The executables associated with this scareware scam are signed with a digital signature that makes the programs appear more legitimate. This signature, though, is not one owned by Xplode, the creator of AdwCleaner. Instead, the signature belongs to a company called WAT Software Rotterdam. Whether this company is the actual developer of the scareware or whether its certificate was stolen is currently unknown. Other clues found in the executable indicate that the real name of this scamware is AdwareBooc. The debug symbol (PDB) path of the Visual Studio project was also recoverable from the executable: c:\Users\PresFox\Documents\Visual Studio 2013\Projects\AdwareBooC\AdwareBooC\obj\Release\AdwareBooC.pdb.
The scam begins when you are browsing the web and are shown a popup that states your computer is infected with adware. This popup contains scary language about how you have adware on your computer and then prompts you to download AdwCleaner to scan your computer and clean these threats:
Once you download and run the program, it will install the fake AdwCleaner as C:\Users\<login name>\AppData\Local\6AdwCleaner.exe and execute it. It will also create an autorun entry called AdwCleaner in the Windows Registry so that it is started every time you log in to Windows. Once executed, the program will perform a "scan" of your computer and display a variety of detected adware programs. In reality these results are built into the program, and everyone who runs this scareware will see the exact same results. If a user clicks on the Clean button, they will be presented with a prompt to purchase the program.
If you click on the Buy Now button, you will be brought to a PayPal page where you can purchase the scamware for $59.99 USD. This PayPal purchase page shows that the owner of the account is going by name of Mardel Innovations.
When anyone purchases the program, they will then be shown a page where they can download the full purchased version of AdwCleaner. In fact, the program they will be downloading is the normal and legitimate AdwCleaner wrapped in the scammers' own installer. This is the same program that anyone can download and use for free. Notice the similarities between the legitimate one below and the fake one shown at the top of this page.
This scareware is fairly easy to remove. Simply terminate the 6AdwCleaner.exe process in Task Manager to end the program. Once the program is terminated, delete the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner Registry key via Msconfig or Autoruns and then delete the C:\Users\<login name>\AppData\Local\6AdwCleaner.exe file. If you would prefer to use a program to remove this infection, Emsisoft Anti-Malware and Malwarebytes both detect this scareware.
Due to a misconfigured website, we were able to get access to a detailed report showing how many people have installed the program, clicked on the Scan button, clicked on the Clean button, and purchased it. From this report we can see that this scam has been successful and has generated thousands of dollars for these scammers.
This report only shows activity since February 1st, 2015, but we have found this same scareware on VirusTotal ranging as far back as January 1st, 2015. Therefore it is likely that they have made much more revenue than we know about.
Once again, AdwCleaner should only be downloaded from ToolsLib.net and BleepingComputer.com. If you download it from any other location then you run the risk of becoming infected with adware or possibly something worse.
Known AdwCleaner Scareware Files:
C:\Users\User\AppData\Local\6AdwCleaner.exe

Known AdwCleaner Scareware Registry keys:

HKCU\Software\AdwCleaner
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner "C:\Users\User\AppData\Local\6AdwCleaner.exe" -auto
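As an added example that is not part of the original article (and not code from Xplode or the AdwCleaner project), the following PowerShell script checks the current user's profile for the file, autorun value and registry key listed above, reports what it finds, and only when run with -Remove carries out the removal steps in the same order the article gives (stop the process, delete the Run value, delete the file). The paths and value names come from the article; it assumes the process name matches the dropped file name (6AdwCleaner) and that the file sits under the current user's %LOCALAPPDATA%.

```powershell
<#
  Added example, not code from the original article or from AdwCleaner's author.
  Checks the current user for the fake-AdwCleaner indicators in the article and
  removes them only when run with -Remove (supports -WhatIf / -Confirm).
  Assumptions: process name equals the file name (6AdwCleaner) and the dropped
  file lives under the current user's %LOCALAPPDATA%.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # report only unless this switch is given
)

$filePath    = Join-Path $env:LOCALAPPDATA '6AdwCleaner.exe'
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue    = 'AdwCleaner'
$configKey   = 'HKCU:\Software\AdwCleaner'
$processName = '6AdwCleaner'   # assumed to match the dropped file name

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the scareware currently running?
$procs = @(Get-Process -Name $processName -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $findings.Add("process  : $($p.ProcessName) (PID $($p.Id)) path=$($p.Path)")
}

# 2. Autorun value. The article shows its data as
#    "C:\Users\User\AppData\Local\6AdwCleaner.exe" -auto
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $data = $run.$runValue
    $note = if ($data -match '6AdwCleaner\.exe') { ' [points at the known dropped file]' }
            else { ' [data does not match the known path; verify before removing]' }
    $findings.Add("autorun  : $runKey\$runValue = $data$note")
}

# 3. Scareware configuration key and the dropped executable
if (Test-Path -LiteralPath $configKey) { $findings.Add("registry : $configKey") }
if (Test-Path -LiteralPath $filePath)  { $findings.Add("file     : $filePath") }

if ($findings.Count -eq 0) {
    Write-Output 'No fake-AdwCleaner indicators found for this user.'
    return
}

Write-Output 'Indicators found:'
$findings | ForEach-Object { Write-Output "  $_" }

if (-not $Remove) {
    Write-Output 'Re-run with -Remove (optionally -WhatIf) to clean up.'
    return
}

# Removal in the order the article describes: process, Run value, file.
foreach ($p in $procs) {
    if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force -ErrorAction Stop
    }
}
if ($run -and $PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove-ItemProperty')) {
    Remove-ItemProperty -Path $runKey -Name $runValue -ErrorAction Stop
}
if ((Test-Path -LiteralPath $configKey) -and $PSCmdlet.ShouldProcess($configKey, 'Remove-Item -Recurse')) {
    Remove-Item -LiteralPath $configKey -Recurse -Force -ErrorAction Stop
}
if ((Test-Path -LiteralPath $filePath) -and $PSCmdlet.ShouldProcess($filePath, 'Remove-Item')) {
    Remove-Item -LiteralPath $filePath -Force -ErrorAction Stop
}
Write-Output 'Cleanup complete.'
```

Run it once without arguments to see what is present, then with -Remove -WhatIf to preview the deletions, and finally with -Remove. Because the script only ever inspects HKCU and the current user's profile, it must be run in each affected user's session (or adapted to load other users' hives) to catch installs for other accounts on the same machine.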