SecurityHome.eu Misleading:Win32/WinMaximizer

Home / malware PDF

Misleading:Win32/WinMaximizer

First posted on 04 September 2013.
Source: Microsoft
Aliases :
There are no other names known for Misleading:Win32/WinMaximizer.
Explanation :
Threat behavior

Program:Win32/WinMaximizer is a program that is promoted as a system optimization tool. Some versions of this program may display deceptive or fraudulent claims about files, registry entries and/or other items on the computer. These versions are detected by Microsoft security products.

Installation

This program may be installed as one of two application names - "WinMaximizer" or "SLOW-PCfighter", and represented by the following icons:

When installed as WinMaximizer, its presence is marked by the creation of the following registry subkeys:

HKCU\Software\WinMaximizer

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{6C4BA010-69C2-46C7-B559-DC513EEB0B5F}_is1

The following scheduled job, file folders and files are created:

%WinDir%\Tasks\WinMaximizer-Administrator-Startup.job

%AllUsersProfile%\Start Menu\programs\winmaximizer\WinMaximizer.lnk

%AllUsersProfile%\Start Menu\programs\winmaximizer\WinMaximizer on the Web.url

%AllUsersProfile%\Start Menu\programs\winmaximizer\Uninstall WinMaximizer.lnk

%AllUsersProfile%\Desktop\WinMaximizer.lnk

%APPDATA%\Microsoft\Internet Explorer\Quick Launch\WinMaximizer.lnk

%ProgramFiles%\WinMaximizer\WinMaximizerLicense.rtf

%ProgramFiles%\WinMaximizer\WinMaximizer.exe

%ProgramFiles%\WinMaximizer\UpDates.exe

%ProgramFiles%\WinMaximizer\unins000.msg

%ProgramFiles%\WinMaximizer\unins000.exe

%ProgramFiles%\WinMaximizer\unins000.dat

%ProgramFiles%\WinMaximizer\OEMData.pkt

%ProgramFiles%\WinMaximizer\Languages\Language_ZH.xml

%ProgramFiles%\WinMaximizer\Languages\Language_TW.xml

%ProgramFiles%\WinMaximizer\Languages\language_TR.xml

%ProgramFiles%\WinMaximizer\Languages\Language_TH.xml

%ProgramFiles%\WinMaximizer\Languages\Language_SV.xml

%ProgramFiles%\WinMaximizer\Languages\Language_RU.xml

%ProgramFiles%\WinMaximizer\Languages\Language_PT.xml

%ProgramFiles%\WinMaximizer\Languages\Language_PL.xml

%ProgramFiles%\WinMaximizer\Languages\Language_NO.xml

%ProgramFiles%\WinMaximizer\Languages\Language_NL.xml

%ProgramFiles%\WinMaximizer\Languages\language_JA.xml

%ProgramFiles%\WinMaximizer\Languages\Language_IT.xml

%ProgramFiles%\WinMaximizer\Languages\Language_HU.xml

%ProgramFiles%\WinMaximizer\Languages\Language_FR.xml

%ProgramFiles%\WinMaximizer\Languages\Language_FI.xml

%ProgramFiles%\WinMaximizer\Languages\Language_ES.xml

%ProgramFiles%\WinMaximizer\Languages\Language_EN.xml

%ProgramFiles%\WinMaximizer\Languages\language_EN-US.xml

%ProgramFiles%\WinMaximizer\Languages\Language_EL.xml

%ProgramFiles%\WinMaximizer\Languages\Language_DE.xml

%ProgramFiles%\WinMaximizer\Languages\Language_DA.xml

%ProgramFiles%\WinMaximizer\Languages\Language_CS.xml

%ProgramFiles%\WinMaximizer\Languages\language_BG.xml

%ProgramFiles%\WinMaximizer\CommonToolkitSuiteLight.dll

%ProgramFiles%\WinMaximizer\CommonToolkitSuite.cts

When installed as SLOW-PCfighter, its presence is marked by the creation of the following registry subkeys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F6FCC591-A21B-47C7-BCB3-F535FBA210E2}

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SLOW-PCfighter

HKLM\Software\Fighters

HKLM\Software\Common Toolkit Suite

HKCU\Software\Fighters

The following scheduled jobs, file folders and files are created:

