
Thread: Win32.Fakealert.ttam

  1. #11
    Junior Member wozofoz
    Join Date
    Aug 2009
    Posts
    1


    Hi all

    Another PhraseExpress user here.

    I did a SpyBot (fully updated) search yesterday and got this Win32.Fakealert.ttam 'Trojan' that Fred232 mentioned in Post #9.
    I 'Fixed' it and it now sits in Quarantine.

    I have since used PhraseExpress and even checked for an update for it through the program.

    Today I checked for SpyBot updates, then did another search and got the same Win32.Fakealert.ttam 'Trojan'.
    Using SpyBot I went to the source and found it to be:
    PhraseExpress.DocHostUIHandler

    I decided to search the web for info and here I am.

    My NetBook is running smooth, no problems that I can see.
    I do trust Bartels Media GmbH but just want to make sure some horrid nasty is not using PhraseExpress as cover.
    I will check back here later to see if the issue has been resolved.

    Thanks for the fantastic SpyBot Search & Destroy (great name by the way).

    All the best, woz of oz

  2. #12
    Junior Member
    Join Date
    Apr 2009
    Posts
    26

    re

    But I don't have this program: PhraseExpress!

    Now, is it a false positive or a real trojan? Help me!

  3. #13
    Junior Member
    Join Date
    Nov 2008
    Posts
    22


    Yodama - sorry, but what do I do?

    Not sure if what I have is a false deleted key, or a correctly removed nasty.

  4. #14
    Junior Member
    Join Date
    Apr 2009
    Posts
    26

    re

    From SYMANTEC (it is a big virus!!!):

    "VirusMelt is a misleading application that gives exaggerated reports about the malware present on the computer. The file is 1880576 bytes long. It can be installed on the Microsoft operating systems: Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Server 2003. The program must be installed manually.

    The application displays an alarm image about potential threats installed on the system. The application gives the following false or exaggerated reports about malware threatening the security of the computer:

    BAT.Looper Packed.Win32.PolyCrypt SpamTool.Win32.Delf.h Trojan-IM.Win32.Faker.a Trojan-PSW.BAT.Cunter Trojan-PSW.VBS.Half Trojan-PSW.Win32.Antigen.a Trojan-PSW.Win32.Delf.d Trojan-PSW.Win32.Dripper Trojan-PSW.Win32.Fantast Trojan-PSW.Win32.Hooker Trojan-SMS.J2ME.RedBrowser.a Trojan-Spy.HTML.Bankfraud.ix Trojan-Spy.HTML.Bankfraud.ra Trojan-Spy.HTML.Bayfraud.hn Trojan-Spy.HTML.Citifraud Trojan-Spy.HTML.Paypal.hn Trojan-Spy.HTML.Sunfraud.a Trojan-Spy.Win32.WMPatch Trojan.BAT.AnitV.a Virus.BAT.Gray.705 Virus.BAT.IBBM.ClsV Virus.Win32.Faker.a

    To remove the malware, the user is asked to purchase a full license for the application. In order to download additional files, the application connects to the following address: [http://]updvms.cn:9666/Instruct[REMOVED]

    When run, the program creates the following files:
    C:\Documents and Settings\All Users\Application Data\System Data\vd952342.bd
    C:\Documents and Settings\All Users\Application Data\System Data\mscfg.ini

    In order to be run at every Windows startup, the application creates the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Virus Melt" = "[PATH OF EXECUTABLE FILE] /s"

    Next, the program creates the following registry keys:
    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
    HKEY_CLASSES_ROOT\[NAME OF EXECUTABLE FILE].DocHostUIHandler

    Finally, the application also creates the following registry keys:
    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\"Default" = "[PATH OF EXECUTABLE FILE]"
    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\"Default" = "[NAME OF EXECUTABLE FILE].DocHostUIHandler"
    HKEY_CLASSES_ROOT\[NAME OF EXECUTABLE FILE].DocHostUIHandler\"Default" = "Implements DocHostUIHandler"
    HKEY_CLASSES_ROOT\[NAME OF EXECUTABLE FILE].DocHostUIHandler\Clsid\"Default" = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "no"
    HKEY_\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "1""

    Now, is it correct to delete this machine key?

  5. #15
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    hello,

    I will try to make it short to lessen confusion.

    If the following key was the only item from Win32.Fakealert.ttam that was flagged, then it is a false positive and you should recover it if you previously deleted it:
    Win32.Fakealert.ttam: [SBI $CB1B5484] ID di classe (Chiave di registro, nothing done)

    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}


    If there were Win32.Fakealert.ttam files detected along with this, then it was not a false positive.


    @bartelsmedia
    other than the CLSID named above the rest of your software should not be picked up by Spybot S&D falsely.

    @miciotta62
    there are also other legit programs other than PhraseExpress which use this key

    I only used PhraseExpress as an example so you can find the correct location in the registry, which is important for identifying whether this registry key is used by legitimate or malicious software.

    @fred232, @miciotta62
    please try this:
    • click on the Windows start button
    • then on "Run..."
    • then copy and paste the following: c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
    • this will open the Spybot S&D recovery folder
    • look for a file that contains Fakealertttam in its name
    • copy this file to your desktop and attach it to your next post or an email with a link to this thread to detections@spybot.info
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.
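Yodama's point is that the CLSID itself is shared by legitimate software, so what decides between a false positive and a real VirusMelt infection is which executable the CLSID points to, plus whether the other artifacts from the Symantec description (the dropped files, the "Virus Melt" Run entry, the weakened Internet Explorer signature checks) are present. The following script is an added example, not code from the thread, from Spybot or from Symantec; it assumes Windows PowerShell with the registry provider, and every CLSID, file name and value it looks at is the one quoted in the posts above. The helper names (Get-ClsidTriage, Get-VirusMeltArtifacts) are my own.

```powershell
# Added example (not from the thread). Triage the CLSID that Spybot flagged as
# Win32.Fakealert.ttam: report the executable it is registered to and whether
# that binary carries a valid Authenticode signature, then check the other
# VirusMelt artifacts quoted from Symantec. Assumes Windows PowerShell.

$Clsid = '{3F2BBC05-40DF-11D2-9455-00104BC936FF}'   # CLSID from the thread

function Get-ClsidTriage {
    param([string]$Clsid)

    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Clsid = $Clsid; Present = $false }
    }

    # Get-ItemProperty exposes a key's default value under the name "(default)".
    $progId = (Get-ItemProperty -LiteralPath "$key\ProgID" -ErrorAction SilentlyContinue).'(default)'
    $server = (Get-ItemProperty -LiteralPath "$key\LocalServer32" -ErrorAction SilentlyContinue).'(default)'

    # LocalServer32 is usually "C:\path\app.exe" or C:\path\app.exe /args;
    # strip quotes and arguments to recover the file path.
    $exe = $null
    if ($server) {
        if ($server -match '^"([^"]+)"')       { $exe = $Matches[1] }
        elseif ($server -match '^(\S+?\.exe)') { $exe = $Matches[1] }
        else                                   { $exe = $server.Trim() }
    }

    $exeExists = [bool]($exe -and (Test-Path -LiteralPath $exe))
    $signer = $null
    $sigStatus = 'n/a'
    if ($exeExists) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Clsid       = $Clsid
        Present     = $true
        ProgID      = $progId
        LocalServer = $server
        ExePath     = $exe
        ExeExists   = $exeExists
        Signer      = $signer
        SigStatus   = $sigStatus
    }
}

function Get-VirusMeltArtifacts {
    # File drops and registry values named in the Symantec description quoted
    # in the thread. CommonApplicationData is "All Users\Application Data" on
    # XP and ProgramData on later Windows versions.
    $dataDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'System Data'
    $files = @('vd952342.bd', 'mscfg.ini') | ForEach-Object {
        $p = Join-Path $dataDir $_
        [pscustomobject]@{ Path = $p; Exists = (Test-Path -LiteralPath $p) }
    }

    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    $dl  = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Download' -ErrorAction SilentlyContinue

    # CheckExeSignatures = "no" and RunInvalidSignatures = 1 are the values the
    # rogue sets so that unsigned downloads run without a prompt.
    $weakened = ("$($dl.CheckExeSignatures)" -eq 'no') -or ("$($dl.RunInvalidSignatures)" -eq '1')

    [pscustomobject]@{
        DroppedFiles            = $files
        RunVirusMelt            = $run.'Virus Melt'
        CheckExeSignatures      = $dl.CheckExeSignatures
        RunInvalidSignatures    = $dl.RunInvalidSignatures
        SignatureChecksWeakened = $weakened
    }
}

$triage = Get-ClsidTriage -Clsid $Clsid
$triage | Format-List
Get-VirusMeltArtifacts | Format-List

if ($triage.Present -and $triage.ExeExists -and $triage.SigStatus -eq 'Valid') {
    Write-Output "CLSID is registered to a signed binary ($($triage.Signer)); on its own this matches the false-positive case described in the thread."
} elseif ($triage.Present) {
    Write-Output "CLSID points to an unsigned or missing binary; review the dropped files and Run entry above before restoring anything from Spybot's recovery folder."
}
```

Run it in the account that Spybot scanned, since the Run and Internet Explorer\Download values live under HKEY_CURRENT_USER. If Spybot has already removed the CLSID key, Present comes back $false and the script cannot tell you anything about the executable; restore the key from the recovery folder first, as Yodama describes, and then run the check.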

  6. #16
    Junior Member
    Join Date
    Apr 2009
    Posts
    26

    re

    OK, I'll try...

    Now, this key:

    If the following key was the only item from Win32.Fakealert.ttam that flagged, then it is a false positive and you should recover it if you previously deleted it
    Win32.Fakealert.ttam: [SBI $CB1B5484] ID di classe (Chiave di registro, nothing done)

    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}



    is it a false positive?


    How do I restore this key on my PC?

    I clicked on "REPAIR"... does this key exist or is it deleted? THANKS

  7. #17
    Junior Member
    Join Date
    Nov 2008
    Posts
    22


    Yodama, many thanks, attachment sent by email

  8. #18
    Junior Member
    Join Date
    Apr 2009
    Posts
    26

    log

    Yodama, this is my log...


    This is the backups folder:

    http://rapidshare.com/files/267385087/spybot.zip.html


    Is it a false positive? Do I delete it or RESTORE it? How?

    thanks....

  9. #19
    Junior Member
    Join Date
    Nov 2008
    Posts
    22


    Yodama,

    Thanks for the email reply.

    I'll recover the key and update Spybot and re-scan on Thurs.


    Thanks for your assistance and info.

  10. #20
    Junior Member
    Join Date
    Nov 2008
    Posts
    22


    OK,

    I recovered the key, checked it had recovered with Regedit. Then updated Spybot and did a full scan.

    Nothing found.

    I guess that's fixed the False Positive for me.

    Thanks for your assistance.

    PS - I do still have an issue though, in that SCANs seem to have stopped finding cookies as they used to. Monitoring this post - http://forums.spybot.info/showthread.php?t=50593 which seems the same issue.


    Once again, Thanks for your help.
