
Program:Win32/Winfixer


First posted on 16 April 2009.
Source: SecurityHome

Aliases:

Program:Win32/Winfixer is also known as: DriveCleaner (McAfee), W32/WinFixer.NU (Norman), DriveCleaner (Sunbelt Software), DriveCleaner (Symantec), Freeloa.8F4CBEAA (Trend Micro), Win32/Adware.WinFixer (ESET), not-a-virus:Downloader.Win32.WinFixer.o (Kaspersky), WinFixer (McAfee), Adware_Winfixer (Trend Micro), Program:Win32/DriveCleaner (other), Program:Win32/SecureExpertCleaner (other).

Explanation:

Program:Win32/Winfixer locates various registry entries, Windows prefetch content, Windows recently accessed files and other types of data, and identifies them as "Privacy Violations". Winfixer then prompts the user to purchase the product in order to remove the alleged 'violations'.

Symptoms
The following may be symptoms of a Winfixer installation:

  • Presence of an icon on the desktop such as the following:
  • Presence of an icon in the Quick Launch toolbar such as the following:
  • Presence of an entry named "DriveCleaner Free" or similar in 'Add or Remove Programs'
  • Presence of registry value names:
    DriveCleaner Free
    SDR6_Check
    UDC6cw
    PAS_Check
    Dnse
    in registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Presence of the following files:
    %ProgramFiles%\DriveCleaner Free\udc.exe
    %ProgramFiles%\DriveCleaner Free\udcpchk.dll
    %ProgramFiles%\DriveCleaner Free\insthelp.exe
    %ProgramFiles%\DriveCleaner Free\udc6cw.exe
    %ProgramFiles%\DriveCleaner Free\pv.exe
    %Temp%\udc6_0001_d21m1601\installer.exe
  • Variants of this group of programs may exhibit other symptoms such as the following:
    An icon resembling a wrench on the Windows taskbar
    A dialog warning of severe system threats

There are two methods of installing Program:Win32/Winfixer. A user can install it manually by downloading it intentionally from the product Web site, or it may be installed unknowingly when the user visits Web sites using suspicious installation methods. Once Program:Win32/Winfixer is installed, it performs the following actions:
  • Creates new folders
    %APPDATA%\DriveCleaner Free
    %CommonProgramFiles%\DriveCleaner Free
    %ProgramFiles%\DriveCleaner Free
    %Temp%\udc6_0001_d21m1601
  • Drops files into newly created folders
    %ProgramFiles%\DriveCleaner Free\udc.exe
    %ProgramFiles%\DriveCleaner Free\udcpchk.dll
    %ProgramFiles%\DriveCleaner Free\insthelp.exe
    %ProgramFiles%\DriveCleaner Free\udc6cw.exe
    %ProgramFiles%\DriveCleaner Free\pv.exe
    %Temp%\udc6_0001_d21m1601\installer.exe
  • Creates a shortcut on the user's desktop
  • May create an icon in the Quick Launch toolbar
  • Creates an entry in 'Add/Remove Programs' named "DriveCleaner Free [version number]" where [version number] is the product version, for example: "DriveCleaner Free 1.0.89.0"
  • Modifies the registry to load Program:Win32/Winfixer when Windows is started:
    Adds values:
    DriveCleaner Free
    SDR6_Check
    UDC6cw
    PAS_Check
    Dnse
    With data: udc.exe
    To subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Other variants of this program may perform the following actions:
  • Create folders:
    %ProgramFiles%\winfixer <year>
    %ProgramFiles%\common files\winsoftware
    %ProgramFiles%\common files\winfixer <year>
    %ALLUSERSPROFILE%\Start Menu\programs\winfixer <year>
  • Drop files into created folders:
    df_fixer.dll
    df_proxy.dll
    fixcore.dll
    mmfix.dll
  • May add any or all of the following values to the registry:
    HKEY_CURRENT_USER\Software\WinFixer <year>
    HKEY_CURRENT_USER\Software\WinSoftware
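The symptoms and the installation actions above describe the same set of host artifacts (Run-key values, dropped files, the Add/Remove Programs entry and the per-user keys of other variants). The following script, added here and not part of the original entry, checks one Windows host for those artifacts and reports what it finds; it assumes the 32-bit WOW6432Node uninstall location and the exact value/file names given above, and removes nothing.

```powershell
# Added example, not part of the original advisory: a read-only check of one
# Windows host for the Winfixer/DriveCleaner indicators listed in this entry.
# It reports matches and removes nothing; run from an elevated PowerShell.

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runNames = @('DriveCleaner Free', 'SDR6_Check', 'UDC6cw', 'PAS_Check', 'Dnse')
$dropDir  = Join-Path $env:ProgramFiles 'DriveCleaner Free'
$files    = @(
    (Join-Path $dropDir 'udc.exe'),
    (Join-Path $dropDir 'udcpchk.dll'),
    (Join-Path $dropDir 'insthelp.exe'),
    (Join-Path $dropDir 'udc6cw.exe'),
    (Join-Path $dropDir 'pv.exe'),
    (Join-Path $env:TEMP 'udc6_0001_d21m1601\installer.exe')
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart: the listed value names, or any Run value whose data points at
#    udc.exe (the entry says the data is 'udc.exe' whatever the value name).
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        if ($runNames -contains $p.Name -or "$($p.Value)" -match 'udc\.exe') {
            $findings.Add("Run value '$($p.Name)' = '$($p.Value)'")
        }
    }
}

# 2. Dropped files.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# 3. 'Add or Remove Programs' entry. WOW6432Node covers 32-bit installs on
#    64-bit Windows (an assumption added here; the entry does not mention it).
$uninst = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'DriveCleaner Free*' } |
    ForEach-Object { $findings.Add("Uninstall entry: $($_.DisplayName)") }

# 4. Per-user keys used by other variants: HKCU\Software\WinFixer <year>, WinSoftware.
Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(WinFixer( \d{4})?|WinSoftware)$' } |
    ForEach-Object { $findings.Add("Registry key: $($_.Name)") }

if ($findings.Count -eq 0) { 'No Winfixer/DriveCleaner indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on the Run key or the dropped files is the strongest signal; a lone uninstall entry may be left over from an incomplete removal, so confirm it against the file check before acting.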
Last update: 16 April 2009
