Threat Profile: Winfixer

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 9/1/2005
Date Added: 9/1/2005
Origin: Unknown
Length: Varies
Type: Program
Subtype: Win32
DAT Required: 4572
Removal Instructions
   
 
 
   

Description

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security-or privacy-minded computer user may want to be informed of.

Symptoms

N/A This is not a virus or trojan.

Method

N/A This is not a virus or trojan.
   

Virus Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It purports to be an system repair/maintenance application, but requires paid registration before any issues found can be fixed. Many of the "invalid" items found appear suspect. For example, a cookie from the winfixer.com domain was detected, along with several shortcuts that were pointing to valid existing targets. Although some detected items may be legitimate, the fact that clearly benign items are cited as problems is questionable. The primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections.

Other incarnations of this software exist with the same model and similar web presences, coming from the same IP address range. For example, ErrorSafe (www.errorsafe.com, 66.244.254.63) claims to protect a user from system errors, corrupt data, and crashes.

Winfixer has been known to get installed silently through code exploiting Microsoft Internet Explorer vulnerabilities.

Privacy

No privacy policy is displayed during installation. However, a policy can be accessed online: http://www.winfixer.com/privacy.html .

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
"*" - Denotes files that, though installed along with the software, are by themselves innocent and not included in detection.

Files Added

  • Installer Downloader: WinFixerScannerInstall.exe (112 KB)
    MD5: F848DAA50454ED968593F898CFE9C003
  • Installer: WinFixer2005ScannerSetup.exe (2.30 MB)
    MD5: 39177055ADA112A06E09A1FB92C7A46E
  • %SystemDir%\mfc71.dll* (1036 KB)
  • %SystemDir%\dfe1.exe (29 KB)
    MD5: DD5F65E52A449FE637530EB5007A3512
  • %SystemDir%\atl71.dll* (87 KB)
  • %SystemDir%\drivers\df_u42.sys (6 KB)
    MD5: E249350B14DEA2FA605DCCA688D25526
  • c:\program files\winfixer 2005\wfx5.url (1 KB)
  • c:\program files\winfixer 2005\uwfx5.exe (7916 KB)
    MD5: 81B5C8274A8CFE1C029716E5DBDDCC3E
  • c:\program files\winfixer 2005\updater.exe (680 KB)
    MD5: 584FACFF8F9528A721646B6FCACBEF6F
  • c:\program files\winfixer 2005\updater.dat (1 KB)
  • c:\program files\winfixer 2005\up.dat (1 KB)
  • c:\program files\winfixer 2005\unins000.exe (653 KB)
    MD5: 6831E53C1F7AAA8F5F0104E0E0CD6A9E
  • c:\program files\winfixer 2005\unins000.dat (5 KB)
  • c:\program files\winfixer 2005\trace.log (1 KB)
  • c:\program files\winfixer 2005\template.dbx (58 KB)
  • c:\program files\winfixer 2005\support.url (1 KB)
  • c:\program files\winfixer 2005\strrs.dll (14 KB)
  • c:\program files\winfixer 2005\str.exe (44 KB)
