Tech Helproom



removing trojan fakealert.H


ami

Hi all. Running a fully patched Windows XP Pro on a Toshiba laptop, with fully updated Panda Anti-Virus Pro and Malwarebytes. I've started getting Panda pop-up alerts of a virus, variously identified as W32/cosmu.L or Trj/Ramnit.A, saying that it has been neutralised and the file disinfected. This happens at approx 1 minute intervals and the file and the virus are different each time. A full scan with Panda after disabling System Restore reveals no infection, but Malwarebytes finds the trojan fakealert.H. It reports that it has been removed and the registry values will be deleted on re-boot, but no deletion takes place and the problem remains. Malwarebytes support says it can fully remove fake alert - but it would seem it can't. Does anyone have any suggestions? It may or may not be connected, but safe mode has also become inaccessible, giving a BSOD instead.

Fruit Bat /\0/\

Search and kill the following processes

Press “Alt+Ctrl+Delete”, then click on the “Task Manager” Processes tab.

Now select the file name and then click on “End Task” to kill the process.

ckvo.exe, yfezaxup.exe

Remove Trojan.FakeAlert.H .exe & .dll files

Click “Start” then “Run”. In the Run command box, type “cmd”, and then click on “OK”. Type

“regsvr32 /u filename.dll”, where “filename” is the name of the file that you would like to unregister.

ckvo.exe,
yfezaxup.exe,
ckvo0.dll,
ckvo1.dll,
otyh.cmd

Remove/Modify corrupt Registry Values

Click “Start” then “Run”. In the Run command box, type “regedit”, and then click on “OK”.

Use the search option of Registry Editor: just press “Ctrl + F” to locate the key that contains the value you want to delete or modify.

cmdutilsys
ibunstcj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser
HKEY_CLASSES_ROOT\CLSID\{5F184E8C-1DDF-BDA4-4F44-056737D25E25}
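A read-only way to check for the names listed in the post above before changing anything, as an added example that is not part of the original post: a batch file that only reports what it finds, assumed to be run from cmd on the XP Pro machine with the built-in `tasklist` and `reg` tools. Looking for `cmdutilsys` and `ibunstcj` only under the two Run keys is an assumption; the post does not say where they live.

```batch
@echo off
rem Added example, not from the original post: report-only check for the
rem process, Run-value and CLSID names listed in the post above.
rem Nothing is killed, unregistered or deleted.
setlocal
set RUNKEY=SOFTWARE\Microsoft\Windows\CurrentVersion\Run

echo == Processes named in the post ==
for %%P in (ckvo.exe yfezaxup.exe) do (
    tasklist /FI "IMAGENAME eq %%P" 2>nul | find /I "%%P" >nul
    if errorlevel 1 (echo   not running: %%P) else (echo   RUNNING:     %%P)
)

echo == Run values named in the post ==
for %%H in (HKLM HKCU) do (
    for %%V in (autoload ntuser) do (
        reg query "%%H\%RUNKEY%" /v %%V >nul 2>&1
        if errorlevel 1 (echo   absent:  %%H Run value %%V) else (echo   PRESENT: %%H Run value %%V)
    )
)

echo == cmdutilsys / ibunstcj anywhere in the Run keys ==
rem Assumption: these two names are looked for only in the Run keys.
rem findstr treats the space-separated words as alternatives.
for %%H in (HKLM HKCU) do (
    reg query "%%H\%RUNKEY%" 2>nul | findstr /I "cmdutilsys ibunstcj"
    if errorlevel 1 echo   no match under %%H Run
)

echo == CLSID key named in the post ==
reg query "HKCR\CLSID\{5F184E8C-1DDF-BDA4-4F44-056737D25E25}" >nul 2>&1
if errorlevel 1 (echo   absent) else (echo   PRESENT)

endlocal
```

A later post in this thread reports none of these names on the affected machine and a differently named Run entry, so an all-absent result only rules out these particular names.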
ami

Thanks Fruit Bat for those very clear instructions. Just one small query, which may be down to the posting window: where is cmdutilsys and ibunstcj?

Fruit Bat /\0/\

You will need to Ctrl F search the registry for them.

buteman

If no luck with above maybe go to this Forum and sign in.

http://www.bleepingcomputer.com/forums/topic172575.html

They are very good at getting your computer clean but are always busy so may take a couple of days.

ami

Ok, latest news on Fake Alert trojan, if that's what it is. None of the entries listed by Fruit Bat are present - sorry Fruit Bat. A full scan with the latest Panda Anti-Virus Pro 2012 reveals 14 infected files, says it has deleted them but it doesn't. Trojan Remover 6.8.2 finds lots of dodgy registry entries and suspect files, says it has deleted them and hasn't. Malwarebytes finds just two infections, C:\Docs and settings\username\local settings\application data\rigphigg\aoxcvwou.exe and HKEYCURRENTUSER_SOFTWARE\microsoft\windows\current version\run\aoxcvwou, says it has deleted both but doesn't. A manual try at deleting the above registry entry results in it magically reappearing before your very eyes. As I couldn't access any security web pages I downloaded the Panda 2012 and Trojan Remover onto a memory stick in another computer. As soon as the memory stick was plugged into the laptop a folder called Recycler installed itself. Inside this folder are numerous .exe files, all unknown to me, and which multiply each time a fake virus warning pops up. The 'fake' viruses are, amongst others, Trj/Starter.G, Trj/Ramnit.A, and W32/Cosmu.L. Oh, and aoxcvwou.exe does not appear as a running process in Task Manager and none of the above files or folders can be deleted manually. Wow! Lot of info there, can anyone help decipher it?

Fruit Bat /\0/\

  1. switch off system restore

  2. reboot the machine into safe mode

  3. run your virus and antimalware programs, delete what they find

  4. reboot the machine

  5. rescan and see what comes up.

ami

I'm afraid the computer won't boot into safe mode; I get a BSOD when I try. I assume the virus/trojan is stopping safe mode opening. I switched off System Restore when I first tried to deal with this problem but it hasn't helped.

buteman

Maybe go to this forum and sign in and wait for instructions.

Like I said before it may take a few days but they will clean your computer for you if possible.

http://www.malwareremoval.com/forum/viewforum.php?f=11

Or go to the other forum that I mentioned. Both are very good.

You can also carry on here until one of the forums contact you then you have to follow their advice.

This thread has been locked.


