TROJ_FAKEAV.ORT


Came across this warning and pasted as is.

TROJ_FAKEAV.ORT is a rogue system optimisation program that has no effect on the state of your PC’s performance, but forces the user of an infected PC to pay for a full version of the software to remove non-existent problems. It creates the following files on infected systems:

• %Desktop%\Windows Recovery.lnk
• %Start Menu%\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
• %Start Menu%\Programs\Windows Recovery\Windows Recovery.lnk

In addition to creating these files, it also creates the following registry entries:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{random file name} = "%System Root%\Documents and Settings\All Users\Application Data\{random file name}.exe"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr = "1"

Finding these files and registry settings is an indication that you are infected with this Trojan. Before removing the infection, back up your registry.

1. Press [Windows Key] + [R], type REGEDIT and click OK.
2. Navigate to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3. Delete the registry entry: {random file name} = "C:\Documents and Settings\All Users\Application Data\{random file name}.exe"
4. Delete the registry key: HKEY_CURRENT_USER\Software\75fa38b7-8b94-4995-ad32-52e938867954
5. Navigate to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
6. Delete the registry entry: NoChangingWallPaper = "1"
7. Navigate to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
8. Delete the registry entry: DisableTaskMgr = "1"
9. Navigate to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
10. Delete the registry entry: DisableTaskMgr = "1"
11. Navigate to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
12. Delete the registry entry: LowRiskFileTypes = "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/ fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
13. Navigate to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
14. Delete the registry entry: SaveZoneInformation = "1"
15. Navigate to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
16. Delete the registry entry: NoDesktop = "1"
17. Exit the Registry Editor.
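A read-only PowerShell check for the indicators listed above, added here as an example and not part of the original post or the warning it quotes. It assumes the standard HKCU:/HKLM: registry drives and resolves %Desktop% and %Start Menu% for the user running it; the {random file name} Run entry is matched by the path it points to rather than by name.

```powershell
# Added example (not part of the original post): read-only audit of the
# indicators listed above. It only reports; it deletes nothing.
function Test-FakeAvOrtIndicators {
    $findings = @()
    # Registry values the post lists (Data = $null: report whatever is present).
    $values = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';      Data = '1' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system';        Name = 'DisableTaskMgr';      Data = '1' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper'; Data = '1' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name = 'SaveZoneInformation'; Data = '1' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoDesktop';           Data = '1' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';  Name = 'LowRiskFileTypes';    Data = $null }
    )
    foreach ($v in $values) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = $item.($v.Name)
        if ($null -eq $v.Data -or "$data" -eq $v.Data) {
            $findings += "Registry value: $($v.Path)\$($v.Name) = $data"
        }
    }
    # The Run entry has a random name, so match on where it points instead.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -ne $run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match '\\All Users\\Application Data\\[^\\]+\.exe') {
                $findings += "Run entry: $runKey\$($p.Name) = $($p.Value)"
            }
        }
    }
    # GUID-named key from step 4 of the removal instructions.
    $guidKey = 'HKCU:\Software\75fa38b7-8b94-4995-ad32-52e938867954'
    if (Test-Path -LiteralPath $guidKey) { $findings += "Registry key: $guidKey" }
    # Shortcut files the Trojan drops (%Desktop% and %Start Menu% resolved for this user).
    $desktop   = [Environment]::GetFolderPath('Desktop')
    $startMenu = [Environment]::GetFolderPath('StartMenu')
    $files = @(
        (Join-Path $desktop   'Windows Recovery.lnk'),
        (Join-Path $startMenu 'Programs\Windows Recovery\Windows Recovery.lnk'),
        (Join-Path $startMenu 'Programs\Windows Recovery\Uninstall Windows Recovery.lnk')
    )
    foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings += "File: $f" } }
    return $findings
}

$hits = Test-FakeAvOrtIndicators
if ($hits.Count -eq 0) { 'No TROJ_FAKEAV.ORT indicators found.' } else { $hits }
```

Run it as the affected user before editing the registry so the findings list can be compared against the removal steps; LowRiskFileTypes is reported whenever it is set, since an administrator may have configured it legitimately and the value needs a human look.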