%WinDir%\Tasks\SLOW-PCfighter-Administrator-Startup.job

%WinDir%\Tasks\SLOW-PCfighter-Administrator-Notification.job

%AllUsersProfile%\Start Menu\Programs\Fighters\SLOW-PCfighter\Uninstall.lnk

%AllUsersProfile%\Start Menu\Programs\Fighters\SLOW-PCfighter\SLOW-PCfighter.lnk

%AllUsersProfile%\Desktop\SLOW-PCfighter.lnk

%WinDir%\installer\{f6fcc591-a21b-47c7-bcb3-f535fba210e2}\UninstallIcon.exe

%WinDir%\installer\{f6fcc591-a21b-47c7-bcb3-f535fba210e2}\MainExeIcon.exe

%WinDir%\installer\{f6fcc591-a21b-47c7-bcb3-f535fba210e2}\MainExe32Shortcut_B53671B5D9A445549437680533116875.exe

%WinDir%\installer\{f6fcc591-a21b-47c7-bcb3-f535fba210e2}\ARPPRODUCTICON.exe

%WinDir%\installer\{f6fcc591-a21b-47c7-bcb3-f535fba210e2}\1033.MST

%ProgramFiles%\Fighters\Tray\Translations\Language_ZH.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_VI.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_TW.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_TR.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_TH.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_SV.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_RU.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_RO.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_PT.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_PL.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_NO.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_NL.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_KO.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_JA.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_IT.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_ID.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_HU.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_HR.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_HE.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_FR.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_FI.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_ES.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_EN.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_EL.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_DE.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_DA.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_CS.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_BG.xml

%ProgramFiles%\Fighters\Tray\Translations\Language_AR.xml

%ProgramFiles%\Fighters\Tray\sfhtml.dll

%ProgramFiles%\Fighters\Tray\MsgSys.exe

%ProgramFiles%\Fighters\Tray\HTML\whitelabel.css

%ProgramFiles%\Fighters\Tray\HTML\uptodate_lightbox.html

%ProgramFiles%\Fighters\Tray\HTML\Update_Manager.html

%ProgramFiles%\Fighters\Tray\HTML\update_manager.css

%ProgramFiles%\Fighters\Tray\HTML\restart_lightbox.html

%ProgramFiles%\Fighters\Tray\HTML\gfx\unipb_install.gif

%ProgramFiles%\Fighters\Tray\HTML\gfx\unipb.gif

%ProgramFiles%\Fighters\Tray\HTML\gfx\spinner.gif

%ProgramFiles%\Fighters\Tray\HTML\gfx\Icon_virus.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\Icon_TKTRAYAPP.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\Icon_TKTRAY-UPD-RCPRO.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\icon_support_active.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\icon_support.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\Icon_spy.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\Icon_spam.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\Icon_slow.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\icon_shield.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\icon_productname.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\icon_info_active.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\icon_info.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\Icon_fdf.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\icon_error.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\Icon_done.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\icon_complete.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\done_btn_down.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\done_btn.png

%ProgramFiles%\Fighters\Tray\HTML\gfx\bg_stretch.png

%ProgramFiles%\Fighters\Tray\HTML\error_lightbox.html

%ProgramFiles%\Fighters\Tray\HTML\done_lightbox.html

%ProgramFiles%\Fighters\Tray\FightersTray.exe

%ProgramFiles%\Fighters\SLOW-PCfighter\UpDates.zip

%ProgramFiles%\Fighters\SLOW-PCfighter\UpDates.exe

%ProgramFiles%\Fighters\SLOW-PCfighter\Uninstall.exe

%ProgramFiles%\Fighters\SLOW-PCfighter\Sync.exe

%ProgramFiles%\Fighters\SLOW-PCfighter\SLOW-PCfighter.exe

%ProgramFiles%\Fighters\SLOW-PCfighter\sfhtml.dll

%ProgramFiles%\Fighters\SLOW-PCfighter\MsgSys.exe

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_ZH.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_TW.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\language_TR.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_TH.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_SV.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_RU.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_RO.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_PT.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_PL.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_NO.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_NL.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_KO.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\language_JA.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_IT.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_ID.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_HU.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_HR.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_FR.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_FI.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_ES.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_EN.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\language_EN-US.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_EL.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_DE.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_DA.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\Language_CS.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\Languages\language_BG.xml

