Learn about the Trojan.Win32.FraudPack.bkhe sample
When we talk about Trojans, we are referring to a very malicious and dangerous type of computer program that can block, modify, copy or delete all user data, and that is a main cause of computers slowing down or hanging frequently.
Its first activity was detected on September 15, 2010, and it was submitted for research and analysis the same day. It was not until October 22, 2010 that official information about it was made public. Basically, this is malicious code with many complex payload methods, cleverly disguised as a Windows dynamic link library (DLL), with a size of about 361216 bytes.
Payload process:
When executed, it displays messages telling users that their computers have been infected by various malicious programs:
Of course, these messages are fake. If the user clicks on one, further prompts appear asking them to accept the installation of a security program:
The process looks like that of a real security program:
But in fact, it is downloading different types of malicious code from the following addresses:
http://searchbad.org
http://searchfinddeliver.org
http://finderwid.org
http://searchannoying.org
http://fastoutostop.com
(You should not click on the links above.) All downloaded files are stored in the %ProgramFiles%\AnVi folder, namely:
/ avt / avt_db
/ avt / avt_ext
/ avt / avt_hook
/ avt / avt_un
/ avt / avt_main
Like other malicious programs, it makes itself start with the operating system by creating the following registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus" = "%ProgramFiles%\AnVi\avt.exe -noscan"
Here are some screenshots from the infection process:
It then continues to display the following messages:
To remove these supposed threats from your computer, you are told to pay a fee to activate the 'license' for this fake software:
At the same time, it also disables Windows Task Manager by editing the following registry values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = dword:00000001
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr" = dword:00000001
and creates an additional key:
[HKLM\SOFTWARE\AnVi]
Steps to remove:
If your computer has been infected with this Trojan because it lacked proper protection, apply the following manual steps to remedy the situation.
- First, delete all files inside the %TEMP% and eapp32hst.dll directories
- Restore Task Manager by editing the registry values as follows:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = dword:00000000
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr" = dword:00000000
- Then use Windows Task Manager to end any strange processes in the list.
- Delete all files and folders in: %ProgramFiles%\AnVi
- Find and delete the following registry entries:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus" = "%ProgramFiles%\AnVi\avt.exe -noscan"
[HKLM\SOFTWARE\AnVi]
- Delete all files in the %Temp% folder again
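Before and after the manual cleanup, a read-only check can confirm which of the indicators listed above are present. The PowerShell script below is an added example, not part of the original analysis. The WOW6432Node key and the Program Files (x86) folder are not mentioned in the article; they are checked on the assumption that the sample runs as a 32-bit process, which 64-bit Windows redirects to those locations.

```powershell
# Read-only check for the indicators listed in this article; it changes nothing.
# Added example, not part of the original write-up.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Autostart value "Antivirus" under the per-user Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Antivirus' -ErrorAction SilentlyContinue
if ($run -and $run.Antivirus -like '*\AnVi\avt.exe*') {
    $findings.Add("Run value 'Antivirus' = $($run.Antivirus)")
}

# 2. Task Manager disabled by policy in either hive.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $policyKey = "${hive}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $policy = Get-ItemProperty -Path $policyKey -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    if ($policy -and $policy.DisableTaskMgr -eq 1) {
        $findings.Add("DisableTaskMgr = 1 in $policyKey")
    }
}

# 3. Marker key. The WOW6432Node path is an assumption (not in the article):
#    32-bit processes on 64-bit Windows are redirected there.
foreach ($key in 'HKLM:\SOFTWARE\AnVi', 'HKLM:\SOFTWARE\WOW6432Node\AnVi') {
    if (Test-Path -Path $key) { $findings.Add("Registry key present: $key") }
}

# 4. Drop folder, checked under both Program Files locations for the same reason.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    $dir = Join-Path -Path $root -ChildPath 'AnVi'
    if (Test-Path -Path $dir) { $findings.Add("Folder present: $dir") }
}

# Report.
if ($findings.Count -eq 0) {
    'No indicators from the article found.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
}
```

DisableTaskMgr = 1 can also be set deliberately by an administrator's policy, so treat it as supporting evidence alongside the other hits. The HKCU checks only cover the account running the script.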
Of course, to keep computers safe against Internet dangers, users should equip themselves with a comprehensive security solution. You can consider products from reputable companies worldwide such as Kaspersky, BitDefender, Avira and Symantec. Wish you success!