WinFixer

Printer Friendly Page

Updated: June 22, 2007 1:14:40 PM

Type: Misleading Application

Name: WinAntivirusPro; Amaena

Version: WinFixer 2005 1.0

Publisher: WinSoftware Ltd

Risk Impact: Medium

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

Behaviour
This misleading application can be manually downloaded and installed.

The program falsely reports a number of infected objects on the computer.

The program reports the following items as System threats:

Invalid explorer extensions
Invalid system files

It then prompts the user to purchase a registered version of the software in order to remove the reported threats.

Installation
When WinFixer is executed, it creates the following files:

C:\Documents and Settings\administrator\Desktop\WinFixer 2005.lnk
C:\Documents and Settings\administrator\Local Settings\Temp\WinFixer2005ScannerSetup.exe
C:\Documents and Settings\All Users\Start Menu\Programs\WinFixer 2005\Contact customer support.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinFixer 2005\Uninstall WinFixer 2005.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinFixer 2005\WinFixer 2005 on the Web.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinFixer 2005\WinFixer 2005.lnk
%ProgramFiles%\Common Files\WinSoftware\CrXML.dll
%ProgramFiles%\Common Files\WinSoftware\PCheck.dll
%ProgramFiles%\WinFixer 2005\Activate.dat
%ProgramFiles%\WinFixer 2005\bnlink.dat
%ProgramFiles%\WinFixer 2005\compcln.dll
%ProgramFiles%\WinFixer 2005\DataBase.sav
%ProgramFiles%\WinFixer 2005\df_fixer.dll
%ProgramFiles%\WinFixer 2005\df_kmd.sys
%ProgramFiles%\WinFixer 2005\df_proxy.dll
%ProgramFiles%\WinFixer 2005\ffCom.dll
%ProgramFiles%\WinFixer 2005\FFWraper.dll
%ProgramFiles%\WinFixer 2005\FileTypeRecognizer.dll
%ProgramFiles%\WinFixer 2005\FixCore.dll
%ProgramFiles%\WinFixer 2005\flash.ini
%ProgramFiles%\WinFixer 2005\Install.exe
%ProgramFiles%\WinFixer 2005\lapv.dat
%ProgramFiles%\WinFixer 2005\License.rtf
%ProgramFiles%\WinFixer 2005\lock.dat
%ProgramFiles%\WinFixer 2005\MMFix.dll
%ProgramFiles%\WinFixer 2005\OEDrop.dll
%ProgramFiles%\WinFixer 2005\Program.sav
%ProgramFiles%\WinFixer 2005\pv.dat
%ProgramFiles%\WinFixer 2005\sr.exe
%ProgramFiles%\WinFixer 2005\sr.log
%ProgramFiles%\WinFixer 2005\StrRes.dll
%ProgramFiles%\WinFixer 2005\support.url
%ProgramFiles%\WinFixer 2005\Template.dbx
%ProgramFiles%\WinFixer 2005\trace.log
%ProgramFiles%\WinFixer 2005\unins000.dat
%ProgramFiles%\WinFixer 2005\unins000.exe
%ProgramFiles%\WinFixer 2005\up.dat
%ProgramFiles%\WinFixer 2005\update.log
%ProgramFiles%\WinFixer 2005\updater.dat
%ProgramFiles%\WinFixer 2005\Updater.exe
%ProgramFiles%\WinFixer 2005\WFX5.exe
%ProgramFiles%\WinFixer 2005\wfx5.url
%System%\drivers\df_kmd.sys
%System%\system32\df_kme.exe

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinFixer 2005" = "C:\Program Files\WinFixer 2005\WFX5.exe"

