MyCleanerPC

Printer Friendly Page

Updated: May 28, 2007 2:59:38 PM

Type: Misleading Application

Infection Length: 131,872 bytes

Risk Impact: Medium

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

When MyCleanerPC is installed on the computer, it creates the following files:

%UserProfile%\Cookies\administrator@ads.mybetterpc[1].txt
%UserProfile%\Local Settings\Temp\GLB2E.tmp
%UserProfile%\Local Settings\Temp\~[6 RANDOM HEX DIGITS].tmp
%UserProfile%\Start Menu\Programs\myCleanerPC\About myCleanerPC.lnk
%UserProfile%\Start Menu\Programs\myCleanerPC\MyCleanerPC.lnk
%UserProfile%\Start Menu\Programs\myCleanerPC\Uninstall myCleanerPC.lnk
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\1.jpg
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\2.jpg
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\3.jpg
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\4.jpg
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\5.jpg
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\CleanerDefs.css
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\error.log
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\history.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\schedule.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\Signatures.dat
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\stats.log
%SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\user.dat
%ProgramFiles%\myCleanerPC\clean.swf
%ProgramFiles%\myCleanerPC\clean1.swf
%ProgramFiles%\myCleanerPC\DNRProject.dll
%ProgramFiles%\myCleanerPC\myCleanerPC.exe
%ProgramFiles%\myCleanerPC\Setup.INI

It may also create the following files, which are related to legitimate software:

%System%\Flash.ocx
%System%\mcpcuninstaller1_25.EXE
%System%\Msinet.ocx
%System%\MSVBVM60.DLL
%System%\msxml3.inf
%System%\msxml3a.dll
%System%\TabCtl32.ocx
%System%\vbar332.dll
%System%\zlib.dll

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Run\"myCleanerPC" = "C:\PROGRA~1\MYCLEA~1\myCleanerPC.exe"

The program also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\Program Files\myCleanerPC\DNRProject.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\comdlg32.ocx" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\vbar332.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\Msinet.ocx" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\zlib.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\msxml3r.dll" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\msxml3a.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\msxml3.dll" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\scrrun.dll" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\Flash.ocx" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\TabCtl32.ocx" = "1"

The program then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41765812-F0D1-4837-9662-5FBCD9CC2DEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F81B064-E53B-48CD-98DD-84ABD18D4CBE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72556741-56FD-45A8-93DA-EE5EE41B908A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BD6A9A7-7D88-4658-8BE4-1AA69174F8AF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A582B627-CE65-4BA7-B44F-8B9609193C32}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB9F5DD2-427A-4CE3-9522-3756BF2F0048}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE94BD95-408C-4506-BA90-2FAACB173927}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6B86368-2787-49B2-9054-F32B4B839AF1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F30973B1-DD06-4885-8C39-EE3CED95061F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1295E3D3-FDC8-4A3E-8E60-C6031601D08D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{14627BD3-6C96-4B5F-AA47-941CB370BB94}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244DB87B-7310-46DB-A7B8-651B8AEC8648}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26953A7A-BC68-496E-A479-AE975B0BFC6A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7265B88D-C685-4290-8B25-3659F8626031}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{908099C8-E0C7-4787-B084-96F915383598}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF6015BD-186A-4E60-A08E-0FC1C53324D9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BC978724-6C36-4F11-9A63-E85834BA344F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC03D597-A404-4B95-8544-FD215925B677}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBA4C028-544C-4D46-8D96-87E12B655CDD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FA6EEA37-5D54-490F-801E-DC0AD91C1045}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC912F2E-A101-4015-B822-7D2D71D15545}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{472FA6ED-4A44-49BA-8241-7CA38806C618}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cCookie
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cErrorLog
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cHistory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cRegistryRoutines
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cScheduler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cThreatLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.DNRDirector
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\myCleanerPC

It also creates the following registry subkeys, which are related to legitimate software:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mfp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sor
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InetCtls.Inet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InetCtls.Inet.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TabDlg.SSTab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TabDlg.SSTab.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C

The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}