Win32/Adware.RegistryCleanFix2008

Detection created: 2008-03-05
World activity peak: 2008-03-19 (0.02 %)
Short description

Win32/Adware.RegistryCleanFix2008 is adware that installs the Win32/MonaGray.A malware.

Installation

The adware must be manually installed.


The adware creates the following files:

  • %allusersprofile%\Start Menu\Programs\Startup\SRVSPOOL.exe (Win32/MonaGray.A)
  • %programfiles%\RegistryCleanFix2008\RegistryCleaner2008.exe
  • %programfiles%\RegistryCleanFix2008\unins000.dat
  • %programfiles%\RegistryCleanFix2008\unins000.exe
  • %allusersprofile%\Desktop\RegistryCleanFix2008.lnk
  • %allusersprofile%\Start Menu\Programs\RegistryCleanFix2008\RegistryCleanFix2008.lnk
  • %allusersprofile%\Start Menu\Programs\RegistryCleanFix2008\RegistryCleanFix2008 on the Web.url
  • %allusersprofile%\Start Menu\Programs\RegistryCleanFix2008\Uninstall RegistryCleanFix2008.lnk
  • %userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch\RegistryCleanFix2008.lnk

In order to be executed on every system start, the adware sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "RegistryCleanFixMFC" = "%programfiles%\RegistryCleanFix2008\RegistryCleaner2008.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\FCR2008MFC]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegistryCleanFix2008_is1]

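
As an added example (not part of the original description), the following Python check applies the file and Registry indicators listed above to `reg query` output and a Startup-folder listing; the sample entries, including the benign OneDrive autorun, are constructed rather than captured from a real host.

```python
import re

# Indicators taken from the description above. Matching is done on the path tail so that
# both the %programfiles% placeholder and the expanded folder (e.g. C:\Program Files) match.
RUN_VALUE_NAME = "RegistryCleanFixMFC"
RUN_IMAGE_TAIL = r"\registrycleanfix2008\registrycleaner2008.exe"
STARTUP_DROPPER = "srvspool.exe"  # Win32/MonaGray.A, dropped into the all-users Startup folder

# Constructed sample: what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# prints on a host that has the adware next to a benign autorun entry (not a real capture).
SAMPLE_RUN_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    RegistryCleanFixMFC    REG_SZ    C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
"""

# Constructed listing of %allusersprofile%\Start Menu\Programs\Startup.
SAMPLE_STARTUP_LISTING = ["desktop.ini", "SRVSPOOL.exe"]

def normalize(value):
    """Lower-case a path and drop quotes and soft hyphens (U+00AD), which indicators
    copy-pasted from web pages often carry after every backslash."""
    return value.replace("\u00ad", "").strip().strip('"').lower()

def parse_reg_query(text):
    """Return {value_name: data} for the REG_SZ / REG_EXPAND_SZ lines of `reg query` output."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(2).strip()
    return entries

def find_run_indicators(entries):
    """Flag Run entries whose value name or image path matches the adware's autorun entry."""
    hits = []
    for name, data in entries.items():
        if name.lower() == RUN_VALUE_NAME.lower() or RUN_IMAGE_TAIL in normalize(data):
            hits.append((name, data))
    return hits

def find_startup_dropper(filenames):
    """Flag the dropped SRVSPOOL.exe in a Startup-folder listing."""
    return [f for f in filenames if normalize(f) == STARTUP_DROPPER]

if __name__ == "__main__":
    print("suspicious Run entries:", find_run_indicators(parse_reg_query(SAMPLE_RUN_QUERY)))
    print("suspicious Startup items:", find_startup_dropper(SAMPLE_STARTUP_LISTING))
```
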
Other information

The adware displays warnings about possible problems detected on the compromised computer that need to be fixed.


The problems/threats are fake.


Some examples follow.

Example [1.] and Example [2.]: screenshots of the fake warnings (images not included).


The goal of these programs is to persuade the user to purchase them.


During registration of the adware, the user may be redirected to one of the following web sites:

  • http://www.registrycleanfix.com

Example [3.]: screenshot (image not included).
