Rogues - PCPrivacyTool family
Currently, there are 30 variants (that I know of) of the rogue privacy program known as PCPrivacyTool. They give exaggerated warnings and label legitimate programs as privacy risks in order to goad the user into buying a full license for the application to fix these errors. The applications can be manually downloaded and installed, or, if your system is vulnerable (without current, adequate protection), they may be installed by a downloader without the user's consent.
Please note that throughout this page I refer only to the HijackThis (or HJT) startup entries and not to all associated files, in keeping with the theme of the rest of the site. Note that if you have more than one rogue installed and they use a file common to other rogues, the HJT log entry (and maybe the filename) could have a number in parentheses appended, e.g., HKLM\..\Run: [Salestart(1)]. See here for an example of such a log.
PCPrivacyTool
HijackThis (or HJT) log startup entries identified:
- O4 - HKLM\..\Run: [PCPrivacyTool] C:\Program Files\PCPrivacyTool\GDC.exe
- O4 - HKLM\..\Run: [gdcw] C:\Programme\PCPrivacyTool\data\GDCW.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\PCPrivacyTool\mc.exe" dm=h**p://pcprivacytool.com; ad=h**p://pcprivacytool.com
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\PCPRIV~1\UGDCcw.exe" -start
The one file they all share (although obviously a different version in each case) is GDC.exe. Many of the other files are also shared between the variants, but not necessarily always the same ones, as you'll see below. In addition, the entries above come from a number of different logs, presumably from different versions of the rogue.
Other registry entries identified:
- HKLM\Run, NI.GDC_0001_N111C1909 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.GDC_0001_N122C1912 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGDC_0003_N108M2407 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGDC_0003_N108M2407] "C:\Documents and Settings\test\Local Settings\Temporary Internet Files\Content.IE5\Y38BI9MN\installer_en[1].exe" -nag
- HKLM\Run, NI.UGDC_0001_N111M1909 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGDC_0001_N111M1909] "C:\documents and settings\sta2.station2\application data\installer_en[1].exe" -nag
- HKLM\Run, NI.UGDC_0001_N122M0502 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDC_0001_N122M0502] "c:\documents and settings\owner\application data\installer_en[1].exe"
- HKLM\Run, NI.UGDC_0001_N122M1912 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDC_0001_N122M1912] "C:\Documents and Settings\Owne\Application Data\pcpriv.exe"
- HKLM\Run, NI.UGDC_0001_N122M2603 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDC_0001_N122M2603] "C:\Documents and Settings\computer\Desktop\installer_en.exe"
- HKLM\Run, NI.UGDC_0001_N122M2610 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDC_0001_N122M2610] "C:\documents and settings\administrator\application data\installer_en[1].exe"
- HKLM\Run, NI.UGDC_0001_N122M2802 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDC_0001_N122M2802] "C:\Documents and Settings\Pasquale\Desktop\installer_en.exe"
- HKLM\Run, NI.UGDC_0001_N122M2811 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDC_0001_N122M2811] "C:\Documents and Settings\Owner\Application Data\installer_en[1].exe"
External links:
- Symantec - rogue description
- CA - rogue description
Any removal guide referred to below uses Malwarebytes Anti-Malware, which incorporates the functionality from their popular (but now discontinued) RogueRemover products.

Variants
The individual variants, listed below, share a common user interface (screenshots © BleepingComputer).
