Virus trojan.fakeavalert now unvalidated

    Question

  • I was using a free antivirus and got a couple of trojan horses, trojan.fakeavalert and two other trojan viruses. Now I get the message that my Windows does not pass validation. I always passed before, and I ran the MGA diag and get this.

    Microsoft Genuine Advantage Diagnostic Results

    Passed Active scripting allowed
    Passed Display images enabled
    Passed Computer time and date correct
    Passed Cookies enabled
    Passed ActiveX enabled
    Passed Windows validation ActiveX loaded
    Passed Office validation ActiveX loaded
    Passed Validation Self-help ActiveX loaded
    Passed Validation Self-help: Data.dat Corruption check
    Passed Validation Self-help: Cryptography check
    Passed Validation Self-help: Product Activation check


    virus info

    Discovered: October 10, 2007
    Updated: October 10, 2007 5:08:11 PM
    Type: Trojan
    Infection Length: 7,680 bytes
    Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

    When the Trojan is executed it creates the following files:
    • %UserProfile%\Start Menu\Programs\Startup\system.exe
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
    • %System%\printer.exe
    • %System%\WinAvXX.exe


    Next, the Trojan creates the following registry entries so that it executes whenever Windows starts:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinAVX" = "%System%\WinAvXX.exe"
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinAVX" = "%System%\WinAvXX.exe"



    It also modifies the following registry entries so that it executes whenever Windows starts:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe %System%\printer.exe"


    The Trojan then modifies the following registry entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1200" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1201" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1208" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1608" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1804" = "1"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"2500" = "3"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1200" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1201" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1208" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1608" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1804" = "1"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"2500" = "3"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1200" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1201" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1208" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1608" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1804" = "1"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"2500" = "3"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1200" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1201" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1208" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1608" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1804" = "1"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"2500" = "3"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1200" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1201" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1208" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1608" = "0"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1804" = "1"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"2500" = "3"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"


    It creates the following registry entries in order to bypass the Windows firewall:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"


    It creates the following registry entries so that it makes Internet Explorer the default handler for .htm, .html, .shtml, .xht, and .xhtml files:
    • HKEY_CLASSES_ROOT\.htm\"(Default Value)" = "htmlfile"
    • HKEY_CLASSES_ROOT\.html\"(Default Value)" = "htmlfile"
    • HKEY_CLASSES_ROOT\.shtml\"(Default Value)" = "htmlfile"
    • HKEY_CLASSES_ROOT\.xht\"(Default Value)" = "htmlfile"
    • HKEY_CLASSES_ROOT\.xhtml\"(Default Value)" = "htmlfile"


    Next, the Trojan modifies the following registry entries in order to disable certain system utilities:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "1"
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "1"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegistryTools" = "1"
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegistryTools" = "1"
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\windows\Windows Update\"NoAutoUpdate" = "1"
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\"NoAutoUpdate" = "1"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoWindowsUpdate" = "1"


    It then creates the following registry entries so that it makes Internet Explorer the default application for the protocols gopher, http, and https:
    • HKEY_CLASSES_ROOT\gopher\shell\open\command\:""C:\Program Files\Internet Explorer\"iexplore.exe" = "-nohome"
    • HKEY_CLASSES_ROOT\gopher\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "%1"
    • HKEY_CLASSES_ROOT\HTTP\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "-nohome"
    • HKEY_CLASSES_ROOT\HTTP\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "%1"
    • HKEY_CLASSES_ROOT\https\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "-nohome"
    • HKEY_CLASSES_ROOT\https\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "%1"


    The Trojan modifies the following registry entries so that it changes the Internet Explorer Start and Search defaults:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.google.com/ie"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.google.com"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com/"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.google.com"
    Type changed RickImAPC Thursday, September 18, 2008 2:37 PM Security Question
    Thursday, September 18, 2008 3:56 AM
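The indicators in the pasted write-up gathered into a single host check, as an added example that is not part of the original post or of the Symantec write-up. The file names, value names and registry keys are the ones listed above; the check logic, the output format and the assumption that this runs from an elevated PowerShell prompt on the affected machine are this script's own. It only reports what it finds and changes nothing, so it is safe to run before deciding on cleanup; the Startup folder paths are resolved with GetFolderPath so they work on XP and on later Windows versions alike.

```powershell
# Added example: audit a host for the Trojan.FakeAvAlert indicators quoted above.
# Not from the original post or the Symantec write-up; indicator names and values
# are those listed there, the check logic and output format are this script's own.
# Run from an elevated PowerShell prompt. Report-only: nothing is deleted or changed.

$findings = New-Object System.Collections.Generic.List[string]

# Record a registry value when $IsBad, given the value, returns $true.
function Test-RegValue {
    param([string]$Path, [string]$Name, [scriptblock]$IsBad, [string]$Why)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $value = $item.$Name
    if (& $IsBad $value) { $findings.Add("$Why : $Path\$Name = '$value'") }
}

# 1. Run-key persistence under the value name "WinAVX" (HKLM and HKCU)
foreach ($hive in 'HKLM:', 'HKCU:') {
    Test-RegValue "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" 'WinAVX' `
        { param($v) $null -ne $v } 'Run-key persistence'
}

# 2. Winlogon Shell must be exactly Explorer.exe; "Explorer.exe <path>\printer.exe" is a hijack
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell' `
    { param($v) $v -ne 'Explorer.exe' } 'Winlogon Shell hijack'

# 3. Policy values the write-up sets to 1 to lock the user out of Task Manager,
#    Registry Editor, Control Panel and Windows Update
$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoWindowsUpdate' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Name = 'NoAutoUpdate' },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Windows Update';          Name = 'NoAutoUpdate' }
)
foreach ($p in $policies) {
    Test-RegValue $p.Path $p.Name { param($v) $v -eq 1 } 'Admin tool disabled by policy'
}

# 4. Windows Firewall authorized-application exceptions for winav.exe.
#    The List key holds one value per program, named by the program's full path.
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $listKey = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile\AuthorizedApplications\List"
    if (Test-Path -LiteralPath $listKey) {
        $entries = Get-ItemProperty -LiteralPath $listKey
        foreach ($prop in $entries.PSObject.Properties) {
            if ($prop.Name -like '*\winav.exe') {
                $findings.Add("Firewall exception : $listKey\$($prop.Name) = '$($prop.Value)'")
            }
        }
    }
}

# 5. Dropped files. GetFolderPath resolves the per-user and all-users Startup
#    folders on XP and on Vista and later, where they moved under AppData / ProgramData.
$sys32 = Join-Path $env:SystemRoot 'System32'
$dropped = @(
    (Join-Path $sys32 'printer.exe'),
    (Join-Path $sys32 'WinAvXX.exe'),
    (Join-Path $sys32 'winav.exe'),
    (Join-Path ([Environment]::GetFolderPath('Startup'))       'system.exe'),
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'autorun.exe')
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings.Add("Dropped file present : $f") }
}

if ($findings.Count -eq 0) { 'No Trojan.FakeAvAlert indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The Winlogon Shell check flags any value other than Explorer.exe, not just the printer.exe variant, because the same hijack is used by many families with different payload names. A clean result from this script does not prove the machine is clean: the write-up describes one variant, and the user reports two other trojans on the same machine, so it is a triage aid rather than a substitute for a full scan or a rebuild.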

Answers

All replies