Tuesday, May 10, 2011

How to Remove Fake AV Software

Trojan.FakeAV.3510
Manipulates the Windows HOSTS file and blocks antivirus software

This fake antivirus makes a habit of blocking a whole range of security software and rewriting the Windows HOSTS file, so that once the infection succeeds the victim's computer can no longer reach the security vendors' websites. HOSTS file tampering is something computer users need to watch for, internet banking users above all: Windows consults the HOSTS file before DNS, so a redirected entry sends the browser to the attacker's server even though the address typed is correct, and combined with a phishing site and the right social engineering it has the potential to lead to a break-in on an internet banking account, even one protected by a PIN calculator / token (two-factor authentication), because a live phishing site can relay the one-time code before it expires. That is why internet banking users should use antivirus protection that covers the HOSTS file, such as the protection provided by Dr.Web Security Space.

Characteristics and symptoms of the virus
The virus is written in Visual Basic, is about 62 KB in size and uses the Visual Basic icon. One easily recognised characteristic: every time the user opens Internet Explorer it displays the website [http://www.qseach.com/?ref=kzCXow ==], made to resemble the search engine www.google.com.

Parent virus file
When the user runs the parent virus file, it displays an error message and then drops a master file that is run automatically every time the computer boots.

Blocking Windows functions
To make cleaning difficult, it blocks several Windows functions such as Task Manager, MSCONFIG, CMD (Command Prompt), Regedit and Folder Options by setting policy restrictions in the registry.

Blocking security software
Besides blocking Windows functions, it blocks security tools and software, antivirus programs included, in two ways: by reading the window caption text of running programs, and by registering a debugger (redirect) for them so that the virus file in [C:\Documents and Settings\%username%\132616c4\winlogon.exe] is run instead. To set up the debugger redirect it creates a string value in the registry under Image File Execution Options. The file is named winlogon.exe to blend in with the real system process of that name, which lives in C:\Windows\System32; a winlogon.exe anywhere inside a user profile folder is a red flag.

Changing the USB flash drive icon
The virus also changes the USB flash drive's icon into a folder icon and blocks access to the drive when the user opens it by double-clicking: double-clicking the USB flash drive automatically activates the virus.

Hiding files/folders
The USB flash drive is a victim once again: this time it hides all files/folders on the drive and in their place creates duplicates with the same names as the hidden files/folders, in the form of shortcut (.lnk) files.
Every shortcut created has as its target the virus file (Ua3kmh73O3jyut4Iok.exe) planted earlier, which runs when the shortcut is opened; the target file is normally stored on the USB flash drive itself.
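To see what such a decoy shortcut actually points at without double-clicking it, a triage script can read the target and arguments straight out of the .lnk file's ShellLink structure (the LocalBasePath inside LinkInfo and the arguments string in StringData, per the MS-SHLLINK format). The Python below is an added example written for this page, not code from the original post or from Vaksincom. The sample .lnk it checks is built inside the script; wrapping the dropper in cmd.exe /c start ... is an assumption about how such shortcuts are commonly constructed, not something the text states, and the dropper file name Ua3kmh73O3jyut4Iok.exe is the one the text gives.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def parse_lnk(data):
    """Read target path and StringData from a .lnk without resolving or running it.
    The IDList is skipped; the path comes from LinkInfo.LocalBasePath (ANSI)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, base_off, _net, _suffix = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath
            start = pos + base_off
            target = data[start:data.index(b"\0", start)].decode("cp1252")
        pos += info_size
    out = {"target": target}
    # StringData: each present string is a u16 char count followed by the chars.
    for field, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                       ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                       ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            out[field] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return out


def triage_lnk(info, dropper_names=("Ua3kmh73O3jyut4Iok.exe",)):
    """Return the reasons a shortcut looks like the worm's decoy; [] means clean."""
    reasons = []
    blob = " ".join(v for v in (info.get("target"), info.get("arguments")) if v).lower()
    for name in dropper_names:
        if name.lower() in blob:
            reasons.append(f"references dropper {name}")
    if (info.get("target") or "").lower().endswith("\\cmd.exe") and "start" in blob and ".exe" in blob:
        reasons.append("cmd.exe wrapper that starts another executable")
    return reasons


def build_sample_lnk(target_path, arguments):
    """Assemble a minimal .lnk (LinkInfo + arguments) so the parser can run offline.
    Constructed for this example, not a file captured from the trojan."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ARCHIVE attr, SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\0"  # DRIVE_FIXED, empty label
    base_path = target_path.encode("cp1252") + b"\0"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base_path)
    info_size = suffix_off + 1
    link_info = struct.pack("<7I", info_size, 0x1C, 1, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\0"
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + args


# Constructed decoy in the style the text describes (assumed cmd.exe wrapper).
SAMPLE_LNK = build_sample_lnk("C:\\WINDOWS\\system32\\cmd.exe",
                              "/c start Ua3kmh73O3jyut4Iok.exe & start Documents & exit")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info)
    print(triage_lnk(info) or "clean")
```

The parser never resolves or executes the link and reads only the fields it needs, so it is safe to run over every .lnk on a suspect drive; wherever it flags a shortcut, the real file of the same name is the hidden entry sitting next to it.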

Changing the Windows HOSTS file
It also modifies the Windows HOSTS file [C:\Windows\System32\Drivers\Etc\Hosts], with the result that a number of websites can no longer be accessed. Here are some of the website addresses that are blocked:
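A quick way to check a HOSTS file for exactly this kind of tampering is to parse it and flag every entry that either blackholes a name (maps it to 127.0.0.1 or 0.0.0.0, which is how "cannot access the security vendor's site" is implemented) or maps a name on a watchlist to some other address (the banking redirect). The Python below is an added example for this page, not code from the original post or from Dr.Web or Vaksincom; the watchlist domains and the sample HOSTS contents are constructed for the demonstration (the page's own list of blocked addresses is not reproduced here), and the bank domain is a placeholder.

```python
import ipaddress

# Names that legitimately appear in a stock HOSTS file mapped to loopback.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

# Assumed watchlist, constructed for this example: the security vendors the
# user relies on plus the user's bank.  Adjust to the environment.
WATCHLIST = ("drweb.com", "freedrweb.com", "vaksin.com", "example-bank.co.id")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS text.
    '#' comments and blank lines are skipped; a line whose first token is not
    an IP address is yielded with ip=None so garbage does not go unnoticed."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        tokens = body.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            yield line_no, None, body
            continue
        for name in tokens[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def _on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return (line_no, hostname, verdict) for every entry that is not a stock
    loopback mapping.  Blackholes and watchlist redirects are the trojan's
    two tricks; anything else is reported for manual review."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((line_no, name, "unparseable line"))
        elif name in STOCK_NAMES and (ip.is_loopback or ip.is_unspecified):
            continue
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, name, "blackholed (site cannot be reached)"))
        elif _on_watchlist(name):
            findings.append((line_no, name, f"redirected to {ip} (possible phishing)"))
        else:
            findings.append((line_no, name, f"mapped to {ip} (verify this is intended)"))
    return findings


def clean_hosts(text):
    """Return HOSTS text with every flagged line removed; comments and the
    stock localhost entries are kept, which is the 'restore' a vendor tool does."""
    bad = {line_no for line_no, _, _ in audit_hosts(text)}
    return "\n".join(l for i, l in enumerate(text.splitlines(), 1) if i not in bad) + "\n"


# Constructed sample, NOT a capture from the trojan: a stock XP HOSTS file with
# three lines appended in the style the text describes.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.drweb.com
0.0.0.0         www.freedrweb.com
203.0.113.45    ibank.example-bank.co.id   # attacker-controlled (TEST-NET-3 address)
"""

if __name__ == "__main__":
    for line_no, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name}: {verdict}")
    print(clean_hosts(SAMPLE_HOSTS))
```

On a live machine read the text from C:\Windows\System32\drivers\etc\hosts and run audit_hosts over it; the functions only work on the file's text, so they can also be pointed at a copy taken from a suspect disk. One point worth passing on to users together with the cleanup: a HOSTS redirect does not give the attacker a valid certificate for the bank's HTTPS site, so the lure has to rely on plain HTTP or on the user clicking past a certificate warning.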

How to remove Trojan.FakeAV.3510
1. For cleaning, you can use the Dr.Web CureIt! tool from Dr.Web antivirus. Download the tool from the following address:
http://www.freedrweb.com/cureit/?lng=en
Once the tool has been downloaded, run it by double-clicking the Dr.Web CureIt! file. When the prompt "DrWeb CureIt! - Enhanced Protection Mode" appears, click [OK]; in this mode you will not be able to do anything else on the computer, which lets the cleaning run undisturbed.
The "Dr.Web Scanner for Windows - Express Scan" screen appears; leave it until the scan completes. If the cleaning prompt appears when the scan finishes, click [Yes to All].
For optimal cleaning, scan all drives, including USB flash drives / external hard disks, by choosing the [Complete scan] option.
Note:
Dr.Web antivirus also automatically restores the Windows HOSTS file changed by Trojan.FakeAV.3510 to its initial setting. If a prompt appears saying that the Windows HOSTS file has been modified by a virus and offering to fix it, click [Yes].
Click Restart if Dr.Web antivirus prompts you to restart.

2. Repair the Windows registry entries changed by the virus. To speed up the repair, copy the script below into Notepad, save it as repair.inf, and run it as follows:
Right-click repair.inf
Click INSTALL

; repair.inf - restores the file-type handlers and removes the policies and
; autostart entries set by Trojan.FakeAV.3510
[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default "open" commands for bat/com/exe/pif/reg/scr files so
; that programs run normally again. INF quoting: a literal double quote inside
; a quoted string is written as "".
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Put the Windows shell and the Internet Explorer start/search pages back.
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Internet Explorer\main, Start Page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\main, Search Page,0,"about:blank"
HKCU, Software\Microsoft\Internet Explorer\main, Local Page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\main, Default_Search_URL,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\main, Default_Page_URL,0, "about:blank"

; Remove the virus's autostart value and the policy values it used to block
; Task Manager, Regedit, CMD, Run and Folder Options.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, 74e4144414
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFile
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
; Deleting the whole Image File Execution Options key removes the virus's
; debugger redirects but also any legitimate entries; the FixImageFile .reg
; in step 3 restores the defaults afterwards.
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
; Drops the Windows Firewall policy key; the per-application firewall
; exception for the virus is removed separately in step 3.
HKLM, SOFTWARE\Policies\Microsoft\WindowsFirewall
HKCU, Software\Policies\Microsoft\Internet Explorer\Control Panel, HomePage
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, 74e4144414
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
; Removes the EnableLUA (UAC switch) value so the system default applies again.
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA

3. Manually delete the following registry values:
Click the [Start] menu
Click [Run]
Type Regedit.exe, then click [OK]
Then delete the following registry string values (each value is listed under the key that contains it). The RUNASADMIN compatibility layer makes the virus run with administrator rights, and the AuthorizedApplications entry is a Windows Firewall exception for it.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

Note:
%user% is the name of the user account used to log on to Windows.
Repair the Image File Execution Options entries. Download the FixImageFile files from http://rapidshare.com/files/446070146/FixImageFile.zip, then import FixImageFile_XP.reg (Windows XP) or FixImageFile_Vista_Win7.reg (Windows Vista / 7) as follows (see figure 15):
Click [Start]
Click [Run]
Type Regedit.exe and click [OK]
Once the "Registry Editor" window appears, click the [File] menu
Click [Import]
Navigate to the FixImageFile .reg file for your Windows version, then click [Open]
If a confirmation screen appears, click [OK]
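The registry changes described under "Blocking security software" and in step 3 (the Image File Execution Options debugger redirect, the RUNASADMIN compatibility layer and the firewall exception) can also be checked on an exported copy of the registry, which helps when Regedit itself is blocked: export the keys with reg export from another account or a recovery environment, then audit the text. The Python below is an added example written for this page, not a tool from the original post or from Vaksincom. The .reg contents it scans are constructed here (the avp.exe and taskmgr.exe image names and the procexp.exe entry are illustrative, the winlogon.exe path is the one the text gives), and the undo .reg it produces deletes only the values flagged HIGH, rather than the entire Image File Execution Options key as repair.inf does.

```python
import re

# "name"=value or @=value; the name may contain escaped quotes and backslashes.
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')
IFEO = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
LAYERS = "\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"
FW_LIST = "\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"
# Paths inside a user profile or temp folder: nothing legitimate should
# register a debugger, a compat layer or a firewall exception from there.
USER_PROFILE = re.compile(
    r"^(?:[a-z]:\\(?:documents and settings|users)\\|%(?:userprofile|appdata|temp)%)", re.I)


def _unquote(s):
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: value}}.  REG_SZ strings are unescaped; dword:/hex:
    values are kept as raw text (hex continuation lines are joined)."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):  # regedit wraps long hex: values with a trailing backslash
            pending = line[:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name, value = m.group(1), m.group(2)
        name = name if name == "@" else _unquote(name)
        keys[current][name] = _unquote(value) if value.startswith('"') else value
    return keys


def audit_reg(keys):
    """Return (key, value_name, severity, reason) for the three kinds of entry
    the trojan uses.  HIGH means the path points into a user profile."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if IFEO.lower() in k and "Debugger" in values:
            image = key.rsplit("\\", 1)[1]
            dbg = values["Debugger"].strip('"')
            sev = "HIGH" if USER_PROFILE.match(dbg) else "REVIEW"
            findings.append((key, "Debugger", sev, f"{image} is redirected to {dbg}"))
        elif k.endswith(LAYERS.lower()):
            for path, layer in values.items():
                if USER_PROFILE.match(path):
                    findings.append((key, path, "HIGH", f"compat layer {layer} for a user-profile executable"))
        elif k.endswith(FW_LIST.lower()):
            for path in values:
                if USER_PROFILE.match(path):
                    findings.append((key, path, "HIGH", "firewall exception for a user-profile executable"))
    return findings


def undo_reg(findings):
    """Emit a .reg that deletes only the HIGH findings ("name"=- removes a value)."""
    by_key = {}
    for key, name, sev, _ in findings:
        if sev == "HIGH":
            by_key.setdefault(key, []).append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        for name in names:
            escaped = name.replace("\\", "\\\\").replace('"', '\\"')
            out.append(f'"{escaped}"=-')
        out.append("")
    return "\n".join(out)


# Constructed export, NOT a capture from an infected machine; the image names
# avp.exe/taskmgr.exe and the procexp.exe debugger are illustrative.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Documents and Settings\\user\\132616c4\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\ProcExp\\procexp.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Documents and Settings\\user\\132616c4\\winlogon.exe"="RUNASADMIN"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\132616c4\\winlogon.exe"="C:\\Documents and Settings\\user\\132616c4\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"
"""

if __name__ == "__main__":
    findings = audit_reg(parse_reg_export(SAMPLE_REG))
    for key, name, sev, why in findings:
        print(f"{sev:6} {why}\n       {key}")
    print(undo_reg(findings))
```

The REVIEW severity exists because a debugger entry is not proof of infection on its own (Process Explorer's "Replace Task Manager" option writes one for taskmgr.exe); what makes the trojan's entries stand out is the executable living under Documents and Settings. Import the generated undo file with Regedit as in step 3 and check that the system's real winlogon.exe in C:\Windows\System32 is untouched.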

4. Show the files hidden by the virus on the USB flash drive:
Click [Start]
Click [Run]
Type CMD and click [OK]
In the Command Prompt (CMD) window, switch to the USB flash drive by typing its drive letter followed by a colon and pressing Enter.
Then type the command attrib -s -h -r /s /d and press Enter (see figure 18).
Wait a moment until the process completes.

Note:
The drive letter differs from computer to computer; for example, if the USB flash drive is E, type the command E: first. attrib -s -h -r /s /d clears the System, Hidden and Read-only attributes recursively (/s) on files and folders (/d). Once the real files are visible again, delete the shortcut files the virus created alongside them and the virus file itself (Ua3kmh73O3jyut4Iok.exe): unhiding alone leaves the shortcuts in place, and opening one of them re-infects the computer.

5. For optimal cleaning, scan again with an antivirus whose signatures are up to date.