Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for Content Cleaner

- - - - -

  • Please log in to reply
No replies to this topic

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 32,134 posts
Content is republished with permission from Malwarebytes.

What is Content Cleaner?

The Malwarebytes research team has determined that Content Cleaner is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue. You are strongly advised to follow our removal instructions below.

How do I know if I am infected with Content Cleaner?

This is how the main screen of the rogue application looks:

Posted Image

You will find these icons on your desktop and in your taskbar:

Posted Image

And see this kind of warnings:

Posted Image

How did Content Cleaner get on my computer?

Rogue programs use different methods for spreading themselves. This particular one was downloaded from their site.

How do I remove Content Cleaner?

Our program Malwarebytes' Anti-Malware can detect and remove this rogue application.
  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:

    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. Reboot your computer if prompted.
  • When completed, a log will open in Notepad. The rogue application should now be gone.

Is there anything else I need to do to get rid of Content Cleaner?
  • The shortcut called Shop eBay and save! on the desktop can be deleted if it belonged to the rogue.

How would the full version of Malwarebytes' Anti-Malware help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes' Anti-Malware for additional protection.

As you can see below the full version of Malwarebytes' Anti-Malware would have protected you against the Content Cleaner rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

Posted Image

Posted Image

Technical details for experts

Signs in a HijackThis log:
C:\Program Files\Content Cleaner\ContentCleaner.exe

Alterations made by the installer:
File System
  ===============
	 In the existing folder C:\Documents and Settings\{username}\Application Data
	  Adds the file ebay.ico"="01:43 30/01/10 9662 bytes
	In the existing folder C:\Documents and Settings\{username}\Desktop
	  Adds the file Content Cleaner.lnk"="15:19 30/01/10 761 bytes
	  Adds the file Shop Ebay and Save!.url"="15:19 30/01/10 146 bytes
	In the existing folder C:\Documents and Settings\{username}\Start Menu
	  Adds the file Shop Ebay and Save!.url"="15:19 30/01/10 146 bytes
	Adds the folder C:\Documents and Settings\{username}\Start Menu\Programs\Content Cleaner
	  Adds the file Uninstall.lnk"="15:19 30/01/10 555 bytes
	  Adds the file Content Cleaner.lnk"="15:19 30/01/10 773 bytes
	Adds the folder C:\Program Files\Content Cleaner
	  Adds the file uninst.exe"="15:19 30/01/10 76343 bytes
	  Adds the file RegAlert.exe"="01:43 30/01/10 151552 bytes
	  Adds the file new_Delete_animated.gif"="01:43 30/01/10 8895 bytes
	  Adds the file infected.wav"="01:43 30/01/10 136480 bytes
	  Adds the file ContentCleaner.exe"="01:43 30/01/10 4973056 bytes
	  Adds the file CCleaner.dll"="01:43 30/01/10 425472 bytes
	  Adds the file cc.lnk"="15:19 30/01/10 687 bytes
	  Adds the file aff.txt"="01:43 30/01/10 49 bytes

