
Trust Cleaner, the rogue anti-spyware app that tricks you into thinking it’s Google.

A new rogue anti-spyware application called Trust Cleaner has been released. At first glance it works the same way as the other rogue anti-spyware applications released lately, such as SpyFalcon and SpywareQuake: trojans on the infected machine display fake security warnings that goad you into purchasing the full commercial version of the software. This particular variant, though, adds some additional “features” to its installation, which we describe below. If you are here because you are infected and do not wish to read this entire article, you can go straight to our Trust Cleaner Removal Guide instead.

The programs that are installed on your computer are downloaded from the domains trustincash.com and trustcleaner.com. Both domains appear to be registered through GoDaddy, but unfortunately both use private registration, so the WHOIS records tell us nothing further about the people behind this malware. Both download hostnames resolve to the same IP address, though, so they are hosted on the same web server and are most likely run by the same company (shared hosting can put unrelated sites on one address, so treat this as strong evidence rather than proof). It is not surprising that we found that this IP address belongs to the ISP Intercage, which is notorious for hosting other malware and spyware sites. We have purposely left out the specific URLs the infection downloads its software from in order to protect our readers. If you are a security professional or security developer, please contact us to get this information.

Once the malware is installed, the rogue anti-spyware program Trust Cleaner is set to start automatically when your computer starts. It then scans your computer for supposed spyware and malware and displays a list of the items it found. Ironically, it finds its own components and labels them as spyware, as shown in the image below.

Trust Cleaner rogue anti-spyware program
Trust Cleaner Program

This infection, like all the other recent rogue anti-spyware apps, issues fake taskbar alerts by registering a DLL under the SharedTaskScheduler registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler). Explorer loads every DLL listed there when it starts, and since Explorer also starts in Safe Mode, the DLL is loaded in either normal or safe mode. An example of a fake taskbar alert is below.

Trust Cleaner Fake Task Bar Alert
Fake Taskbar Alerts

This infection also issues fake warnings on your desktop through the program C:\Program Files\TrustIn Popups\TrustInPopups.exe, which displays fake security warnings as ordinary windows directly on your desktop. An example of its fake desktop warning is found below. Another interesting feature of this program is that it cancels all Windows restart requests, so you cannot restart your computer until you kill the process first (for example from Task Manager).

TrustInPopups.exe Fake Desktop Warning
Fake Desktop Warning Window

Furthermore, it installs a toolbar and other ActiveX controls in Internet Explorer that present popups with “contextual” ads about whatever you are searching for on other sites such as CNN, Yahoo, or Google. So if you go to the real Google site and search for something, this software opens a new Internet Explorer window with its own ads specific to that search term. While the malware interferes with your Yahoo and Google searches in this way, it blocks all access to any web page in the MSN domain.

Finally, and just as deceptively, it changes your Internet Explorer home page to an HTML page loaded from a file on your local computer, C:\Windows\local.html. This page generates a home page that looks strikingly like Google; it even states at the bottom of the page that it is powered by Google. In reality, though, the page uses results from the site www.mswindowssearch.com and not from Google. Below is an image of the fake home page and one of the real Google home page so you can see the differences.

Trust Cleaner - Fake Google Homepage
Fake Google home page

Real Google Homepage
Real Google home page

Notice that the copyright notice differs significantly from the one the real Google home page uses, and that the links on the main page are different. Let's take a look at a search in the fake Google home page using the search term job.

Fake Google Job Search
Fake Google search for the term Job

At first glance, the page looks a lot like a Google search result page. When you examine it closely, though, you will notice quite a few differences. The main ones are that it does not let you go to other pages of results, it has its own way of showing sponsored sites on the right side of the page, and it displays very different results. Let's take a look at the same search using Google.

Real Jobs Search Using Google
Real Google search for the term Job

As you can see, the format of the search results is almost identical and the page colors are the same, but the page layout is different. It is possible that this fake search engine uses the Google API to retrieve some of its results, as some of them are legitimate and include listings from sites you would not expect to advertise with a spyware company, but for the most part the results are typical of these types of hijackers.

As you can see, this is a new breed of rogue anti-spyware application. This variant is not satisfied with just trying to scare you into purchasing a piece of software; it also changes settings in Internet Explorer, displays popups, and tries to cash in on the search engine advertising market.
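To check a machine for the registry-level indicators described in this article (a SharedTaskScheduler entry that is not one of the stock Windows ones, an Internet Explorer start page that points at a local file, and an autostart entry for TrustInPopups.exe), here is an added example written for this page; it is not code from Bleeping Computer, from the Trust Cleaner removal guide, or from the malware itself. It parses the text of a `reg export` (.reg) file rather than touching the live registry, so it runs offline against exports taken from an infected machine. The sample export embedded in it is constructed: the third SharedTaskScheduler CLSID, the DLL name tsc.dll and the Run value are invented placeholders and are not Trust Cleaner's real identifiers; the first two CLSIDs are the entries Windows XP itself registers. Whether Trust Cleaner starts TrustInPopups.exe through a Run key is also an assumption, since the article only says the software is set to start automatically.

```python
import re

# Constructed sample of a `reg export` (Windows Registry Editor 5.00) file. The third
# SharedTaskScheduler CLSID, the DLL name tsc.dll and the Run value are invented for this
# example and are NOT Trust Cleaner's real identifiers; the first two CLSIDs are stock XP.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Category Cache Daemon"
"{AAAA1111-2222-3333-4444-555566667777}"="system helper"
[HKEY_CLASSES_ROOT\CLSID\{AAAA1111-2222-3333-4444-555566667777}\InprocServer32]
@=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  74,00,73,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\Windows\\local.html"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TrustInPopups"="\"C:\\Program Files\\TrustIn Popups\\TrustInPopups.exe\""
"""

# Key paths are compared upper-cased because the registry is case-insensitive.
STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER"
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
IE_MAIN = r"\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN"
RUN = r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
# The two SharedTaskScheduler entries a stock Windows XP install has; anything else needs a look.
KNOWN_GOOD_STS = {"{438755C2-A8BA-11D1-B96B-00A0C90312E1}",   # Browseui preloader
                  "{8C7461EF-2B13-11D2-BE35-3078302C2030}"}   # Component Category Cache Daemon
LOCAL_PATH = re.compile(r"^(?:[a-z]:\\|file:)", re.I)      # drive letter or file: URL


def _join_continuations(text):
    """reg export wraps long hex values with a trailing backslash; rejoin those lines."""
    lines, pending = [], None
    for raw in text.splitlines():
        line = pending + raw.strip() if pending is not None else raw.rstrip()
        pending = line[:-1] if line.endswith("\\") else None
        if pending is None:
            lines.append(line)
    if pending is not None:
        lines.append(pending)
    return lines


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)     # .reg escapes backslash and double quote


def _decode_value(raw):
    """Decode the right-hand side of a name=value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    m = re.fullmatch(r"hex(?:\((\d+)\))?:([0-9a-fA-F,]*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        # hex(1)/hex(2)/hex(7) are REG_SZ/REG_EXPAND_SZ/REG_MULTI_SZ stored as UTF-16LE
        if m.group(1) in ("1", "2", "7"):
            return data.decode("utf-16-le").rstrip("\x00")
        return data                       # REG_BINARY and other types stay as bytes
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    return int(m.group(1), 16) if m else raw


def parse_reg_export(text):
    """Return {KEY PATH (upper-cased): {value name: value}}; '' is the (Default) value."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        name, sep, raw = line.partition("=")
        if sep and current is not None:
            name = "" if name == "@" else _unescape(name.strip('"'))
            keys[current][name] = _decode_value(raw)
    return keys


def find_indicators(text):
    """Run the three checks over one .reg export; returns a list of (check, detail) pairs."""
    reg = parse_reg_export(text)
    hits = []
    for clsid, label in reg.get(STS_KEY, {}).items():
        if clsid.upper() in KNOWN_GOOD_STS:
            continue
        # The CLSID alone says nothing; resolve it to the DLL that Explorer will load.
        srv = reg.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid.upper() + "\\INPROCSERVER32", {})
        hits.append(("SharedTaskScheduler", f"{clsid} ({label}) -> {srv.get('', '<no InprocServer32>')}"))
    for hive in HIVES:
        start = str(reg.get(hive + IE_MAIN, {}).get("Start Page", ""))
        if LOCAL_PATH.match(start):
            hits.append(("IE Start Page is a local file", start))
        # Assumption: TrustInPopups.exe autostarts via a Run key; the article does not say.
        for name, cmd in reg.get(hive + RUN, {}).items():
            if "trustin popups" in str(cmd).lower():
                hits.append(("Run entry", f"{name} = {cmd}"))
    return hits


if __name__ == "__main__":
    for check, detail in find_indicators(SAMPLE_REG):
        print(f"[{check}] {detail}")
```

On a real machine, `reg export` the SharedTaskScheduler key, HKEY_CLASSES_ROOT\CLSID, the Internet Explorer\Main keys and the Run keys to .reg files, then read them with `open(path, encoding="utf-16")` before calling `find_indicators`, because `reg export` writes UTF-16LE with a byte-order mark rather than plain ASCII. The SharedTaskScheduler check is the important one: the value names there are bare CLSIDs, so the code follows each unknown CLSID to its InprocServer32 path, which is what you actually need in order to find and remove the DLL. A local Start Page on its own is worth confirming by hand rather than treating as proof, but alongside an unknown SharedTaskScheduler DLL it matches the pattern this article describes.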


© 2003-2008 All Rights Reserved Bleeping Computer LLC.