Content
FakeAlert-SpywareProtect
- Type
- Trojan
- SubType
- Discovery Date
- 03/20/2009
- Length
- Minimum DAT
- 5559 (03/20/2009)
- Updated DAT
- 5874 (01/27/2010)
- Minimum Engine
- 5.2.00
- Description Added
- 03/20/2009
- Description Modified
- 04/13/2009 12:23 PM (PT)
Tab Navigation
Characteristics
FakeAlert-SpywareProtect is a fake Antispyware product which upon installation displays no EULA and shows fake warning messages:


Upon execution, FakeAlert-SpywareProtect copies itself in the system using following name:
* %WinDir%\spyguard.exe
FakeAlert-SpywareProtect drops the file 'iehelper.dll' in the system. This file is detected as FakeAlert-SpywareProtect and is installed as a BHO in order to display fake "drop-down" messages within Internet Explorer.
It connects to [infected].65.127 and downloads other malware which is programmed to download new versions of FakeAlert-SpywareProtect from [infected].119.131
Symptoms
The presence of the mentioned Fake Messages.
Method of Infection
FakeAlert-SpywareProtect was observed to be installed by Conficker worm.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
FakeAlert-SpywareProtect once installed on a system will generate fake messages of infection. It encourages the user to purchase a registered copy of their product in order to clean infections. Unsuspecting users may get enticed by the use of such scare tactics.
Aliases
- Rogue:W32/SpywareGuard2008.G (F-Secure)
- Troj/FakeAV-OM (Sophos)
- TROJ_FAKEAV.FXF (TrendMicro)
- Trojan:Win32/FakeSpypro (Microsoft)
Characteristics
Characteristics -
FakeAlert-SpywareProtect is a fake Antispyware product which upon installation displays no EULA and shows fake warning messages:


Upon execution, FakeAlert-SpywareProtect copies itself in the system using following name:
* %WinDir%\spyguard.exe
FakeAlert-SpywareProtect drops the file 'iehelper.dll' in the system. This file is detected as FakeAlert-SpywareProtect and is installed as a BHO in order to display fake "drop-down" messages within Internet Explorer.
It connects to [infected].65.127 and downloads other malware which is programmed to download new versions of FakeAlert-SpywareProtect from [infected].119.131
Symptoms
Symptoms -
The presence of the mentioned Fake Messages.
Method of Infection
Method of Infection -
FakeAlert-SpywareProtect was observed to be installed by Conficker worm.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A