Troj/FakeAv-G is fake anti-spyware software for the Windows platform.
Troj/FakeAv-G creates dummy installations of known adware/spyware such as "180solutions" and changes the computer wallpaper to display the following message:
'Warning: Spyware threat has been detected on your PC.
Your computer has several fatal errors due to spyware activity.
It is strongly recommended to install an antispyware software to close all security vulnerabilities.
Antispyware software helps protect your PC against spyware and other security threats.
CLICK HERE TO SCAN YOUR PC FOR SPYWARE...'
When the user clicks the link a web page is opened containing links to download / buy fake antispyware software.
When first run Troj/FakeAv-G copies itself to the Windows system folder and changes/sets the following registry entries to run itself on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
,<pathname of the Troj/FakeAv-G executable>,
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<pathname of the Troj/FakeAv-G executable>,
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Troj/FakeAv-G drops the file <Windows>\default.htm and uses it to set the wallpaper by setting the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General
Wallpaper
<Windows>\default.htm