(French → "Private Driver")
HJT log entries:
- O4 - HKCU\..\Run: [ConducteurPrive] C:\Program Files\ConducteurPrive\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\ConducteurPrive\mc.exe" dm=h**p://conducteurprive.com; ad=h**p://conducteurprive.com
HJT log entries:
- O4 - HKLM\..\Run: [ConfidentSurf] "C:\Program Files\ConfidentSurf\GDC.exe"
HJT log entries:
- O4 - HKLM\..\Run: [ContentEraser] C:\Program Files\ContentEraser\GDC.exe"
- O4 - HKLM\..\Run: [GDCW] C:\Program Files\ContentEraser\plug\GDCW.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\ContentEraser\stm.exe" dm=h**p://contenteraser.com ad=h**p://contenteraser.com sd=h**p://ilp.contenteraser.com
HJT log entries:
- O4 - HKLM\..\Run: [DefenseNetSurfage] "C:\Program Files\DefenseNetSurfage\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\DefenseNetSurfage\mc.exe" dm=h**p://defensenetsurfage.com; ad=h**p://defensenetsurfage.com
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\DEFENS~1\UGDCcw.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [DriveDefender] C:\Program Files\DriveDefender\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\DriveDefender\stm.exe" dm=h**p://drivedefender.com ad=h**p://drivedefender.com sd=h**p://ilp.drivedefender.com
(German → "Disk Cleaner")
HJT log entries:
- O4 - HKLM\..\Run: [FestplattenReiniger] C:\Programme\FestplattenReiniger\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "C:\Programme\Gemeinsame Dateien\FestplattenReiniger\mc.exe" dm=h**p://festplattenreiniger.com ad=h**p://festplattenreiniger.com sd=h**p://pkins.festplattenreiniger.com
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\FESTPL~1\UGDCcw.exe" -start
Other registry entries:
- HKLM\Run, NI.GDCDE_0001_N122C1912 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGDCDE_0001_N111M3007 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGDCDE_0001_N111M3007] "C:\Dokumente und Einstellungen\Besitzer\Desktop\installer_de.exe" -nag
- HKLM\Run, NI.UGDCDE_0001_N122M1912 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDCDE_0001_N122M1912] "c:\dokumente und einstellungen\yvonne\anwendungsdaten\installer_de[1].exe"
HJT log entries:
- O4 - HKLM\..\Run: [FilterProgram] C:\Program Files\FilterProgram\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\FilterProgram\mc.exe" dm=hxxp://filterprogram.com ad=hxxp://filterprogram.com sd=hxxp://ilp.filterprogram.com
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\FILTER~1\UGDCcw.exe" -start
Other registry entries:
- HKLM\Run, NI.UGDC1_0001_N119M0911 = ""[file and pathname of the sample #1]" -nag " → see here
HJT log entries:
- O4 - HKLM\..\Run: [HistoriaLout.] C:\Archivos de programa\HistoriaLout\GDC.exe"
HJT log entries:
- O4 - HKCU\..\Run: [MenaceFighter] C:\Program Files\MenaceFighter\GDC.exe"
(Greek)
HJT log entries:
- O4 - HKLM\..\Run: [MistikotitaTuIpologisti] C:\Program Files\MistikotitaTuIpologisti\GDC.exe"
Other registry entries:
- HKLM\Run, NI.UGDCGR_0001_N122M0307 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGDCGR_0001_N122M1812 = ""[file and pathname of the sample #1]"" → see here
HJT log entries:
- O4 - HKLM\..\Run: [MonContenuassistant] C:\Program Files\MonContenuassistant\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\MonContenuassistant\stm.exe" dm=h**p://moncontenuassistant.com ad=h**p://moncontenuassistant.com sd=h**p://paylogs.moncontenuassistant.com
HJT log entries:
- O4 - HKLM\..\Run: [MyContentAssistant] "C:\Programme\MyContentAssistant\GDC.exe"
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\MYCONT~1\UGDCcw.exe" -start
(French → "Nett PC")
HJT log entries:
- O4 - HKCU\..\Run: [Nettordinateur] C:\Program Files\Nettordinateur\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\Nettordinateur\mc.exe" dm=h**p://nettordinateur.com; ad=h**p://nettordinateur.com
