Your computer is infected with malicious software? Do you have popups on your PC?
If so, search this blog for removal instructions or find computer threats by category.

Saturday, March 19, 2011

How to Remove CleanThis (Uninstall Guide)

Tell your friends:
CleanThis is a fake anti-virus application that claims to be a Microsoft product and wants to get you to upgrade to the full version in order to remove the threats which do not even exist on your computer. It constantly displays fake security warnings and pop-up windows saying that your computer is infected with malicious software. This rogue AV application is a complete scam. If your computer is being infected by CleanThis malware, please follow the removal instructions below.



CleanThis - video

Thanks to rogueamp for making this video

CleanThis masquerades as Microsoft Security Essentials alert and claims that your computer is infected with unknown Win32/Trojan. The fake security alert box does not go by clicking the "X" mark at the right top corner. Actually, it won't go unless I click "OK" or "Continue", which will install "CleanThis" and reboot your computer. After a reboot, you will see the "Windows CleanThis World's leading security solution" screen instead of your normal Windows desktop.



Fake security threat warning:


CleanThis doesn't appear in the list of "uninstall" programs. This rogue applications disables pretty much everything on your computer, Task Manager, Internet Explorer, it hides your Desktop even in safe mode. It modifies Windows registry so that the rogue programs runs automatically during system bootup. Thankfully, we've got the removal instructions to help you to remove CleanThis. Please be advised, if you pay for this phony security software, you will subjected to monetary theft, or in a worst-case example, ID Theft. There is no guarantee that your credit card details aren't going to be sold to other third parties. Do not hesitate to contact us if you need further assistance or you have questions regarding removal of CleanThis. Please leave a comment below. Good luck and be safe online!

CleanThis is a new variant of ThinkPoint and Palladium Pro scareware.


CleanThis removal instructions:

1. Restart your computer. Once the "CleanThis World's leading security solution" window comes press the "Safe Startup" button to do the safe start. It may take a few seconds to load.



2. The CleanThis scanner will show up. Click "OK" to run a full system scan. It may take a few minutes to complete. Then, select "Settings" from the menu and check a checkbox "Allow unprotected startup." Click "Safe settings" to safe the changes.



Close the CleanThis scanner by clicking the "X" mark at the right top corner.

3. Click Start -> Run or press WinKey+R. Type in cmd and press Enter key or click OK.



Type in: taskkill /f /im gog.exe and click Enter. This will stop the CleanThis malware.



4. Download the following file to your Desktop: windows-shell.reg. Double-click to run it. Click "Yes" when it asks if you want to add the information to the registry. This file will fix the Windows Shell entry. This step is important because if you won't fix this entry, then your Windows Desktop may not be displayed the next time you reboot. Once the new registry value has been added, you can delete the file from your computer.

5. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

6. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.


Alternate CleanThis removal instructions:

1. Reboot your computer is "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key. Login as the same user you were previously logged in with in the normal Windows mode. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm



2. When Windows loads, the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter. Windows Explorer opens.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In the righthand pane select the registry key named Shell. Right click on the registry key and choose Delete. Click Yes to confirm and exit the Registry editor.



5. Delete CleanThis files. Delete gog.exe and other files as shown in the image below.
  • C:\Documents and Settings\[User Name]\Application Data\ (Windows XP/2000)
  • C:\Users\[User Name]\AppData\Roaming\ (Windows Vista/7)


NOTE: By default, Application Data folder is hidden. If you can find it, please read Show Hidden Files and Folders in Windows.

6. Go back into "Normal Mode". Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe, explorer.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus 4.


Associated CleanThis files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\[User Name]\Application Data\gog.exe
  • C:\Documents and Settings\[User Name]\Application Data\[SET OF RANDOM CHARACTERS].bat
  • C:\Documents and Settings\[User Name]\Desktop\CleanThis.lnk
  • C:\Documents and Settings\[User Name]\Start Menu\Programs\CleanThis.lnk
  • C:\Windows\Tasks\At[random].job
For Windows Vista and Windows 7 users:
  • C:\Users\[User Name]\AppData\Roaming\gog.exe
  • C:\Users\[User Name]\AppData\Roaming\[SET OF RANDOM CHARACTERS].bat
  • C:\Users\[User Name]\Desktop\CleanThis.lnk
  • C:\Users\[User Name]\Start Menu\Programs\CleanThis.lnk
  • C:\Windows\Tasks\At[random].job
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell = "%AppData%\gog.exe"
Share this information with other people:

59 comments:

absar18 said...

