Application.Winfixer.J (WinFixer, ErrorSafe, WinAntiSpyware)
SYMPTOMS:

A downloader screen appears when you run the application, informing you of the progress of downloading the application installer.

Popup messages appear when you start Windows, and from time to time after that, saying that you have serious threats that need fixing and taking you to the registration page if you want to fix them.

TECHNICAL DESCRIPTION:

Application.Winfixer.J is a name given to a set of 3 similar applications, Winfixer, ErrorSafe and WinAntiSpyware, that have approximately the same strategy: they get installed either by the user or by some other application, such as a downloader. They start scanning the system as soon as you install them, then report a series of critical system errors that need fixing and tell you to buy the application if you want it to fix those errors. Even on a clean Windows installation these programs report threats and errors, and WinAntiSpyware detects Winfixer as being a threat.

Depending on the program installed, these files and registry keys will appear on your computer:

For Winfixer:

Files and folders:
%DocumentsandSettings%\All Users\Desktop\Win Fixer 2006.lnk
%DocumentsandSettings%\All Users\Desktop\Install WinFixer 2006.lnk
%DocumentsandSettings%\All Users\Start Menu\Programs\WinFixerFree\
%ProgramFiles%\WinFixerFree\

Registry keys:
HKEY_CLASSES_ROOT\FFxr_21.FFixr21
HKEY_CLASSES_ROOT\FWrape_r.FFEnginWrape_r.1
HKEY_CLASSES_ROOT\FWrape_r.FFEnginWrape_r
HKEY_CLASSES_ROOT\FxCor_e.MMFixCor_e.1
HKEY_CLASSES_ROOT\FxCor_e.MMFixCor_e
HKEY_CLASSES_ROOT\MMFxCtr_l.CoFixEngin_e.1
HKEY_CLASSES_ROOT\MMFxCtr_l.CoFixEngin_e
HKEY_CLASSES_ROOT\UWFX6PCheck.UWFX6PCheck.2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Win_Fixer_Free
HKEY_CURRENT_USER\Software\WinFixer_Free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NI.UWFX6_0001_N68M2301
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UWinFX6_is1
HKEY_LOCAL_MACHINE\SOFTWARE\WinFixer_2006
HKEY_LOCAL_MACHINE\SOFTWARE\WinFixer_Free
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}\Control\DeviceReference
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0

For ErrorSafe:

Files and folders:
%DocumentsandSettings%\Noob Saibot\Desktop\Error Safe.lnk
%DocumentsandSettings%\All Users\Start Menu\Programs\Error Safe Unregistered Version
%ProgramFiles%\Error Safe Free

Registry keys:
HKEY_CLASSES_ROOT\ESSPChck.ESSPChck.1
HKEY_CLASSES_ROOT\ESSPChck.ESSPChck
HKEY_CLASSES_ROOT\FlFxr15.FlFixer15
HKEY_CLASSES_ROOT\FWraper.FFEnginWraper.1
HKEY_CLASSES_ROOT\FWraper.FFEnginWraper
HKEY_CLASSES_ROOT\FxCore.MMFixCore.1
HKEY_CLASSES_ROOT\FxCore.MMFixCore
HKEY_CLASSES_ROOT\MMFxCtrl.CoFixEngine.1
HKEY_CLASSES_ROOT\MMFxCtrl.CoFixEngine
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Error Safe with value ""%ProgramFiles%\Error Safe Free\ERS.exe" /scan"
HKEY_LOCAL_MACHINE\SOFTWARE\Error Safe Free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Error Safe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"%ProgramFiles%\Error Safe Free\ESSPChck.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UERS_is1

For WinAntiSpyware:

Files and folders:
%DocumentsandSettings%\All Users\Desktop\WinAntiSpyware 2006 Scanner.lnk
%DocumentsandSettings%\All Users\Local Settings\Temp\WinAntiSpyware2006Setup.exe
%DocumentsandSettings%\All Users\Start Menu\Programs\WinAntiSpyware 2006 Scanner\
%ProgramFiles%\WinAntiSpyware 2006 Scanner\
%System%\drivers\uwasfsd.sys

Registry keys:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ExplorerUWAS
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\ExplorerUWAS
HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\ExplorerUWAS
HKEY_CLASSES_ROOT\UWAS6.UWAS6
HKEY_CLASSES_ROOT\uwasfsd.CreationNotifier.1
HKEY_CLASSES_ROOT\uwasfsd.CreationNotifier
HKEY_CLASSES_ROOT\uwashellext.ShellHook.1
HKEY_CLASSES_ROOT\uwashellext.ShellHook
HKEY_CLASSES_ROOT\uwashellext.WASContextMenu.1
HKEY_CLASSES_ROOT\uwashellext.WASContextMenu
HKEY_CURRENT_USER\Software\WinAntiSpyware 2006 Scanner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\%programfiles%\WinAntiSpyware 2006 Scanner\uwasffNT.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\%system%\drivers\uwasfsd.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinAntiSpyware 2006 Scanner with value "C:\Program Files\WinAntiSpyware 2006 Scanner\was6.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1230649B-B980-44A5-B259-9B09EBEA6331}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAntiSpyware 2006 Scanner_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinAntiSpyware 2006 Scanner"
HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiSpyware 2006 Scanner
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uwasfsd

where:
%DocumentsandSettings% is the current Documents and Settings folder
%ProgramFiles% is the current Program Files folder
%System% is the current System folder

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY: George Nechifor, virus researcher
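A read-only PowerShell check for a subset of the files and registry entries listed above, added here as an example; it is not BitDefender's removal tool or code from the original write-up. It assumes that the entries under ...\CurrentVersion\Run are registry values (the listing gives "with value" data for two of them), that %System% maps to %SystemRoot%\System32, and that the entries sit in the native registry view and Program Files folder.

```powershell
# Added example: read-only check for a subset of the indicators listed above.
# Assumption: the Run entries are registry VALUES under the Run key, so they are
# read with Get-ItemProperty; Test-Path on "Run\<name>" would always report false.
$run = 'Microsoft\Windows\CurrentVersion\Run'
$runValues = @(
    @{ Key = "HKCU:\Software\$run"; Name = 'Win_Fixer_Free' },
    @{ Key = "HKLM:\SOFTWARE\$run"; Name = 'NI.UWFX6_0001_N68M2301' },
    @{ Key = "HKCU:\Software\$run"; Name = 'Error Safe' },
    @{ Key = "HKLM:\SOFTWARE\$run"; Name = 'Error Safe' },
    @{ Key = "HKLM:\SOFTWARE\$run"; Name = 'WinAntiSpyware 2006 Scanner' }
)

# Registry keys from the listing. HKEY_CLASSES_ROOT has no default PowerShell
# drive, so it is addressed through the Registry:: provider path.
$keys = @(
    'HKLM:\SOFTWARE\WinFixer_2006',
    'HKLM:\SOFTWARE\WinFixer_Free',
    'HKLM:\SOFTWARE\Error Safe Free',
    'HKLM:\SOFTWARE\WinAntiSpyware 2006 Scanner',
    'HKLM:\SYSTEM\CurrentControlSet\Services\uwasfsd',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UWinFX6_is1',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UERS_is1',
    'Registry::HKEY_CLASSES_ROOT\UWAS6.UWAS6'
)

# Folders and the driver file. Assumption: %System% is %SystemRoot%\System32.
$paths = @(
    (Join-Path $env:ProgramFiles 'WinFixerFree'),
    (Join-Path $env:ProgramFiles 'Error Safe Free'),
    (Join-Path $env:ProgramFiles 'WinAntiSpyware 2006 Scanner'),
    (Join-Path $env:SystemRoot 'System32\drivers\uwasfsd.sys')
)

$hits = @()
foreach ($rv in $runValues) {
    $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($item) {
        $hits += [pscustomobject]@{ Type = 'RunValue'; Location = "$($rv.Key)\$($rv.Name)"; Data = $item.($rv.Name) }
    }
}
foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $hits += [pscustomobject]@{ Type = 'Key';  Location = $k; Data = $null } } }
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { $hits += [pscustomobject]@{ Type = 'Path'; Location = $p; Data = $null } } }

if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No listed indicators found.' }
```

The HKCU checks only cover the account running the script; other users' hives have to be checked from their own sessions or by loading their NTUSER.DAT.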