Rogues - ErrClean family
Currently, there are 29 variants (that I know of) of the rogue system error and cleaning utility known as ErrClean. They make exaggerated reports of errors on the computer in order to goad the user into buying a full license for the application to fix these errors. The applications can be manually downloaded and installed, or if your system is vulnerable (without current, adequate protection), they may be installed by a downloader - without the user's consent.
Please note that throughout this page I only refer to the HijackThis (or HJT) startup entries and not all associated files - to keep in with the theme of the rest of the site. Note that if you have more than one rogue installed that uses a file common to other rogues, the HJT log entry (and maybe filename) could have a pair of () with a number inside appended, i.e., HKLM\..\Run: [Salestart(1)]. See here for an example of such a log.
ErrClean
The following image (© Symantec) shows the main screen for ErrClean (click on the image for a larger version - applies throughout):

HijackThis (or HJT) log startup entries identified:
- O4 - HKLM\..\Run: [ErrClean] C:\Program Files\ErrClean\SysRep.exe
- O4 - HKLM\..\Run: [cookw] "C:\PROGRA~1\FELLES~1\ErrClean\cookw.exe" -start
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\ErrClean\ucookw.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\ErrClean\strpmon.exe" dm=h**p://errclean.com; ad=h**p://errclean.com
- O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\ErrClean\ucookw.exe" -start
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\ErrClean\ugescw.exe" -start
The one file they all share (although a different version in each case, obviously) is SysRep.exe. Many of the others are also shared between the variants - but not necessarily always the same one, as you'll see below. In addition, the entries above are from a number of different logs - presumably from different versions of the rogue.
Other registry entries identified:
- HKLM\Run, NI.UGES_0001_N122M2610 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGES_0001_N122M2610] "C:\Documents and Settings\Libuše Pilarová\Dokumenty\setup_en.exe"
- HKLM\Run, NI.UGES_0001_N122M2111 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGES_0001_N122M2111] "c:\documents and settings\owne\application data\setup_en[1].exe"
- HKLM\Run, NI.GES_0001_N122C2610 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGES_0002_N108M1607 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGES_0002_N108M1607] "C:\Documents and Settings\Owner\Desktop\setup_en.exe" -nag
- HKLM\Run, NI.UGES_0001_N122M0502 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGES_0001_N122M0502] "c:\documents and settings\eugene\application data\setup_en[1].exe"
- HKLM\Run, NI.UGES_0001_N122M2602 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGES_0001_N122M2602] "c:\dokumente und einstellungen\from autumn to ashes\anwendungsdaten\setup_en[1].exe"
- HKLM\Run, NI.UGES_0001_N122M2603 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGES_0001_N122M2603] "c:\documents and settings\pedro\application data\setup_en[1].exe"
External links:
Any removal guide referred to below uses MalwareBytes Anti-Malware, which incorporates the functionality from their popular (but now discontinued) RogueRemover products:

Variants
Before dealing with the individual variants, here are some screenshots from some of them (© BleepingComputer) showing the common user interface:
HJT log entries:
- O4 - HKLM\..\Run: [AhorreMemoria] "C:\Archivos de programa\AhorreMemoria\SysRep.exe
- O4 - HKLM\..\Run: [ucookw] "C:\ARCHIV~1\AHORRE~1\ucookw.exe" -start
- O4 - HKLM\..\Run: [Salestart] "C:\Archivos de programa\Archivos comunes\AhorreMemoria\strpmon.exe" dm=h**p://ahorrememoria.com ad=h**p://ahorrememoria.com sd=h**p://payin.ahorrememoria.com
(Dutch → "Conservation Tool")
HJT log entries:
