
Www1.setupclean-softpc.in

Posted: February 22, 2010

Www1.setupclean-softpc.in is a fake scanner website that supports the rogue anti-virus program Security Antivirus. Technically, Www1.setupclean-softpc.in is an HTML script. Security Antivirus uses Trojans to enter the PC and hijack the browser by changing its settings, so that users are redirected to Www1.setupclean-softpc.in even though they never intended to visit it. Www1.setupclean-softpc.in then produces a fake scan that warns that the system is full of various threats, and tells you to buy Security Antivirus to remove these alleged threats. Get rid of the Www1.setupclean-softpc.in hijacker by removing the Trojans from your PC with a reliable anti-virus program.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %Documents and Settings%\[UserName]\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Antivirus.lnk
    2 %Documents and Settings%\[UserName]\Application Data\Security Antivirus
    3 %Documents and Settings%\[UserName]\Application Data\Security Antivirus\cookies.sqlite
    4 %Documents and Settings%\[UserName]\Desktop\Security Antivirus.lnk
    5 %Documents and Settings%\[UserName]\Recent\ANTIGEN.drv
    6 %Documents and Settings%\[UserName]\Recent\ANTIGEN.exe
    7 %Documents and Settings%\[UserName]\Recent\cid.dll
    8 %Documents and Settings%\[UserName]\Recent\CLSV.drv
    9 %Documents and Settings%\[UserName]\Recent\DBOLE.sys
    10 %Documents and Settings%\[UserName]\Recent\ddv.dll
    11 %Documents and Settings%\[UserName]\Recent\ddv.sys
    12 %Documents and Settings%\[UserName]\Recent\energy.tmp
    13 %Documents and Settings%\[UserName]\Recent\FS.drv
    14 %Documents and Settings%\[UserName]\Recent\gid.drv
    15 %Documents and Settings%\[UserName]\Recent\PE.drv
    16 %Documents and Settings%\[UserName]\Recent\PE.exe
    17 %Documents and Settings%\[UserName]\Recent\PE.sys
    18 %Documents and Settings%\[UserName]\Recent\PE.tmp
    19 %Documents and Settings%\[UserName]\Recent\runddlkey.dll
    20 %Documents and Settings%\[UserName]\Recent\std.exe
    21 %Documents and Settings%\[UserName]\Recent\tjd.drv
    22 %Documents and Settings%\[UserName]\Recent\tjd.sys
    23 %Documents and Settings%\[UserName]\Start Menu\Programs\Security Antivirus.lnk
    24 %Documents and Settings%\[UserName]\Start Menu\Security Antivirus.lnk
    25 %Documents and Settings%\All Users\Application Data\345d567
    26 %Documents and Settings%\All Users\Application Data\345d567\72.mof
    27 %Documents and Settings%\All Users\Application Data\345d567\BackUp
    28 %Documents and Settings%\All Users\Application Data\345d567\BackUp\Adobe Reader Speed Launch.lnk
    29 %Documents and Settings%\All Users\Application Data\345d567\BackUp\Adobe Reader Synchronizer.lnk
    30 %Documents and Settings%\All Users\Application Data\345d567\mozcrt19.dll
    31 %Documents and Settings%\All Users\Application Data\345d567\Quarantine Items
    32 %Documents and Settings%\All Users\Application Data\345d567\SA345d.exe
    33 %Documents and Settings%\All Users\Application Data\345d567\SAV.ico
    34 %Documents and Settings%\All Users\Application Data\345d567\SAVSys
    35 %Documents and Settings%\All Users\Application Data\345d567\SAVSys\vd952342.bd
    36 %Documents and Settings%\All Users\Application Data\345d567\sqlite3.dll
    37 %Documents and Settings%\All Users\Application Data\SADFIOPODIV\SAAKDUPV.cfg
    38 %Program Files%\Mozilla Firefox\searchplugins\search.xml

Registry Modifications

  • The following Registry values were newly created:
    HKEY..\..\..\..{Subkeys}
    HKEY_CURRENT_USER\Software\3
    HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "App/7.00195"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Antivirus"
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
    HKEY..\..\..\..{RegistryKeys}
    HKEY_CLASSES_ROOT\SA345d.DocHostUIHandler