
Thread: Win32.Fakealert.ttam query

  1. #1 Junior Member (Join Date: Nov 2008, Posts: 22)

    Win32.Fakealert.ttam query

    I updated Spybot S&D today and did a full SCAN. It found 'Win32.Fakealert.ttam' and seemed to remove it OK.




    I was just wondering, as a double check, what this 'Win32.Fakealert.ttam' actually is supposed to do? Is there anything else I need to look for? Does it create Reg keys for example?

    I notice it was in the recent update definitions.

    A full scan with Spybot now passes OK, and a full scan with AVG (updated) also passes OK, so I guess it's clean again. I was just wondering what the file actually tried to do?

  2. #2 Junior Member (Join Date: Nov 2008, Posts: 22)

    I meant to add this extra info as a snippet to my original post:


    Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}



    Taken from the Spybot logs, for info.

  3. #3 Senior Member drragostea (Join Date: Jan 2008, Location: @Home, Posts: 3,674)

    Read this link:
    http://www.ca.com/us/securityadvisor....aspx?ID=72098
    -
    Basically, it is part of a rogue AV, designed to trick users into handing over their wallets.

    From Spybot's report, I wouldn't be worried because it appears to be a trace of the rogue, not the rogue itself actually being present on your system. A registry key cannot do much harm without its buddies (files). Like a car without an engine.

  4. #4 Junior Member (Join Date: May 2007, Posts: 17)

    In my case I think it's a false positive.
    This registry entry points to a TOAD application file (Quest Software).
    And I have none of the other files that appear in the above URL.

    Sorry for my English
    Last edited by atchiss; 2009-08-06 at 08:55.

  5. #5 Junior Member (Join Date: Nov 2008, Posts: 22)

    drragostea - Thanks for the info. If it was 'real' then I guess it was just a trace as you say, because I wasn't getting any nag screens etc, and haven't noticed anything funny happening.

    I guess I was a tadge concerned that, as 'atchiss' said, after I deleted it I wondered if it was a false positive, and if I've deleted a key I may need.

    Is there any way I can double check that?

    I didn't check the key beforehand, so I'm not sure what it was pointing to, or can that be established from the Spybot report?

    Any thoughts?


    Thanks for all replies and assistance.

  6. #6 Senior Member drragostea (Join Date: Jan 2008, Location: @Home, Posts: 3,674)

    atchiss' case might be different...
    A Google search on the entry "3F2BBC05-40DF-11D2-9455-00104BC936FF" gave me mixed results, and not one of them was positive. The first few results came back with Trojan. entries. I found that threatexpert.com made a reference to the key that was detected on your machine.

    http://www.threatexpert.com/report.a...25dbc4354c98e7
    Quote: I guess I was a tadge concerned that, as 'atchiss' said, after I deleted it I wondered if it was a false positive, and if I've deleted a key I may need.
    I doubt you'll need that flagged key for anything. I doubt this is a FP.
    The safest place for it to be is removed and kept in the Quarantine/Recovery area. You can always recover it just in case, but you should remove it for now.

    Like I said before, the registry key is missing the big guys. Ergo: no nag screens, pop-ups, etc.

  7. #7 Junior Member (Join Date: Nov 2008, Posts: 22)

    drragostea - OK thanks for your assistance and advice.

    I'll leave as is.

  8. #8 Junior Member (Join Date: Nov 2008, Posts: 22)

    EDIT: Added a link to this post http://forums.spybot.info/showthread.php?t=50604 for info for others who see this report, and for me to track it.

    The key is still in Spybot quarantine/recovery for me at the moment.

  9. #9 Junior Member (Join Date: Aug 2009, Posts: 1)

    False alarm for win32.fakealert.ttam?

    Is it possible that a legitimate product would register the same class ID as win32.fakealert.ttam? A Spybot S&D full scan today turned up this trojan in its results, but when I jumped to the location in the registry I found LocalServer32 and ProgID subkeys under it pointing to Quest Software's installer program (qi.exe). Coincidentally, I have installed an updated version of Quest's TOAD program since the last clean full scan too.

    Does this mean that:

    (a) it was a false alarm because Quest has registered the same class ID that the trojan uses? -or-
    (b) Quest's program (downloaded directly from their web site) is infected?

    Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

    This is the exported data for that classid from my registry.

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
    @="Implements DocHostUIHandler"

    [HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
    @="C:\\PROGRA~1\\QUESTS~1\\QUESTI~1\\QI.exe"

    [HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
    @="QI.DocHostUIHandler"

  10. #10 Guest (Join Date: Dec 2008, Posts: 0)

    Quote Originally Posted by drragostea:
    Read this link:
    http://www.ca.com/us/securityadvisor....aspx?ID=72098
    -
    Basically, it is part of a rogue AV, designed to trick users into handing over their wallets.

    From Spybot's report, I wouldn't be worried because it appears to be a trace of the rogue, not the rogue itself actually being present on your system. A registry key cannot do much harm without their buddies (files). Like a car without an engine.
    Hi,

    Why do you connect THIS Class ID with this trojan? I couldn't find anything about this registry entry on the linked page.

    Please see this post http://forums.spybot.info/showthread.php?t=50604

    This is the whole key in my registry:
    [HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
    @="Implements DocHostUIHandler"

    [HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
    @="C:\\Programme\\PhraseExpress\\phraseexpress.exe"

    [HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
    @="phraseexpress.DocHostUIHandler"

    Absolutely unspectacular, I think.

    You can find more about this program here: http://www.phraseexpress.com/

    Thank you very much.
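Posts #9 and #10 show the same CLSID registered with the same default value ("Implements DocHostUIHandler") but with LocalServer32 pointing at two different products (Quest's QI.exe and PhraseExpress), which is the practical answer to the "how can I double check?" question in post #5: the CLSID alone does not tell you who owns the registration, the server binary does. The script below is an added example, not code from the thread or from Spybot. It takes the CLSID reported in this thread, reads the real hives that HKEY_CLASSES_ROOT merges (machine-wide, the 32-bit view on 64-bit Windows, and per-user, where a registration can hide), prints the ProgID and server values, and for each server binary that exists reports its Authenticode status, signer and SHA-256 so you can decide between "false positive on a legitimate product" and "leftover trace with no file behind it". The key paths and the regex that strips quotes and arguments from the server value are my assumptions about typical registrations, not something the thread states.

```powershell
# Added example (not from the thread or from Spybot): show what a flagged
# CLSID actually resolves to before deciding "false positive" or "trace".
# The CLSID is the one reported in this thread.
$clsid = '{3F2BBC05-40DF-11D2-9455-00104BC936FF}'

# HKEY_CLASSES_ROOT is a merged view of the machine-wide and per-user Classes
# hives, so inspect the underlying hives (plus the 32-bit view on 64-bit
# Windows) and report every registration separately. Assumed standard paths.
$roots = @(
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\$clsid",
    "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$clsid"
)

foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    "== $root"
    "   (default) = " + (Get-ItemProperty -Path $root).'(default)'

    foreach ($sub in 'ProgID', 'LocalServer32', 'InprocServer32') {
        $subKey = Join-Path -Path $root -ChildPath $sub
        if (-not (Test-Path -Path $subKey)) { continue }
        $value = (Get-ItemProperty -Path $subKey).'(default)'
        "   $sub = $value"
        if ($sub -notlike '*Server32') { continue }

        # The server value may be quoted and may carry arguments; keep only the
        # executable/DLL path, then expand any %ENV% references.
        $m = [regex]::Match($value, '^"?([^"]+?\.(?:exe|dll))', 'IgnoreCase')
        $path = if ($m.Success) { $m.Groups[1].Value } else { $value }
        $path = [Environment]::ExpandEnvironmentVariables($path)

        if (-not (Test-Path -Path $path -PathType Leaf)) {
            # Key present, file gone: the "car without an engine" case from post #3.
            "   !! server binary not found: $path (orphaned registration)"
            continue
        }

        # File present: who signed it, and what is its hash?
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $sha    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        "   file      = $path"
        "   signature = $($sig.Status)  signer: $signer"
        "   sha256    = $sha"
    }
}
```

Read the output the way the thread's posters did: a server binary that exists, sits in the vendor's install directory and carries a Valid signature from that vendor supports the false-positive reading in posts #4, #9 and #10; a key whose server path no longer exists is the trace scenario in post #3, and removing it costs nothing. If you have already let Spybot remove the key and a product later breaks, the key is still in Quarantine/Recovery, as post #6 notes, so it can be restored. The SHA-256 is what you would compare against the vendor's published hash or submit to a multi-engine scanner if the signature check is inconclusive.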
