Trojan.Fakeavalert
Trojan.Fakeavalert is a detection for a Trojan that drops a rogue security application on the computer and modifies settings on the compromised computer to mislead the user. Trojan.Fakeavalert displays fake alert messages and pop-up security warnings and tries to convince the user to purchase the registered version of the rogue program. Trojan.Fakeavalert can also terminate security-related processes, which weakens the security settings of the infected computer.
Technical Information:
Alias: Generic FakeAlert.b, TROJ_FAKEAV.UF, Troj/FakeVir-KY, Trojan.Fakeavalert!sd6, Mal/FakeVirPk-A, Mal/TibsPk-A
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Trojan.Fakeavalert Removal Tool
1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
2. After downloading, double-click on the file to install the application.
3. Follow the prompts and install with the "default" options only.
4. Before the installation completes, check on the following prompts:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware
5. Click "Finish." The program will run automatically and you will be prompted to update it before scanning. Please update.
6. Scan your computer thoroughly.
7. When the scan is finished, click on "Show Results".
8. Make sure that all detected threats are marked, click on Remove Selected.
9. Restart the computer.
Note: Malware may prevent mbam-setup.exe from downloading and running. You can download and rename this program on a different computer before running it on the infected system.
Manual Removal of Trojan.Fakeavalert:
1. Temporarily disable System Restore (Windows Me/XP/Vista/7). [how to]
2. Update the virus definitions.
3. Restart Windows in Safe Mode. [how to]
4. Run a full system scan and clean or delete all infected files.
5. Delete/Modify any values added to the registry. [how to edit registry]
6. Exit registry editor and restart Windows.
Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free online virus scanner, which can be found on the websites of legitimate anti-virus and security providers.
Technical Details and Additional Information:
Malicious Files Added by Trojan.Fakeavalert:
%UserProfile%\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\ Start Menu\Programs\Startup\autorun.exe
%System%\printer.exe
%System%\WinAvXX.exe
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"WinAVX" = "%System%\WinAvXX.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Run\"WinAVX" = "%System%\WinAvXX.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\"Shell" = "Explorer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\"Shell" = "Explorer.exe %System%\printer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\InternetSettings\Zones\0\"1200" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Shared Access\Parameters\FirewallPolicy\DomainProfile\Authorized Applications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
HKEY_CLASSES_ROOT\.htm\"(Default Value)" = "htmlfile"
HKEY_CLASSES_ROOT\.html\"(Default Value)" = "htmlfile"
HKEY_CLASSES_ROOT\.shtml\"(Default Value)" = "htmlfile"
HKEY_CLASSES_ROOT\.xht\"(Default Value)" = "htmlfile"
HKEY_CLASSES_ROOT\.xhtml\"(Default Value)" = "htmlfile"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Explorer\Advanced\"EnableBalloonTips" = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Explorer\Advanced\"EnableBalloonTips" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\policies\system\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\policies\system\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Explorer\"NoControlPanel" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Policies\Explorer\"NoControlPanel" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\policies\system\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\policies\system\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\windows\Windows Update\"NoAutoUpdate" = "1"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Update\AU\"NoAutoUpdate" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Explorer\"NoWindowsUpdate" = "1"
HKEY_CLASSES_ROOT\gopher\shell\open\command: "C:\Program Files\Internet Explorer\iexplore.exe" = "-nohome"
HKEY_CLASSES_ROOT\gopher\shell\open\command: "C:\Program Files\Internet Explorer\iexplore.exe" = "%1"
HKEY_CLASSES_ROOT\HTTP\shell\open\command: "C:\Program Files\Internet Explorer\iexplore.exe" = "-nohome"
HKEY_CLASSES_ROOT\HTTP\shell\open\command: "C:\Program Files\Internet Explorer\iexplore.exe" = "%1"
HKEY_CLASSES_ROOT\https\shell\open\command: "C:\Program Files\Internet Explorer\iexplore.exe" = "-nohome"
HKEY_CLASSES_ROOT\https\shell\open\command: "C:\Program Files\Internet Explorer\iexplore.exe" = "%1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.google.com/ie"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.google.com"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.google.com"
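The following PowerShell audit script is an added example, not part of the original write-up or of any vendor tool: it reads the autorun, policy-lockout, Winlogon Shell and dropped-file indicators listed above and reports which are present on the machine, so a defender can confirm the infection before and after the manual removal steps. It uses the standard key spellings (CurrentVersion, WindowsUpdate) where the page's list shows them with spaces, and assumes an elevated prompt on the suspect system.

```powershell
# Added audit script (not from the original page). Reports the Trojan.Fakeavalert
# indicators from the list above that exist on this machine; it changes nothing.
$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$Expected = '', [string]$Note)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $actual = [string]$item.$Name
    # An empty $Expected means "report if the value exists at all"
    if ($Expected -eq '' -or $actual -eq $Expected) {
        $findings.Add("$Note : $Path\$Name = '$actual'")
    }
}

foreach ($hive in 'HKLM:', 'HKCU:') {
    # Autorun entry the page attributes to the rogue AV (name may vary, see comments)
    Test-RegValue "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" 'WinAVX' '' 'autorun'
    # Policy values that lock the user out of Task Manager, regedit, Control Panel, updates
    $pol = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
    Test-RegValue "$pol\System"   'DisableTaskMgr'       '1' 'policy lockout'
    Test-RegValue "$pol\System"   'DisableRegistryTools' '1' 'policy lockout'
    Test-RegValue "$pol\Explorer" 'NoControlPanel'       '1' 'policy lockout'
    Test-RegValue "$pol\Explorer" 'NoWindowsUpdate'      '1' 'policy lockout'
}
Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate' '1' 'updates disabled'

# Winlogon Shell should be exactly explorer.exe; anything appended (e.g. printer.exe) is a hijack
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings.Add("winlogon shell hijack : $winlogon\Shell = '$shell'")
}

# Dropped files named on the page (%System% is System32 on these Windows versions)
$paths = @(
    "$env:SystemRoot\System32\WinAvXX.exe",
    "$env:SystemRoot\System32\printer.exe",
    "$env:USERPROFILE\Start Menu\Programs\Startup\system.exe",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup\autorun.exe"
)
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { $findings.Add("dropped file : $p") } }

if ($findings.Count -eq 0) { 'No Trojan.Fakeavalert indicators found.' }
else { $findings | ForEach-Object { "FOUND $_" } }
```

Run it again after the cleanup and reboot; a clean system should report no indicators, and any remaining policy lockout means a value was missed in step 5 of the manual removal.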
John
Sep 11, 2008 @ 14:12:46
These are good instructions, but for my instance of this problem, the registry key was HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”braviax” instead of:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”WinAVX”
I’m guessing the Trojan will name itself different things. We should start a vigilante group that beats up hackers.
Jelle
Oct 03, 2008 @ 13:24:33
Can you just put your PC back in time? I usually do that whenever I am infected with viruses.