I'm having a problem, everytime I restart my computer as soon as the Clean This screen comes up, I've tried pressing Ctrl+Shift+Esc and Ctrl+Alt+Delete. The task manager doesn't seem to popup. I tried clicking Safe Startup on the Clean This program and then tried Pressing Ctrl+Shift+Esc and Ctrl+Alt+Delete. but it still doesn't show up. Could you please help me out?

Anonymous said...

Neither CTRL+ALT+DLT or CTRL+SHFT+ESC would bring up the task manager. The task mgr would flash up for 1 second and disappears. Seems like Clean This is blocking it. I can't get pass the Clean This screen and can't bring up task mgr. Any other way around it? Thanks!

Admin said...

The removal instructions have been updated.

Anonymous said...

Thanks !

Anonymous said...

When I try to delete the file gog.exe I get a message saying 'The action can't be completed because the file is open in another program.' Any ideas? I'd really appreciate the help!

Anonymous said...

Thank you very much. This helped a lot.

Melissa said...

I also am not able to delete gog.exe

Anonymous said...

This is a lifesaver. Thank-you!!!!!!

Anonymous said...

Didn't work- none of teh instructions will get me past the Clean This screen...

Anonymous said...

Couldn't get past the Clean This screen - even in safe mode
BUT
rebooting into safe mode WITH COMMAND PROMPT
and typing explorer.exe got me into Windows.

from a thumb drive I ran:
rkill.exe (from bleepingcomputer.com)

tdss killer(it's from Karirsky-no link for this one- I already had it-but's it's easily gooogleable)

Then ran:
super antispyware PORTABLE ver.

Anonymous said...

This worked for me; however, am I going to have to do this each time I reboot? Can I delete it somehow?

Admin said...

No, you don't. Download Malwarebytes Antimalware or Hitman Pro and run a full system scan. Download links are given above. Then just delete found malicious files and you should be good to go. Good luck!

nmishin said...

thank you,You saved me

ron said...

thank you so much!

Hao said...

thanks so much.

Anonymous said...

Thanks a lot! it saved me!

florky said...

It looks like this runs under the user name - I was able to easily log in as a different user ( on a domain network ) CleanThis did not launch, and was able to download and run malwarebytes and hitmanpro without any issues. Also, it's a good idea to run ccleaner to clean out temp files and old reg keys.
On a regular computer - not on a domain - you could try to log in as administrator with no password - the default windows setup - and run the cleanup tools suggested.

Anonymous said...

THANK YOU SO MUCH!! IM ALREADY freaking out in here on what I am supposed to do..I started to research on how to format my laptop..and there it is! I learned I can delete it all the way,! I followed the instructions carefully and my laptop acts n0rmal again..thank you so much.. Btw Im Arvi from the Philippines..I thought my laptop would crash, but no it isn't!!

Anonymous said...

THANK YOU SO MUCH!! IM ALREADY freaking out in here on what I am supposed to do..I started to research on how to format my laptop..and there it is! I learned I can delete it all the way,! I followed the instructions carefully and my laptop acts n0rmal again..thank you so much.. Btw Im Arvi from the Philippines..I thought my laptop would crash, but no it isn't!!

carla said...

Thank you so much for this, it happened to me, and this way to remove it worked.
Btw, the video cracked me up, very funny narrator. I was so annoyed with the whole situation, but the video actually made me laugh out loud. So double thanks! ;)

Anonymous said...

Thank u for the help

Anonymous said...

Thanks a lot to this forum!!It really helped me!!!

Anonymous said...

I would like to thank you too. I had called Best Buy Geek Squad and they quoted me a price of 199.99 to remove CleanThis! I wish that MicroSoft would sue the creators who use the MS logos in this vicious virus! Your instructions were great. It took me a couple of tries but in the end it worked.

Anonymous said...

Ok I know this virus is on my pc I've had all those problems but I have full access to my pc... This scares me more then anything I can't find anything on clean this to even attempt getting rid of it! I'm running malwarebytes now but it's not finding anything yet, I tried stopzilla and it found the cleanthis problem is stopzilla worth getting? Input please!!! I'm 2 seconds away from a format!!!

Anonymous said...

