Virus trojan.fakeavalert now unvalidated

Question
-
I was using a free antivirus and got a couple of trojan horses, trojan.fakeavalert and two other trojan viruses. Now I get the message that my Windows does not pass validation. I always passed before, and I ran the MGA diag and get this.
Microsoft Genuine Advantage Diagnostic Results
- Passed Active scripting allowed
- Passed Display images enabled
- Passed Computer time and date correct
- Passed Cookies enabled
- Passed ActiveX enabled
- Passed Windows validation ActiveX loaded
- Passed Office validation ActiveX loaded
- Passed Validation Self-help ActiveX loaded
- Passed Validation Self-help: Data.dat Corruption check
- Passed Validation Self-help: Cryptography check
- Passed Validation Self-help: Product Activation check
virus info
Discovered: October 10, 2007
Updated: October 10, 2007 5:08:11 PM
Type: Trojan
Infection Length: 7,680 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
When the Trojan is executed it creates the following files:
- %UserProfile%\Start Menu\Programs\Startup\system.exe
- C:\Documents and Settings\All Users\ Start Menu\Programs\Startup\autorun.exe
- %System%\printer.exe
- %System%\WinAvXX.exe
Next, the Trojan creates the following registry entries so that it executes whenever Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinAVX" = "%System%\WinAvXX.exe"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinAVX" = "%System%\WinAvXX.exe"
It also modifies the following registry entries so that it executes whenever Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe %System%\printer.exe"
The Trojan then modifies the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1200" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1201" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1208" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1608" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"1804" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\"2500" = "3"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1200" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1201" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1208" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1608" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"1804" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1\"2500" = "3"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1200" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1201" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1208" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1608" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"1804" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2\"2500" = "3"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1200" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1201" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1208" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1608" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"1804" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3\"2500" = "3"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1200" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1201" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1208" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1608" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"1804" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4\"2500" = "3"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
It creates the following registry entries in order to bypass the Windows firewall:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\"winav.exe" = "%Windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
It creates the following registry entries so that it makes Internet Explorer the default handler for .htm, .html, .shtml, .xht, and .xhtml files:
- HKEY_CLASSES_ROOT\.htm\"(Default Value)" = "htmlfile"
- HKEY_CLASSES_ROOT\.html\"(Default Value)" = "htmlfile"
- HKEY_CLASSES_ROOT\.shtml\"(Default Value)" = "htmlfile"
- HKEY_CLASSES_ROOT\.xht\"(Default Value)" = "htmlfile"
- HKEY_CLASSES_ROOT\.xhtml\"(Default Value)" = "htmlfile"
Next, the Trojan modifies the following registry entries in order to disable certain system utilities:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "1"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegistryTools" = "1"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegistryTools" = "1"
- HKEY_CURRENT_USER\Software\Policies\Microsoft\windows\Windows Update\"NoAutoUpdate" = "1"
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\"NoAutoUpdate" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoWindowsUpdate" = "1"
It then creates the following registry entries so that it makes Internet Explorer the default application for the protocols gopher, http, and https:
- HKEY_CLASSES_ROOT\gopher\shell\open\command\:""C:\Program Files\Internet Explorer\"iexplore.exe" = "-nohome"
- HKEY_CLASSES_ROOT\gopher\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "%1"
- HKEY_CLASSES_ROOT\HTTP\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "-nohome"
- HKEY_CLASSES_ROOT\HTTP\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "%1"
- HKEY_CLASSES_ROOT\https\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "-nohome"
- HKEY_CLASSES_ROOT\https\shell\open\command\: ""C:\Program Files\Internet Explorer\"iexplore.exe" = "%1"
The Trojan modifies the following registry entries so that it changes the Internet Explorer Start and Search defaults:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.google.com/ie"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.google.com"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com/"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.google.com"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.google.com"
- Changed type RickImAPC Thursday, September 18, 2008 2:37 PM Security Question
Thursday, September 18, 2008 3:56 AM
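As a defender's check against the registry changes listed in the write-up above, here is an added example (not from the original thread or from the write-up's vendor) that parses a Windows registry export (.reg text) and flags the autostart, Winlogon Shell, policy lockout and firewall-exception entries the write-up attributes to the Trojan; the .reg sample embedded at the bottom is constructed to resemble an infected export.

```python
# Scan a Windows registry export (.reg text) for the autostart, lockout and
# firewall-exception entries listed in the Trojan.FakeAVAlert write-up above.
# Added example for this thread, not code from the original post; the sample
# export at the bottom is constructed to look like an infected machine.
import re

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Policy values the write-up says are set to 1 (a REG_DWORD exports as dword:00000001)
LOCKOUT_VALUES = {"disabletaskmgr", "disableregistrytools", "nocontrolpanel",
                  "noautoupdate", "nowindowsupdate"}

def unescape(s):
    # .reg escaping: a doubled backslash is one backslash, \" is a literal quote
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    # Returns {key_path: {value_name: data}}; quoted string data is unescaped,
    # other types (dword:..., hex:...) are kept exactly as written.
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys

def find_fakeavalert_indicators(keys):
    # Each hit is (key_path, value_name, reason); the registry is case-insensitive
    hits = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n, d = name.lower(), data.lower()
            if k.endswith(r"\currentversion\run") and n == "winavx":
                hits.append((key, name, "autostart of " + data))
            elif k.endswith(r"\winlogon") and n == "shell" and d != "explorer.exe":
                hits.append((key, name, "Winlogon Shell altered to " + data))
            elif n in LOCKOUT_VALUES and d in ("dword:00000001", "1"):
                hits.append((key, name, "system utility or update disabled"))
            elif r"\authorizedapplications\list" in k and n.endswith("winav.exe"):
                hits.append((key, name, "firewall exception for winav.exe"))
    return hits

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinAVX"="C:\\WINDOWS\\system32\\WinAvXX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\printer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\winav.exe"="C:\\WINDOWS\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"""
```

Run `find_fakeavalert_indicators(parse_reg(open("export.reg", encoding="utf-16").read()))` on a real export taken with `regedit /e`; the benign ctfmon.exe entry in the sample is there to show that ordinary Run values are not flagged.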
Answers
-
R36613,
Thank you for visiting the Windows Genuine Advantage (WGA) program forum. The purpose of this forum is the support of the Windows Genuine Advantage (WGA) program. Virus questions are off topic.
There are two things I'd like to share with you. First, backing up and saving your data, then doing a clean installation as Dan indicated is normally the best way to resolve an issue regarding Malware. Once an attack has commenced, if your antimalware scanner was unable to deal with the situation at first, it is impossible to identify the aftermath of the matter.
Second, if you need further assistance, please feel free to call <removed by Moderator: Phone number no longer in use>. This phone number is for virus and other security-related support free of charge. It is available 24 hours a day for the U.S. and Canada. Detailed information including selecting various regions for support can be located at:
http://www.microsoft.com/protect/support/default.mspx
The following link regarding Cleaning a Compromised System can be found here:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
The following link regarding Computer Viruses: Description, Prevention, and Recovery can be found here:
http://support.microsoft.com/kb/129972/en-us
The best way for eradicating malware and virus infections is to re-image your computer. Reinstallation does take time. It may provide you with a better peace of mind overall. Should you take this route and need assistance please reference the following How to Install or Upgrade to Windows XP article here:
http://support.microsoft.com/kb/316941/en-us
The following article How to Install Windows XP may also be helpful for you:
http://www.microsoft.com/windowsxp/using/setup/winxp/install.mspx
Now you will need HELP for fighting spyware and keeping a newly re-formatted system free from malware and viruses. Please always ensure critical updates are updated by visiting the Windows Update site located here:
http://www.update.microsoft.com/
Next you may want to download Windows Defender for free. Windows Defender will help thwart malware infestations. It can be found here:
http://www.microsoft.com/windows/products/winfamily/defender/default.mspx
Next, the Microsoft Security Center has many links providing customers assistance for arming themselves against malicious activities which lurk around the Internet. It can be found here:
http://www.microsoft.com/security/default.mspx
Windows Live OneCare is a great tool for providing the following services: Antivirus & Antispyware, Online ID Protection, Firewall, Multi-PC Management, Printer Sharing, and Backup and Restore features. Information for OneCare can be found here:
OneCare will help detect and eradicate both malware and viruses from your system while silently running behind the scenes. OneCare may be purchased inexpensively from Microsoft Marketplace at the following link:
http://www.windowsmarketplace.com/showcase.aspx?ctid=5&WT.mc_id=point_it_store_microsoft_a_G
I encourage regular visits to The Microsoft Security Response Center (MSRC) blog located at the following link:
http://blogs.technet.com/msrc/default.aspx
Microsoft provides a real-time way for communicating with customers as well as helping customers understand Microsoft's security response efforts. The following link is for the Security at home website:
http://www.microsoft.com/protect/default.mspx
The following link is for the Security Guidance Center:
http://www.microsoft.com/smallbusiness/support/computer-security-overview.aspx - BulletinsAndAlerts
These sites provide many links with detailed information covering PC Safety and Security. Please take the time and review the various links because there is a wealth of information for protecting families while using the computer.
Thank you again for contacting the Windows Genuine Advantage (WGA) program forums.
Rick, MS
- Marked as answer by RickImAPC Thursday, September 18, 2008 2:37 PM
- Edited by Darin Smith MS Tuesday, April 10, 2012 6:58 PM Removed phone number no longer in use
Thursday, September 18, 2008 2:36 PM
All replies
-
R36613,
Backup and offload your data, and do a clean installation after repartitioning and reformatting the hard disk drive; or if you have a manufacturer supplied recovery method, employ that recovery method.
The above actions offer the best chance of ridding your system of the trojan and its remnants.
Once the computer is operational again, STOP operating the computer with a Computer Administrator-level account.
For great advice on all topics XP, visit http://www.annoyances.org/exec/forum/winxp
Thursday, September 18, 2008 4:10 AM
-
I was able to remove them with Norton Internet Security 08 and I am operating just fine, except for the validation problem. Can I cut out the clean install?
Thursday, September 18, 2008 5:00 AM