
Remove Trojan FakeAlert/Renos/Dropper/msb.exe

May 2013






This infection is usually picked up after installing infected codecs and can be transmitted via external devices (USB keys, etc.).



Examples of malicious lines found in a HijackThis log:
O4 - HKUS\S-1-5-18\..\Run: [vegas] rundll32.exe C:\Windows\system32\sshnas.dll,DllWork (User 'SYSTEM')       
O4 - HKUS\.DEFAULT\..\Run: [vegas] rundll32.exe C:\Windows\system32\sshnas.dll,DllWork (User 'Default user')       
O4 - Startup: 8162231.lnk = C:\Users\Romain\AppData\Local\Temp\dwn.exe       
O4 - Startup: 9635938.lnk = C:\Users\Romain\AppData\Local\Temp\mvNat.exe 



This infection can create scheduled tasks that cause reinfection:
C:\Windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job       
C:\Windows\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job       

It is therefore advisable to delete any scheduled tasks that you did not create yourself.

Examples of infected files and registry keys:
HKEY_CURRENT_USER\SOFTWARE\ZagrebLand (Trojan.FakeAlert)       
HKEY_CURRENT_USER\SOFTWARE\Videocan (Trojan.FakeAlert)       
HKEY_CURRENT_USER\SOFTWARE\Microsoft\HID_Layer       
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert)       
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zagrebland (Trojan.FakeAlert)       
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vegas (Trojan.FakeAlert)       
C:\Windows\Temp\b.exe (Trojan.Dropper)       
C:\Windows\Temp\d.exe (Trojan.Dropper)       
C:\Windows\System32\sshnas.dll (Trojan.FakeAlert)       
C:\Windows\Temp\sshnas.dll (Trojan.FakeAlert) 
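
The following added example (not part of the original article) checks HijackThis O4 autostart lines against the Run value names and file names listed above. It also flags any autostart launched from a Temp directory, a heuristic that goes beyond the page's list; the `triage` function name and the last sample line are constructed for illustration.

```python
import re
from ntpath import basename

# Indicators listed on this page (Run value names and dropped file names).
KNOWN_RUN_NAMES = {"vegas", "zagrebland"}
KNOWN_FILES = {"sshnas.dll", "b.exe", "d.exe"}

# The two O4 (autostart) line shapes shown in the page's HijackThis excerpt.
RUN_RE = re.compile(r"^O4 - \S+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# Any drive-qualified path to an .exe or .dll inside the command string.
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\"]*?\.(?:exe|dll)", re.IGNORECASE)


def triage(log_text):
    """Return [(line, [reasons])] for every suspicious O4 entry in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        run, startup = RUN_RE.match(line), STARTUP_RE.match(line)
        match = run or startup
        if not match:
            continue  # not an autostart entry, or a shape not handled here
        reasons = []
        if run and run.group("name").lower() in KNOWN_RUN_NAMES:
            reasons.append("known Run value name")
        for path in PATH_RE.findall(match.group("cmd")):
            if basename(path).lower() in KNOWN_FILES:
                reasons.append("known file name")
            if "\\temp\\" in path.lower():
                reasons.append("autostart from a Temp directory")  # heuristic
        if reasons:
            findings.append((line, reasons))
    return findings


# First four lines are the page's excerpt; the last is a constructed benign entry.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-18\..\Run: [vegas] rundll32.exe C:\Windows\system32\sshnas.dll,DllWork (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [vegas] rundll32.exe C:\Windows\system32\sshnas.dll,DllWork (User 'Default user')
O4 - Startup: 8162231.lnk = C:\Users\Romain\AppData\Local\Temp\dwn.exe
O4 - Startup: 9635938.lnk = C:\Users\Romain\AppData\Local\Temp\mvNat.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons), "<-", line)
```

A flagged line is a lead for the removal tools described below, not proof of infection: legitimate installers occasionally register autostarts from Temp as well.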

Preliminaries


If you have Windows Vista or 7:
You must disable UAC during disinfection.

If you have TeaTimer (the Spybot resident module), disable it; otherwise it may interfere with disinfection:
  • Start Spybot, click Mode, select Advanced Mode.
  • On the left, click Tools, then Resident.
  • Uncheck the Resident "TeaTimer" box, then exit Spybot.

Methods of disinfection


Several solutions are possible:

Method: UsbFix


Because the infection spreads via removable drives, UsbFix can remove a large part of it; however, it is advisable to run Malwarebytes' Anti-Malware and SUPERAntiSpyware afterwards.

UsbFix: Option 1

  • Option 1 of UsbFix finds infections on the computer and on all removable drives, which you must connect beforehand without opening them.
  • Download UsbFix (El desaparecido & C_XX) to the desktop.
  • Connect your external data sources to the PC (USB key, external hard drive, SD card, etc.) without opening them.
  • Double-click UsbFix.exe on the desktop; the software will install automatically.
  • Choose Option 1 (Search).
  • On completion, a UsbFix.txt report is saved in the root of the drive (C:\UsbFix.txt); you can post it on the appropriate forum.



"Process.exe", a component of the tool, is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool. It is not a virus but a utility to terminate processes.

UsbFix: Option 2

  • Option 2 of UsbFix cleans the infections found.
  • Connect your external data sources to the PC (USB key, external hard drive, SD card, etc.) without opening them.
  • Double-click the UsbFix program on the desktop.
  • Choose Option 2 (Delete).
  • The desktop will disappear and the PC will restart.
  • Upon restart, UsbFix scans your PC; let the tool work.
  • A report will again be generated; simply post it on the appropriate forum.

MalwareBytes Anti-Malware

  • Download and install Malwarebytes' Anti-Malware.
  • At the end of the installation, make sure the option "update Malwarebytes' Anti-Malware" is checked.
  • Run the program and let the update process complete.
  • Then go to the "Search" tab, check "Run a quick" then "Search".
  • At the end of the scan, click on "Show Results".
  • Check all items found and click "Remove Selected".
  • The report is saved in the Report-Log tab of Malwarebytes.
  • If you are prompted to restart, accept.
  • Post on the forum the report that appears after deletion.

SUPERAntiSpyware

  • Download SUPERAntiSpyware (SAS), then install and update it.
  • Scan your Computer.
  • In the new window, on the left, choose the items to scan (drives, directories, etc.).
  • On the right side, choose the type of scan. You can use Perform Quick Scan.

Alternate method: SmitfraudFix


SmitfraudFix can eradicate some infections caused by Renos.

Finalizing the cleanup procedure


To verify that nothing remains, it is advisable to run an online scan of your computer.


Thanks to jlpjlp for this tip on CCM.

Original article published by jlpjlp. Translated by jak58.
This document entitled « Remove Trojan FakeAlert/Renos/Dropper/msb.exe » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page under the conditions stipulated by the license, as long as this note appears clearly.