Friday, March 19, 2010

CleanUp Antivirus Removal GuideCleanUp Antivirus Removal Guide

CleanUp Antivirus Removal Guide
CleanUp Antivirus is a rogue antivirus program from the same family as Security Antivirus. CleanUp Antivirus enters the system stealthily and is often installed after you click to download an update for your PC, or use a corrupt online scanner. CleanUp Antivirus will try to convince you that your PC is in danger. The hackers behind this scam want your money and will urge you to purchase a useless copy of CleanUp Antivirus.

Removal Tool: Remove Fake Antivirus. (Download it here.)

Removal Guide
Kill Process
(How to kill a process effectively?)
CU345d.exe
grid.exe
PE.exe

Unregister DLL files
%Documents and Settings%\All Users\Application Data\345d567\sqlite3.dll
%Documents and Settings%\All Users\Application Data\345d567\mozcrt19.dll
%UserProfile%\Recent\DBOLE.dll
%UserProfile%\Recent\FS.dll

Delete Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\Application Data\345d567\CU345d.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Library1.00195"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\CU345d.DocHostUIHandler
HKEY_CURRENT_USER\Software\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CleanUp Antivirus"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "App/7.00195"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\CleanUp Antivirus

Remove Folders and Files
c:\Documents and Settings\All Users\Application Data\345d567
%UserProfile%\Recent\DBOLE.dll
%UserProfile%\Recent\FS.dll

No comments:

Post a Comment