    MD5: 41808E512C828881862E229A0D31E7D7
  • c:\program files\winfixer 2005\sr.log (1 KB)
  • c:\program files\winfixer 2005\pv.dat (1 KB)
  • c:\program files\winfixer 2005\program.sav (1 KB)
  • c:\program files\winfixer 2005\mfix.dll (112 KB)
    MD5: 00F34F0C4EA298D0F6CD7FFB2CDA1A0F
  • c:\program files\winfixer 2005\lock.dat (1 KB)
  • c:\program files\winfixer 2005\license.rtf (67 KB)
  • c:\program files\winfixer 2005\lapv.dat (1 KB)
  • c:\program files\winfixer 2005\install.exe (40 KB)
    MD5: BFF71D7D0468C81D93866C04E79738BA
  • c:\program files\winfixer 2005\idletrc.dll (4 KB)
    MD5: B79585B61AF0E34703F2E661C1FF466B
  • c:\program files\winfixer 2005\fxcr.dll (54 KB)
    MD5: 881B1C5629D4273C4EDE20C0DCC1AAEF
  • c:\program files\winfixer 2005\ftr.dll (48 KB)
    MD5: 590F888FE6058C09CEC96170ED8FCB9A
  • c:\program files\winfixer 2005\flfxr_3.dll (517 KB)
    MD5: 961703B5D8C1A01B8D1B11658793B541
  • c:\program files\winfixer 2005\flash.ini (1 KB)
  • c:\program files\winfixer 2005\ffwrapr.dll (100 KB)
    MD5: A02FAE95AD63E78B8891CF8A643C9EF9
  • c:\program files\winfixer 2005\df_u42.sys (6 KB)
    MD5: E249350B14DEA2FA605DCCA688D25526
  • c:\program files\winfixer 2005\df_prox.dll (40 KB)
    MD5: 0C5EE6DE80BCD3DB1877CC6AE005B9AE
  • c:\program files\winfixer 2005\df_fix.dll (88 KB)
    MD5: 2AC9F97F51D6F3E9DDFE453E0E95F031
  • c:\program files\winfixer 2005\database.sav (1 KB)
  • c:\program files\winfixer 2005\compclr.dll (268 KB)
    MD5: CD4BF8221AA4009EC318E4BF08093852
  • c:\program files\winfixer 2005\bnlink.dat (1 KB)
  • c:\program files\winfixer 2005\activate.dat (1 KB)
  • c:\program files\winfixer 2005\scan tasks\
  • c:\program files\winfixer 2005\repaired files\
  • c:\program files\winfixer 2005\files backup\
  • c:\program files\common files\winfixer 2005\uwappchk.dll (33 KB)
    MD5: A07AA678FEAD4FD13CCB4F448DD0B454
  • c:\program files\common files\winfixer 2005\fcrxml.dll (100 KB)
    MD5: F9EFEA4EE347CACEC7293C2DB714E012
  • c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005.lnk (1 KB)
  • c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005 on the web.lnk (1 KB)
  • c:\documents and settings\all users\start menu\programs\winfixer 2005\uninstall winfixer 2005.lnk (1 KB)
  • c:\documents and settings\all users\start menu\programs\winfixer 2005\contact customer support.lnk (1 KB)
  • c:\documents and settings\(username)\local settings\temp\winfixer2005setup.exe (2346 KB)
    MD5: 6EF6B447DC3379AC6C296DC35CA4D603
  • c:\documents and settings\(username)\desktop\winfixer 2005.lnk (1 KB)
  • c:\documents and settings\(username)\cookies\(username)@winfixer[1].txt (1 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\df_u42
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
    LEGACY_DF_U42
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
    Network\df_u42.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