The program then creates the following registry subkeys:
HKEY_CLASSES_ROOT\AppID\CheckProduct2.DLL
HKEY_CLASSES_ROOT\AppID\compcln.dll
HKEY_CLASSES_ROOT\AppID\FFWraper.DLL
HKEY_CLASSES_ROOT\AppID\FixCore.DLL
HKEY_CLASSES_ROOT\AppID\MMFixCtrl.DLL
HKEY_CLASSES_ROOT\AppID\{25A3C995-10C8-474B-A167-99460AB4AB2B}
HKEY_CLASSES_ROOT\AppID\{287A2BAD-6590-4EFF-9BBC-494385664A73}
HKEY_CLASSES_ROOT\AppID\{290B5B73-4963-4BA1-9D2D-07CB566CB7FA}
HKEY_CLASSES_ROOT\AppID\{8C65AEF6-E413-4314-815B-82717A3F1603}
HKEY_CLASSES_ROOT\AppID\{E8928E69-C050-42A9-8884-94DE85E888A2}
HKEY_CLASSES_ROOT\CLSID\{08C71FB1-1E66-4D22-9F32-4C045A451306}
HKEY_CLASSES_ROOT\CLSID\{1CDEB41B-905A-4183-AA20-26E075419B46}
HKEY_CLASSES_ROOT\CLSID\{38EDB9E2-D7C4-4575-8905-FE65414FFEAD}
HKEY_CLASSES_ROOT\CLSID\{48349992-1402-4C67-B45B-2E619E641FDB}
HKEY_CLASSES_ROOT\CLSID\{538BC8F3-2E1E-4D2D-A261-158DF6E9B407}
HKEY_CLASSES_ROOT\CLSID\{53ABACCB-434C-4756-A02B-8C2A3F29FB7D}
HKEY_CLASSES_ROOT\CLSID\{66A9C4D0-BC54-4841-8FAA-DB98CBB77BAD}
HKEY_CLASSES_ROOT\CLSID\{84C43108-013C-4513-8578-F50080B9C9D0}
HKEY_CLASSES_ROOT\CLSID\{9CC1BE04-3B42-4442-9A46-77E8BC1108F9}
HKEY_CLASSES_ROOT\CLSID\{AA69BBFC-1D28-4960-8061-93C1BB156238}
HKEY_CLASSES_ROOT\CLSID\{B096A483-0ABD-4AF0-856A-CAD36145AF5C}
HKEY_CLASSES_ROOT\CLSID\{B5E427F9-AB38-4348-9076-86870C2BE860}
HKEY_CLASSES_ROOT\CLSID\{C0BC364F-AB33-4778-8047-5A2148E0ECDA}
HKEY_CLASSES_ROOT\CLSID\{C427B3E3-28DC-4001-9590-D99B6776119B}
HKEY_CLASSES_ROOT\CLSID\{CAE8A9B1-ABBD-4159-A485-1DA045A5D4A1}
HKEY_CLASSES_ROOT\CLSID\{F41C1430-CFDE-4AD3-B38D-7890F0843E47}
HKEY_CLASSES_ROOT\Interface\{08C71FB1-1E66-4D22-9F32-4C045A451306}
HKEY_CLASSES_ROOT\Interface\{1CE1C25B-F8B4-4974-99D2-5D4AE96B9900}
HKEY_CLASSES_ROOT\Interface\{35096C29-3507-4ABE-B6D8-C7CC881BE020}
HKEY_CLASSES_ROOT\Interface\{38F743A2-210F-49DE-9B79-DCD501CED284}
HKEY_CLASSES_ROOT\Interface\{3EEC290D-FC13-4C83-803D-4802651EEB61}
HKEY_CLASSES_ROOT\Interface\{41A5BBF6-3C9D-4CF9-9A99-32DD37CC290B}
HKEY_CLASSES_ROOT\Interface\{4E4F38D9-8736-41AE-B192-E829AE194398}
HKEY_CLASSES_ROOT\Interface\{4F79D1C5-24F9-4E59-8022-604D4B41D5CA}
HKEY_CLASSES_ROOT\Interface\{66484903-09F4-4330-927D-1F6C214221AC}
HKEY_CLASSES_ROOT\Interface\{7FA14AD6-D8E5-465F-9BD1-A37E26C1A74F}
HKEY_CLASSES_ROOT\Interface\{9E984934-CD94-4763-9DBC-618E483D4B7F}
HKEY_CLASSES_ROOT\Interface\{B115BD8E-B008-46F4-B8B6-3405EB325C3C}
HKEY_CLASSES_ROOT\Interface\{B9DFCF32-B679-4CAD-B7FC-518A48CE3922}
