I got infected with Win32:Fakeinit-H[TRJ] and I am not sure if there is an active backdoor/keylogger. How do I know whether there is an active backdoor/keylogger?
When I first scanned my laptop, I deleted whatever was detected (sorry, I didn’t know I was supposed to move it to the chest).
Right after being infected, I got this message ‘this windows is not original’ but now the message is gone.
I was told that I would get pop ups and stuff like that, but I didn’t get any of those.
After discovering Win32:Fakeinit-H[TRJ] I realised there are Bredolab and ZBot-MNS.
I have uninstalled P2P software such as Ares and BitTorrent.
Thanks in advance for those who can help me out of this mess.
Here is the report from Avast:
1/1/2010 10:22:41 AM SYSTEM 1580 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Windows\SoftwareDistribution\Download\794e187ec6eaa79a3c9915e164e61f37\BIT7457.tmp (C:\Windows\SoftwareDistribution\Download\794e187ec6eaa79a3c9915e164e61f37\BIT7457.tmp) returning error, 00000026.
2/1/2010 6:46:48 PM SYSTEM 1644 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2/1/2010 6:46:49 PM SYSTEM 1644 An error has occured while attempting to update. Please check the logs.
5/1/2010 9:54:40 AM SYSTEM 1660 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Windows\SoftwareDistribution\Download\3e300a01c97e9a02cdecdcab81762ba8\BITD4BE.tmp (C:\Windows\SoftwareDistribution\Download\3e300a01c97e9a02cdecdcab81762ba8\BITD4BE.tmp) returning error, 00000026.
5/1/2010 4:17:04 PM SYSTEM 1660 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Users\sarah\AppData\Local\Ares\My Shared Folder___ARESTRA___the sims 3 +crack.exe\MsgUpdate.dll” file.
5/1/2010 4:17:24 PM SYSTEM 1660 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Users\sarah\AppData\Local\Ares\My Shared Folder___ARESTRA___the sims 3 +crack.exe\IgfxSys.dll” file.
5/1/2010 4:18:23 PM SYSTEM 1660 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Users\sarah\AppData\Local\Ares\My Shared Folder___ARESTRA___the sims 3 +crack.exe\phuninst.dll” file.
11/1/2010 4:05:59 PM SYSTEM 1640 Sign of “HTML:Iframe-inf” has been found in “http://profiles.lovingyou.com/library/stories.php” file.
11/1/2010 4:06:06 PM SYSTEM 1640 Sign of “HTML:Iframe-inf” has been found in “C:\Users\sarah\AppData\Local\Mozilla\Firefox\Profiles\t99aolvu.default\Cache\AB0E6D9Bd01” file.
14/1/2010 12:38:17 AM SYSTEM 1572 Sign of “Win32:FakeAlert-GD [Trj]” has been found in “C:\Users\sarah\AppData\Local\Temp~TM84C7.tmp” file.
14/1/2010 12:38:31 AM SYSTEM 1572 Sign of “Win32:Zbot-MNS [Trj]” has been found in “D:\Internet\Temporary Internet Files\Content.IE5\6RXRWKBM\dfghfghgfj[1].dll” file.
14/1/2010 12:38:38 AM SYSTEM 1572 Sign of “Win32:Zbot-MNS [Trj]” has been found in “C:\Windows\System32\helper32.dll” file.
14/1/2010 8:52:59 AM SYSTEM 1592 Sign of “Win32:Fakeinit-H [Trj]” has been found in “C:\Windows\System32\smss32.exe” file.
14/1/2010 8:58:52 AM sarah 2912 Sign of “Win32:Fakeinit-H [Trj]” has been found in “c:\windows\system32\smss32.exe” file.
14/1/2010 8:59:08 AM sarah 2912 Sign of “Win32:Fakeinit-H [Trj]” has been found in “c:\windows\system32\winlogon32.exe” file.
14/1/2010 8:50:57 PM SYSTEM 1620 Sign of “Win32:Bredolab-BM [Trj]” has been found in “C:\Users\sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rarype32.exe” file.
14/1/2010 9:23:53 PM SYSTEM 1620 Sign of “Win32:Bredolab-BM [Trj]” has been found in “Incoming email ‘UPS Tracking Number 5430399.’ From: “UPS Manager Shauna Browning” tracking.support@ups.com, To: sarah@writingconsultation.com\UPS_invoice_NR8745.zip#1249735697\UPS_invoice_NR8745.exe” file.
14/1/2010 9:29:26 PM sarah 4656 Sign of “Win32:Bredolab-BM [Trj]” has been found in “c:\users\sarah\appdata\roaming\microsoft\windows\start menu\programs\startup\rarype32.exe” file.
I have also done DDS. Please find the attached Avast report. Thanks.
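One practical first step towards answering "is anything still active?" is to pull the file paths out of the Avast report and sort them by where they sit: a hit in the Startup folder or in System32 is a persistence candidate, while a hit in a browser cache or Temp folder is drive-by debris that does not run on its own. The Python script below is an added example, not part of the original post and not an Avast tool. The log lines embedded in it are a constructed sample copied from the report above; the directory-based categories and the "still on disk" check are my own assumptions about what matters when triaging such a report, not Avast's classification. An empty "still on disk" list only says the named files are gone, not that nothing else was installed.

```python
import os
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: detection lines copied from the Avast report in the
# post above, plus one non-detection line to show that it is skipped.
SAMPLE_LOG = r"""
2/1/2010 6:46:48 PM SYSTEM 1644 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
5/1/2010 4:17:04 PM SYSTEM 1660 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Users\sarah\AppData\Local\Ares\My Shared Folder___ARESTRA___the sims 3 +crack.exe\MsgUpdate.dll” file.
11/1/2010 4:05:59 PM SYSTEM 1640 Sign of “HTML:Iframe-inf” has been found in “http://profiles.lovingyou.com/library/stories.php” file.
11/1/2010 4:06:06 PM SYSTEM 1640 Sign of “HTML:Iframe-inf” has been found in “C:\Users\sarah\AppData\Local\Mozilla\Firefox\Profiles\t99aolvu.default\Cache\AB0E6D9Bd01” file.
14/1/2010 12:38:17 AM SYSTEM 1572 Sign of “Win32:FakeAlert-GD [Trj]” has been found in “C:\Users\sarah\AppData\Local\Temp~TM84C7.tmp” file.
14/1/2010 12:38:31 AM SYSTEM 1572 Sign of “Win32:Zbot-MNS [Trj]” has been found in “D:\Internet\Temporary Internet Files\Content.IE5\6RXRWKBM\dfghfghgfj[1].dll” file.
14/1/2010 12:38:38 AM SYSTEM 1572 Sign of “Win32:Zbot-MNS [Trj]” has been found in “C:\Windows\System32\helper32.dll” file.
14/1/2010 8:52:59 AM SYSTEM 1592 Sign of “Win32:Fakeinit-H [Trj]” has been found in “C:\Windows\System32\smss32.exe” file.
14/1/2010 8:58:52 AM sarah 2912 Sign of “Win32:Fakeinit-H [Trj]” has been found in “c:\windows\system32\smss32.exe” file.
14/1/2010 8:59:08 AM sarah 2912 Sign of “Win32:Fakeinit-H [Trj]” has been found in “c:\windows\system32\winlogon32.exe” file.
14/1/2010 8:50:57 PM SYSTEM 1620 Sign of “Win32:Bredolab-BM [Trj]” has been found in “C:\Users\sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rarype32.exe” file.
14/1/2010 9:23:53 PM SYSTEM 1620 Sign of “Win32:Bredolab-BM [Trj]” has been found in “Incoming email ‘UPS Tracking Number 5430399.’ From: “UPS Manager Shauna Browning” tracking.support@ups.com, To: sarah@writingconsultation.com\UPS_invoice_NR8745.zip#1249735697\UPS_invoice_NR8745.exe” file.
14/1/2010 9:29:26 PM sarah 4656 Sign of “Win32:Bredolab-BM [Trj]” has been found in “c:\users\sarah\appdata\roaming\microsoft\windows\start menu\programs\startup\rarype32.exe” file.
"""

# Avast writes the detection line with curly quotes; accept straight ones too.
DETECTION_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>[^”"]+)[”"] '
    r'has been found in [“"](?P<target>.+)[”"] file\.$'
)

# Assumed triage categories (my own, not Avast's), matched case-insensitively.
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SYSTEM32_DIR = "\\windows\\system32\\"
TRANSIENT_HINTS = ("\\temp", "temporary internet files", "\\cache\\")
LOCAL = ("autostart", "system32", "file", "transient")


def classify(target):
    """Map a detection target to where it sits. Autostart and System32 hits are
    persistence candidates; transient caches cannot run by themselves."""
    t = target.lower()
    if t.startswith(("http://", "https://")):
        return "web"
    if t.startswith("incoming email"):
        return "email"
    if not re.match(r"^[a-z]:\\", t):
        return "other"
    if STARTUP_DIR in t:
        return "autostart"
    if SYSTEM32_DIR in t:
        return "system32"
    if any(hint in t for hint in TRANSIENT_HINTS):
        return "transient"
    return "file"


def parse_log(text):
    """Return one dict per 'Sign of ... has been found' line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        found.append({
            "time": datetime.strptime(m["ts"], "%d/%m/%Y %I:%M:%S %p"),
            "user": m["user"],
            "pid": int(m["pid"]),
            "signature": m["sig"],
            "target": m["target"],
            "category": classify(m["target"]),
        })
    return found


def unique_local_paths(detections):
    """Local file paths, deduplicated case-insensitively: the report lists the
    same file once from the SYSTEM scan and once from the user's own scan."""
    seen = {}
    for d in detections:
        if d["category"] in LOCAL:
            seen.setdefault(d["target"].lower(), d["target"])
    return sorted(seen.values(), key=str.lower)


def still_present(detections, exists=os.path.exists):
    """Paths from the report that still exist on disk (exists() is injectable
    so the check can be exercised without the infected machine)."""
    return [p for p in unique_local_paths(detections) if exists(p)]


def category_counts(detections):
    return Counter(d["category"] for d in detections)


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    print(dict(category_counts(dets)))
    for d in dets:
        if d["category"] in ("autostart", "system32"):
            print(f'{d["time"]:%Y-%m-%d %H:%M} {d["signature"]:24} {d["category"]:10} {d["target"]}')
    print("still on disk:", still_present(dets))
```

Run it on the machine in question with the full report pasted into SAMPLE_LOG (or read from the exported log file); the lines worth acting on are the ones in the autostart and system32 categories, and any of those paths that `still_present` reports should be quarantined and submitted to the vendor rather than just deleted.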
Thanks Pondus. I did scan my laptop with MalwareBytes and removed everything that was detected. I am just not sure whether the virus is totally removed.
Files Infected:
C:\Windows\System32\sdra64.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
No specific symptoms. It’s just that every time I turn on my laptop, I run Avast, Windows Defender and MalwareBytes to scan it, and sometimes I do get an alert about a certain virus. Sometimes Windows Defender alerts me about a change being made to a file (I have no idea why, or what kind of change).
OBS: your Malwarebytes is very old; you have 1.40, the newest is 1.44 with database 3580. Update and scan again, and post the log.
MBAM is designed to be run in normal mode (I see in the log you ran it in safe mode).
@ vista87
Yes, that file sdra64.exe found by MBAM would have been responsible for the other fake alert detections by Avast, but now it is gone too.
From your prior posts (My Shared Folder___ARESTRA___the sims 3 +crack.exe), it isn’t surprising that from time to time you get alerts. Cracks are high risk; aside from any legal and moral issues, they are generally accompanied by other malware.
BTW, when I try the regular SUPERAntiSpyware way, about halfway down the instructions it says to relaunch SAS after it reboots your computer after the main scan. But do I launch it in safe mode again to retrieve the logs?