6 Replies Latest reply on Oct 10, 2010 2:56 PM by ArtieRLT

    Need help removing FakeAlert-OZ

      My McAfee alerts say that it has detected and automatically removed the Trojan FakeAlert-OZ from my computer but I receive an alert every 20 seconds.  This is the only McAfee gives me, http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=268857.

       

      I have contacted tech support but they are of no help and pass me on to the virus removal service, which is a paid service.  First of all I thought that I already pay them to prevent my system from these attacks but now I have to pay them to answer a single question about what I need to do? 

       

      Sorry for my rant, I'm very frustrated with McAfee's service.

       

      Any help is greatly appreciated!

      Jennifer

        • 1. Re: Need help removing FakeAlert-OZ

          Hi Jennifer,

           

          Please update the McAfee programs and make sure they are up to date. Also perform an advanced scan by following the steps below:

           

          1. In a web browser, go to the McAfee Labs Tools page at: http://vil.nai.com/vil/averttools.aspx
          2. Under Utilities, select the Stinger for the threat you want to clean.
          3. Download and save the Stinger to your desktop.
          4. McAfee Labs recommends you disable system restore before running Stinger because many threats save copies of themselves to your restore points. Disabling system restore deletes your existing restore points, so you will be unable to use Windows System Restore until you re-enable them, and new restore points are created. For instructions on disabling system restore, go to:
            http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
          5. After disabling system restore, double-click the Stinger application you saved to your desktop.
            NOTE: If you are a Windows 7 or Windows Vista user, right-click and select Run As Administrator.
             
            If you see a security warning, click Yes or Run.
          6. By default the C: drive is scanned. If you want to add additional drives or folders, click Add or Browse.
          7. Click Scan Now. By default, Stinger repairs all infected files found.
          • 2. Re: Need help removing FakeAlert-OZ

            Jennifer,

             

            Did the solution offered help?  I could not find a stinger that was FakeAlert-OZ specific.  To me, this is McAfee's problem and I can't find a solution.

             

            Reggie

            • 3. Re: Need help removing FakeAlert-OZ
              k3tg

              McAfee has published a document which is very effective in dealing with virus and malware issues: Required Reading - Home User Assistance Malware Troubleshooting. If none of these suggestions help and none that Aldrin has posted help, then maybe you could try to run the free version of this program, http://www.malwarebytes.org/mbam.php, by downloading it onto a USB stick from a non-infected PC. I suggest you rename the download and installation files to something you can easily remember, as viruses and malware are written to protect themselves. When you rename the files they may no longer be seen as a threat, thus allowing installation to proceed. After you install the program, check for the latest updates, run the program, let it clean everything it finds, and reboot the computer. Do the same procedure for this program as well: www.superantispyware.com

               

               

              Let us know if this works for you

              • 4. Re: Need help removing FakeAlert-OZ
                Peter M

                Discussion moved from Home and Home Office to Security Awareness > Malware Discussion > Home User Assistance

                • 5. Re: Need help removing FakeAlert-OZ

                  I had the same issue and I got it resolved. Please refer to this thread:

                  https://community.mcafee.com/message/151345


                  • 6. Re: Need help removing FakeAlert-OZ
                    ArtieRLT

                    Well,

                     

                    This is in the right direction anyway.  I have a similar situation but not identical.  I supposedly cleaned this FakeAlert-OZ trojan from my computer and it seemed to be gone for a while.  Then it popped back up but didn't get as far this time as I was familiar with it.  I ran McAfee again and it reported it had quarantined a file corresponding to FakeAlert.  Specifically it catches eapp32hst.dll in c:\Users\{username}\AppData\Local\Temp\ which is odd that it has caught it multiple times since it also removes and quarantines it.

                     

                    I can find just one of the referenced programs in the spywareremove.com link under c:\Users\{username}\AppData\Local\Temp\dfrgsnapnt.  I had to do a search including hidden and system files.  But, though it appears in the Task Manager as a running process when I start up I can't figure out why it's starting.  When I run msconfig I looked under the Startup, Services, and Tools tabs but couldn't find it in the list or anything I'd suspect would be it.  I did find a leftover (I think) from the first encounter with this.  Under c:\Users\{username}\AppData\Roaming there is a directory called AnVi which I believe contains some leftovers from the first encounter given their date and time.

                     

                    Further looking at the link provided to spywareremove.com,  I can't find anything in the registry as they advise.  Also I can't find the eapp32hst.dll file anywhere.

                     

                    So questions:

                     

                    1.) How could dfrgsnapnt.exe be starting up and appearing when it's not in the startup list in msconfig?  Is it safe to delete the file manually and try to reboot?  Perhaps its existence is causing eapp32hst.dll to return? It appears to only be known to one of the users on this PC.

                    2.)  I plan to also delete the AnVi directory and its contents.  Both deletions will need to be from a command line prompt.  I can't see the contents or files or folders otherwise. Bad idea or good idea?

                    3.) Maybe I could just delete this user and recreate it or start another under a different name?  Deleting a user deletes all that user's files.