...just have this CleanThis virus stuff on my pc and i found ways to remove it... i used the Advanced Windows Care V2..this is what i did
1.let the virus do its usual startup..then waited for a while so i could close the dialog box
2.i clicked the Advanced Windows Care icon on the taskbar on the side near the clock..at first i thought it wouldnt work but it did!
3.the Advnced Windows Care opened
4.cliked "tools" then sartup manager there i found the "shell"
5.then i clicked the "tools" again and found there the "gog" process...there i terminated it..
..thank the LORD i have Advanced WindowsCare V2..it worked people!!!

Riyas kallikkandy said...

Thank you very much .all problem resolved.best wishes for your future life.

Anonymous said...

Thank you for providing excellent instructions for removing CleanThis. It worked just fine which is very pleasing, especially as PC Tools Spyware Doctor failed to detect it.

Anonymous said...

Thank you. Excellent solution. Best on-line. My greetings.

pats.fun said...

Vista Users..,
it will get remove with "Safe mode with Command Prompt"
restart ur computer with "safe mode with command prompt"
them command prompt will open..
type "taskmgr.exe", Task Manager will open...
there create new task, and write"explorer.exe"..so ur taskbar and start menu will come.
goto c:\users\ [User Name] \Appdata\ Roaming..
there delete 3 files
1) gog.exe
2) install
3) complete scan.

restart ur computer and u r done...

Maurya Ajaykumar said...

thanks

Anonymous said...

it work!!

thanks a lot man...

Toshik said...

Thanks...was really helpful...

Anonymous said...

So helpful, I thought my computer was a gonner and then this walkthrough fixed it in 5 minutes. Much appreciated :D

zombie_hearts said...

thank you sooooooooo much, really i dont know what i'd do with out my compy.

MOHAMMAD ILIYAS said...

I HAD SAME PROBLEM,BUT I SOLVED MY PROBLEM THROUGH THIS STEP:
1)AFTER LOGIN INTO YOUR SYSTEM(after step2 mention above) OPEN RUN COMMAND AND TYPE taskmgr(TASK MANAGER) AND SEARCH FOR GOG.EXE
2)CLICK ON GOG.EXE AND END PROCESS
3)GOTO "C:\Documents and Settings\Administrator\Application Data" AND DELETE GOG.EXE AND OTHER 3 FILES(INSTALL,COMPLETEINSTALL,SCAN)
4)FROM DESKTOP DELETE SHORTCUT OF "CLEANTHIS"

5)pROBLEM RESOLVED

AnkiT said...

thank you for this guidence...it help me alot.

digital_green said...

thankyou so much, great work, you saved my computer

Anonymous said...

how to i get rid of the shorcut for the clean this virus do i just put it in the recycling bin? oh and that video was a lot of help thank you

ANG3L said...

Thanks alot guys...
how come this thing will happen?
what kind of malware is it?

Admin said...

It's a fake anti-virus program.

iuliantataru said...

Thank you very much !

Anonymous said...

THANK YOU ^^ IM FINE

Anonymous said...

you rock...thanks

Anonymous said...

When I type in taskmgr it won't let the list come up. The Clean This thing comes up instead.

Anonymous said...

YOU SAVED MY LIFE T_T

long said...

thank you so much!

Anonymous said...

Before I could try this site's proposed solution, the mouse and keyboard have stopped responding. Any ideas? Thanks. :)

NotSoBadLit said...

Thank you guys! Life saver. *bows down*

Anonymous said...

great help, thanks buddy

Anonymous said...

yeah..
this worked..
i was so afraid coz i was installing adobe and it was all gone...

Anonymous said...

Thanks Dude..U have make me free from re installing windows.

Anonymous said...

nice info...
thank's a lot...

Anonymous said...

Just Great - Thanx a lot for this great walkthrough!

Anonymous said...

you are my pc savior.....i could'n imagine what happene with my data if without this trick....thanks so loot

Anonymous said...

Thank you. It helps a lot. you save my pc from re-installing new windows

Anonymous said...

I dont know what all the fuss is about, I just paid the 69 bucks and I got back to windows just fine :)

Anonymous said...

thank you very much..that was a close call

ron said...

I already had eset NOD32 antivirus 4 and this clean this virus still got thru....I am having trouble getting on as an administrator to run the new spybot.

Anonymous said...

thanks this was good help. Another tip is you can make a copy of taskmgr.exe and rename it to for example test.exe. then u can run test.exe as taskmanager it looks like it does not block that. And then kill gog.exe. After that i was able to take me out on the internet and found this great info. Works to rename the exe file for Firefox and IE as well.