
FakeAlert Trojan Recurring


markz1


Hello, I seem to have the FakeAlert Trojan. I keep getting thousands of Symantec Endpoint notifications, and many of my files were hidden. I ran the Malwarebytes software, and it didn't find anything (for reference, I had run the McAfee Stinger program previously, and it had apparently found and quarantined the virus). However, I'm still getting these Endpoint popups. I've attached the DDS text files. Thanks for your help.

DDS.txt

Attach.txt


Welcome to the forum.

Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure the "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

--------------------------------

Next...

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open; copy and paste them into a reply here (or attach them as .txt files):

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Thanks for your reply. I've attached the 3 requested files.

Also of note, I restarted the computer, and then I wasn't able to run any executable files, or use the internet. I started in safe mode with networking and now I can function.

-Mark


FSS.txt

Extras.Txt

OTL.Txt


Look through this guide and you'll see several ways to correct the .exe file problem.

Any .exe file that won't run can be renamed to .com, and it should then run.

---------------------------------

Please download and run TDSSKiller as outlined in the post below:

http://forums.malwarebytes.org/index.php?showtopic=100665&view=findpost&p=499595

Post back the log, MrC

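The rename-to-.com workaround above works because this family of fake-AV trojans hijacks the launch command that Windows uses for .exe files while normally leaving the .com association alone. The following is an added example, not part of the original thread and not code from any of the tools named in it: a read-only PowerShell check of the .exe and .com association chain, using the default values that KB 947215 restores. It assumes Windows 7 or later, an elevated prompt, and that the per-user override keys under HKCU\Software\Classes are usually absent on a clean install; it changes nothing in the registry.

```powershell
# Added example (not from the original thread): read-only check of the .exe/.com
# file-association chain that fake-AV trojans commonly hijack. Run elevated.
# Assumption: default launch command for exefile and comfile is "%1" %* (KB 947215).

$ExpectedOpenCommand = '"%1" %*'

function Get-RegistryDefault {
    param([string]$Path)
    # Returns the (Default) value of a key, or $null if the key or value is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-ExeAssociation {
    # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # so this is what the shell actually uses when you double-click a file.
    $checks = @(
        @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Expect = 'exefile' }
        @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';  Expect = $ExpectedOpenCommand }
        @{ Path = 'Registry::HKEY_CLASSES_ROOT\.com';                       Expect = 'comfile' }
        @{ Path = 'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command';  Expect = $ExpectedOpenCommand }
    )
    foreach ($c in $checks) {
        $actual = Get-RegistryDefault -Path $c.Path
        if ($null -eq $actual)          { $status = 'MISSING' }
        elseif ($actual -eq $c.Expect)  { $status = 'OK' }
        else                            { $status = 'HIJACKED?' }
        [pscustomobject]@{
            Key      = $c.Path -replace '^Registry::', ''
            Expected = $c.Expect
            Actual   = $actual
            Status   = $status
        }
    }

    # Per-user class keys take precedence over HKLM for the current user and are
    # usually absent on a clean install (assumption), so their presence deserves a look:
    # a hijack planted here survives a repair of the machine-wide keys.
    $userKeys = @(
        'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
        'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
        'Registry::HKEY_CURRENT_USER\Software\Classes\.com'
        'Registry::HKEY_CURRENT_USER\Software\Classes\comfile\shell\open\command'
    )
    foreach ($k in $userKeys) {
        if (Test-Path -LiteralPath $k) {
            [pscustomobject]@{
                Key      = $k -replace '^Registry::', ''
                Expected = '(absent)'
                Actual   = Get-RegistryDefault -Path $k
                Status   = 'USER OVERRIDE'
            }
        }
    }
}

Test-ExeAssociation | Format-Table -AutoSize -Wrap
```

Anything other than "%1" %* in an open\command value (typically a path to a file under the user's profile that then launches the real program) is the hijack; repairing it is exactly what the .reg fix in KB 947215 does, and a comfile row reading OK explains why the renamed copy still runs. If the value is itself a renamed or unsigned file, note its path for the scans above rather than deleting it by hand.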

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


unhide.exe should make some of the files, etc. visible; try to download and run it.

http://download.bleepingcomputer.com/grinler/unhide.exe

----------------

Do you have any good restore points to use before all these problems started?

-------------

Are you familiar with the registry?

Here's a link that basically explains the same procedure as the video:

http://support.microsoft.com/kb/947215

ComboFix makes a backup of the registry just before it runs here:

Windows\ERDNT\hiv-backup\erdnt.exe <--- double click on this to restore the registry.

Make sure it's present in case something goes wrong.

If you're unsure on the registry...don't mess with it.

MrC


I tried unhide.exe, didn't do anything. Still no files.

I found a restore point from 12/14, called a "critical update". I performed it, and now I can login to windows in normal (not safe) mode, and my files are present.

My first question is: can I back up my files on a network drive around here? I have some very important files here that I want to backup badly, but I'm afraid of infecting the network.

The following problems are now occurring:

1) I'm frequently getting an error about a missing "dciman32.dll" file.

2) I can't use the search function. It pops up the error message "windows cannot find 'search:query=[what i searched for]' ".

3) I am still getting the Symantec Endpoint protection popups in large numbers.

Thanks for your assistance thus far, it's much appreciated.


My first question is: can I back up my files on a network drive around here? I have some very important files here that I want to backup badly, but I'm afraid of infecting the network.

Put them on a USB pen drive.

-------------------------

Please download SystemLook from one of the links below and save it to your Desktop.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main text field:

    :Filefind
    dciman32.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    C:\Windows\System32\dciman32.dll|C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\dciman32.dll /replace

  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC


Copied below is the log requested. I am still getting the same error.

========== FILES ==========

Unable to replace file: C:\Windows\System32\dciman32.dll with C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3\dciman32.dll without a reboot.

OTL by OldTimer - Version 3.2.31.0 log created on 12162011_204935

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

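The two steps above (SystemLook's :Filefind to locate every copy of dciman32.dll, then OTL's :Files ... /replace to copy the WinSxS component-store copy over System32) and the "without a reboot" result can be reproduced and checked with built-in tooling. The following is an added example, not part of the original thread and not code from SystemLook or OTL: it inventories the DLL in System32, SysWOW64 and the WinSxS GDI component directories (the thread's path shows which component carries it), compares copies by SHA-256 and version, and only writes to System32 when the restore function is called explicitly. It assumes the Windows 7 x64 layout from the thread, an elevated prompt, and Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the original thread, SystemLook or OTL).
# Inventory and optionally restore a system DLL from the WinSxS component store.
# Assumptions: Windows 7 x64 layout as in the thread, elevated prompt,
# Windows PowerShell 4.0+ (Get-FileHash). Nothing is written unless
# Restore-SystemDllFromWinSxS is called.

function Get-SystemDllInventory {
    param(
        [string]$DllName = 'dciman32.dll',
        # WinSxS directories for the component that ships this DLL; the thread's
        # path names amd64_microsoft-windows-gdi_..., hence this pattern (assumption).
        [string]$ComponentPattern = '*_microsoft-windows-gdi_*'
    )
    $files = @()
    foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
        $p = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $p) { $files += Get-Item -LiteralPath $p }
    }
    $sxs = Get-ChildItem -LiteralPath "$env:SystemRoot\winsxs" -Directory -Filter $ComponentPattern -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Filter $DllName -File -ErrorAction SilentlyContinue }
    if ($sxs) { $files += $sxs }

    foreach ($f in ($files | Where-Object { $_ })) {
        $vi  = $f.VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path      = $f.FullName
            Version   = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            Size      = $f.Length
            SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            # Most OS binaries are catalog-signed rather than embedded-signed, so 'NotSigned'
            # alone is not proof of tampering; a System32 copy whose hash matches no WinSxS
            # copy of the same version is the stronger signal.
            Signature = $sig.Status
        }
    }
}

function Restore-SystemDllFromWinSxS {
    param(
        [string]$DllName = 'dciman32.dll',
        [string]$ComponentPattern = '*_microsoft-windows-gdi_*',
        [string]$Arch = 'amd64'   # 'x86' restores the 32-bit copy in SysWOW64 on a 64-bit system
    )
    $inventory = Get-SystemDllInventory -DllName $DllName -ComponentPattern $ComponentPattern
    # Newest WinSxS copy of the requested architecture is the restore source.
    $source = $inventory |
        Where-Object { $_.Path -like "*\winsxs\${Arch}_*" } |
        Sort-Object { [version]$_.Version } -Descending |
        Select-Object -First 1
    if (-not $source) { throw "No $Arch copy of $DllName found in WinSxS" }

    $targetDir = if ($Arch -eq 'amd64') { 'System32' } else { 'SysWOW64' }
    $target    = Join-Path $env:SystemRoot "$targetDir\$DllName"
    $current   = $inventory | Where-Object { $_.Path -eq $target }
    if ($current -and $current.SHA256 -eq $source.SHA256) {
        Write-Host "$target already matches $($source.Path); nothing to do."
        return
    }
    if ($current) {
        # System32 files are owned by TrustedInstaller: take ownership, then grant
        # Administrators (well-known SID S-1-5-32-544) full control before overwriting.
        & takeown.exe /F $target | Out-Null
        & icacls.exe $target /grant '*S-1-5-32-544:F' | Out-Null
    }
    try {
        Copy-Item -LiteralPath $source.Path -Destination $target -Force -ErrorAction Stop
        Write-Host "Restored $target from $($source.Path)"
    } catch {
        # A DLL mapped into a running process cannot be overwritten; that is what OTL's
        # "Unable to replace file ... without a reboot" means (it schedules the move for
        # the next boot). Safe Mode loads fewer processes, and sfc repairs from the
        # same component store through the supported path.
        Write-Warning "Copy failed: $($_.Exception.Message). Retry from Safe Mode, or run 'sfc /scannow'."
    }
}

Get-SystemDllInventory | Format-Table -AutoSize
# Restore-SystemDllFromWinSxS   # opt in only after reviewing the inventory above
```

Run the inventory first and compare the System32 row against the amd64 WinSxS rows: if System32 is missing (the "missing dciman32.dll" error) or its hash differs from every WinSxS copy, the restore is warranted; if it already matches, the error is elsewhere and replacing it again, as in the OTL log, will not help. Note that the 32-bit copy in SysWOW64 comes from the x86_ component directory, so pass -Arch x86 for that one.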
