Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | May 2008 (4.29) |
| Protection available since | 4 April 2008 23:45:57 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/FakeAv-J is fake anti-spyware software for the Windows platform.
Troj/FakeAv-J creates dummy installations of known adware/spyware such as "180solutions" and changes the computer wallpaper to display the following message:
'Warning: Spyware threat has been detected on your PC.
Your computer has several fatal errors due to spyware activity.
It is strongly recommended to install an antispyware software to close all security vulnerabilities.
Antispyware software helps protect your PC against spyware and other security threats.
CLICK HERE TO SCAN YOUR PC FOR SPYWARE...'
When the user clicks the link, a web page is opened containing links to download or buy fake antispyware software.
When first run, Troj/FakeAv-J copies itself to the Windows system folder as:
<System>\sbwltbxa.exe
and changes/sets the following registry entries to run itself on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
,<pathname of the Troj/FakeAv-J executable>,
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<pathname of the Troj/FakeAv-J executable>,
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Troj/FakeAv-J drops the file <Windows>\default.htm and uses it to set the wallpaper by setting the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General
Wallpaper
<Windows>\default.htm
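
The registry changes listed above can be checked in exported registry values. The following Python is an added example, not part of the Sophos analysis: the function names, the finding labels and the `(key, value name, data)` snapshot format are assumptions, and the sample data is constructed with `<System>` and `<Windows>` filled in as `C:\Windows` paths.

```python
import ntpath

# Subkeys (below the hive) named in the analysis, lower-cased for comparison.
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"software\microsoft\windows\currentversion\policies\system"
DESKTOP = r"software\microsoft\internet explorer\desktop\general"

def extra_userinit_entries(data):
    """Return Userinit entries whose file name is not userinit.exe.
    Only the base name is compared, so the directory is not validated."""
    entries = [e.strip().strip('"') for e in data.split(",")]
    return [e for e in entries if e and ntpath.basename(e).lower() != "userinit.exe"]

def audit(snapshot):
    """snapshot: iterable of (key, value_name, data) -> list of (hive, finding, detail)."""
    findings = []
    for key, name, data in snapshot:
        hive, _, subkey = key.partition("\\")
        subkey, name, data = subkey.lower(), name.lower(), str(data)
        if subkey == WINLOGON and name == "userinit":
            findings += [(hive, "userinit-extra", e) for e in extra_userinit_entries(data)]
        elif subkey == POLICIES and name == "disabletaskmgr" and data == "1":
            findings.append((hive, "taskmgr-disabled", data))
        elif subkey == DESKTOP and name == "wallpaper" and data.lower().endswith((".htm", ".html")):
            findings.append((hive, "html-wallpaper", data))
    return findings

# Constructed snapshot (not captured from a real host): the key and value names
# are the ones from the analysis, the drive and folder paths are assumed.
SAMPLE = [
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r",C:\Windows\System32\sbwltbxa.exe,"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\System32\userinit.exe,C:\Windows\System32\sbwltbxa.exe,"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "DisableTaskMgr", 1),
    (r"HKCU\Software\Microsoft\Internet Explorer\Desktop\General", "Wallpaper",
     r"C:\Windows\default.htm"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An HTML wallpaper or a disabled Task Manager can also be set legitimately by an administrator, so each finding is a prompt for review rather than a verdict.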