  Registry
  ===============
	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6]
	  "Blob"
	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36863563FD5128C7BEA6F005CFE9B43668086CCE]
	  "Blob"
<snipped list of certificates>
	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ContentCleaner.exe]
	  "(Default)"="'C:\Program Files\Content Cleaner\Content Cleaner.exe'"
	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Content Cleaner]
	  "Publisher"="'Content Cleaner'"
	  "URLInfoAbout"="'http://www.contentcleaner.com'"
	  "DisplayVersion"="'3.1.0'"
	  "DisplayIcon"="'C:\Program Files\Content Cleaner\Content Cleaner.exe'"
	  "UninstallString"="'C:\Program Files\Content Cleaner\uninst.exe'"
	  "DisplayName"="'Content Cleaner 3.1.0'"
	[HKEY_CURRENT_USER\Software\ContentCleaner]
	  "ttf"="'162'"
	  "tts"="'10182'"
	  "fthd"="'0'""
	  "sthd"="'0'""
	  "feml"="'1'""
	  "seml"="'0'""
	  "ffil"="'0'""
	  "sfil"="'0'""
	  "fmlt"="'0'""
	  "smlt"="'0'""
	  "fmso"="'0'""
	  "smso"="'0'""
	  "fins"="'0'""
	  "sins"="'0'""
	  "fint"="'140'"
	  "sint"="'9702'"
	  "fwnd"="'21'"
	  "swnd"="'480'"
	  "Scantime"="'30- 1-2010 15:19'"
	  "Poco Mail Draft folder"="'0'""
	  "Eudora Logs"="'0'""
	  "ACDSee 3 Search history"="'0'""
	  "ACDSee 3 Last opened folder"="'0'""
	  "FrontPage all"="'0'""
	  "Voice & Chat history"="'0'""
	  "ICQ5.1 Contact list"="'0'""
	  "ICQ5.1 Received files"="'0'""
	  "Paging file"="'0'""
	  "ACDSee Pro Copy & move"="'0'"
	  "History & temp files"="'0'"
	  "AOL Index"="'0'"
	  "WDS Logs"="'0'"
	  "WDS Index"="'0'"
	  "YDS Logs"="'0'"
	  "Saved searches"="'0'"
	  "YDS Index"="'0'"
	  "Dont search these items"="'0'"
	  "Tool bar search history"="'0'"
	  "Temporary folder"="'0'"
	  "Links folder"="'0'"
	  "Index and data folder"="'0'"
	  "Acrobat 7"="'0'"
	  "Acrobat 6"="'0'"
	  "Acrobat 5"="'0'"
	  "Acrobat 4"="'0'"
	  "IM Deleted mails"="'0'"
	  "History of email users"="'0'"
	  "PocoMail Trash folder"="'0'"
	  "History of email used"="'0'"
	  "Cache data"="'0'"
	  "Eduora Logs"="'1'"
	  "Temporary data"="'0'"
	  "Eudora Cache"="'0'"
	  "History of email address"="'0'"
	  "Trash folder"="'0'"
	  "Trash mails"="'0'"
	  "Deleted mails"="'1'"
	  "Last User ID"="'1'"
	  "Shortcuts"="'1'"
	  "Database folder"="'0'"
	  "Cache folder"="'0'"
	  "BitCommet Download history"="'0'"
	  "BitCommet Torrents"="'0'"
	  "Channels"="'0'"
	  "Shared files information"="'0'"
	  "Azureus Logs"="'0'"
	  "Azureus Shared files"="'0'"
	  "Azureus Download history"="'0'"
	  "Azureus Torrents"="'0'"
	  "Torrent history"="'0'"
	  "BT Logs"="'0'"
	  "BT Torrents"="'0'"
	  "Incomplete folder"="'0'"
	  "Kazaa Filters"="'0'"
	  "Search Agents"="'0'"
	  "Kazaa Search information"="'0'"
	  "Personal files"="'0'"
	  "Kazaa Recent file list"="'0'"
	  "User details information"="'0'"
	  "File transfer inforamtion"="'0'"
	  "Morpheus logs"="'0'"
	  "Morpheus Cache"="'0'"
	  "Tool Cache"="'0'"
	  "Morpheus Search history"="'0'"
	  "Recent play audio"="'0'"
	  "Recent play video"="'0'"
	  "Morpheus Torrents"="'0'"
	  "Pod casts"="'0'"
	  "Play list"="'0'"
	  "Morpheus Search information"="'0'"
	  "Partial download folder"="'0'"
	  "Morpheus Temp folder"="'0'"
	  "DivX Recent file list"="'0'"
	  "Qucik time Recent URL list"="'0'"
	  "Qucik Time Player Recent file list"="'0'"