    Minimal\df_u42.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\df_u42
    "DisplayName"="df_u42"
    "ImagePath"="\??\C:\WINDOWS\system32\drivers\df_u42.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_U42
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\df_u42.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\df_u42.sys
  • HKEY_LOCAL_MACHINE\SOFTWARE\WinFixer 2005
    "ActivationCode"="49425899-D4F7-46D6-BDF3-048ED4A560EE" (may vary)
    "InstallPath"="C:\Program Files\WinFixer 2005\"
    "Abbr"="UWFX5"
    "ProductCode"="UWFX5-0001-8882-7773"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\UWFX_5_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    SharedDLLs
    "C:\Program Files\Common Files\WinFixer 2005\uwappchk.dll"="1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    SharedDLLs
    "C:\Program Files\Common Files\WinFixer 2005\FCrXML.dll"="1"
  • HKEY_CURRENT_USER\Software\WinFixer 2005
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "WinFixer 2005"="C:\Program Files\WinFixer 2005\uwfx5.exe /scan"
  • HKEY_CLASSES_ROOT\UWFXCheck.UWFXCheck.1
  • HKEY_CLASSES_ROOT\UWFXCheck.UWFXCheck
  • HKEY_CLASSES_ROOT\TypeLib\{D49C1A5F-26CF-482E-81EE-1D4C9B057BD2}
  • HKEY_CLASSES_ROOT\TypeLib\{8D67C4E4-AAD6-46A1-812F-D7D21BBB4624}
  • HKEY_CLASSES_ROOT\TypeLib\{6F9DB588-66C5-4904-A2C7-423961358E8C}
  • HKEY_CLASSES_ROOT\TypeLib\{5F638503-4F2E-48F8-9210-9865AF4AD020}
  • HKEY_CLASSES_ROOT\TypeLib\{371EFE75-C183-4D0C-B8CD-2DFAFEEB34D7}
  • HKEY_CLASSES_ROOT\TypeLib\{25BAE2A9-DF54-4927-AF6F-9963146D11D8}
  • HKEY_CLASSES_ROOT\TypeLib\{248FDD41-4E0A-4138-9086-6CF5D6FA8179}
  • HKEY_CLASSES_ROOT\TypeLib\{17E55F3A-20AB-4668-A75F-DC96377AE16C}
  • HKEY_CLASSES_ROOT\MMFx.CoFxEngin.1
  • HKEY_CLASSES_ROOT\MMFx.CoFxEngin
  • HKEY_CLASSES_ROOT\Interface\{FE899520-E9F9-4CD9-AABB-E9074815CF50}
  • HKEY_CLASSES_ROOT\Interface\{F3067DE7-3DBA-4DF8-9FA0-6B0200BAA324}
  • HKEY_CLASSES_ROOT\Interface\{DB064061-95F1-4BAF-BEC9-F70792E01094}
  • HKEY_CLASSES_ROOT\Interface\{D4EA0C00-3BC8-4B26-8D2E-C5512B07A211}
  • HKEY_CLASSES_ROOT\Interface\{D3390AE7-6F1D-464F-8921-AF9A85EED316}
  • HKEY_CLASSES_ROOT\Interface\{CADCB2CC-0B7E-45B1-A689-A0AD9CE5932D}
  • HKEY_CLASSES_ROOT\Interface\{B36E6241-4D02-41FF-A16D-9B57E67D7B15}
  • HKEY_CLASSES_ROOT\Interface\{B26CA1F6-2D46-49AE-9897-9C5B7CCAB9FB}
  • HKEY_CLASSES_ROOT\Interface\{B0725565-2694-43EC-B1AB-0245762C9860}
  • HKEY_CLASSES_ROOT\Interface\{92B92664-32D6-4FCE-B2CE-C8519BAEFC4E}
  • HKEY_CLASSES_ROOT\Interface\{86786BEC-544D-473F-8D93-8E7AC0685361}
  • HKEY_CLASSES_ROOT\Interface\{81A7D75C-9768-41C3-AE0F-8B108D802B62}
  • HKEY_CLASSES_ROOT\Interface\{7F208C01-1FB1-4BC8-B918-82E287B0BB79}
  • HKEY_CLASSES_ROOT\Interface\{7D9DFDB3-5135-4279-B365-3CEEA4AC1EAC}
  • HKEY_CLASSES_ROOT\Interface\{7A66E632-E262-4986-A936-CC636282F138}
  • HKEY_CLASSES_ROOT\Interface\{74ECF6F4-62C5-48BA-945E-B20A97239A5E}
