CleanUp Antivirus Description

 

 

[+] Click Image to Enlarge

 

 

CartCartCartCartCartCartCartCart

CleanUp Antivirus or Clean Up Antivirus is a fake anti-virus application created by the authors of rogueware such as Security Antivirus. Trojans help in the distribution of CleanUp Antivirus by surreptitiously placing it into users’ systems. These Trojans will also create harmless files which will be detected as dangerous malware when CleanUp Antivirus runs a fake online system scan on a compromised PC. The said scan will produce a fabricated report indicating that the system is badly infected with numerous computer threats that can only be removed with the “full” version of CleanUp Antivirus. Purchasing CleanUp Antivirus is the last thing you should do; instead use a recognized security tool to completely remove CleanUp Antivirus.

Type: Rogue Anti-Virus Program

How Can You Detect CleanUp Antivirus?

CleanUp Antivirus Technical Report

As new CleanUp Antivirus details are reported by our customers and findings from our Threat Research Center, we will update this section.

The following CleanUp Antivirus files with its MD5s were created in the system:

CleanUp Antivirus has typically the following processes in memory:

• %UserProfile%\Recent\grid.exe
• %UserProfile%\Recent\DBOLE.sys
• c:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
• %UserProfile%\Recent\FS.dll
• %UserProfile%\Recent\DBOLE.dll
• c:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
• %UserProfile%\Recent\PE.exe
• %UserProfile%\Recent\tjd.sys
• c:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe

CleanUp Antivirus created the following directories, files, paths:

• %AppData%\CleanUp Antivirus

CleanUp Antivirus creates the following registry entries:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “App/7.00195″
• HKEY_CLASSES_ROOT\CU345d.DocHostUIHandler
• HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=195&q={searchTerms}”
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “PRS” = “http://127.0.0.1:27777/?inj=%ORIGINAL%”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe”
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = “1″
• HKEY_CURRENT_USER\Software\3
• HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=195&q={searchTerms}”
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = “no”
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe”
• HKEY_CURRENT_USER\Software\CleanUp Antivirus
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CleanUp Antivirus”
• HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
• HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=195&q={searchTerms}”
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “Library1.00195″

Important Article Disclaimer