4 Replies Latest reply on May 29, 2010 4:46 PM by mcse

    Could someone help me with this?

      Hi, I'm sorry to bother you guys.  But I'm pretty scared that my PC is infected by something serious.  Just a while ago, my on-access scan message came up and it detected several trojans.  It deleted most of the trojans, then there was one that it could neither clean nor delete (Please look at "access scan.jpg" I attached).  So I went to the specified folder and it was totally empty.  I updated the scanner's engine and DAT, and then ran a full scan but nothing was found.

      So I looked at the On-Access Scan log and it noted

      "5/13/2010    8:55:48 PM    Delete failed (Clean failed)     MyName    C:\DOCUME~1\MyName\LOCALS~1\Temp\jgqO.exe    C:\Documents and Settings\MyName\Local Settings\Application Data\blwuuckgs\arlqbvhtssd.exe    FakeAlert-FakeSpy.a (Trojan)"

      So I searched my PC for these .exe files just to be safe.  I did not find "arlqbvhtssd.exe" anywhere on my hard drive, but sure enough, I did find "jgq0.exe" in my Windows prefetch folder (Please look at "searchresult.jpg" I attached).  Now I did research on "FakeAlert-FakeSpy.a" and it seems something really nasty.

      What can I do to get rid of "jgq0.exe" in my prefetch folder? (I'm assuming it'll probably replicate itself once I reboot, even if I delete it manually.)  When I did a full scan of the drive, though it did not find anything, I know it's there.  Am I pretty much doomed at this point?  Could someone be kind enough to direct me on what to do to remedy this?  I'd be forever grateful..... Please help.....  I'm scared to reboot the PC for this thing might completely rewrite and mess up my registry or something....

        • 1. Re: Could someone help me with this?

          Hi there,

          I do not see anything to be scared of :-)

          Just go through the following link:

          http://vil.nai.com/vil/content/v_262813.htm

          Best of luck. Please post back the results.

          Regards,

          1ndian

          • 2. Re: Could someone help me with this?

            This is what I have found when dealing with the "Fake Alert" infections.

            If you are having trouble finding that .exe file by browsing to it through Windows Explorer, it's normally because malware flags the file as a "Protected Operating System File".  I have found this to be the case with a lot of the "Fake-Alert XXXX" infections.  In Windows Explorer go to Tools>Folder Options>View Tab and make sure that "Show hidden files and folders" is selected in the list.  Also deselect "Hide protected operating system files".  Normally I click the "Apply to All Folders" button.  That ensures that those changes you just made will show no matter what folder you browse to.  After you find the file and delete it you can change all those settings back.

            Best of luck.
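            The same check done from the command line rather than by clicking through Folder Options. This is an added example, not code posted in this thread; it assumes Windows PowerShell is available and uses the two folders named in the On-Access Scan log entry above (the Windows XP-style "Local Settings" profile layout). The registry values under Explorer\Advanced are the ones the Folder Options dialog writes.

```powershell
# Added example (not from this thread): list executables that carry BOTH the
# Hidden and System attributes, which Explorer hides unless "Hide protected
# operating system files" is switched off, and show how those Explorer settings
# are stored. Assumes Windows PowerShell and the XP-style profile paths quoted
# in the scan log (user name is taken from the current profile).

$ErrorActionPreference = 'SilentlyContinue'

# Folders the log entry points at: the user's Temp folder and
# Local Settings\Application Data, where the random-named folder was created.
$searchRoots = @(
    "$env:USERPROFILE\Local Settings\Temp",
    "$env:USERPROFILE\Local Settings\Application Data"
)

# A file is "protected operating system" style only when it has Hidden AND System.
$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

$suspects = Get-ChildItem -Path $searchRoots -Recurse -Force -Include *.exe |
    Where-Object { ($_.Attributes -band $hiddenSystem) -eq $hiddenSystem } |
    Select-Object FullName, Attributes, LastWriteTime, Length

# Review the list by hand before deleting anything; a legitimate system file can
# carry the same attributes, so the path and timestamp matter more than the flags.
$suspects | Format-Table -AutoSize

# Explorer's Folder Options > View settings live under this key.
#   Hidden:          1 = "Show hidden files and folders", 2 = "Do not show"
#   ShowSuperHidden: 1 = protected OS files shown, 0 = hidden
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Get-ItemProperty -Path $adv -Name Hidden, ShowSuperHidden

# Equivalent of the two checkboxes in reply 2: show everything while investigating.
# Set them back (Hidden = 2, ShowSuperHidden = 0) once the file has been dealt with.
Set-ItemProperty -Path $adv -Name Hidden -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
```

            Explorer reads these values when a window is opened, so an already-open folder window needs to be refreshed or reopened before the change is visible.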

            • 3. Re: Could someone help me with this?

              kire98 is right. That's great advice on how to find the files marked hidden and system. But I'd like to add that in your scan results you see entries beginning with HKEY_ . As you may know, these are registry keys that the trojan created and should be removed. Frankly I'm surprised that McAfee doesn't have removal instructions or an exe that you can download that will remove this. Or maybe they do, and I just haven't seen it?

              HTH

              • 4. Re: Could someone help me with this?

                Found the description, removal instructions etc. for Fakealert-fakespy.a in McAfee's virus library at:

                http://vil.nai.com/vil/content/v_262813.htm

                However, when my McAfee software told me that it blocked installation of the trojan I found that one of the files and 2 of the registry entries had been created anyway. I deleted them myself, but I thought that it was weird that some of the trojan had been installed.

                By the way, changes to the registry do not take effect until reboot.