Thursday, March 11, 2010

Remove CleanUp Antivirus fake antivirus program (Free removal)

CleanUp Antivirus is a fake antivirus program. As a typical rogue program, CleanUpAntivirus reports false threats and prompts you to pay for a full version of the program to remove the infections which don't actually exist. It's promoted and installed through the use of trojan viruses. As you may know, trojans usually come from fake online scanners, fake video/warez sites or bundled with other malicious software. Recently cyber criminals also use infected PDF files and online advertisements to distribute their bogus products.



So, what is CleanUp Antivirus all about? Basically, this fake program creates many junk files filled with random data and later "detects" those same files as serious system security threats. Please note that the rogue program also flags absolutely harmless files as infections. The scan results are false, so you shouldn't worry about those non-existent threats. The only thing you should worry about is CleanUp Antivirus itself.

CleanUpAntivirus will probably replace the Security Antivirus and My Security Wall malware. We wrote about these malicious programs one month ago. Of course, all three rogue programs can be promoted at the same time too. The home page of this misleading program is cleanupantivirus.com. Please avoid it!



Another very annoying thing about this fake program is that it constantly displays fake warnings, popups and error messages with absolutely ridiculous statements. Some of the fake CleanUpAntivirus alerts will claim that:

"System alert!
CleanUp Antivirus has detected potentially harmful software in
your system. It is strongly recommended that you register
CleanUp Antivirus to remove all found threats immediately."

"Warning! Virus detected
Warning! Identity theft attempt detected"





“Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Cleanup Antivirus. Click here to remove all potentially harmful programs found immediately using Cleanup Antivirus.”

Furthermore, the rogue program modifies the Windows registry so that CleanUpAV.exe runs every time Windows starts. It also modifies the Windows HOSTS file, so you will have to fix that too (read the instructions below on how to do that).

Last, but definitely not least, CleanUp Antivirus blocks legitimate anti-virus and anti-spyware programs and security sites. It hijacks Internet Explorer and displays search results from findgala.com instead of your default search engine. In some cases you will have to end its processes first in order to download and install anti-malware software. You may also try to reboot your PC in Safe Mode with Networking and download a removal tool from there.

As you can see, this program is absolutely useless. First of all, don't buy it! If you already did, contact your credit card company immediately and dispute the charges. Then use the removal instructions below to remove CleanUp Antivirus from your PC for free using legitimate anti-malware programs. If you have any questions please don't hesitate to leave a comment. Useful additional information is always welcome. Good luck and be safe!


CleanUp Antivirus removal instructions (method #1):

Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.

NOTE1: if you can't run any of the above programs, you must rename the installer of the selected program before saving it on your PC. For example: if you choose MalwareBytes, then rename mbam-setup.exe to iexplore.exe, explorer.exe or any random name like test123.exe before saving it.

NOTE2: if you still can't run the renamed file, then you need to change the file extension too, not only the name.
1. Go to "My Computer".
2. Select "Tools" from the menu and click "Folder Options".
3. Select the "View" tab and uncheck the checkbox labeled "Hide file extensions for known file types". Click OK.
4. Rename mbam-setup.exe to either test123.com or test123.pif.
5. Double-click to run the renamed file.


Removing CleanUp Antivirus in Safe Mode with Networking (method #2):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8" key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



NOTE: Log in as the same user you were previously logged in with in normal Windows mode.
If you can't reboot your PC in Safe Mode with Networking, download SafeBootKeyRepair and run it. If the rogue program blocks it, then download and run this file instead: RenamedSBKRepair. Follow the prompts. Then reboot your PC in Safe Mode with Networking.

2. Download one of the following legitimate anti-malware applications and run a quick system scan. Don't forget to update it first. All programs are free.


CleanUp Antivirus files and registry values:

Folders and files:
  • C:\Documents and Settings\All Users\Application Data\345d567\
  • C:\Documents and Settings\All Users\Application Data\345d567\46.mof
  • C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe
  • C:\Documents and Settings\All Users\Application Data\345d567\CUA.ico
  • C:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
  • C:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
  • C:\Documents and Settings\All Users\Application Data\345d567\BackUp\
  • C:\Documents and Settings\All Users\Application Data\345d567\CUASys\
  • C:\Documents and Settings\All Users\Application Data\345d567\CUASys\vd952342.bd
  • C:\Documents and Settings\All Users\Application Data\345d567\Quarantine Items
  • C:\Documents and Settings\All Users\Application Data\CUCAISTUA\
  • C:\Program Files\Mozilla Firefox\searchplugins\search.xml
  • %UserProfile%\Application Data\CleanUp Antivirus
Registry values:
  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\CU345d.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Library1.00195"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CleanUp Antivirus"
  • HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
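The following PowerShell script is an added example, not part of the original post and not a tool from any of the anti-malware vendors mentioned. It audits a machine for the files and registry values listed above and prints what it finds, so you can confirm an infection (or confirm that a scan removed everything) without relying on the rogue's own "scan results". It assumes you run it in an elevated PowerShell as the affected user, that the "Documents and Settings" paths from the list apply (Windows XP layout), and that %UserProfile% expands to that user's profile. The HOSTS check is a general one added here: the post says the rogue edits HOSTS but does not list the entries, so the script simply prints every active mapping other than localhost for you to review.

```powershell
# Added example (not from the original post): audit for the CleanUp Antivirus
# indicators listed in the post. It only reports; removal is left to the
# legitimate anti-malware scan the post recommends.

$findings = New-Object System.Collections.Generic.List[string]

# --- Files and folders named in the post ---
$dataDir = 'C:\Documents and Settings\All Users\Application Data\345d567'
$paths = @(
    $dataDir,
    "$dataDir\46.mof",
    "$dataDir\CU345d.exe",
    "$dataDir\CUA.ico",
    "$dataDir\mozcrt19.dll",
    "$dataDir\sqlite3.dll",
    "$dataDir\BackUp",
    "$dataDir\CUASys",
    "$dataDir\CUASys\vd952342.bd",
    "$dataDir\Quarantine Items",
    'C:\Documents and Settings\All Users\Application Data\CUCAISTUA',
    'C:\Program Files\Mozilla Firefox\searchplugins\search.xml',
    (Join-Path $env:USERPROFILE 'Application Data\CleanUp Antivirus')   # %UserProfile% expanded
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("file/folder present: $p") }
}

# --- Registry keys whose mere presence is an indicator ---
$keys = @(
    'HKCU:\Software\3',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}',
    'Registry::HKEY_CLASSES_ROOT\CU345d.DocHostUIHandler'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}

# Read one named value from a key; $null when the key or value is absent.
function Get-RegValue([string]$Key, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue($Name)
}

# --- Registry values from the post: value name plus the data pattern that marks it as hostile ---
$valueChecks = @(
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes'; Name = 'URL'; Pattern = 'findgala\.com' },
    @{ Key = 'HKCU:\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes'; Name = 'URL'; Pattern = 'findgala\.com' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes'; Name = 'URL'; Pattern = 'findgala\.com' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer'; Name = 'PRS'; Pattern = '127\.0\.0\.1:27777' },   # local proxy injecting into pages
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures'; Pattern = '^1$' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'CheckExeSignatures'; Pattern = '^no$' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'; Name = 'Library1.00195'; Pattern = '.*' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'CleanUp Antivirus'; Pattern = '.*' },   # autostart entry
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'; Name = "$dataDir\CU345d.exe"; Pattern = '.*' }
)
foreach ($c in $valueChecks) {
    $v = Get-RegValue $c.Key $c.Name
    if ($null -ne $v -and ("$v" -match $c.Pattern)) {
        $findings.Add("registry value: $($c.Key) [$($c.Name)] = $v")
    }
}

# --- HOSTS file: the post says the rogue edits it but gives no entries, so list every
# active mapping other than localhost for manual review (added check, an assumption).
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsFile) {
    foreach ($raw in (Get-Content -LiteralPath $hostsFile)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $parts = $line -split '\s+'
        if ($parts.Length -ge 2 -and $parts[1] -ne 'localhost') {
            $findings.Add("hosts entry to review: $line")
        }
    }
}

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Output 'None of the listed CleanUp Antivirus indicators were found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    foreach ($f in $findings) { Write-Output "  $f" }
}
```

Two of the registry values deserve attention even after the files are gone: "CheckExeSignatures" = "no" and "RunInvalidSignatures" = 1 turn off Internet Explorer's check on downloaded executables, and the "PRS" value points IE at a proxy on 127.0.0.1:27777 that the rogue runs to alter pages. If the script still reports these after a scan, reset them (CheckExeSignatures back to "yes", RunInvalidSignatures to 0, and delete PRS) so the browser is not left weakened.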

