5 Replies Latest reply: Feb 18, 2009 5:25 PM by Wuggy RSS

    Trojan.FakeAlert scriptsn.dll EASIER FIX (I think)

      Hey Everybody! I think I found a way to save pain for those who tried to remove the FakeAlert trojan with Malwarebytes' Free Anti-Maleware program and found their system behaving strangely afterward. I downloaded and ran the program earlier this evening, scanned for the first time and removed the following (as pasted from the log file):


      Registry Keys Infected:[/B]
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7db2d5a0-7241-4e79-b68d-6309f01c5231} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{7db2d5a0-7241-4e79-b68d-6309f01c5231} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

      Files Infected:
      C:\Program Files\McAfee\VirusScan\scriptsn.dll (Trojan.FakeAlert) -> Delete on reboot.

      It then occurred to me to do some research (!) on this pesky Trojan.FakeAlert. Apparently it gets in the way of Windows Update and louses up McAfee SecurityCenter so you can't update that either. Sure enough,

      • My SecurityCenter panel came up blank when I attempted to open it from the Task Bar,
      • The window to Add/Remove McAfee SecurityCenter Program came up blank, and
      • Even the buttons at the McAfee Support web page didn't work anymore when I accessed the main McAfee Support window via my web browser. So I couldn't even access McAfee Technical Support.

      So I came here to the McAfee Community Forum and found some recent advice here:

      and here:

      That all seemed labor intensive, and I'm a lazy bum, so instead of following instructions I clicked START...RUN and ran "Windows System File Checker" by typing the text inside the following brackets but without the brackets --> (sfc /scannow). That took about five minutes to finish by itself. Then I used good ol' Google to locate McAfee Virtual Technician:

      1. https://us.mcafee.com/root/ProductUpdate.asp?cid=35172

      If the link to MVT doesn't work from that page, open the following link #2 instead to bring up Virtual Technician by itself:

      2. https://us.mcafee.com/root/mvtapp.exe

      Follow the instructions as per the usual prompts. McAfee Virtual Technician found a whack of problems and fixed some of them the first time. But here's the beauty of it: web buttons worked properly again! So I then returned to McAfee Virtual Technician through the proper path via the following link #3,

      3. http://home.mcafee.com/Root/Support.aspx?page=Support

      ...And McAfee Virtual Technician no longer finds any problems! Hiphip Hooray!

      So here's my question for the McAfee Meisters on this board: Should I do anything else? My inclination is just to thank my lucky stars and leave Malwarebytes' software alone from now on. And if this helps others to get back on their feet a little quicker, it's worth it.

      Thanks and regards, 'Wuggy'

      Forgot to mention that the machine in question has McAfee Internet Security Suite 9.2.095 / VirusScan 13.0.232 / Firewall 10.0.209 running on XPSP2. I downloaded and ran MBAM as part of a security sweep with the intention of subsequently backing up the entire system and then upgrading to XPSP3. MBAM is now uninstalled and I am proceeding with the backup.
        • 1. Groan
          No good. Users who are not Administrators on this machine are getting those creepy fake spyware protection messages. So I have to go the long route... Maybe. The fake ads don't appear under the Admin account, for some reason.

          - Successfully uninstalled and reinstalled entire McAfee suite as per link #1 above, including MCPR.exe.
          - Haven't upgraded to SP3 yet. I want to be clear of garbage first.
          - Ran full scans of Superantispyware, Spybot, F-Protect and McAfee (updated). Nothing found.
          - Reinstalled & ran full system scan with Malwarebytes' Anti-Malware:


          Registry Data Items Infected:[/b]
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\St art_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

          - McAfee Virtual Technician found and fixed a "registry error."
          - Initiated another full McAfee scan.

          No idea where this stuff comes from, although I suspect an email contact running some outdated home-baked security software supplied by Telus. I'm running some more scans and will make another update tomorrow afternoon.
          • 2. RE: Groan
            You appear to be talking to yourself here Wuggy.

            I suggest that you or anyone with this issue download Hijackthis and post its log on one of the following forums for expert free guidance:

            Do not post the log here, we can't help!


            Post the logs at a specialist Forum:

            AUMHA FORUM



            GEEKS TO GO FORUM





            WHAT THE TECH FORUM (Formerly Tom Coyote)

            Be sure to read all the sticky announcements/instructions at the top of each malware forum!

            Don't try repairing anything yourself as mistakes can be made & don't let Hijackthis repair anything either. Those forums have experts in the field who will advise the best course of action.
            • 3. Yeah...
              Roger that, Ex_Brit. Thanks. (sigh)
              • 4. Update
                I was mistaken. The advertisement that I referenced on February 7 was the result of an unexpected "allowed pop-up" from a trusted site -- NOT adware.

                My system remains clean as a result of the actions taken previously -- particularly the repeated scans by fully-updated MBAM. I hope this thread helps others.

                Regards, 'Wuggy'
                • 5. RE: Trojan.FakeAlert scriptsn.dll EASIER FIX (I think)
                  Glad it's OK now.