HKEY_CLASSES_ROOT\Interface\{CAE8A9B1-ABBD-4159-A485-1DA045A5D4A1}
HKEY_CLASSES_ROOT\Interface\{CBEEF194-EBC5-4758-9B51-AC34FC135E70}
HKEY_CLASSES_ROOT\Interface\{CD3604CC-2B95-43EE-AFC9-E7444C21BE1C}
HKEY_CLASSES_ROOT\Interface\{D21040FE-0A57-4FAB-8ED2-F0E653E55809}
HKEY_CLASSES_ROOT\Interface\{D7A2488E-53E4-4EDD-AEAA-F24778BEB100}
HKEY_CLASSES_ROOT\Interface\{D7A6DF8D-B6CF-4C27-8E99-ECA2CE370EA7}
HKEY_CLASSES_ROOT\Interface\{F41C1430-CFDE-4AD3-B38D-7890F0843E47}
HKEY_CLASSES_ROOT\Interface\{F6C1582E-B11C-4724-B8F6-240457EF1D2A}
HKEY_CLASSES_ROOT\Interface\{FB787D5E-0C7C-4BAB-B45D-20325FB886DB}
HKEY_CLASSES_ROOT\TypeLib\{0E9F6AC0-A21A-4591-910F-E2C6F3CA094C}
HKEY_CLASSES_ROOT\TypeLib\{30ED49A5-CA6C-4918-B5F3-5E6818C91D8B}
HKEY_CLASSES_ROOT\TypeLib\{4DCEEA42-794D-4855-9ECC-20DCF5F4FEA7}
HKEY_CLASSES_ROOT\TypeLib\{6A077841-5016-42C8-92C8-F2D6B865BCD1}
HKEY_CLASSES_ROOT\TypeLib\{AD70AC89-F460-4E7E-B5A5-7EAF7E207736}
HKEY_CLASSES_ROOT\TypeLib\{B6625280-8CD8-4632-97C0-83CEC12A49A3}
HKEY_CLASSES_ROOT\TypeLib\{F458ADAE-D53B-4859-B99F-9FA127791278}
HKEY_CLASSES_ROOT\TypeLib\{FC76A5B8-DB35-4F3E-8B9A-BF0EEA098D64}
HKEY_CLASSES_ROOT\CheckProduct2.CheckProduct.1
HKEY_CLASSES_ROOT\CompCleanCore.AppCleaner
HKEY_CLASSES_ROOT\CompCleanCore.AppCleaner.1
HKEY_CLASSES_ROOT\CompCleanCore.CCQuickScan
HKEY_CLASSES_ROOT\CompCleanCore.CCQuickScan.1
HKEY_CLASSES_ROOT\CompCleanCore.FileCleaner
HKEY_CLASSES_ROOT\CompCleanCore.FileCleaner.1
HKEY_CLASSES_ROOT\CompCleanCore.InetCleaner
HKEY_CLASSES_ROOT\CompCleanCore.InetCleaner.1
HKEY_CLASSES_ROOT\CompCleanCore.RegCleaner
HKEY_CLASSES_ROOT\CompCleanCore.RegCleaner.1
HKEY_CLASSES_ROOT\CompCleanCore.SystemCleaner
HKEY_CLASSES_ROOT\CompCleanCore.SystemCleaner.1
HKEY_CLASSES_ROOT\df_fixer.Fixer
HKEY_CLASSES_ROOT\df_fixer.Fixer.1
HKEY_CLASSES_ROOT\df_proxy.DriverManipulate
HKEY_CLASSES_ROOT\df_proxy.DriverManipulate.1
HKEY_CLASSES_ROOT\FFCom.FlFixer
HKEY_CLASSES_ROOT\FFWraper.FFEnginWraper
HKEY_CLASSES_ROOT\FFWraper.FFEnginWraper.1
HKEY_CLASSES_ROOT\FixCore.MMFixCore
HKEY_CLASSES_ROOT\FixCore.MMFixCore.1
HKEY_CLASSES_ROOT\MMFixCtrl.CoFixEngine
HKEY_CLASSES_ROOT\MMFixCtrl.CoFixEngine.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WFX5_is1
HKEY_LOCAL_MACHINE\SOFTWARE\WinSoftwareHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Control\SafeBoot\Minimal\df_km.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\df_kmd.sys
HKEY_CURRENT_USER\Software\WinSoftware

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}