My [very un-]clean PC

Now it’s time to see if MyCleanPC can really clean an infected PC. So here’s my test Windows XP SP3 VM – the only change I have made is the malware that I ‘accidentally’ downloaded – in reality, it was the typical ‘click-where-I-should-not-have’ and then have an IE window come up looking like the ‘My Computer’ window and being scanned….a very common scare tactic: Your computer is infected, download this program to clean it up! When in reality what you’re downloading is the malware (sounds a lot like MyCleanPC, doesn’t it?)

Can you guess what ‘pack.exe’ is? I’m guessing it’s malware. Let’s ask VirusTotal:

I would say so…though there were only 4 hits for this pack.exe – the other was from Fortinet – it was picked up as W32/Krypt.G!tr. Let’s see what happens when we “install” [run] this executable. Here’s what happens:

Pack.exe spawns a CMD process to do all of the work – and one of the last things it does is to spawn a taskkill.exe to kill the pack.exe and the cmd.exe. Additionally, the pack.exe that was originally on the desktop is gone. This is the most common malware behaviour on the planet – the end result is a process with a randomly generated name such as this: temigl.exe (it changes every time)
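That process chain (dropper → cmd.exe → taskkill against its own ancestors, leaving a freshly dropped random-named executable behind) is a recognisable pattern in process-creation telemetry. The following is an added example, not code from the post: it walks a list of constructed process-creation events (PIDs, paths and command lines are hypothetical, modelled on the behaviour described above) and flags any taskkill whose /IM or /PID targets name one of its own ancestors, reporting the sibling the same cmd.exe launched as the likely dropped payload.

```python
"""Detect the self-deleting dropper pattern in process-creation events.

Added example; the events below are constructed to mirror the post's
description (pack.exe -> cmd.exe -> taskkill killing pack.exe/cmd.exe,
plus a dropped random-named executable). They are not a real capture.
"""
import re

# Constructed sample events, Sysmon/EDR style: pid, parent pid, image path, command line.
EVENTS = [
    # the "accidentally" downloaded dropper on the desktop (hypothetical paths)
    {"pid": 1200, "ppid": 900,
     "image": r"C:\Documents and Settings\user\Desktop\pack.exe",
     "cmdline": r'"C:\Documents and Settings\user\Desktop\pack.exe"'},
    # cmd.exe that does the work (the real arguments were not captured in the post)
    {"pid": 1300, "ppid": 1200,
     "image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": "cmd.exe"},
    # the dropped, randomly named payload
    {"pid": 1400, "ppid": 1300,
     "image": r"C:\Documents and Settings\user\Application Data\temigl.exe",
     "cmdline": "temigl.exe"},
    # taskkill aimed at the dropper (by image) and the cmd.exe (by pid)
    {"pid": 1500, "ppid": 1300,
     "image": r"C:\WINDOWS\system32\taskkill.exe",
     "cmdline": "taskkill /F /IM pack.exe /PID 1300"},
    # benign admin use of taskkill for contrast: must not alert
    {"pid": 2000, "ppid": 900,
     "image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 2100, "ppid": 2000,
     "image": r"C:\WINDOWS\system32\taskkill.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_taskkill_targets(cmdline):
    """Return (image_names, pids) named on a taskkill command line via /IM and /PID."""
    images = {m.lower() for m in re.findall(r'/im\s+"?([^\s"]+)', cmdline, re.I)}
    pids = {int(m) for m in re.findall(r"/pid\s+(\d+)", cmdline, re.I)}
    return images, pids


def ancestors(pid, by_pid):
    """Yield the ancestor events of pid, nearest first; stops on gaps or cycles."""
    seen = {pid}
    event = by_pid.get(pid)
    while event is not None:
        parent = by_pid.get(event["ppid"])
        if parent is None or parent["pid"] in seen:
            return
        seen.add(parent["pid"])
        yield parent
        event = parent


def find_self_kill(events):
    """Flag taskkill invocations that target one of their own ancestors.

    Returns one alert per suspicious taskkill with the ancestors it kills and
    the sibling processes launched by the same parent (the probable payload).
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e["image"]) != "taskkill.exe":
            continue
        images, pids = parse_taskkill_targets(e["cmdline"])
        killed = [a for a in ancestors(e["pid"], by_pid)
                  if image_name(a["image"]) in images or a["pid"] in pids]
        if not killed:
            continue  # ordinary taskkill use, e.g. an admin killing notepad.exe
        siblings = [s for s in events
                    if s["ppid"] == e["ppid"] and s["pid"] != e["pid"]]
        alerts.append({
            "taskkill_pid": e["pid"],
            "killed": [a["image"] for a in killed],
            "dropped": [s["image"] for s in siblings],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_self_kill(EVENTS):
        print("self-deleting dropper:", alert)
```

The ancestor walk is what keeps the benign case quiet: an admin running `taskkill /F /IM notepad.exe` from a console never names its own parent chain, whereas the dropper's cmd.exe does. On a real host you would feed this the process-creation log rather than the constructed list, and the `dropped` path is exactly the "where is the .exe that is running" answer you need before the next reboot.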

As soon as you press OK in the warning window above (Warning! you just installed malware!!) the real PITA shows itself:

So I’ve got a boatload of viruses on this 100% completely clean install of XP…so what? (really?!?) If you look at disk activity during the so called “scan” there is none:

Any time you want to close a window, “download updates” you are redirected to a site asking for your credit card to “Activate” your software. 

 Any time you try to “activate”, you must send your credit card information, all your personal information, and your first born child to these people:

Obviously you don’t want to do that. On a side note, since I documented these images, the “payment” site no longer works.

At this point, I can still launch anything – regedit, cmd, procexp – but I’m betting this will change after a reboot.


Sure enough! After a reboot and a few minutes, EVERYTHING is “infected” – No admin tools are allowed to run. This is very typical for most of the malware I have seen these days – you cannot open anything except an explorer window, or an internet browser…otherwise, you are met with one of the above messages. The easiest way to get around this is to know where the .exe that is running is located, or open a CMD window, or Process Explorer ASAP after a reboot.

Now let’s see if our trusty ‘MyCleanPC’ can get rid of this junk. As you recall from the first scan, there were 144 errors found:

And now after scanning when there is actually malware on the PC…:

That’s right! 143 errors!!! So not only did MyCleanPC not pick up the legitimate malware – as you can see by the message bubble, the Security Shield malware is…: still running…. – it also found FEWER errors than during the first scan!!

Long story short: Don’t waste your money on these “Clean My PC” or “Got a slow PC” gimmicks. Get some real protection – and the best protection of all is common sense. Oh, and also don’t give your credit card number to the malware authors….now that’s a REAL waste of money!
