CleanThis - video
Thanks to rogueamp for making this video
CleanThis masquerades as Microsoft Security Essentials alert and claims that your computer is infected with unknown Win32/Trojan. The fake security alert box does not go by clicking the "X" mark at the right top corner. Actually, it won't go unless I click "OK" or "Continue", which will install "CleanThis" and reboot your computer. After a reboot, you will see the "Windows CleanThis World's leading security solution" screen instead of your normal Windows desktop.
Fake security threat warning:
CleanThis doesn't appear in the list of "uninstall" programs. This rogue applications disables pretty much everything on your computer, Task Manager, Internet Explorer, it hides your Desktop even in safe mode. It modifies Windows registry so that the rogue programs runs automatically during system bootup. Thankfully, we've got the removal instructions to help you to remove CleanThis. Please be advised, if you pay for this phony security software, you will subjected to monetary theft, or in a worst-case example, ID Theft. There is no guarantee that your credit card details aren't going to be sold to other third parties. Do not hesitate to contact us if you need further assistance or you have questions regarding removal of CleanThis. Please leave a comment below. Good luck and be safe online!
CleanThis is a new variant of ThinkPoint and Palladium Pro scareware.
CleanThis removal instructions:
1. Restart your computer. Once the "CleanThis World's leading security solution" window comes press the "Safe Startup" button to do the safe start. It may take a few seconds to load.
2. The CleanThis scanner will show up. Click "OK" to run a full system scan. It may take a few minutes to complete. Then, select "Settings" from the menu and check a checkbox "Allow unprotected startup." Click "Safe settings" to safe the changes.
Close the CleanThis scanner by clicking the "X" mark at the right top corner.
3. Click Start -> Run or press WinKey+R. Type in cmd and press Enter key or click OK.
Type in: taskkill /f /im gog.exe and click Enter. This will stop the CleanThis malware.
4. Download the following file to your Desktop: windows-shell.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry. This step is important because if you won't fix this entry, then your Windows Desktop may not be displayed the next time you reboot. Once the new registry value has been added, you can delete the file from your computer.
5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
6. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.
Alternate CleanThis removal instructions:
1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens.
3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.
4. Locate the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
In the righthand pane select the registry key named Shell. Right click on the registry key and choose Delete. Click Yes to confirm and exit the Registry editor.
5. Delete CleanThis files. Delete gog.exe and other files as shown in the image below.
- C:\Documents and Settings\[User Name]\Application Data\ (Windows XP/2000)
- C:\Users\[User Name]\AppData\Roaming\ (Windows Vista/7)
NOTE: By default, Application Data folder is hidden. If you can find it, please read Show Hidden Files and Folders in Windows.
6. Go back into "Normal Mode". Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.
Associated CleanThis files and registry values:
Files:
For Windows XP users:
- C:\Documents and Settings\[User Name]\Application Data\gog.exe
- C:\Documents and Settings\[User Name]\Application Data\[SET OF RANDOM CHARACTERS].bat
- C:\Documents and Settings\[User Name]\Desktop\CleanThis.lnk
- C:\Documents and Settings\[User Name]\Start Menu\Programs\CleanThis.lnk
- C:\Windows\Tasks\At[random].job
- C:\Users\[User Name]\AppData\Roaming\gog.exe
- C:\Users\[User Name]\AppData\Roaming\[SET OF RANDOM CHARACTERS].bat
- C:\Users\[User Name]\Desktop\CleanThis.lnk
- C:\Users\[User Name]\Start Menu\Programs\CleanThis.lnk
- C:\Windows\Tasks\At[random].job
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell = "%AppData%\gog.exe"
59 comments:
I'm having a problem, everytime I restart my computer as soon as the Clean This screen comes up, I've tried pressing Ctrl+Shift+Esc and Ctrl+Alt+Delete. The task manager doesn't seem to popup. I tried clicking Safe Startup on the Clean This program and then tried Pressing Ctrl+Shift+Esc and Ctrl+Alt+Delete. but it still doesn't show up. Could you please help me out?
Neither CTRL+ALT+DLT or CTRL+SHFT+ESC would bring up the task manager. The task mgr would flash up for 1 second and disappears. Seems like Clean This is blocking it. I can't get pass the Clean This screen and can't bring up task mgr. Any other way around it? Thanks!
The removal instructions have been updated.
Thanks !
When I try to delete the file gog.exe I get a message saying 'The action can't be completed because the file is open in another program.' Any ideas? I'd really appreciate the help!
Thank you very much. This helped a lot.
I also am not able to delete gog.exe
This is a lifesaver. Thank-you!!!!!!
Didn't work- none of teh instructions will get me past the Clean This screen...
Couldn't get past the Clean This screen - even in safe mode
BUT
rebooting into safe mode WITH COMMAND PROMPT
and typing explorer.exe got me into Windows.
from a thumb drive I ran:
rkill.exe (from bleepingcomputer.com)
tdss killer(it's from Karirsky-no link for this one- I already had it-but's it's easily gooogleable)
Then ran:
super antispyware PORTABLE ver.
This worked for me; however, am I going to have to do this each time I reboot? Can I delete it somehow?
No, you don't. Download Malwarebytes Antimalware or Hitman Pro and run a full system scan. Download links are given above. Then just delete found malicious files and you should be good to go. Good luck!
thank you,You saved me
thank you so much!
thanks so much.
Thanks a lot! it saved me!
It looks like this runs under the user name - I was able to easily log in as a different user ( on a domain network ) CleanThis did not launch, and was able to download and run malwarebytes and hitmanpro without any issues. Also, it's a good idea to run ccleaner to clean out temp files and old reg keys.
On a regular computer - not on a domain - you could try to log in as administrator with no password - the default windows setup - and run the cleanup tools suggested.
THANK YOU SO MUCH!! IM ALREADY freaking out in here on what I am supposed to do..I started to research on how to format my laptop..and there it is! I learned I can delete it all the way,! I followed the instructions carefully and my laptop acts n0rmal again..thank you so much.. Btw Im Arvi from the Philippines..I thought my laptop would crash, but no it isn't!!
THANK YOU SO MUCH!! IM ALREADY freaking out in here on what I am supposed to do..I started to research on how to format my laptop..and there it is! I learned I can delete it all the way,! I followed the instructions carefully and my laptop acts n0rmal again..thank you so much.. Btw Im Arvi from the Philippines..I thought my laptop would crash, but no it isn't!!
Thank you so much for this, it happened to me, and this way to remove it worked.
Btw, the video cracked me up, very funny narrator. I was so annoyed with the whole situation, but the video actually made me laugh out loud. So double thanks! ;)
Thank u for the help
Thanks a lot to this forum!!It really helped me!!!
I would like to thank you too. I had called Best Buy Geek Squad and they quoted me a price of 199.99 to remove CleanThis! I wish that MicroSoft would sue the creators who use the MS logos in this vicious virus! Your instructions were great. It took me a couple of tries but in the end it worked.
Ok I know this virus is on my pc I've had all those problems but I have full access to my pc... This scares me more then anything I can't find anything on clean this to even attempt getting rid of it! I'm running malwarebytes now but it's not finding anything yet, I tried stopzilla and it found the cleanthis problem is stopzilla worth getting? Input please!!! I'm 2 seconds away from a format!!!
...just have this CleanThis virus stuff on my pc and i found ways to remove it... i used the Advanced Windows Care V2..this is what i did
1.let the virus do its usual startup..then waited for a while so i could close the dialog box
2.i clicked the Advanced Windows Care icon on the taskbar on the side near the clock..at first i thought it wouldnt work but it did!
3.the Advnced Windows Care opened
4.cliked "tools" then sartup manager there i found the "shell"
5.then i clicked the "tools" again and found there the "gog" process...there i terminated it..
..thank the LORD i have Advanced WindowsCare V2..it worked people!!!
Thank you very much .all problem resolved.best wishes for your future life.
Thank you for providing excellent instructions for removing CleanThis. It worked just fine which is very pleasing, especially as PC Tools Spyware Doctor failed to detect it.
Thank you. Excellent solution. Best on-line. My greetings.
Vista Users..,
it will get remove with "Safe mode with Command Prompt"
restart ur computer with "safe mode with command prompt"
them command prompt will open..
type "taskmgr.exe", Task Manager will open...
there create new task, and write"explorer.exe"..so ur taskbar and start menu will come.
goto c:\users\ [User Name] \Appdata\ Roaming..
there delete 3 files
1) gog.exe
2) install
3) complete scan.
restart ur computer and u r done...
thanks
it work!!
thanks a lot man...
Thanks...was really helpful...
So helpful, I thought my computer was a gonner and then this walkthrough fixed it in 5 minutes. Much appreciated :D
thank you sooooooooo much, really i dont know what i'd do with out my compy.
I HAD SAME PROBLEM,BUT I SOLVED MY PROBLEM THROUGH THIS STEP:
1)AFTER LOGIN INTO YOUR SYSTEM(after step2 mention above) OPEN RUN COMMAND AND TYPE taskmgr(TASK MANAGER) AND SEARCH FOR GOG.EXE
2)CLICK ON GOG.EXE AND END PROCESS
3)GOTO "C:\Documents and Settings\Administrator\Application Data" AND DELETE GOG.EXE AND OTHER 3 FILES(INSTALL,COMPLETEINSTALL,SCAN)
4)FROM DESKTOP DELETE SHORTCUT OF "CLEANTHIS"
5)pROBLEM RESOLVED
thank you for this guidence...it help me alot.
thankyou so much, great work, you saved my computer
how to i get rid of the shorcut for the clean this virus do i just put it in the recycling bin? oh and that video was a lot of help thank you
Thanks alot guys...
how come this thing will happen?
what kind of malware is it?
It's a fake anti-virus program.
Thank you very much !
THANK YOU ^^ IM FINE
you rock...thanks
When I type in taskmgr it won't let the list come up. The Clean This thing comes up instead.
YOU SAVED MY LIFE T_T
thank you so much!
Before I could try this site's proposed solution, the mouse and keyboard have stopped responding. Any ideas? Thanks. :)
Thank you guys! Life saver. *bows down*
great help, thanks buddy
yeah..
this worked..
i was so afraid coz i was installing adobe and it was all gone...
Thanks Dude..U have make me free from re installing windows.
nice info...
thank's a lot...
Just Great - Thanx a lot for this great walkthrough!
you are my pc savior.....i could'n imagine what happene with my data if without this trick....thanks so loot
Thank you. It helps a lot. you save my pc from re-installing new windows
I dont know what all the fuss is about, I just paid the 69 bucks and I got back to windows just fine :)
thank you very much..that was a close call
I already had eset NOD32 antivirus 4 and this clean this virus still got thru....I am having trouble getting on as an administrator to run the new spybot.
thanks this was good help. Another tip is you can make a copy of taskmgr.exe and rename it to for example test.exe. then u can run test.exe as taskmanager it looks like it does not block that. And then kill gog.exe. After that i was able to take me out on the internet and found this great info. Works to rename the exe file for Firefox and IE as well.