Encyclopedia entry
Updated: Apr 17, 2011 | Published: Nov 07, 2008
Aliases
- Program:Win32/Pccleaner (other)
- Win32/Adwrae.PCClean (ESET)
- Backdoor.Win32.UltimateDefender.hu (Kaspersky)
- PCClean (Symantec)
- Program:Win32/UltimateCleaner (other)
Alert Level
High
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition: 1.125.1553.0 Released: May 10, 2012
Detection initially created: Definition: 1.45.287.0 Released: Oct 07, 2008
Summary
Program:Win32/FakePccleaner is a program that displays false and misleading alerts regarding malware, in order to convince users to purchase the rogue security software.
Symptoms
Symptoms vary among different distributions of Program:Win32/FakePccleaner; however, the following system changes (or similar) may indicate the presence of this program:
- Presence of the following files, or similar (for example):
%USERPROFILE%\Desktop\pc-cleaner.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\uninstall pc-cleaner.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\register pc-cleaner.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\start pc-cleaner.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\pc-cleaner uninstall.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\pc-cleaner.lnk
%APPDATA%\pc-cleaner\settings.dat
%ProgramFiles%\pc-cleaner\pc-cleaner.db
%ProgramFiles%\pc-cleaner\program.info
%ProgramFiles%\pc-cleaner\uninstall.exe
%ProgramFiles%\pc-cleaner\pc-cleaner.exe
%ProgramFiles%\pc-cleaner\pccleaner.pkg
%ProgramFiles%\pc-cleaner\com\pcsd.dll
- Display of the following image (for example)

Technical Information (Analysis)
Program:Win32/FakePccleaner is a program that displays false and misleading alerts regarding malware, in order to convince users to purchase the rogue security software.
Installation
Program:Win32/FakePccleaner may be installed by the TrojanDownloader:Win32/Renos family, or manually installed by a computer user. The installer may create the following folders, files, desktop and application shortcuts:
%USERPROFILE%\Desktop\pc-cleaner.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\uninstall pc-cleaner.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\register pc-cleaner.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\start pc-cleaner.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\pc-cleaner uninstall.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\pc-cleaner\pc-cleaner.lnk
%APPDATA%\pc-cleaner\
%APPDATA%\pc-cleaner\settings.dat
%ProgramFiles%\pc-cleaner\
%ProgramFiles%\pc-cleaner\pc-cleaner.db
%ProgramFiles%\pc-cleaner\program.info
%ProgramFiles%\pc-cleaner\uninstall.exe
%ProgramFiles%\pc-cleaner\pc-cleaner.exe
%ProgramFiles%\pc-cleaner\pccleaner.pkg
%ProgramFiles%\pc-cleaner\com\
%ProgramFiles%\pc-cleaner\com\pcsd.dll
The installer may create the following registry subkeys:
HKCU\Software\PC-Cleaner
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC-Cleaner
HKLM\Software\PC-Cleaner
HKLM\Software\Classes\clsid\{7289E7FB-18EE-4223-A2BC-3F620C4477D8}
The registry is modified to run Win32/FakePccleaner at Windows start.
Adds value: "PC-Cleaner"
With data: "%ProgramFiles%\pc-cleaner\pc-cleaner.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
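A read-only host check for the folders, registry subkeys and Run value listed above, added here as an example and not part of the original entry. The CommonPrograms, Program Files (x86) and WOW6432Node locations are assumptions for newer and 64-bit Windows that the entry does not list, and the function name is hypothetical.

```powershell
# Added example (not from the original entry): read-only check for the artifacts listed above.
# HKCU and %USERPROFILE% cover only the user running the script; repeat per profile.
function Find-FakePccleanerArtifact {
    $hits = @()
    # Locations from the entry, plus assumed equivalents on newer and 64-bit Windows
    # (CommonPrograms folder, Program Files (x86)).
    $paths = @(
        "$env:USERPROFILE\Desktop\pc-cleaner.lnk",
        "$env:ALLUSERSPROFILE\Start Menu\Programs\pc-cleaner",
        "$([Environment]::GetFolderPath('CommonPrograms'))\pc-cleaner",
        "$env:APPDATA\pc-cleaner",
        "$env:ProgramFiles\pc-cleaner",
        "${env:ProgramFiles(x86)}\pc-cleaner"
    ) | Where-Object { $_ -match '^[A-Za-z]:\\' } | Select-Object -Unique
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $hits += [pscustomobject]@{ Type = 'Path'; Item = $p; Data = '' }
        }
    }
    # Registry subkeys from the entry; WOW6432Node variants are an assumption for 64-bit hosts.
    $keys = @(
        'HKCU:\Software\PC-Cleaner',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC-Cleaner',
        'HKLM:\Software\PC-Cleaner',
        'HKLM:\Software\Classes\clsid\{7289E7FB-18EE-4223-A2BC-3F620C4477D8}'
    )
    $keys += $keys | Where-Object { $_ -like 'HKLM:\Software\*' } |
        ForEach-Object { $_ -replace '^HKLM:\\Software\\', 'HKLM:\Software\WOW6432Node\' }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $hits += [pscustomobject]@{ Type = 'RegKey'; Item = $k; Data = '' }
        }
    }
    # Autostart: flag the "PC-Cleaner" value, or any Run value launching pc-cleaner.exe.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    if ($run) {
        foreach ($v in $run.PSObject.Properties) {
            if ($meta -contains $v.Name) { continue }   # skip provider metadata properties
            if ($v.Name -eq 'PC-Cleaner' -or "$($v.Value)" -like '*\pc-cleaner\pc-cleaner.exe*') {
                $hits += [pscustomobject]@{ Type = 'RunValue'; Item = "$runKey\$($v.Name)"; Data = "$($v.Value)" }
            }
        }
    }
    return $hits
}

Find-FakePccleanerArtifact | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed artifacts were found for the current user; because the entry notes that symptoms vary between distributions, it does not rule out a variant using different names.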
Once installed, Win32/FakePccleaner displays false alerts suggesting that computer errors or malware exist. Below is an example false report displayed on a clean machine:
Examples of Win32/FakePccleaner variants:
Analysis by Chris Jones