:12
EDIT: - Added link to this post http://forums.spybot.info/showthread.php?t=50604 for info for others who see this report. And for me to track it :)

The key is still in Spybot quarantine/recovery for me at the moment.

chuckh1958
2009-08-07, 19:33
Is it possible that a legitimate product would register the same class id as win32.fakealert.ttam? A Spybot S&D full scan today turned up this trojan in its results, but when I jumped to the location in the registry I found LocalServer32 and ProgID subkeys under it pointing to Quest Software's Installer program (qi.exe). Coincidentally I have installed an updated version of Quest's TOAD program since the last clean full scan too.

Does this mean that:

(a) it was a false alarm because Quest has registered the same classid that the trojan uses? -or-
(b) Quest's program (downloaded directly from their web site) is infected?

Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

This is the exported data for that classid from my registry.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@="Implements DocHostUIHandler"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\PROGRA~1\\QUESTS~1\\QUESTI~1\\QI.exe"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@="QI.DocHostUIHandler"
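The check chuckh1958 did by hand (follow the CLSID to its LocalServer32 target and see which program it really is) can be scripted. This is an added example, not code from the thread, from Spybot or from Quest/PhraseExpress; the CLSID is the one quoted above, the InProcServer32 sub-key is an assumption (it is the usual companion of LocalServer32 and is checked only if present), and the signature and hash lookups are only meaningful if the target file still exists.

```powershell
# Added example: triage a CLSID flagged by a scanner by resolving what it launches.
$clsid = '{3F2BBC05-40DF-11D2-9455-00104BC936FF}'   # CLSID from the Spybot report
$key   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"

if (-not (Test-Path -Path $key)) {
    Write-Host "$clsid is not registered on this machine"
    return
}

# The "(default)" value of the key itself and of ProgID describe the object.
Write-Host ("Description: " + (Get-ItemProperty -Path $key).'(default)')
$progId = (Get-ItemProperty -Path "$key\ProgID" -ErrorAction SilentlyContinue).'(default)'
Write-Host "ProgID     : $progId"

# LocalServer32 is an out-of-process EXE; InProcServer32 (assumed) would be a DLL.
foreach ($sub in 'LocalServer32', 'InProcServer32') {
    $prop = Get-ItemProperty -Path "$key\$sub" -ErrorAction SilentlyContinue
    if (-not $prop) { continue }
    $raw = $prop.'(default)'

    # Drop surrounding quotes and any command-line arguments after the .exe/.dll.
    $exe = $raw -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '(?i)(\.(exe|dll)).*$', '$1'

    # Expand 8.3 short names such as C:\PROGRA~1\... (as in the export above).
    $full = $exe
    try { $full = (Get-Item -LiteralPath $exe -ErrorAction Stop).FullName } catch { }
    Write-Host "$sub : $full"

    if (Test-Path -LiteralPath $full) {
        # A valid Authenticode signature from the expected vendor is the quickest
        # way to tell a legitimate COM server from a rogue dropped under the same CLSID.
        $sig = Get-AuthenticodeSignature -FilePath $full
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Write-Host "  signature : $($sig.Status) $signer"
        Write-Host "  sha256    : $((Get-FileHash -Path $full -Algorithm SHA256).Hash)"
    } else {
        # A key whose target no longer exists is a leftover, not a running threat.
        Write-Host "  target missing: stale registration, nothing to launch"
    }
}
```

Run it before letting the scanner "fix" the key; if the target is a signed binary from the product you installed (TOAD, PhraseExpress), the hit is a false positive and the key is worth keeping.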

Guest
2009-08-08, 22:19
Read this link:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=72098
-
Basically, it is part of a rogue AV, designed to trick users into handing over their wallets.

From Spybot's report, I wouldn't be worried because it appears to be a trace of the rogue, not the rogue itself actually being present on your system. A registry key cannot do much harm without their buddies (files). Like a car without an engine.

Hi,

why do you connect THIS Class ID with this trojan? I couldn't find anything about this registry entry on the linked page.

Please see this post http://forums.spybot.info/showthread.php?t=50604

This is the whole key in my registry:
[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@="Implements DocHostUIHandler"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\Programme\\PhraseExpress\\phraseexpress.exe"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@="phraseexpress.DocHostUIHandler"

Absolutely unspectacular, I think.

More about this program you can find here http://www.phraseexpress.com/

Thank you very much.

bartelsmedia
2009-08-11, 13:11
Hi,

I am with Bartels Media GmbH, the maker of PhraseExpress.

PhraseExpress includes a keyboard hook to provide the desired text replacement functionality.

Be assured that PhraseExpress does not contain any malicious code. All PhraseExpress programs including installers are digitally signed and we are a registered company based in Germany.

Please find more information at http://www.phraseexpress.com/spyware.htm

miciotta62
2009-08-11, 21:17
Yesterday after the spybot update definitions:

--- Search result list ---

Win32.Fakealert.ttam: [SBI $CB1B5484] ID di classe (Chiave di registro, nothing done)

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---



I updated and scanned, and Spybot found this infected key in the registry....

Nothing with my antivirus, SpywareTerminator, SUPERAntiSpyware and Malwarebytes Anti-Malware!

Is it a false positive or a real infection? What should I do?


thank and kiss !!!

miciotta62
2009-08-12, 22:18
I do not have the program...

PhraseExpress


What should I do? Help me?

Is it a false positive or ???

Matt
2009-08-13, 12:08
Hi miciotta62,

did you update Spybot yesterday? If not, update it and run another scan. Does Spybot still find this entry?

miciotta62
2009-08-13, 21:12
OK.... but at the last scan, after this infection, I put this

key in REPAIR (quarantine?)!

I updated yesterday and re-scanned, and there was no infection.

But now, is this key not in quarantine, or?

thanks and kiss !

Fred232
2009-08-13, 21:42
Yeah, I'm not sure what to do now either?

After the previous upgrade around 5-8-09, this key was detected on my system.

I allowed Spybot to quarantine it following this thread (above), as at the time it definitely looked like a real problem.

Now I'm not so sure; the key is still in recovery.

I've also been awaiting a reply from Yodama in this thread - http://forums.spybot.info/showthread.php?t=50604 (post 9 and 13) as to what to do next?

How do I export the key from 'recovery' as per Yodama's request?
Or should I just recover the key, then update and re-scan?

miciotta62
2009-08-13, 23:34
I repeat:


I scanned with the old update and it found this infected registry key!

I clicked on REPAIR (and does this key get deleted or go to quarantine???)

Now, yesterday I downloaded the new update and re-scanned,

and NO infected key was found.


OK?


But is this infected key a real infection or a false positive?

thanks

btreloar
2009-08-21, 17:06
This also seems to turn up as a false positive for users of PhraseExpress. (I've seen others report this in another thread here.) That product watches keyboard entry for shortcuts that it replaces with longer phrases. Spybot has been turning up this item daily, and I just went into settings and checked it to be ignored. (Now I hope I don't end up with the REAL win32.fakealert.ttam somewhere else. The reason I wonder about that is that I have Spybot set to automatically fix spyware it finds. It's been fixing this, but that doesn't seem to have disabled my PhraseExpress.)

Fred232
2009-08-22, 12:35
btreloar, I believe the false positive report for this key has been fixed in the last Spybot update, earlier in the week.

Certainly, after restoring my key and then loading the new update, Spybot did not re-report it for me.

TedRansen
2010-02-16, 21:21
I apologize if this should be posted in its own thread.

Landed at Spybot because a PC is getting pop ups , fake virus alerts. "Buy our software to fix this issue", etc etc...

Booted with ERD commander, and "SA9156.exe" is in AUTORUNS. Search on file name on "C:\" locates file in hidden folder "91567FD".

Search in registry locates file name in registry key created for "implements DocHostUIHandler" with reference back to file location in hidden directory listed above in the all users program files tree.

Google searches on above file name and directory in which file reside returns nothing. I know this is the file causing the fake alerts, because after deleting it, no more pop ups.

Updated and ran Spybot. Removed over 100 Malware and Trojan entries.

The icon on the desktop that was linked to "SA1956.exe" was named "Security Antivirus". One of the things I assume this thing did was add redirects to my HOSTS file. A lot of entries were added that sent Google website requests to the ip address 74.125.45.100. Basically, it looked like most major flavors of Google websites, both in the US and International, got redirected to the above ip address.

The icon was kind of cute. It looked like the head of a "Doozer" from the old TV show "Fraggle Rock". Even had a little beard and an orange hard hat. No eyes and nose. Just like a Doozer.

There were some other redirects in the host file, that gave the URL of the website. They were under the heading "Fraud Windows Protection Suite".

That was fun. No root kits, just a quick little job. Would be a good training tool for level I desktop support people. Sprinkled a little of everything everywhere, under different names, some hidden files, some HOSTS stuff.

I started the reply, before I fixed the issue. Decided to post it, because of the unique file names. And because this is where I ended up when I Googled " Implements DocHostUIHandler" .and. virus
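The HOSTS tampering TedRansen describes (many Google hostnames pointed at one address) is easy to spot when the file is parsed and grouped by destination rather than read by eye. This is an added example, not code from the thread; the sample HOSTS content is constructed for illustration (the address is the one quoted above, the hostnames are assumed), and the commented-out Get-Content line is what you would use against the real file.

```powershell
# Added example: list HOSTS entries that send hostnames anywhere other than
# loopback or the 0.0.0.0 sink, grouped by destination address.
$sample = @'
# constructed sample HOSTS content, not a real capture
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test
74.125.45.100   www.google.com google.com
74.125.45.100   google.co.uk
74.125.45.100   www.google.de
'@
$lines = $sample -split "`r?`n"
# Real use: $lines = Get-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts"

$entries = foreach ($line in $lines) {
    $text = ($line -split '#', 2)[0].Trim()      # strip comments and whitespace
    if (-not $text) { continue }
    $parts = $text -split '\s+'
    if ($parts.Count -lt 2) { continue }         # malformed line: IP with no names
    $ip = $parts[0]
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        [pscustomobject]@{ IP = $ip; Host = $name }
    }
}

# Loopback and the 0.0.0.0 sink are normal (ad-blocking lists use them);
# anything else silently re-routes the named sites and deserves a look.
$benign = @('127.0.0.1', '::1', '0.0.0.0')
$redirects = $entries | Where-Object { $benign -notcontains $_.IP }

if (-not $redirects) {
    Write-Host 'No HOSTS entries point outside loopback'
    return
}
$redirects | Group-Object -Property IP | Sort-Object -Property Count -Descending |
    ForEach-Object {
        Write-Host ("{0} <- {1} host(s): {2}" -f $_.Name, $_.Count, ($_.Group.Host -join ', '))
    }
```

One address collecting many unrelated hostnames, as in the sample, is the pattern to look for; a single vendor hostname pinned to a real address is usually a deliberate local override.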