
Thread: Win32.Fakealert.ttam query

  1. #11
    Junior Member
    Join Date
    Aug 2009
    Posts
    2

    Default

    Hi,

    I am with Bartels Media GmbH, the maker of PhraseExpress.

    PhraseExpress includes a keyboard hook to provide the desired text replacement functionality.

    Be assured that PhraseExpress does not contain any malicious code. All PhraseExpress programs including installers are digitally signed and we are a registered company based in Germany.

    Please find more information at http://www.phraseexpress.com/spyware.htm

  2. #12
    Junior Member
    Join Date
    Apr 2009
    Posts
    26

    Question help

    Yesterday after the spybot update definitions:

    --- Search result list ---

    Win32.Fakealert.ttam: [SBI $CB1B5484] ID di classe (Chiave di registro, nothing done)

    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---



    i update and scan and spybot have try this infect key in register....

    NONE with my antivirus, spywareterminator, superantispyware and Anti-MalwareBytes !

    Is it a FALSE POSITIVE or a real infection? What should I do?


    thank and kiss !!!

  3. #13
    Junior Member
    Join Date
    Apr 2009
    Posts
    26

    Default re

    I do not have the program...

    PhraseExpress


    What should I do? Help me?

    Is it a false positive or ???

  4. #14
    Senior Member
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    Default

    Hi miciotta62,

    did you update Spybot yesterday? If not, update it and run another scan. Does Spybot still find this entry?
    Best regards - Beste Grüße,

    Matt

  5. #15
    Junior Member
    Join Date
    Apr 2009
    Posts
    26

    Exclamation re

    ok....but at last scan after this INFECT i try this

    key in REPAIR (quarantine ?) !


    I updated yesterday and re-scanned, and no infection.

    but now, this key is not in quarantine or ?

    thanks and kiss !

  6. #16
    Junior Member
    Join Date
    Nov 2008
    Posts
    22

    Default

    yer, I'm not sure what to do now either?

    After the previous upgrade around 5-8-09, this key was detected on my system.

    I allowed Spybot to quarantine it following this thread (above), as at the time it definitely looked like a real problem.

    Now I'm not so sure, the key is now still in recovery.

    I've also been awaiting a reply from Yodama in this thread - http://forums.spybot.info/showthread.php?t=50604 (post 9 and 13) as to what to do next?

    How do I export the key from 'recovery' as per Yodama's request?
    Or should I just recover the key, then update and re-scan?
    Last edited by Fred232; 2009-08-13 at 20:44.

  7. #17
    Junior Member
    Join Date
    Apr 2009
    Posts
    26

    Exclamation re

    i repeat:


    scan with the old update and found this infect KEY REGISTER !

    i click on REPAIR (and this KEY go to delete or in quarantine ???)

    now yesterday i download the new update and re-scan

    and NO INFECT KEY found.


    ok ?


    but this key infect is real infect or a false/positive ?

    thanks

  8. #18
    Junior Member
    Join Date
    Jun 2009
    Posts
    2

    Default

    This also seems to turn up as a false positive for users of PhraseExpress. (I've seen others report this in another thread here.) That product watches keyboard entry for shortcuts that it replaces with longer phrases. SpyBot has been turning up this item daily, and I just went into settings and checked it to be ignored. (Now I hope I don't end up with the REAL win32.fakealert.ttam somewhere else. The reason I wonder about that is that I have SpyBot set to automatically fix spyware it finds. It's been fixing this, but that doesn't seem to have disabled my PhraseExpress.)
    Last edited by btreloar; 2009-08-21 at 16:08.

  9. #19
    Junior Member
    Join Date
    Nov 2008
    Posts
    22

    Default

    btreloar, I believe the false positive report for this key has been fixed in the last Spybot update, earlier this week.

    Certainly, after restoring my key, then loading the new update, Spybot did not re-report it for me.

  10. #20
    Junior Member
    Join Date
    Feb 2010
    Posts
    1

    Default

    I apologize if this should be posted in its own thread.

    Landed at Spybot because a PC is getting pop ups, fake virus alerts. "Buy our software to fix this issue", etc etc...

    Booted with ERD commander, and "SA9156.exe" is in AUTORUNS. Search on file name on "C:\" locates file in hidden folder "91567FD".

    Search in registry locates file name in registry key created for "implements DocHostUIHandler" with reference back to file location in hidden directory listed above in the all users program files tree.

    Google searches on the above file name and the directory in which the file resides return nothing. I know this is the file causing the fake alerts, because after deleting it, no more pop ups.

    Updated and ran Spybot. Removed over 100 Malware and Trojan entries.

    The icon on the desktop that was linked to "SA1956.exe" was named "Security Antivirus". One of the things I assume this thing did was add redirects to my HOSTS file. A lot of entries were added that sent Google website requests to the IP address 74.125.45.100. Basically, it looked like most major flavors of Google websites, both in the US and international, got redirected to the above IP address.

    The icon was kind of cute. It looked like the head of a "Doozer" from the old TV show "Fraggle Rock". Even had a little beard and an orange hard hat. No eyes and nose. Just like a Doozer.

    There were some other redirects in the host file, that gave the URL of the website. They were under the heading "Fraud Windows Protection Suite".

    That was fun. No root kits, just a quick little job. Would be a good training tool for level I desktop support people. Sprinkled a little of everything everywhere, under different names, some hidden files, some HOSTS stuff.

    I started the reply, before I fixed the issue. Decided to post it, because of the unique file names. And because this is where I ended up when I Googled " Implements DocHostUIHandler" .and. virus
    Last edited by TedRansen; 2010-02-16 at 20:23.