  • HKEY_CLASSES_ROOT\Interface\{68A7506D-DF03-4DF0-BE96-02BCB918EA7D}
  • HKEY_CLASSES_ROOT\Interface\{490E59CC-F6D5-4987-BBC8-E1A6D599C3F8}
  • HKEY_CLASSES_ROOT\Interface\{471D3AEF-F18C-4626-A7DB-320732ACC763}
  • HKEY_CLASSES_ROOT\Interface\{3C2656F4-8601-42B6-BDC3-DEC901E21C80}
  • HKEY_CLASSES_ROOT\Interface\{3BB63444-FD94-4C31-9D6F-0DA76CB11D70}
  • HKEY_CLASSES_ROOT\Interface\{24F3E817-2C07-4CB5-975D-F23FCFAEDE51}
  • HKEY_CLASSES_ROOT\FlFxr3.FlFixer3
  • HKEY_CLASSES_ROOT\FixCor.MMFxCor.1
  • HKEY_CLASSES_ROOT\FixCor.MMFxCor
  • HKEY_CLASSES_ROOT\FFWrap.FEnginWrape.1
  • HKEY_CLASSES_ROOT\FFWrap.FEnginWrape
  • HKEY_CLASSES_ROOT\df_prx.DriverManipulat.1
  • HKEY_CLASSES_ROOT\df_prx.DriverManipulat
  • HKEY_CLASSES_ROOT\df_fix.Fix.1
  • HKEY_CLASSES_ROOT\df_fix.Fix
  • HKEY_CLASSES_ROOT\ComCleanCore.FileClean.1
  • HKEY_CLASSES_ROOT\ComCleanCor.SystemCleane.1
  • HKEY_CLASSES_ROOT\ComCleanCor.SystemCleane
  • HKEY_CLASSES_ROOT\ComCleanCor.RegCleane.1
  • HKEY_CLASSES_ROOT\ComCleanCor.RegCleane
  • HKEY_CLASSES_ROOT\ComCleanCor.InetCleane.1
  • HKEY_CLASSES_ROOT\ComCleanCor.InetCleane
  • HKEY_CLASSES_ROOT\ComCleanCor.FileCleane
  • HKEY_CLASSES_ROOT\ComCleanCor.CQuickScan.1
  • HKEY_CLASSES_ROOT\ComCleanCor.CQuickScan
  • HKEY_CLASSES_ROOT\ComCleanCor.AppCleane.1
  • HKEY_CLASSES_ROOT\ComCleanCor.AppCleane
  • HKEY_CLASSES_ROOT\CLSID\{F0ED6398-E5F8-4ef8-BAB9-FE9BBCE7EF3E}
  • HKEY_CLASSES_ROOT\CLSID\{EAB5DB02-08F5-4e7d-81F9-75B9462FAAE3}
  • HKEY_CLASSES_ROOT\CLSID\{D4EA0C00-3BC8-4B26-8D2E-C5512B07A211}
  • HKEY_CLASSES_ROOT\CLSID\{C08FA317-C152-4fea-AC0B-2EA68D2B1C84}
  • HKEY_CLASSES_ROOT\CLSID\{B8CA1E6C-87E2-4435-9E56-8B791EC459D8}
  • HKEY_CLASSES_ROOT\CLSID\{B36E6241-4D02-41FF-A16D-9B57E67D7B15}
  • HKEY_CLASSES_ROOT\CLSID\{B296F12B-48A9-45fb-A860-4B98707B47AE}
  • HKEY_CLASSES_ROOT\CLSID\{ABC72615-4FB0-4689-AED9-AA6B89CEBC2C}
  • HKEY_CLASSES_ROOT\CLSID\{A99498D2-56E1-4e27-AC88-2328C6A87C7C}
  • HKEY_CLASSES_ROOT\CLSID\{9F3D2A3C-D537-482b-A91B-44EE29F09C4B}
  • HKEY_CLASSES_ROOT\CLSID\{8E3A1531-F462-4628-ADD8-D32984637641}
  • HKEY_CLASSES_ROOT\CLSID\{861D5757-3A7E-4c46-966E-8CD53A0D0013}
  • HKEY_CLASSES_ROOT\CLSID\{7F208C01-1FB1-4BC8-B918-82E287B0BB79}
  • HKEY_CLASSES_ROOT\CLSID\{72D597C4-2312-4116-BED4-4F9A2B2F710E}
  • HKEY_CLASSES_ROOT\CLSID\{6F85DDE5-A2DE-4217-A05D-0A7CD3C04DC2}
  • HKEY_CLASSES_ROOT\CLSID\{5A1C8180-2A52-470c-938C-BFB4E63AA32D}
  • HKEY_CLASSES_ROOT\AppID\{E11FF09D-39AF-4613-86AD-F3217E576571}
  • HKEY_CLASSES_ROOT\AppID\{DED71DE6-0575-4556-8311-A506B116A1A9}
  • HKEY_CLASSES_ROOT\AppID\{AAB0BA34-6D48-425f-B4B4-98F158CB61F1}
  • HKEY_CLASSES_ROOT\AppID\{3C132D19-6103-4fc3-8326-34E13EE9E2C0}
  • HKEY_CLASSES_ROOT\AppID\MFix.DLL
  • HKEY_CLASSES_ROOT\AppID\FxCr.DLL
  • HKEY_CLASSES_ROOT\AppID\FFWrapr.DLL
  • HKEY_CLASSES_ROOT\AppID\compclr.dll

Network Impact

Additional overhead in bandwidth due to possible download of updates or other content.