- O4 - HKLM\..\Run: [BeschermingsTool] C:\Program Files\BeschermingsTool\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\BeschermingsTool\ucookw.exe
- O4 - HKLM\..\Run: [gescw] "C:\PROGRA~1\COMMON~1\BESCHE~1\gescw.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [BugsDestroyer] C:\Program Files\BugsDestroyer\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\BugsDestroyer\ucookw.exe
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\BUGSDE~1\ugescw.exe" -start
- O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\BugsDestroyer\strpmon.exe" dm=h**p://bugsdestroyer.com ad=h**p://bugsdestroyer.com sd=h**p://inspaid.bugsdestroyer.com
HJT log entries:
- O4 - HKLM\..\Run: [CleanPCTool] C:\Program Files\CleanPCTool\SysRep.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\CleanPCTool\strpmon.exe" dm=h**p://cleanpctool.com ad=h**p://cleanpctool.com sd=h**p://inspaid.cleanpctool.com
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\CleanPCTool\ucookw.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\CleanPCTool\strpmon.exe" dm=h**p://cleanpctool.com ad=h**p://cleanpctool.com sd=h**p://inspaid.cleanpctool.com
- O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\CLEANP~1\ucookw.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [CleanupTool] C:\Program Files\CleanupTool\SysRep.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\CleanupTool\strpmon.exe" dm=h**p://cleanuptool.com ad=h**p://cleanuptool.com sd=h**p://inspaid.cleanuptool.com
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\CleanupTool\ucookw.exe
(German → "Disk Saviour")
HJT log entries:
- O4 - HKLM\..\Run: [DiskRetter] C:\Programme\DiskRetter\SysRep.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Programme\Gemeinsame Dateien\DiskRetter\strpmon.exe" dm=h**p://diskretter.com ad=h**p://diskretter.com sd=h**p://painst.diskretter.com
- O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\DISKRE~1\ucookw.exe" -start
(Dutch → "Doctor Fix")
HJT log entries:
- O4 - HKLM\..\Run: [DokterFix] C:\Program Files\DokterFix\SysRep.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\DokterFix\strpmon.exe" dm=h**p://dokterfix.com; ad=h**p://dokterfix.com
- O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\DOKTER~1\ucookw.exe" -start
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\DOKTER~1\ugescw.exe" -start
Other registry entries:
- HKLM\Run, NI.UGESM_0001_N122M0303 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGESM_0001_N122M0303] "c:\users\d&v\appdata\roaming\setup_nl[1].exe"
(French → "Error Hunter")
HJT log entries:
- O4 - HKLM\..\Run: [ErreurChasseur] C:\Program Files\ErreurChasseur\SysRep.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Fichiers communs\ErreurChasseur\strpmon.exe" dm=h**p://erreurchasseur.com ad=h**p://erreurchasseur.com sd=h**p://repay.erreurchasseur.com
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\ErreurChasseur\ucookw.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\ErreurChasseur\strpmon.exe" dm=h**p://erreurchasseur.com ad=h**p://erreurchasseur.com sd= h**p://repay.erreurchasseur.com
- O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\ERREUR~1\ucookw.exe" -start
(German → "Disk Cleaner")
HJT log entries:
- O4 - HKLM\..\Run: [FestPlattenCleaner] C:\Programme\FestPlattenCleaner\SysRep.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Programme\Gemeinsame Dateien\FestPlattenCleaner\strpmon.exe" dm=h**p://festplattencleaner.com; ad=h**p://festplattencleaner.com
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\FESTPL~1\ugescw.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [HardDriveGuard] C:\Program Files\HardDriveGuard\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\HardDriveGuard\ucookw.exe
- O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\HardDriveGuard\strpmon.exe" dm=h**p://harddriveguard.com ad=h**p://harddriveguard.com sd=h**p://inspaid.harddriveguard.com
(Turkish → "Error ??")
