Christian Mairoll

CleanUP Antivirus Adware Removal Instructions


The Emsi Software malware research team has discovered a new outbreak of the CleanUP Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.CleanUPAntivirus.

CleanUP Antivirus is rogue security software that shows false warning messages and misleading scan results. It will start automatically when your computer starts. The installer will also create numerous harmless files on your computer, usually in the Recent folder, that are used to impersonate malware files. Once the program is running, it will scan your computer and then display these files as infections, but will not allow you to remove them until you purchase the program.

Create new files:


Create new registry entries:


Modify hosts file:



How to remove the infection of CleanUP Antivirus (Adware.Win32.CleanUPAntivirus)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.


