
Thread: Win32.Fakealert.ttam

  1. #1
    Guest
    Join Date
    Dec 2008
    Posts
    0

    Win32.Fakealert.ttam

    Hi,

    I couldn't find any information about this thread on your website.

    Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registrierungsdatenbank-Schlüssel, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

    I hope it's a false positive, because it is a registry entry of the - as I think - trustworthy program "phraseexpress.exe".

    This program is a global autotext tool, which tracks the keyboard entries to find matching autotexts.

    What does "Win32.Fakealert.ttam" mean?
    Why is this entry detected as a threat?


    • Operating System (Windows XP Media Center Edition)
    • Browser and Version (Internet Explorer 8, FireFox 3.5.1)
    • Version of Spybot S&D 1.6.2.46
    • Date of the latest update 29th July 2009
    • where did the false positive occur
      • Scan result


    Thanks a lot.

  2. #2
    Junior Member
    Join Date
    Nov 2008
    Posts
    22

  3. #3
    Guest
    Join Date
    Dec 2008
    Posts
    0


    Hi Fred232,

    thank you for the link.

    Strange that I didn't find that thread myself.

    Unfortunately the other posts don't give a hint what program the registry entry pointed to. In my case it is - as mentioned before - a safe program, as I think.
    The program is still installed, no trojan activity yet. A full AV-scan ended with no results.

  4. #4
    Junior Member
    Join Date
    Nov 2008
    Posts
    22


    I think in my case I probably had something nasty at least try to attack.

    A full Spybot Scan now shows OK for me, as does my updated AV checker SCAN. I'll just follow the given advice for now and leave the key in Spybot's quarantine/recovery section and see what occurs.

    If I find a program complaining of a missing key or not running, I can always recover the key and see what happens.

    In the meantime, I'll keep an eye on both posts.


    PCs, don't you just luv 'em

  5. #5
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    hello,

    thank you for reporting this issue.
    I think we need to narrow our detection rules on this since the registry key appears to be used by legit and malicious software alike.

    Changes will be released with the next detection update scheduled for Wednesday 2009-08-12.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  6. #6
    Junior Member
    Join Date
    Nov 2008
    Posts
    22


    Yodama, sorry for 'butting in' to this post, but I was having a similar report http://forums.spybot.info/showthread.php?t=50563 and at the mo have followed advice to leave the key in recovery/quarantine.

    How do I tell for sure if my key is part of the trojan/virus or part of a needed reg key for a genuine package?

    Do I need to recover the key, if so what's the best way?

    Is there a way to check for sure? (The only info I have is in the other linked post).

    Thanks

  7. #7
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    hello Fred232,

    I believe the best way is to send in the recovery file so we can check what was referenced. Having the referenced file for analysis would also be helpful in telling if yours is a legit or malicious case.

    For instance begesp registry references this:
    [HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
    @="C:\\Programme\\PhraseExpress\\phraseexpress.exe" <- path to file we need to check.

    So I am proposing 2 steps:
    1. You send us the recovery file and we look into it to see what file is referenced. We will tell you the path and file we need to check.
    2. You send us the file requested.

    Alternatively you can extract the recovery file and use a text editor to read it, check for the referenced file yourself and send it in directly.

    Send to detections@spybot.info with a link to this thread.
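The check described in post #7, reading the key's `LocalServer32` entry to see which file it references, as an added example that is not part of the original thread or Spybot's own tooling. It assumes the key is available as `.reg`-style text like the snippet quoted in the post; the function names and the second sample key are constructed for illustration.

```python
import re

# Subkeys of a CLSID whose default value names the file implementing the COM class.
SERVER_SUBKEYS = ("localserver32", "inprocserver32")

# Constructed sample: the first key is the one quoted in the thread,
# the second is a made-up unrelated class that must be ignored.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\Programme\\PhraseExpress\\phraseexpress.exe"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Windows\\example.dll"
"""

def command_to_path(command):
    """Strip quotes and arguments from a server command line, leaving the file path."""
    m = re.match(r'"([^"]+)"', command) or re.match(
        r"(.*?\.(?:exe|dll|ocx))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command

def referenced_servers(reg_text, clsid):
    """Return {subkey: file path} for one CLSID found in .reg-style text."""
    wanted = "\\clsid\\" + clsid.lower() + "\\"
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(wanted)
            sub = key[idx + len(wanted):] if idx >= 0 else ""
            current = sub if sub.lower() in SERVER_SUBKEYS else None
        elif current and line.startswith("@="):
            m = re.match(r'@="((?:[^"\\]|\\.)*)"', line)
            if m:
                # .reg files escape backslashes and quotes with a backslash
                value = re.sub(r'\\(["\\])', r"\1", m.group(1))
                found[current] = command_to_path(value)
    return found

if __name__ == "__main__":
    clsid = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
    for subkey, path in referenced_servers(SAMPLE_REG, clsid).items():
        print(f"{subkey} -> {path}")
```

The returned path is the file to submit for analysis or to check for a valid digital signature before restoring the key.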

  8. #8
    Junior Member
    Join Date
    Aug 2009
    Posts
    2


    Hi,

    I am with Bartels Media GmbH, the maker of PhraseExpress.

    PhraseExpress includes a keyboard hook to provide the desired text replacement functionality.

    Be assured that PhraseExpress does not contain any malicious code. All PhraseExpress programs including installers are digitally signed and we are a registered company based in Germany.

    Please find more information at http://www.phraseexpress.com/spyware.htm

    Spybot makers, please add this file to the whitelist: http://www.phraseexpress.com/phraseexpress.exe

    and all files contained in this archive: http://www.phraseexpress.com/PhraseExpress_USB.zip
    Last edited by bartelsmedia; 2009-08-11 at 12:08.

  9. #9
    Junior Member
    Join Date
    Nov 2008
    Posts
    22


    Yodama - thanks for the response.

    From my report files for the fix, this is all it reports:

    Win32.Fakealert.ttam: [SBI $CB1B5484] Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

    If I look in recovery in Spybot itself for the key, and select it, all it shows is:

    ClassID
    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

    That's all.

    In recovery, I can only find the option to recover, which I assume will put the key back.

    How do I export it as text file to send to you? Or is the above sufficient?


    Thanks.

  10. #10
    Junior Member
    Join Date
    Apr 2009
    Posts
    26

    help

    the same in my xp media center ...

    Yesterday after the spybot update definitions:

    --- Search result list ---

    Win32.Fakealert.ttam: [SBI $CB1B5484] ID di classe (Chiave di registro, nothing done)

    HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---



    i update and scan and spybot have try this infect key in register....

    NONE with my antivirus, spywareterminator, superantispyware and Anti-MalwareBytes!

    Is it a FALSE POSITIVE or a real infection? What am I to do?


    thanks and kiss!!!


    If I delete this, is it OK or ???
