Threat Explorer

SpywareCleaner

Updated: 13 February 2007
Publisher: SpywareCleaner
Risk Impact: Medium
File Names: %UserProfile%\Desktop\Spyware Cleaner.lnk %UserProfile%\Start Menu\Programs\Spyware Cleaner\Spywa
Systems Affected: Windows

Behavior


SpywareCleaner is a security risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

Symptoms


Your Symantec program detects SpywareCleaner.

Behavior


This security risk is manually downloaded and installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 18 January 2006
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 18 January 2006

When ScanandRepair is installed, it performs the following actions:
  1. Creates the following folder:

    %ProgramFiles%\Spyware Cleaner

    Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following files:

    • %UserProfile%\Desktop\Spyware Cleaner.lnk
    • %UserProfile%\Start Menu\Programs\Spyware Cleaner\Spyware Cleaner Help.lnk
    • %UserProfile%\Start Menu\Programs\Spyware Cleaner\Spyware Cleaner.lnk
    • %UserProfile%\Start Menu\Programs\Spyware Cleaner\Uninstall Spyware Cleaner.lnk
    • %UserProfile%\Start Menu\Programs\Spyware Cleaner\Visit our Website.lnk
    • %ProgramFiles%\Spyware Cleaner\ActivityLogs.txt
    • %ProgramFiles%\Spyware Cleaner\Backup\11-4-2006-11-24-35.reg
    • %ProgramFiles%\Spyware Cleaner\CurrentHwnd.opt
    • %ProgramFiles%\Spyware Cleaner\help.chm
    • %ProgramFiles%\Spyware Cleaner\InfectionFound.wav
    • %ProgramFiles%\Spyware Cleaner\Options Files\CustomSet.opt
    • %ProgramFiles%\Spyware Cleaner\Options Files\FolderScanSet.opt
    • %ProgramFiles%\Spyware Cleaner\Options Files\Ignored.opt
    • %ProgramFiles%\Spyware Cleaner\Options Files\ListItems.opt
    • %ProgramFiles%\Spyware Cleaner\Options Files\QuarantineOptions.opt
    • %ProgramFiles%\Spyware Cleaner\Options Files\ScanHist.opt
    • %ProgramFiles%\Spyware Cleaner\Options Files\Settings.opt
    • %ProgramFiles%\Spyware Cleaner\Options Files\results.opts
    • %ProgramFiles%\Spyware Cleaner\referencefile.dat
    • %ProgramFiles%\Spyware Cleaner\SCService.exe
    • %ProgramFiles%\Spyware Cleaner\Spyware Cleaner.url
    • %ProgramFiles%\Spyware Cleaner\SpywareCleaner.exe
    • %ProgramFiles%\Spyware Cleaner\uninst.exe
    • %ProgramFiles%\Spyware Cleaner\backup - This folder contains numerous files with the format [date-time].reg
    • C:\WINDOWS\hosts
    • C:\WINDOWS\system32\dllcache\scrrun.dll - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\system32\dllcache\wshom.ocx - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\system32\ccrpftv6.ocx - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\system32\Mci32.ocx - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\system32\mscomct2.ocx - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\system32\mscomctl.ocx - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\system32\msinet.ocx - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\system32\NTSVC.ocx - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\system32\OLD101.tmp - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\system32\OLD104.tmp - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\LastGood\system32\scrrun.dll - This is a non-malicious component that may be used by other applications.
    • C:\WINDOWS\LastGood\system32\wshom.ocx - This is a non-malicious component that may be used by other applications.

      Notes:
      • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
      • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
      • The legitimate files that are dropped also add many legitimate keys associated with those files.

  3. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareCleaner.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Cleaner
    HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Cleaner
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\SpywareCleanerService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SpywareCleanerService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SpywareCleanerService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpywareCleanerService

  4. Adds the following value:

    "Spyware Cleaner" = "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe /boot"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk is executed every time Windows starts.



The following instructions pertain to all Symantec antivirus products that support security risk detection.
  1. Update the definitions.
  2. Uninstall the security risk.
  3. Run the scan.
  4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.
  1. To update the definitions
    To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

  2. To remove the risk
    This security risk includes an uninstallation applet. In order to uninstall this security risk, complete the following instructions:

    a. Delete the following files and folders if they exist:

    %ProgramFiles%\Spyware Cleaner\
    %UserProfile%\Start Menu\Programs\Spyware Cleaner\
    %UserProfile%\Desktop\Spyware Cleaner.lnk

  3. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.
  1. Click Start > Run.

  2. Type regedit

    Then click OK.

    Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  3. Navigate to and delete the following registry entries if they exist:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareCleaner.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Cleaner
    HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Cleaner
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\SpywareCleanerService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SpywareCleanerService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SpywareCleanerService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpywareCleanerService

  4. Navigate to the following registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Delete the following value if it exists:

    "Spyware Cleaner" = "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe /boot"

  5. Exit the Registry Editor.
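
The manual checks in the removal steps above can be done in one read-only pass before anything is deleted. The following PowerShell is an added example, not part of the original write-up or any Symantec tool; the function name Get-SpywareCleanerArtifact and the output field names are hypothetical, and it assumes the paths and keys exactly as listed on this page.

```powershell
# Added example: read-only audit; it reports artifacts and deletes nothing.
# Paths and keys are the ones in the removal steps on this page. The shared
# components the page marks as non-malicious (e.g. mscomctl.ocx) and
# C:\WINDOWS\hosts are deliberately left out.
# Assumption: 32-bit redirected locations on 64-bit Windows are not covered.

$paths = @(
    (Join-Path $env:ProgramFiles 'Spyware Cleaner'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Spyware Cleaner'),
    (Join-Path $env:USERPROFILE 'Desktop\Spyware Cleaner.lnk')
)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareCleaner.exe',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Cleaner',
    'HKLM:\SOFTWARE\Spyware Cleaner',
    'HKLM:\SYSTEM\ControlSet001\Services\Eventlog\Application\SpywareCleanerService',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SpywareCleanerService',
    'HKLM:\SYSTEM\ControlSet001\Services\SpywareCleanerService',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SpywareCleanerService'
)

$runKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Spyware Cleaner'

# Hypothetical helper name; returns one object per artifact that is present.
function Get-SpywareCleanerArtifact {
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Kind = 'FileSystem'; Item = $p; Data = $null }
        }
    }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            [pscustomobject]@{ Kind = 'RegistryKey'; Item = $k; Data = $null }
        }
    }
    # The Run entry is a value, not a subkey, so read it by name.
    $run = Get-ItemProperty -LiteralPath $runKey -Name $runName -ErrorAction SilentlyContinue
    if ($run) {
        [pscustomobject]@{ Kind = 'RunValue'; Item = "$runKey\$runName"; Data = $run.$runName }
    }
}

$hits = @(Get-SpywareCleanerArtifact)
if ($hits.Count -eq 0) { 'No SpywareCleaner artifacts from this page were found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

Because %UserProfile% and HKEY_CURRENT_USER are per-user, run the audit in the session of each account that may have installed the program.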