%ProgramFiles%\Fighters\SLOW-PCfighter\CommonToolkitSuiteLight.dll

%ProgramFiles%\Fighters\SLOW-PCfighter\CommonToolkitSuite.cts

%AllUsersProfile%\Application Data\Fighters\Tray\Menu\vfpro.ico

%AllUsersProfile%\Application Data\Fighters\Tray\Menu\swpro.ico

%AllUsersProfile%\Application Data\Fighters\Tray\Menu\sfpro.ico

%AllUsersProfile%\Application Data\Fighters\Tray\Menu\rcpro.ico

%AllUsersProfile%\Application Data\Fighters\Tray\Menu\products_list.xml

%AllUsersProfile%\Application Data\Fighters\Tray\Menu\fdpro.ico

%AllUsersProfile%\Application Data\Fighters\Tray\Logs\CommonTrayInstaller.log.txt

%AllUsersProfile%\Application Data\Fighters\Tray\Configurations\TKTRAY.xml

%AllUsersProfile%\Application Data\Fighters\Tray\Configurations\RCPRO.xml

%AllUsersProfile%\Application Data\Fighters\SLOW-PCfighter\wxfdata.wxf

%AllUsersProfile%\Application Data\Fighters\SLOW-PCfighter\TipofDay_EN.xml

%AppData%\Fighters\Tray\Updates\TKTRAYINFO.list_new

%AppData%\Fighters\Tray\Updates\TKTRAYINFO.list

%AppData%\Fighters\Tray\Updates\TKTRAY-UPD-RCPRO\install_manifest.tus

%AppData%\Fighters\Tray\Menu\vfpro.ico

%AppData%\Fighters\Tray\Menu\swpro.ico

%AppData%\Fighters\Tray\Menu\sfpro.ico

%AppData%\Fighters\Tray\Menu\rcpro.ico

%AppData%\Fighters\Tray\Menu\products_list.xml

%AppData%\Fighters\Tray\Menu\fdpro.ico

%AppData%\Fighters\Tray\Logs\Tray.log.txt

The registry is modified to run Win32/WinMaximizer at each Windows start.

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "CommonToolkitTray"
With data: "%ProgramFiles%\Fighters\Tray\FightersTray.exe"

During installation, it adds the following values in the registry subkey "HKLM\Software\Windows\CurrentVersion\SharedDLLs":

%ProgramFiles%\Fighters\Tray\Translations\Language_EN.xml

%ProgramFiles%\Fighters\Tray\sfhtml.dll

%ProgramFiles%\Fighters\Tray\MsgSys.exe

%ProgramFiles%\Fighters\Tray\FightersTray.exe

%ProgramFiles%\Fighters\SLOW-PCfighter\sfhtml.dll

%ProgramFiles%\Fighters\SLOW-PCfighter\MsgSys.exe

%AllUsersProfile%\Application Data\Fighters\Tray\Menu\products_list.xml

%AllUsersProfile%\Application Data\Fighters\Tray\Configurations\TKTRAY.xml

Analysis by Aaron Hulett

Symptoms

When installed as WinMaximizer, its presence is marked by the creation of the following registry subkeys:

HKCU\Software\WinMaximizer

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{6C4BA010-69C2-46C7-B559-DC513EEB0B5F}_is1

The following scheduled job, file folders and files are created:

%WinDir%\Tasks\WinMaximizer-Administrator-Startup.job

%ProgramFiles%\WinMaximizer\WinMaximizer.exe

%AllUsersProfile%\Start Menu\Programs\WinMaximizer\WinMaximizer.lnk

When installed as SLOW-PCfighter, its presence is marked by the creation of the following registry subkeys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F6FCC591-A21B-47C7-BCB3-F535FBA210E2}

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SLOW-PCfighter

HKLM\Software\Fighters

HKLM\Software\Common Toolkit Suite

HKCU\Software\Fighters

The following scheduled job, file folders and files are created:

%WinDir%\Tasks\SLOW-PCfighter-Administrator-Startup.job

%WinDir%\Tasks\SLOW-PCfighter-Administrator-Notification.job

%ProgramFiles%\Fighters\SLOW-PCfighter\Sync.exe

%ProgramFiles%\Fighters\SLOW-PCfighter\SLOW-PCfighter.exe

%ProgramFiles%\Fighters\SLOW-PCfighter\sfhtml.dll

%ProgramFiles%\Fighters\SLOW-PCfighter\MsgSys.exe

%AllUsersProfile%\Start Menu\Programs\Fighters\SLOW-PCfighter\SLOW-PCfighter.lnk

Last update 04 September 2013

TOP

Malware :

Last 20