1. /
  2. Security Response/
  3. MalwareCleaner

MalwareCleaner

Updated:
April 22, 2009 7:51:10 AM
Type:
Misleading Application
Name:
MalwareCleaner
Version:
3.0
Publisher:
MalwareCleaner Technologies
Risk Impact:
Medium
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
Behavior
The program may be downloaded from www.malwarecleaner2009.com and must be manually installed.

The program reports false or exaggerated system security threats on the computer.





The user is then prompted to pay for a full license of the application in order to remove the threats.




The files that MalwareCleaner reports as being malicious are actually dropped by the program itself.

Installation
When the program is executed, it creates the following files:
  • %ProgramFiles%\Grupxb\[RANDOM NUMBERS].cfg
  • %ProgramFiles%\Grupxb\[RANDOM NUMBERS].exe
  • %UserProfile%\Desktop\Malware Cleaner.lnk
  • %UserProfile%\Start Menu\Malware Cleaner\Malware Cleaner.lnk
  • %UserProfile%\Start Menu\Malware Cleaner\Uninstall.lnk

It also creates the following files, which it subsequently reports as being malicious:
  • %ProgramFiles%\AutoHotkey\[RANDOM CHARACTERS].exe
  • %ProgramFiles%\Messenger\[RANDOM CHARACTERS].scr
  • %ProgramFiles%\MSN\[RANDOM CHARACTERS].com
  • %ProgramFiles%\Online Services\[RANDOM CHARACTERS].com
  • %ProgramFiles%\UltraEdit\[RANDOM CHARACTERS].exe
  • %ProgramFiles%\Windows NT\[RANDOM CHARACTERS].scr
  • %System%\1033\[RANDOM CHARACTERS].exe
  • %System%\2052\[RANDOM CHARACTERS].scr
  • %System%\Com\[RANDOM CHARACTERS].com
  • %System%\export\[RANDOM CHARACTERS].dll
  • %System%\Macromed\[RANDOM CHARACTERS].scr
  • %System%\PreInstall\[RANDOM CHARACTERS].scr
  • %System%\ShellExt\[RANDOM CHARACTERS].exe
  • %System%\wins\[RANDOM CHARACTERS].scr
  • %Windir%\Config\[RANDOM CHARACTERS].exe
  • %Windir%\Driver Cache\[RANDOM CHARACTERS].dll
  • %Windir%\java\[RANDOM CHARACTERS].com
  • %Windir%\mui\[RANDOM CHARACTERS].exe
  • %Windir%\Registration\[RANDOM CHARACTERS].exe
  • %Windir%\ServicePackFiles\[RANDOM CHARACTERS].com
  • %Windir%\system\[RANDOM CHARACTERS].scr
  • %Windir%\WinSxS\[RANDOM CHARACTERS].dll

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Malware Cleaner" = "%ProgramFiles%\Grupxb\[RANDOM NUMBERS].exe /startup"

It also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Cleaner
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver