||||
Symantec.com > Business > Security Response > PrivacyRedeemer
PRINT THIS PAGE

PrivacyRedeemer

Printer Friendly Page

Updated: March 31, 2008 5:05:32 PM
Type: Misleading Application
Infection Length: 630,784 Bytes
Name: Privacy Redeemer
Version: 1.00.0034
Publisher: File Depot
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Behavior
The program must be manually installed.

The program reports false or exaggerated system security threats on the computer.





The program connects to www.PrivacyRedeemer.com, which prompts the user to pay for a full license of the application in order to remove the errors.


Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Privacy Redeemer.lnk
  • %UserProfile%\Application Data\Privacy Redeemer\BugReport.html.tpl
  • %UserProfile%\Application Data\Privacy Redeemer\comdlg32.ocx
  • %UserProfile%\Application Data\Privacy Redeemer\copy.gif
  • %UserProfile%\Application Data\Privacy Redeemer\Debug.log
  • %UserProfile%\Application Data\Privacy Redeemer\IEHistoryClear.cmd
  • %UserProfile%\Application Data\Privacy Redeemer\left_bg.jpg
  • %UserProfile%\Application Data\Privacy Redeemer\left_bg1.gif
  • %UserProfile%\Application Data\Privacy Redeemer\logo1.jpg
  • %UserProfile%\Application Data\Privacy Redeemer\msvbvm60.dll
  • %UserProfile%\Application Data\Privacy Redeemer\openlocation.exe
  • %UserProfile%\Application Data\Privacy Redeemer\PrivacyRedeemer.exe
  • %UserProfile%\Application Data\Privacy Redeemer\PrivacyRedeemer.exe.manifest
  • %UserProfile%\Application Data\Privacy Redeemer\PrivacyRedeemerMonitor.exe
  • %UserProfile%\Application Data\Privacy Redeemer\right_bg.jpg
  • %UserProfile%\Application Data\Privacy Redeemer\right_bg1.gif
  • %UserProfile%\Application Data\Privacy Redeemer\snd.wav
  • %UserProfile%\Application Data\Privacy Redeemer\style.css
  • %UserProfile%\Application Data\Privacy Redeemer\title1_bg.gif
  • %UserProfile%\Application Data\Privacy Redeemer\top.jpg
  • %UserProfile%\Application Data\Privacy Redeemer\unins000.dat
  • %UserProfile%\Application Data\Privacy Redeemer\unins000.exe
  • %UserProfile%\Application Data\Privacy Redeemer\winhttp.dll
  • %UserProfile%\Application Data\Privacy Redeemer\wmsrc.exe
  • %UserProfile%\Application Data\Privacy Redeemer\mscomctl.ocx
  • %UserProfile%\Desktop\Privacy Redeemer.lnk
  • %UserProfile%\Local Settings\Temp\[RANDOM FILE NAME].tmp
  • C:\Documents and Settings\All Users\Start Menu\Programs\Privacy Redeemer\Privacy Redeemer.lnk

The program creates the following registry entry so that it runs when Windows starts:
HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion\Run\"wmsrc.exe" = "C:\Documents and Settings\Administrator\Application Data\Privacy Redeemer\wmsrc.exe"

Next, the program creates the following registry entries:
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"SaveMyAss"
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"WindowsVersion" = "Major" =5 Minor" =1 Build" =2600 ServicePack" =2.0"
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"AffiliateID" = "100"
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"RegisterURL" = "http" =//privacyredeemer.com/order.php"
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"CheckLicenseURL" = "https" =//secure.sweeptransact.com/Billing/API/CheckLicense.aspx"
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"FirstLaunchURL" = ""
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"ActivationSuccessURL" = "http" =//privacyredeemer.com/activate-ok.php"
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"FeedbackURL" = "http" =//privacyredeemer.com/bug-report.php"
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"BuildVersion" = "8z s titlom"
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"isApplicationRunning" = "true"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"Inno Setup" = Setup Version" = "5.1.14"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"Inno Setup" = App Path" = "C" =\Documents and Settings\Administrator\Application Data\Privacy Redeemer"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"InstallLocation" = "C" =\Documents and Settings\Administrator\Application Data\Privacy Redeemer\"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"Inno Setup" = Icon Group" = "Privacy Redeemer"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"Inno Setup" = User" = "Administrator"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"DisplayName" = "Privacy Redeemer"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"UninstallString" = ""C" =\Documents and Settings\Administrator\Application Data\Privacy Redeemer\unins000.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"QuietUninstallString" = ""C" =\Documents and Settings\Administrator\Application Data\Privacy Redeemer\unins000.exe" /SILENT"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"NoModify" = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"NoRepair" = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"InstallDate" = "20080310"

It also creates the following registry subkeys:
  • HKEY_ALL_USERS\Software\PrivacyRedeemer
  • HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy Redeemer_is1
It also modifies registry entries under the following subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85F6F2-101A-A3C9-08002B2F49FB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}
Search by name
Example: W32.Beagle.AG@mm
Symantec DeepSight Screensaver
©1995 - 2010 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS