For More Information:
Contact Us at: (817)320-5334
or email info@web-techservices.com
 
 
   
Inventory Management
Read More...
 
Website Management
Web Tech Services
Google Certification Partner Program
 

Virus Help


The cleanup virus - removal assistance. We have encountered this on several customers' systems lately and thought we'd post some help.

Cleanup Antivirus is a rogue from the same family as Virus Doctor. This rogue is promoted through the use of Trojans and fake online anti-malware scanners. When installed Cleanup Antivirus will be configured to start automatically when you log into Windows. When Cleanup Antivirus is installed it will also create numerous fake malware that will be detected as malware when the program scans your computer. The list of fake malware files that it installs include:

%UserProfile%\Recent\cb.tmp
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\DBOLE.dll
%UserProfile%\Recent\DBOLE.sys
%UserProfile%\Recent\eb.tmp
%UserProfile%\Recent\exec.tmp
%UserProfile%\Recent\FS.dll
%UserProfile%\Recent\grid.exe
%UserProfile%\Recent\pal.drv
%UserProfile%\Recent\pal.tmp
%UserProfile%\Recent\PE.exe
%UserProfile%\Recent\tempdoc.drv
%UserProfile%\Recent\tempdoc.tmp
%UserProfile%\Recent\tjd.sys
%UserProfile%\Recent\tjd.tmp

When Cleanup Antivirus scans your computer it will find the above files it created in the first place and state that they are infections. It will not, though, allow you to remove any of them until you first purchase the program. In reality, the above files are harmless and can cause no harm to your computer. They are only being created to try and convince you that the Cleanup Antivirus scan results are legitimate. As these infections are all fake, please do not purchase the program based upon anything that this program displays.

Cleanup Antivirus screen shot
Cleanup Antivirus screen shot

 

While the program is running it will also display numerous security warnings and alerts. These alerts will state that your computer is under attack, sending SPAM, or that your personaldata is at risk. Some of the alerts that you may see are:

An unauthorized program has been prevented from accessing your PC remotely. #Port:433 from 75.32.121.16
An unauthorized software C:\Program Files\Internet Explorer\Iexplore.exe which is potentially malicious and able to modify system files has been prevented from being installed on your PC.

Cleanup Antivirus has detected potentially harmful software in your system. It is strongly recommended that you register Cleanup Antivirus to remove all found threats immediately.

 

Potentially harmful programs have been detected in your system and need to be dealt with immediately. Click here to remove them using Cleanup Antivirus.
Your PC may still be infected with dangerous viruses. Cleanup Antivirus protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection.

 

Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Cleanup Antivirus.
Click here to remove all potentially harmful programs found immediately using Cleanup Antivirus.

 

Malicious applications, which may contain Trojans, were found on your computer and are to be removed immediately. Click here to remove these potentially harmful items using Cleanup Antivirus.
No real-time malware, spyware and virus protection was found. Click here to activate.

Just like the scan results, these fake warnings should be ignored as they are just another attempt to make you think your computer has a security problem. This infection will also hijack your web browser's default search engine and set it to findgala.com. Last, but not least, this infection will add entries to your HOSTS file so that when you visit certain sites such as Google or Bing, you will be redirected to a site under the control of the malwaredevelopers.

As you can see, you should not purchase this program regardless of what it may state. If you have already purchased the program, then please contact your credit card company and dispute the charges. Finally, please use the guide below to remove this infection and any related malware for free.

 

Threat Classification:

  • Information on Rogue Programs & Scareware

 

Advanced information:

View Cleanup Antivirus files.
View Cleanup Antivirus Registry Information.

 

Tools Needed for this fix:

 

Symptoms that may be in a HijackThis Log:

O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 217.23.15.126 www.google.com
O4 - HKCU\..\Run: [CleanUp Antivirus] "C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe" /s /d

 

Associated Cleanup Antivirus Files:

c:\Documents and Settings\All Users\Application Data\345d567\
c:\Documents and Settings\All Users\Application Data\345d567\46.mof
c:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe
c:\Documents and Settings\All Users\Application Data\345d567\CUA.ico
c:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
c:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
c:\Documents and Settings\All Users\Application Data\345d567\BackUp\
c:\Documents and Settings\All Users\Application Data\345d567\CUASys\
c:\Documents and Settings\All Users\Application Data\345d567\CUASys\vd952342.bd
c:\Documents and Settings\All Users\Application Data\345d567\Quarantine Items
c:\Documents and Settings\All Users\Application Data\CUCAISTUA\
c:\Documents and Settings\All Users\Application Data\CUCAISTUA\CUEWA.cfg
c:\Program Files\Mozilla Firefox\searchplugins\search.xml
%UserProfile%\Application Data\CleanUp Antivirus
%UserProfile%\Application Data\CleanUp Antivirus\cookies.sqlite
%UserProfile%\Application Data\CleanUp Antivirus\Instructions.ini
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\CleanUp Antivirus.lnk
%UserProfile%\Desktop\CleanUp Antivirus.lnk
%UserProfile%\Recent\cb.tmp
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\DBOLE.dll
%UserProfile%\Recent\DBOLE.sys
%UserProfile%\Recent\eb.tmp
%UserProfile%\Recent\exec.tmp
%UserProfile%\Recent\FS.dll
%UserProfile%\Recent\grid.exe
%UserProfile%\Recent\pal.drv
%UserProfile%\Recent\pal.tmp
%UserProfile%\Recent\PE.exe
%UserProfile%\Recent\tempdoc.drv
%UserProfile%\Recent\tempdoc.tmp
%UserProfile%\Recent\tjd.sys
%UserProfile%\Recent\tjd.tmp
%UserProfile%\Start Menu\CleanUp Antivirus.lnk
%UserProfile%\Start Menu\Programs\CleanUp Antivirus.lnk

 

Associated Cleanup Antivirus Windows Registry Information:

HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\CU345d.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Library1.00195"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CleanUp Antivirus"
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"

 

 
Highlights
Auto Dealer Websites
Web Marketing