8 Replies Latest reply on Jun 6, 2011 11:44 AM by Peter M

    FakeAlert-FAB!A41845451FA6

      Gentlemen - -

       

      On 4/10/2011 I received an indication of a Trojan message via McAfee AV software, and that it had been quarantined.

       

      Upon clicking on "More" information I received the following message on 4/10/2011:

       

                     "FakeAlert-FAB!A41845451A6 (Trojan)".

       

      Following this event, the Windows background changed automatically from my setting of dark green to black.  Resetting to

      the original dark green color causes a "round robin" event going back to black.

       

      A few weeks prior to this event, I did get a full blue screen that indicated a flaw in the hard drive, with an instruction to re-boot.

       

      The re-boot was accomplished without difficulty and the computer ran fine for another two weeks, then, another full blue screen appeared

      with a message about memory failure.

       

      At this point I am not sure if the problem is a hard-drive failure, (likely since it is 6 plus years old), or a virus/trojan infection.

      (The drive is a Western Digital 160 GB unit).

       

      I am currently scanning with Stinger and nothing found so far.

       

      The plan is to scan next with GetSusp as soon as the Stinger completes its task.

       

      Any thoughts and replies will be appreciated.

       

      Thank you,

      Jim

        • 1. Re: FakeAlert-FAB!A41845451FA6
          Peter M

          Moved provisionally to Malware Discussion > Home User Assistance.

           

          GetSusp is a good tool to try but any discussion on that is in a separate area that you have to join here:  https://community.mcafee.com/groups/getsusp30-beta-feedback

           

          Meanwhile there is something you can try in "Safe Mode with Networking" which is reached by tapping F8 repeatedly while booting up and selecting the second item on the ensuing menu.

           

          All of the following can be done in that mode.

           

           

          Download, install, update (important) and run a full scan using the FREE version of THIS software.

           

          Let it remove anything it finds and reboot if asked to, to remove all traces of what it finds (if anything).

           

          It's hard to say if a 6 year old hard drive is failing.  If you know the brand, go to the manufacturer's website and look for a utility that tests the hard drive.   They all have them freely available.

           

          That said, I've had hard drives fail on me after only a few months and others after 5 or more years of heavy use.   I've found that paying for a good brand is wise, preferring Western Digital 'Caviar' myself.

           

          The usual signs are slowness, drop-outs etc., and often loud noises.

          • 2. Re: FakeAlert-FAB!A41845451FA6

            Thank you Peter - - I have already done those things, also ran GetSusp after running Stinger.

             

            Also ran trial version of Malwarebytes - - it found errors, etc.

             

            Stinger provided the following printed report:

             

            C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe Found the FakeAlert!fakealert-REP trojan!!!

            C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe is infected with the FakeAlert!fakealert-REP virus!!!

             

            C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe has been deleted.

            C:\WINDOWS\system32\sethc.exe found the FakeAlert!fakealert-REP trojan !!!

            C:\WINDOWS\system32\sethc.exe is infected with the FakeAlert!fakealert-REP virus !!!

            C:\WINDOWS\system32\sethc.exe has been deleted.

             

            Number of infected files:  2

            Number of files cleaned:  2

             

            Apparently Stinger found and cleaned the virus from the system. 

             

            My question now is, are the Windows files mentioned above deleted and will XP need to be re-installed, or are the files that were deleted just a part of normal activity that occurs when surfing the web?

             

            I also started receiving a "Hard Drive Failure" notification when this virus was detected.

             

            All this may be strictly coincidental - - my only experience with hard drive failure occurred before I

            retired.

             

            Thanks for your help.

             

            Regards,

            Jim

            • 3. Re: FakeAlert-FAB!A41845451FA6
              Peter M

              You shouldn't be running the trial version of Malwarebytes as that version (the paid one) may clash with regular A/V.   The FREE version is what I recommended and can be kept for future use, as long as you update it periodically.

               

              sethc is a Windows process - have you downloaded anything to do with high contrast lately?    Mind you it could be genuinely an infection and in any case, those files are deleted so no longer should be of concern.

               

              I think you should be OK now.

              1 of 1 people found this helpful
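
Whether the two deleted files matter depends on where each one lived: a file under system32 is a Windows component, while one under "Downloaded Program Files" sits in the browser's ActiveX download cache. As an added example (not part of any post in this thread and not a McAfee tool), this sketch parses report lines in the shape quoted above and lists the deleted Windows components; the sample text is constructed from the thread, and the function names and location labels are assumptions.

```python
import re

# Constructed sample: the report lines as quoted in the thread, typos corrected.
SAMPLE_REPORT = r"""
C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe Found the FakeAlert!fakealert-REP trojan!!!
C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe is infected with the FakeAlert!fakealert-REP virus!!!
C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe has been deleted.
C:\WINDOWS\system32\sethc.exe found the FakeAlert!fakealert-REP trojan !!!
C:\WINDOWS\system32\sethc.exe is infected with the FakeAlert!fakealert-REP virus !!!
C:\WINDOWS\system32\sethc.exe has been deleted.
"""

DETECTED = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?:found the|is infected with the) "
    r"(?P<name>\S+) (?:trojan|virus)\s*!+$", re.IGNORECASE)
DELETED = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) has been deleted\.$", re.IGNORECASE)

def classify(path):
    """Label a path by its location (the labels are this example's own)."""
    p = path.lower()
    if "\\system32\\" in p:
        return "windows-system-file"
    if "\\downloaded program files\\" in p:
        return "activex-download-cache"
    return "other"

def parse_report(text):
    """Return {path: {"detections": set, "deleted": bool, "location": str}}."""
    files = {}
    for line in text.splitlines():
        line = line.strip()
        m = DETECTED.match(line) or DELETED.match(line)
        if not m:
            continue  # blank lines, summary counters, anything unrecognised
        entry = files.setdefault(m["path"], {
            "detections": set(), "deleted": False, "location": classify(m["path"])})
        if m.re is DELETED:
            entry["deleted"] = True
        else:
            entry["detections"].add(m["name"])
    return files

def needs_restore(files):
    """Deleted Windows components: restore from a trusted source, e.g. sfc /scannow."""
    return sorted(p for p, e in files.items()
                  if e["deleted"] and e["location"] == "windows-system-file")

if __name__ == "__main__":
    print("restore:", needs_restore(parse_report(SAMPLE_REPORT)))
```
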
              • 4. Re: FakeAlert-FAB!A41845451FA6

                Thank you Peter - -

                 

                Yes I ran the Malwarebytes free software last night and it found somewhere in the neighborhood of 4,500+ errors on the drive.

                 

                After you mentioned doing a diagnostics check with the Western Digital Diagnostics software, I remembered that I used it years ago when installing the 160 GB drive.

                 

                Following the instructions, it was run in the extended scan mode and finally stopped with a statement that there are too many bad sectors for it to continue.

                 

                My main concern is that I want to recover as much data as possible from this old unit and install it on the new 64 bit machine we purchased last week.

                 

                I don't want to pull a "bug" across and go through this again.

                 

                Regards,

                Jim

                • 5. Re: FakeAlert-FAB!A41845451FA6
                  Peter M

                  Back up whatever you can or check with a professional about getting information off a damaged hard drive.  It can be rather expensive.

                   

                  You could simply ask Windows to check the disk for errors.  It may take a while but it may be worth the delay.

                   

                  What operating system/service pack is this?

                   

                  Message was edited by: Ex_Brit on 16/04/11 2:42:12 EDT PM
                  • 6. Re: FakeAlert-FAB!A41845451FA6
                    Peter M

                    If XP go to Start/Run and type in cmd.exe

                     

                    If Vista/Windows 7 go to Start and type cmd in the Search box just above the button

                     

                    Cmd.exe should appear in a list above.  Right-click and select 'Run as Administrator' and OK any prompts.

                     

                    In the Command Prompt type       chkdsk C: /r       with the spaces and alter C: to whatever disk drive letter it is if different.

                     

                    Hit the Enter key and OK any prompts.

                     

                    It may say that it cannot run because the volume is in use, run at next boot Y/N?   Enter Y and hit the Enter key.

                     

                    Reboot and let it run.  It will take a long time but may fix the disk errors but I can't obviously guarantee it.

                     

                    Message was edited by: Ex_Brit on 16/04/11 3:03:15 EDT PM
                    • 7. Re: FakeAlert-FAB!A41845451FA6

                      Although the Trojan was caught & deleted, it seems that things were already changed that didn't get backtracked with the deletion, so these annoying "warning type" FAKE popups still continued to appear regarding HDD, & memory.

                      A RESTORE to a previous date that was "clean" got rid of the black screen & the popups, after that !!

                      • 8. Re: FakeAlert-FAB!A41845451FA6
                        Peter M

                        System Restore is always a good choice if there is a restore point available that's guaranteed to be clean.  If successful it's a good idea to temporarily disable System Restore to clean the infected restore point(s).

                         

                        All the best.