Registry entries:
- HKLM\..\Run, "HataDuzelticisi"="C:\\Program Files\\HataDuzelticisi\\SysRep.exe"
- HKLM\..\Run, "Salestart"="\"C:\\Program Files\\Common Files\\HataDuzelticisi\\strpmon.exe\" dm=h**p://hataduzelticisi.com ad=h**p://hataduzelticisi.com sd=h**p://paid.hataduzelticisi.com"
Other registry entries:
- HKLM\Run, NI.UGESF_0001_N122M0201 = ""[file and pathname of the sample #1]"" → see here
(French → "Free System")
HJT log entries:
- O4 - HKLM\..\Run: [LibreSystem] C:\Program Files\LibreSystem\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\LibreSystem\ucookw.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\LibreSystem\strpmon.exe" dm=h**p://libresystem.com ad=h**p://libresystem.com sd=h**p://repay.libresystem.com
- O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\LIBRES~1\ucookw.exe" -start
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\LIBRES~1\ugescw.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [PCToolPro] C:\Program Files\PCToolPro\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\PCToolPro\ucookw.exe
- O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\PCToolPro\strpmon.exe" dm=h**p://pctoolpro.com ad=h**p://pctoolpro.com sd=h**p://inspaid.pctoolpro.com
HJT log entries:
- O4 - HKLM\..\Run: [ProtectingTool] C:\Program Files\ProtectingTool\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\ProtectingTool\ucookw.exe
- O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\ProtectingTool\strpmon.exe" dm=h**p://protectingtool.com ad=h**p://protectingtool.com sd=h**p://inspaid.protectingtool.com
HJT log entries:
- O4 - HKLM\..\Run: [ProtejaseuDrive] C:\Arquivos de programas\ProtejaseuDrive\SysRep.exe
- O4 - HKLM\..\Run: [ucookw] "C:\ARQUIV~1\PROTEJ~1\ucookw.exe" -start
(Italian → "Soft Protection")
HJT log entries:
- O4 - HKLM\..\Run: [ProtezioneSoft] C:\Programmi\ProtezioneSoft\SysRep.exe
- O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\PROTEZ~1\ucookw.exe" -start
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\PROTEZ~1\ugescw.exe" -start
(French → "System Repairs")
HJT log entries:
- O4 - HKCU\..\Run: [reparateurdesysteme] C:\Program Files\ReparateurDeSysteme\SysRep.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Fichiers communs\ReparateurDeSysteme\strpmon.exe" dm=h**p://reparateurdesysteme.com ad=h**p://reparateurdesysteme.com sd=h**p://repay.reparateurdesysteme.com
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\ReparateurDeSysteme\ucookw.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\ReparateurDeSysteme\strpmon.exe" dm=h**p://reparateurdesysteme.com ad=h**p://reparateurdesysteme.com sd=h**p://repay.reparateurdesysteme.com
HJT log entries:
- O4 - HKLM\..\Run: [SafeHardDrive] C:\Program Files\SafeHardDrive\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\SafeHardDrive\ucookw.exe
- O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\SafeHardDrive\strpmon.exe" dm=h**p://safeharddrive.com ad=h**p://safeharddrive.com sd=h**p://inspaid.safeharddrive.com
HJT log entries:
- O4 - HKLM\..\Run: [SafePCTool] "C:\Program Files\SafePCTool\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\SafePCTool\ucookw.exe
- O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\SafePCTool\strpmon.exe" dm=h**p://safepctool.com ad=h**p://safepctool.com sd=h**p://inspaid.safepctool.com
(Dutch → "DiscGuard")
HJT log entries:
- O4 - HKLM\..\Run: [SchijfBewaker] C:\Program Files\SchijfBewaker\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\SchijfBewaker\ucookw.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SchijfBewaker\strpmon.exe" dm=h**p://schijfbewaker.com; ad=h**p://schijfbewaker.com
- O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\SchijfBewaker\strpmon.exe" dm=h**p://schijfbewaker.com; ad=h**p://schijfbewaker.com
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\SCHIJF~1\ugescw.exe" -start
(Dutch → "Security Tool")
HJT log entries:
- O4 - HKLM\..\Run: [SicherheitsTool] C:\Programme\SicherheitsTool\SysRep.exe
- O4 - HKLM\..\Run: [BMN] "C:\Programme\Gemeinsame Dateien\SicherheitsTool\strpmon.exe" dm=h**p://sicherheitstool.com ad=h**p://sicherheitstool.com sd=h**p://painst.sicherheitstool.com
- O4 - HKLM\..\Run: [cwriter] C:\Programme\SicherheitsTool\ucookw.exe
HJT log entries:
- O4 - HKLM\..\Run: [SolutionReg] C:\Program Files\SolutionReg\SysRep.exe
HJT log entries:
- O4 - HKLM\..\Run: [StorageProtector] C:\Program Files\StorageProtector\SysRep.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\StorageProtector\strpmon.exe" dm=h**p://storageprotector.com ad=h**p://storageprotector.com sd=h**p://inspaid.storageprotector.com
- O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\STORAG~1\ucookw.exe" -start
(French)
HJT log entries:
- O4 - HKLM\..\Run: [SysDepannage] C:\Program Files\SysDepannage\SysRep.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Fichiers communs\SysDepannage\strpmon.exe" dm=h**p://sysdepannage.com ad=h**p://sysdepannage.com sd=h**p://repay.sysdepannage.com
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\SysDepannage\ucookw.exe
- O4 - HKLM\..\Run: [gescw] "C:\PROGRA~1\COMMON~1\SYSDEP~1\gescw.exe" -start
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\SYSDEP~1\ugescw.exe" -start
Other registry entries:
- HKLM\Run, NI.UGESV_0001_N108M2006 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGESV_0001_N108M2006] "C:\Documents and Settings\nolwen boucher\Bureau\setup_fr.exe" -nag
- HKLM\Run, NI.UGESV_0001_N122M0303 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGESV_0001_N122M0303] "c:\documents and settings\marion m\application data\setup_fr[1].exe"
- HKLM\Run, NI.UGESV_0001_N122M2811 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGESV_0001_N122M2811] "C:\Users\nanie\AppData\Roaming\setup_fr[1].exe"
- HKLM\Run, NI.UGESV_0001_N122M3010 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGESV_0001_N122M3010] "c:\documents and settings\lacraz\application data\setup_fr[1].exe"
HJT log entries:
- O4 - HKLM\..\Run: [SystemErrorFixer] C:\Program Files\SystemErrorFixer\SysRep.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe" dm=h**p://systemerrorfixer.com ad=h**p://systemerrorfixer.com sd=h**p://inspaid.systemerrorfixer.com
- O4 - HKLM\..\Run: [ucookw] "C:\PROGRA~1\SYSTEM~1\ucookw.exe" -start
(Swedish → "Ancillary System")
HJT log entries:
- O4 - HKLM\..\Run: [SystemOrdnare] C:\Program\SystemOrdnare\SysRep.exe
Other registry entries:
- HKLM\Run, NI.UGESL_0001_N105M0405 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.UGESL_0001_N122M0303 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGESL_0001_N122M2911 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGESL_0001_N122M2911] "c:\documents and settings\calle\application data\setup_se[1].exe"
(Italian)
HJT log entries:
- O4 - HKCU\..\Run: [toolsicuro] C:\Programmi\ToolSicuro\SysRep.exe
- O4 - HKLM\..\Run: [BMN] "C:\Programmi\File comuni\ToolSicuro\strpmon.exe" dm=h**p://toolsicuro.com ad=h**p://toolsicuro.com sd=h**p://napa.toolsicuro.com
- O4 - HKLM\..\Run: [Salestart] "C:\Programmi\File comuni\ToolSicuro\strpmon.exe" dm=h**p://toolsicuro.com; ad=h**p://toolsicuro.com
- O4 - HKLM\..\Run: [ugescw] "C:\PROGRA~1\TOOLSI~1\ugescw.exe" -start
(French → "On User")
HJT log entries:
- O4 - HKLM\..\Run: [UtilisateurSur] C:\Program Files\UtilisateurSur\SysRep.exe
- O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\UtilisateurSur\strpmon.exe" dm=h**p://utilisateursur.com ad=h**p://utilisateursur.com sd=h**p://repay.utilisateursur.com
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\UtilisateurSur\ucookw.exe
HJT log entries:
- O4 - HKLM\..\Run: [WinPCDoctor] C:\Program Files\WinPCDoctor\SysRep.exe
- O4 - HKLM\..\Run: [cwriter] C:\Program Files\WinPCDoctor\ucookw.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=h**p://winpcdoctor.com ad=h**p://winpcdoctor.com sd=h**p://inspaid.winpcdoctor.com
- O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=h**p://winpcdoctor.com ad=h**p://winpcdoctor.com sd=h**p://inspaid.winpcdoctor.com

Copyright © Paul Collins, 2001 - 2010
Pacman's Portal
All rights reserved
