
CleanThis Removal and Analysis

by Shanmuga

CleanThis scareware uses the Fake Security Essentials Alert to download itself onto the victim’s computer. Once installed, this rogue software restarts the system automatically, and after the restart access to the desktop is completely blocked: the taskbar is hidden, right click is disabled and a fake scan runs, "identifying" non-existent malware. You cannot close it or kill it using the Task Manager. CleanThis manages to run even in Safe Mode and Safe Mode with Networking.

Scareware like CleanThis is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed throughout the Web by cyber criminals using blackhat SEO techniques, spam and malicious Flash advertisements.

Screenshot: desktop hijacked by CleanThis rogue security software

CleanThis Removal (How to remove CleanThis)

Download the following from an alternate computer and copy to a removable drive like CD, DVD or USB stick:

  • Download Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe).
  • Right click and save the file shell_restore.inf; make sure that you are saving the file with a .inf extension.
  • Boot into Windows Safe Mode with Command Prompt.
  • At the command prompt type “explorer.exe” and press the Enter key, then wait for Windows Explorer to open. Now from the Windows Start button open My Computer and browse to your removable drive.
  • Right click the downloaded file (shell_restore.inf) and choose the Install option. There will not be any visual confirmation or notification. This restores the default Windows shell, which prevents the scareware from running at boot.
  • Restart in normal mode.
  • Double-click mbam-setup.exe to start the installation and follow the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  • Once the update is completed, launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  • Turn System Restore off and on again.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as CleanThis. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

CleanThis Analysis

Rogue security software such as CleanThis belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed from your system immediately.

The trojan dropper file was about 619520 bytes in size. It was detected by 21/42 (50.0%) of the anti-virus engines available at VirusTotal.

This scareware is detected by the following aliases:

  • Trojan/Win32.FakeAV
  • Win32:Malware-gen
  • Trojan.Win32.FakeAV.bmbd
  • Rogue:Win32/FakePAV
  • a variant of Win32/Adware.FakeAntiSpy.AA

The following behavior was observed:

  • Changes the size of the desktop wallpaper and disables right click on the desktop. The taskbar is hidden.
  • Drops a file named gog.exe in the application data folder of the current user (Example: C:\Documents and Settings\\Application Data\gog.exe)
  • Tampers with the Windows registry and adds itself to the Winlogon\Shell key, so that it starts with Windows even in Safe Mode. (Example: HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = C:\Documents and Settings\\Application Data\gog.exe)

Typical CleanThis Scare Messages

CleanThis has detected security threats on your PC. To remove please install the heuristic module. click here to install heuristic module.

Current settings don’t allow unprotected startup. Please check your settings.

Database update failed! Outdated viruses databases are not effective and can’t guarantee adequate protection and security for your PC! Click here to get the full version of the product and update the database!

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

CleanThis Associated Files and Folders

  • C:\Documents and Settings\\Application Data\1.gif
  • C:\Documents and Settings\\Application Data\completescan
  • C:\Documents and Settings\\Application Data\gog.exe
  • C:\Documents and Settings\\Application Data\install
  • C:\Documents and Settings\\Desktop\Clean This.lnk

Some of the file names may be randomly generated. The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

CleanThis Associated Registry Values and Keys

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=C:\Documents and Settings\\Application Data\gog.exe
  • HKEY_CURRENT_USER\Control Panel\Desktop\WallpaperStyle=0
  • HKEY_CURRENT_USER\Control Panel\Desktop\Pattern=
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags=0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperStyle=0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper=%APPDATA%\1.gif
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving=0

The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.
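As an added example (not tooling from the original article), a small Python check that scans a .reg export of the user hive for the two kinds of tampering the behaviour list and the registry section above describe: a per-user Winlogon\Shell override pointing somewhere other than explorer.exe, and the Internet Settings warnings (WarnOnPost, WarnonBadCertRecving) zeroed. The export text is constructed for the example; running the same check after the shell_restore.inf step should report no Shell finding.

```python
# Added example (not from the original article): scan a Windows registry
# export (.reg text) for the persistence and setting changes listed in the
# CleanThis write-up. Sample data below is constructed, not captured.
import re

WINLOGON = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# DWORD values the write-up reports the rogue setting to 0 (warnings disabled).
WATCHED_DWORDS = {"WarnOnPost", "WarnonBadCertRecving"}

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def find_indicators(keys):
    """Return a list of (key, value_name, reason) findings."""
    findings = []
    shell = keys.get(WINLOGON, {}).get("Shell")
    if shell is not None:
        # A clean profile normally has no HKCU Shell value at all; the default
        # shell (explorer.exe) lives under HKLM, so anything else here is a
        # per-user override of the kind the rogue installs.
        path = shell.strip('"').lower()
        if path != "explorer.exe":
            findings.append((WINLOGON, "Shell", f"non-default shell: {path}"))
    for name, data in keys.get(INET, {}).items():
        if name in WATCHED_DWORDS and data.lower() == "dword:00000000":
            findings.append((INET, name, "security warning disabled"))
    return findings

# Constructed sample resembling a .reg export of an infected profile.
SAMPLE_EXPORT = rf"""Windows Registry Editor Version 5.00

[{WINLOGON}]
"Shell"="C:\\Documents and Settings\\user\\Application Data\\gog.exe"

[{INET}]
"WarnOnPost"=dword:00000000
"WarnonBadCertRecving"=dword:00000000
"ProxyEnable"=dword:00000000
"""

if __name__ == "__main__":
    for key, value, reason in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}\\{value}: {reason}")
```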

CleanThis Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • configure-network-online .com

Note: Visiting the domains mentioned above may harm your computer system.

Malwarebytes’ Anti-Malware should take care of the scareware completely. If you have difficulty removing any other malware that might have crept in with CleanThis, check out Kaspersky Virus Removal Tool and Kaspersky Rescue Disk.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

CleanThis Scareware — Screenshots

CleanThis Scareware — Video

Note: The CleanThis installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.

Comments

steve March 26, 2011 at 3:58 PM

Thanks but despite running anti-malware I am still stuck with CLEAN THIS which appears on my screen and does not go away. Control/alt/delete has no effect nor start in safe mode. still there. any ideas please?


Shanmuga March 26, 2011 at 4:24 PM

Please go through the removal steps again. Let me know where exactly you are stuck.
