FakeAlert-SpywareProtect

Type: Trojan
SubType:
Discovery Date: 03/20/2009
Length:
Minimum DAT: 5559 (03/20/2009)
Updated DAT: 5874 (01/27/2010)
Minimum Engine: 5.2.00
Description Added: 03/20/2009
Description Modified: 04/13/2009 12:23 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

FakeAlert-SpywareProtect is a fake antispyware product that displays no EULA upon installation and shows fake warning messages.

Upon execution, FakeAlert-SpywareProtect copies itself to the system under the following name:

    * %WinDir%\spyguard.exe

FakeAlert-SpywareProtect drops the file 'iehelper.dll' on the system. This file is detected as FakeAlert-SpywareProtect and is installed as a Browser Helper Object (BHO) in order to display fake "drop-down" messages within Internet Explorer.

It connects to [infected].65.127 and downloads other malware, which is programmed to download new versions of FakeAlert-SpywareProtect from [infected].119.131.
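A host triage check for the two file artifacts named above, as an added example that is not part of the vendor description. The function name and output fields are illustrative, and the BHO registry locations are the standard Internet Explorer ones, not values taken from this page.

```powershell
# Added example: look for %WinDir%\spyguard.exe and a registered BHO backed by iehelper.dll.
# Only the two file names come from the description; everything else is an assumption.
# A hit is a lead to confirm with an up-to-date scanner, since a file name alone proves nothing.
function Find-SpywareProtectArtifacts {
    $findings = @()

    # 1. Self-copy reported at %WinDir%\spyguard.exe
    $exe = Join-Path $env:WinDir 'spyguard.exe'
    if (Test-Path -LiteralPath $exe) {
        $findings += [pscustomobject]@{ Kind = 'File'; Path = $exe; Clsid = $null }
    }

    # 2. Walk the BHO list (native and 32-bit registry views); each subkey name is a CLSID.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
    )
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $key.PSChildName
            $server = "$($view.Clsid)\$clsid\InprocServer32"
            if (-not (Test-Path -LiteralPath $server)) { continue }

            # The unnamed (default) value of InprocServer32 holds the DLL path.
            $dll = (Get-Item -LiteralPath $server).GetValue('')
            if (-not $dll) { continue }
            $dll = "$dll".Trim('"')

            if ((Split-Path -Leaf $dll) -ieq 'iehelper.dll') {
                $findings += [pscustomobject]@{ Kind = 'BHO'; Path = $dll; Clsid = $clsid }
            }
        }
    }
    return $findings
}

Find-SpywareProtectArtifacts | Format-Table -AutoSize
```

The check resolves CLSIDs through HKLM only, so a per-user COM registration would need the same lookup under HKCU.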

Symptoms

The presence of the fake messages mentioned above.

Method of Infection

FakeAlert-SpywareProtect was observed to be installed by the Conficker worm.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

Once installed on a system, FakeAlert-SpywareProtect generates fake infection messages. It encourages the user to purchase a registered copy of the product in order to clean the supposed infections. Unsuspecting users may be enticed by such scare tactics.

Aliases

  • Rogue:W32/SpywareGuard2008.G (F-Secure)
  • Troj/FakeAV-OM (Sophos)
  • TROJ_FAKEAV.FXF (TrendMicro)
  • Trojan:Win32/FakeSpypro (Microsoft)