HJT log entries:
- O4 - HKCU\..\Run: [NetSurfageAssure] C:\Program Files\NettoyeurDePC\GDC.exe"
HJT log entries:
- O4 - HKLM\..\Run: [NettoyeurDePC] "C:\Program Files\NettoyeurDePC\GDC.exe"
- O4 - HKLM\..\Run: [Dist-FBGeneve] "C:\Program Files\NettoyeurDePC\GDC.exe
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\NETTOY~1\UGDCcw.exe" -start
(Dutch)
HJT log entries:
- O4 - HKLM\..\Run: [NoCompromaat] "D:\Program Files\NoCompromaat\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "D:\Program Files\Common Files\NoCompromaat\mc.exe" dm=h**p://nocompromaat.com; ad=h**p://nocompromaat.com
- O4 - HKLM\..\Run: [ugdccw] "D:\PROGRA~1\NOCOMP~1\UGDCcw.exe" -start
Other registry entries:
- HKLM\Run, NI.UGDCNL_0001_N111M3007 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.UGDCNL_0001_N122M1912 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDCNL_0001_N122M1912] "c:\documents and settings\fam. kraayenbos\application data\installer_nl[1].exe"
- HKLM\Run, NI.UGDCNL_0001_N122M3011 = ""[file and pathname of the sample #1]"" → see here
(Polish → "Computer Cleaner")
HJT log entries:
- O4 - HKLM\..\Run: [OczyszczaczKomputerza] C:\Program Files\OczyszczaczKomputerza\GDC.exe"
- O4 - HKLM\..\Run: [gdcw] C:\Program Files\OczyszczaczKomputerza\data\GDCW.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\OczyszczaczKomputerza\stm.exe" dm=h**p://oczyszczaczkomputerza.com ad=h**p://oczyszczaczkomputerza.com sd=h**p://paistutta.oczyszczaczkomputerza.com
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\OCZYSZ~1\UGDCcw.exe" -start
Other registry entries:
- HKLM\Run, NI.UGDCPL_0001_N108M0207 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGDCPL_0001_N108M0207] "c:\documents and settings\ooo\dane aplikacji\installer_pl[1].exe" -nag
- HKLM\Run, NI.UGDCPL_0001_N122M2012 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDCPL_0001_N122M2012] "C:\Windows\Downloaded Program Files\UGDCPL_0001_N122M2012NetInstaller.exe"
HJT log entries:
- O4 - HKLM\..\Run: [OnlineHelpmate] E:\Program Files\OnlineHelpmate\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "E:\Program Files\Common Files\OnlineHelpmate\mc.exe" dm=h**p://onlinehelpmate.com ad=h**p://onlinehelpmate.com sd=h**p://ilp.onlinehelpmate.com
- O4 - HKLM\..\Run: [ugdccw] "E:\PROGRA~1\ONLINE~2\UGDCcw.exe" -start
HJT log entries:
- O4 - HKLM\..\Run: [PC Drive Tool] "C:\Program Files\PC Drive Tool\GDC.exe"
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\PCDRIV~1\UGDCcw.exe" -start
Other registry entries:
- HKLM\Run, NI.UGDC_0001_N108M0407 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.UGDC_0002_N108M1007 = ""[file and pathname of the sample #1]" -nag " → see here
- Example: O4 - HKLM\..\Run: [NI.UGDC_0002_N108M1007] "c:\documents and settings\ray\application data\installer_en[1].exe" -nag
- HKLM\Run, NI.UGDCTH_0001_N122M1712 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGDCTR_0001_N108M0407 = ""[file and pathname of the sample #1]" -nag " → see here
HJT log entries:
- O4 - HKLM\..\Run: [PrivacyConductor] C:\Program Files\PrivacyConductor\GDC.exe"
- O4 - HKLM\..\Run: [gdcw] C:\Program Files\PrivacyConductor\data\GDCW.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\PrivacyConductor\stm.exe" dm=h**p://privacyconductor.com ad=h**p://privacyconductor.com sd=h**p://ilp.privacyconductor.com
Registry entries:
- HKLM\Run, PrivacyWarrior = "%ProgramFiles%\privacywarrior\gdc.exe"
- HKLM\Run, gdcw = "%ProgramFiles%\PrivacyWarrior\data\GDCW.exe"
- HKLM\Run, Salestart = ""%ProgramFiles%\Common Files\PrivacyWarrior\stm.exe" dm=h**p://privacywarrior.com ad=h**p://privacywarrior.com sd=h**p://ilp.privacywarrior.com"
(French)
HJT log entries:
- O4 - HKLM\..\Run: [ProtectionDeDriver] "C:\Program Files\ProtectionDeDriver\GDC.exe"
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\PROTEC~1\UGDCcw.exe" -start
(Romanian → "Disk Health")
Registry entries:
- HKLM\Run, SanitarDiska = "%ProgramFiles%\sanitardiska\gdc.exe"
- HKLM\Run, Salestart = ""%ProgramFiles%\Common Files\SanitarDiska\mc.exe" dm=h**p://sanitardiska.com ad=h**p://sanitardiska.com sd=h**p://dislog.sanitardiska.com"
- HKLM\Run, ugdccw = ""C:\PROGRA~1\SANITA~1\UGDCcw.exe" -start"
Other registry entries:
- HKLM\Run, NI.UGDCRU_0001_N111M0208 = ""[file and pathname of the sample #1]" -nag " → see here
- HKLM\Run, NI.UGDCRU_0001_N122M2012 = ""[file and pathname of the sample #1]"" → see here
(Dutch → "Disk Controller")
HJT log entries:
- O4 - HKCU\..\Run: [SchijfControleur] C:\Program Files\SchijfControleur\GDC.exe"
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SchijfControleur\mc.exe" dm=h**p://schijfcontroleur.com; ad=h**p://schijfcontroleur.com
HJT log entries:
- O4 - HKLM\..\Run: [SecurePCCleaner] C:\Program Files\SecurePCCleaner\GDC.exe"
- O4 - HKLM\..\Run: [gdcw] C:\Program Files\SecurePCCleaner\data\GDCW.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SecurePCCleaner\mc.exe" dm=h**p://securepccleaner.com ad=h**p://securepccleaner.com sd=h**p://ilp.securepccleaner.com
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SecurePCCleaner\stm.exe" dm=h**p://securepccleaner.com ad=h**p://securepccleaner.com sd=h**p://ilp.securepccleaner.com
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\SECURE~1\UGDCcw.exe" -start
(Czech)
HJT log entries:
- O4 - HKLM\..\Run: [SuspenzorPC] "C:\Program Files\SuspenzorPC\GDC.exe"
- O4 - HKLM\..\Run: [GDCW] C:\Program Files\suspenzorpc\plug\GDCW.exe
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\SUSPEN~1\UGDCcw.exe" -start
Other registry entries:
- HKLM\Run, NI.UGDCCZ_0001_N122M0307 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDCCZ_0001_N122M0307] "C:\Documents and Settings\Honza a Jindra\Plocha\installer_cz.exe"
- HKLM\Run, NI.UGDCCZ_0001_N122M0511 = ""[file and pathname of the sample #1]"" → see here
- HKLM\Run, NI.UGDCCZ_0001_N122M1712 = ""[file and pathname of the sample #1]"" → see here
- Example: O4 - HKLM\..\Run: [NI.UGDCCZ_0001_N122M1712] "C:\WINDOWS.0\Downloaded Program Files\CONFLICT.1\UGDCCZ_0001_N122M1712NetInstaller.exe"
(Turkish → "Clean Driver")
Registry entries:
- HKLM\Run, "TemizSurucu"="C:\\Program Files\\TemizSurucu\\GDC.exe"
- HKLM\Run, "gdcw"="C:\\Program Files\\TemizSurucu\\data\\GDCW.exe"
- HKLM\Run, "Salestart"="\"C:\\Program Files\\Common Files\\TemizSurucu\\stm.exe\" dm=h**p://temizsurucu.com ad=h**p://temizsurucu.com sd=h**p://sepad.temizsurucu.com"
(Finnish → "SecurityPC")
HJT log entries:
- O4 - HKLM\..\Run: [TurvaPC] C:\Program Files\TurvaPC\GDC.exe"
HJT log entries:
- O4 - HKLM\..\Run: [WinAnonymous] C:\Program Files\WinAnonymous\GDC.exe"
- O4 - HKLM\..\Run: [gdcw] C:\Program Files\WinAnonymous\data\GDCW.exe
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAnonymous\mc.exe" dm=h**p://winanonymous.com; ad=h**p://winanonymous.com
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAnonymous\stm.exe" dm=h**p://winanonymous.com ad=h**p://winanonymous.com sd=h**p://ilp.winanonymous.com
HJT log entries:
- O4 - HKLM\..\Run: [YourPrivacyGuard] "C:\Program Files\YourPrivacyGuard\GDC.exe"
- O4 - HKLM\..\Run: [gdccw] "C:\PROGRA~1\COMMON~1\YOURPR~1\GDCcw.exe" -start
- O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\YourPrivacyGuard\stm.exe" dm=h**p://YourPrivacyGuard.com ad=h**p://YourPrivacyGuard.com sd=h**p://ilp.YourPrivacyGuard.com
- O4 - HKLM\..\Run: [ugdccw] "C:\PROGRA~1\YOURPR~1\UGDCcw.exe" -start
Copyright © Pacman's Portal, 2001 - 2013
All rights reserved
