Fixed: Win32.Fakealert.ttam



Guest
2009-08-07, 13:43
Hi,

I couldn't find any information about this thread on your website.

Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

I hope it's a false positive, because it is a registry entry of the - as I think - trustworthy program "phraseexpress.exe".

This program is a global autotext tool, which tracks the keyboard entries to find matching autotexts.

What does "Win32.Fakealert.ttam" mean?
Why is this entry detected as threat?



Operating System (Windows XP Media Center Edition)
Browser and Version (Internet Explorer 8, FireFox 3.5.1)
Version of Spybot S&D 1.6.2.46
Date of the latest update 29th July 2009
where did the false positive occur

Scan result



Thanks a lot.

Fred232
2009-08-07, 14:54
I had the same - http://forums.spybot.info/showthread.php?t=50563

Guest
2009-08-07, 15:52
Hi Fred232,

thank you for the link.

Strange that I didn't find that thread myself.

Unfortunately the other posts don't give a hint what program the registry entry pointed to. In my case it is - as mentioned before - a safe program, as I think.
The program is still installed, no trojan activity yet. A full AV scan ended with no results.

Fred232
2009-08-07, 16:08
I think in my case I probably had something nasty at least trying to attack.

A full Spybot scan now shows OK for me, as does my updated AV checker scan. I'll just follow the given advice for now and leave the key in Spybot's quarantine/recovery section and see what occurs.

If I find a program complaining of a missing key or not running, I can always recover the key and see what happens.

In the meantime, I'll keep an eye on both posts.


PCs, don't you just luv 'em :)

Yodama
2009-08-10, 07:54
hello,

thank you for reporting this issue.
I think we need to narrow our detection rules on this since the registry key appears to be used by legit and malicious software alike.

Changes will be released with the next detection update scheduled for Wednesday 2009-08-12.

Fred232
2009-08-10, 12:49
Yodama, sorry for 'butting in' to this post, but I was having a similar report http://forums.spybot.info/showthread.php?t=50563 and at the mo have followed advice to leave the key in recovery/quarantine.

How do I tell for sure if my key is part of the trojan/virus or part of a needed reg key for a genuine package?

Do I need to recover the key, if so whats the best way?

Is there a way to check for sure? (The only info I have is in the other linked post).

Thanks

Yodama
2009-08-11, 07:15
hello Fred232,

I believe the best way is to send in the recovery file so we can check what was referenced. Having the referenced file for analysis would also be helpful in telling if yours is a legit or malicious case.

For instance, the registry references this:
[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\Programme\\PhraseExpress\\phraseexpress.exe" <- path to file we need to check.

So I am proposing 2 steps:
1. You send us the recovery file and we look into it to see what file is referenced. We will tell you the path and file we need to check.
2. You send us the file requested.

Alternatively you can extract the recovery file and use a text editor to read it, check for the referenced file yourself and send it in directly.

Send to detections@spybot.info with a link to this thread.

bartelsmedia
2009-08-11, 12:07
Hi,

I am with Bartels Media GmbH, the maker of PhraseExpress.

PhraseExpress includes a keyboard hook to provide the desired text replacement functionality.

Be assured that PhraseExpress does not contain any malicious code. All PhraseExpress programs including installers are digitally signed and we are a registered company based in Germany.

Please find more information at http://www.phraseexpress.com/spyware.htm (http://www.phraseexpress.com/spyware.htm)

Spybot makers, please add this file to the whitelist: http://www.phraseexpress.com/phraseexpress.exe

and all files contained in this archive: http://www.phraseexpress.com/PhraseExpress_USB.zip

Fred232
2009-08-11, 12:31
Yodama - thanks for the response.

From my report files for the fix, this is all it reports:

Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

If I look in recovery in Spybot itself for the key, and select it, all it shows is:

ClassID
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

That's all.

In recovery, I can only find the option to recover, which I assume will put the key back.

How do I export it as text file to send to you? Or is the above sufficient?


Thanks.

miciotta62
2009-08-11, 20:19
The same on my XP Media Center...

Yesterday, after the Spybot definitions update:

--- Search result list ---

Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, nothing done)

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---



I updated and scanned, and Spybot found this infected key in the registry....

NOTHING with my antivirus, Spyware Terminator, SUPERAntiSpyware and Malwarebytes' Anti-Malware!

Is it a false positive or a real infection? What should I do?


Thanks and kisses!!!


Is it OK if I delete it, or ???

wozofoz
2009-08-12, 12:06
Hi all :)

Another PhraseExpress user here.

I did a SpyBot (fully updated) search yesterday and got this Win32.Fakealert.ttam 'Trojan' that Fred232 mentioned in Post# 9
I 'Fixed' it and it now sits in Quarantine.

I have since used PhraseExpress and even checked for an update for it through the program.

Today I checked for SpyBot updates then did another search and got the same Win32.Fakealert.ttam 'Trojan'
Using SpyBot I went to the source and found it to be:
PhraseExpress.DocHostUIHandler

I decided to search the web for info and here I am.

My NetBook is running smooth, no problems that I can see.
I do trust Bartels Media GmbH but just want to make sure some horrid nasty is not using PhraseExpress as cover ;)
I will check back here later to see if the issue has been resolved.

Thanks for the fantastic SpyBot Search & Destroy (great name by the way :D )

All the best, woz of oz

miciotta62
2009-08-12, 20:12
But I don't have this program: PhraseExpress!

Now, is it a false positive or a real trojan? Help me????

Fred232
2009-08-12, 21:22
Yodama - sorry, but what do I do?

Not sure if what I have is a false deleted key, or a correctly removed nasty.

miciotta62
2009-08-12, 23:41
From Symantec (it's a big virus!!!):

"VirusMelt is a misleading application that gives exaggerated reports about the malware present on the computer. The file is 1880576 bytes long. It can be installed on the Microsoft operating systems Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003. The program must be installed manually.

The application displays an alert image about potential threats installed on the system. The application gives the following false or exaggerated reports about malware threatening the security of the computer:

BAT.Looper Packed.Win32.PolyCrypt SpamTool.Win32.Delf.h Trojan-IM.Win32.Faker.a Trojan-PSW.BAT.Cunter Trojan-PSW.VBS.Half Trojan-PSW.Win32.Antigen.a Trojan-PSW.Win32.Delf.d Trojan-PSW.Win32.Dripper Trojan-PSW.Win32.Fantast Trojan-PSW.Win32.Hooker Trojan-SMS.J2ME.RedBrowser.a Trojan-Spy.HTML.Bankfraud.ix Trojan-Spy.HTML.Bankfraud.ra Trojan-Spy.HTML.Bayfraud.hn Trojan-Spy.HTML.Citifraud Trojan-Spy.HTML.Paypal.hn Trojan-Spy.HTML.Sunfraud.a Trojan-Spy.Win32.WMPatch Trojan.BAT.AnitV.a Virus.BAT.Gray.705 Virus.BAT.IBBM.ClsV Virus.Win32.Faker.a

To remove the malware, the user is asked to purchase a full license for the application. In order to download further files, the application connects to the following address: [http://]updvms.cn:9666/Instruct[REMOVED]

When run, the program creates the following files:
C:\Documents and Settings\All Users\Application Data\System Data\vd952342.bd
C:\Documents and Settings\All Users\Application Data\System Data\mscfg.ini

So that it is run at every Windows start, the application creates the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Virus Melt" = "[PATH TO EXECUTABLE FILE] /s"

Next, the program creates the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler

Finally, the application also creates the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\"Default" = "[PATH TO EXECUTABLE FILE]"
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\"Default" = "[EXECUTABLE FILE NAME].DocHostUIHandler"
HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler\"Default" = "Implements DocHostUIHandler"
HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler\Clsid\"Default" = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "no"
HKEY_\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "1""



Now, is it correct to delete this key from my machine?????
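
As an added worked example (not code from this thread, from Bartels Media, from Safer Networking or from Symantec), the script below does what Yodama's two-step check and the Symantec write-up above both come down to: the CLSID is only a name, shared by PhraseExpress and by VirusMelt, so the thing to judge is the executable named in the LocalServer32 default (and the ProgID) under it. It assumes you exported the flagged key with regedit (File > Export, or `reg export`) to a .reg file; the two sample exports embedded in it are constructed for this example, the first using the path Yodama quoted and the ProgID wozofoz reported, the second following the VirusMelt layout with a made-up rogue path. Function names are mine.

```python
"""Added example: resolve which executable a CLSID registration points at,
from a regedit export of the key. CLSID {3F2BBC05-...} is used by both
PhraseExpress and the VirusMelt rogue, so only the LocalServer32 path
(and the ProgID) tells the two apart, never the key name itself."""
import re
import sys

CLSID = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
# COM subkeys whose default value names the code implementing the class
SERVER_SUBKEYS = ("LocalServer32", "InprocServer32", "InprocHandler32")

# Constructed sample: a regedit export of the key on a machine where
# PhraseExpress registered it (path as quoted in the thread).
PHRASEEXPRESS_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\Programme\\PhraseExpress\\phraseexpress.exe"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@="PhraseExpress.DocHostUIHandler"
'''

# Constructed, hypothetical sample following the VirusMelt layout from the
# Symantec write-up: same CLSID, different owner. The rogue.exe path and
# ProgID are made up for this example, not taken from the write-up.
ROGUE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="\"C:\\Documents and Settings\\User\\Desktop\\rogue.exe\" /s"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@="rogue.DocHostUIHandler"
'''


def _unescape(value):
    """Turn a .reg string literal back into its REG_SZ contents.
    regedit escapes backslash and double quote with a backslash."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value  # dword:/hex: values are kept raw


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    A key's default value is stored under the name "(Default)"."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")   # "[-HKEY..." marks a deletion
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue                            # hex continuation lines etc.
        name = name.strip('"')
        if name in ("@", "Default"):
            name = "(Default)"
        keys[current][name] = _unescape(value)
    return keys


def executable_from_command(cmd):
    """LocalServer32 holds a command line; return just the program
    ('"C:\\x.exe" /s' -> 'C:\\x.exe'). Unquoted commands are returned whole,
    since a path with spaces cannot be told apart from arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd


def triage_clsid(text, clsid=CLSID):
    """Return the ProgID and the server path(s) registered for clsid.
    Those paths are the files to check (hash, signature, vendor)."""
    keys = parse_reg(text)
    base = f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}".lower()
    result = {"progid": None, "servers": {}}
    for key, values in keys.items():
        head, _, sub = key.rpartition("\\")
        if head.lower() != base or "(Default)" not in values:
            continue
        if sub == "ProgID":
            result["progid"] = values["(Default)"]
        elif sub in SERVER_SUBKEYS:
            result["servers"][sub] = executable_from_command(values["(Default)"])
    return result


if __name__ == "__main__":
    # regedit 5.00 exports are UTF-16 with a BOM; pass an exported file,
    # or run with no argument to see both constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            samples = {"exported": fh.read()}
    else:
        samples = {"PhraseExpress": PHRASEEXPRESS_REG, "rogue": ROGUE_REG}
    for label, text in samples.items():
        info = triage_clsid(text)
        print(f"{label}: ProgID={info['progid']!r}")
        for sub, path in info["servers"].items():
            print(f"  {sub} -> {path}   <- file to check")
```

On the live machine the same lookup is `reg query "HKCR\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32"`; whatever path comes back is the file to hash, to check the Authenticode signature of (Bartels Media states above that its binaries are signed) and, if still in doubt, to send in as Yodama asked. If the key points at a PhraseExpress binary that is installed and signed, the detection is the false positive discussed here; if it points at an unknown file in a data or temp folder, the key is a symptom and the file is the actual finding.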

Yodama
2009-08-14, 13:10
hello,

I will try to make it short to lessen confusion ;)

If the following key was the only item from Win32.Fakealert.ttam that flagged, then it is a false positive and you should recover it if you previously deleted it:
Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, nothing done)

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}


If there were Win32.Fakealert.ttam files detected along with this, then it was not a false positive.


@bartelsmedia
other than the CLSID named above, the rest of your software should not be picked up by Spybot S&D falsely.

@miciotta62
there are also other legit programs other than PhraseExpress which use this key

I only used PhraseExpress as an example so you can find the correct location in the registry that is important for identifying whether this registry key is used by legit or malicious software.

@fred232, @miciotta62
please try this:

click on the Windows start button
then on "Run..."
then copy and paste the following: c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
this will open the Spybot S&D recovery folder
look for a file that contains Fakealert.ttam in its name
copy this file to your desktop and attach it to your next post or an email with a link to this thread to detections@spybot.info

miciotta62
2009-08-14, 13:31
OK, I'll try....

Now, this key:

If the following key was the only item from Win32.Fakealert.ttam that flagged, then it is a false positive and you should recover it if you previously deleted it
Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, nothing done)

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}


is a false positive?


How do I get this key back on my PC????

I clicked on "REPAIR".... Does this key still exist, or was it deleted? THANKS

Fred232
2009-08-14, 15:39
Yodama, many thanks, attachment sent by email

miciotta62
2009-08-14, 20:18
Yodama, this is my log....


this is the backups folder:

http://rapidshare.com/files/267385087/spybot.zip.html


Is it a false positive? Do I delete it or RESTORE it? How?

thanks....:)

Fred232
2009-08-17, 20:54
Yodama,

Thanks for the email reply.

I'll recover the key and update Spybot and re-scan on Thurs.


Thanks for your assistance and info.

Fred232
2009-08-20, 12:20
OK,

I recovered the key, checked it had recovered with Regedit. Then updated Spybot and did a full scan.

Nothing found.

I guess that's fixed the false positive for me.

Thanks for your assistance.

PS - I do still have an issue though, in that SCANs seem to have stopped finding cookies as they used to. Monitoring this post - http://forums.spybot.info/showthread.php?t=50593 which seems the same issue.


Once again, Thanks for your help.