Friday, March 13, 2009

Trojan Winfixer

(aka Application/ErrorSafe, Trojan.Downloader.Winfixer.O, Win32/Winfixer)


[Description]

This is a program designed to trick the user into believing that the computer has errors and that, in order to fix them, he/she needs to buy it.
When it is first launched it shows a message informing you that it will download and install a program called ErrorSafe.
After the download is finished, the program is automatically installed and a system scan is made.
When the scan is finished, a fake report is shown stating that the system has many critical errors.
If you click on the Repair button, you are redirected to a website in order to purchase the full version of the program.

The errors presented in the report do not exist and are shown only to convince you that you need to buy the program.

After the program is installed, it automatically sets itself to run on every startup by creating the following registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
UERScw - C:\Program Files\ErrorSafe Free\UERScw.exe
was_check - C:\Program Files\ErrorSafe Free\PASmon.exe


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ErrorSafeFree - C:\Program Files\ErrorSafe Free\uers.exe


It also adds the following CLSIDs to the registry:
{25F43076-32B8-4828-A88C-8288EEE53396}
{3EB15ED2-15A6-4E1A-B84A-ACFAE64583E1}
{53D5C0AF-1B61-44A1-8739-31ABD4117D8D}
{6EF91405-4FCB-4633-BAB3-FA5B3DC40C3B}
{703BDF83-2C12-4d20-8BB0-106DDAB01B59}
{7300F6AF-78E6-4167-845A-6089879F1DB0}
{C5531D07-22C2-418B-85B9-D829AF1498B0}
{E0767047-9D25-4a3a-B905-852CDA087E86}
{E7296F98-6668-419c-AE1D-04ED641E7C3E}
{F585CB1F-F17D-4007-A573-B663197EF500}


[Clean]

In order to clean the program you can go to Control Panel -> Add or Remove Programs.
Then select ErrorSafe and click on the Remove button.

After that, it is best to open regedit and search for the CLSIDs listed in the
description of this trojan. If you find any of those keys, you can delete them.

It is recommended that before you do any modification, you back up your registry or your system.
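The manual regedit search above can be replaced by a script. The following is an added example, not part of the original post: a PowerShell script that checks the three Run values and the ten CLSIDs listed in the description, reports what it finds, and deletes them only when run with -Remove. It assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added helper (not from the original post): checks for the Winfixer/ErrorSafe
# registry indicators listed above. Reports only; pass -Remove to delete matches.
param([switch]$Remove)

$runKeys = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'UERScw' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'was_check' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'ErrorSafeFree' }
)
$clsids = @(
    '{25F43076-32B8-4828-A88C-8288EEE53396}', '{3EB15ED2-15A6-4E1A-B84A-ACFAE64583E1}',
    '{53D5C0AF-1B61-44A1-8739-31ABD4117D8D}', '{6EF91405-4FCB-4633-BAB3-FA5B3DC40C3B}',
    '{703BDF83-2C12-4d20-8BB0-106DDAB01B59}', '{7300F6AF-78E6-4167-845A-6089879F1DB0}',
    '{C5531D07-22C2-418B-85B9-D829AF1498B0}', '{E0767047-9D25-4a3a-B905-852CDA087E86}',
    '{E7296F98-6668-419c-AE1D-04ED641E7C3E}', '{F585CB1F-F17D-4007-A573-B663197EF500}'
)
# COM class registrations live under HKCR\CLSID (machine-wide) and HKCU\Software\Classes\CLSID (per user)
$clsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID', 'HKCU:\Software\Classes\CLSID')

$found = 0
# Startup persistence: the Run values named in the description
foreach ($rk in $runKeys) {
    $item = Get-ItemProperty -Path $rk.Key -Name $rk.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $found++
    Write-Output ('FOUND run value {0}\{1} = {2}' -f $rk.Key, $rk.Name, $item.($rk.Name))
    if ($Remove) {
        Remove-ItemProperty -Path $rk.Key -Name $rk.Name
        Write-Output '  removed'
    }
}
# CLSID registrations: looked up by exact key name instead of a free-text regedit search
foreach ($root in $clsidRoots) {
    foreach ($id in $clsids) {
        $path = "$root\$id"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $found++
        Write-Output "FOUND CLSID key $path"
        if ($Remove) {
            Remove-Item -LiteralPath $path -Recurse
            Write-Output '  removed'
        }
    }
}
Write-Output "Indicators matched: $found"
```

Run it once without -Remove to review the matches, and export the affected keys with reg export (or take a system restore point) before running it with -Remove, as the note above recommends.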