	  "Real Player History"="'0'"
	  "VLC Cache"="'0'"
	  "Last saved folder"="'0'"
	  "Winamp Recent file list"="'0'"
	  "Windows Media Player Cache"="'0'"
	  "Windows Media Player Recent URL list"="'0'"
	  "Windows Media Player Recent file list"="'0'"
	  "ACDSee Pro Search history"="'0'"
	  "ACDSee Pro Last opened folder"="'0'"
	  "ACD See Pro Coopy & move"="'1'"
	  "ACDSee Pro Path history"="'0'"
	  "ACDSee Pro Search simple history"="'0'"
	  "ACDSee 9 Search history"="'0'"
	  "ACDSee 9 Last opened folder"="'0'"
	  "ACDSee 9 Copy & move"="'0'"
	  "ACDSee 9 Path histroy"="'0'"
	  "ACDSee 9 Search simple history"="'0'"
	  "ACDSee 8 Search history"="'0'"
	  "ACDSee 8 Last opened folder"="'0'"
	  "ACDSee 8 Copy & move"="'0'"
	  "ACDSee 8 Path history"="'0'"
	  "ACDSee 8 Search simple history"="'0'"
	  "ACDSee 7 Search history"="'0'"
	  "ACDSee 7 Last opened folder"="'0'"
	  "ACDSee 7 Copy & move"="'0'"
	  "ACDSee 7 Path history"="'0'"
	  "ACDSee 7 Search Simple history"="'0'"
	  "ACDSee 6 Search history"="'0'"
	  "ACDSee 6 Last opened folder"="'0'"
	  "ACDSee 6 Copy & move"="'0'"
	  "ACDSee 6 Path History"="'0'"
	  "ACDSee 5 Search history"="'0'"
	  "ACDSee 5 Last opened folder"="'0'"
	  "ACDSee 5 Copy & move"="'0'"
	  "ACDSee 5 Path history"="'0'"
	  "ACD See 3 Search history"="'1'"
	  "ACD See 3 Last opened folder"="'1'"
	  "ACDSee 3 Copy & move"="'0'"
	  "ACDSee 3 Path history"="'0'"
	  "Front page all"="'1'"
	  "Shared Resources Search history"="'0'"
	  "Internet server Cache"="'0'"
	  "Recent folders"="'0'"
	  "Power point 97"="'0'"
	  "Access 97"="'0'"
	  "Excel 97"="'0'"
	  "Word 97"="'0'"
	  "FrontPage 2000"="'0'"
	  "Power Point 2000"="'0'"
	  "Access 2000"="'0'"
	  "Excel 2000"="'0'"
	  "Word 2000"="'0'"
	  "FrontPage XP"="'0'"
	  "Power point XP"="'0'"
	  "Access XP"="'0'"
	  "Excel XP"="'0'"
	  "Word XP"="'0'"
	  "Saved settings"="'0'"
	  "SnapShot viewer"="'0'"
	  "Picture Manager"="'0'"
	  "Clip Organizer"="'0'"
	  "Info Path 2003"="'0'"
	  "Project 2003"="'0'"
	  "FrontPage 2003"="'0'"
	  "Publisher 2003"="'0'"
	  "Power Point 2003"="'0'"
	  "Vision 2003"="'0'"
	  "Excel 2003"="'0'"
	  "Access 2003"="'0'"
	  "Word 2003"="'0'"
	  "Gaim Chat logs"="'0'"
	  "GoolgleTalk Chat logs"="'0'"
	  "Chat log & received files"="'0'"
	  "Trillian Chat logs"="'0'"
	  "File Transfer history"="'0'"
	  "Recent Screen name"="'0'"
	  "AOL Chat history"="'0'"
	  "Program logs"="'0'"
	  "Chat & Voice history"="'0'"
	  "Yahoo Cache"="'0'"
	  "Browser Cache"="'0'"
	  "Log files"="'0'"
	  "ICQ 5.1 Chat history"="'0'"
	  "Cache & cookies"="'0'"
	  "FireFox cookies"="'0'"
	  "FireFox download history"="'0'"
	  "FireFox cache"="'0'"
	  "Saved forms history"="'0'"
	  "Browse history"="'0'"
	  "Transfer history"="'0'"
	  "Opera cookies"="'0'"
	  "Opera address bar history"="'0'"
	  "Visited sites"="'0'"
	  "Opera cache"="'0'"
	  "Saved form history"="'0'"
	  "Netscape download history"="'0'"
	  "Search history"="'0'"
	  "Netscape cookies"="'0'"
	  "Netscape address bar history"="'0'"
	  "Netscape cache"="'0'"
	  "IE Address bar history"="'0'"
	  "Download program files"="'0'"
	  "Update log files"="'0'"
	  "Saved dir memory"="'0'"
	  "Download dir memory"="'0'"
	  "Auto complete data"="'0'"
	  "Index.dat"="'0'"
	  "IE cookies"="'0'"
	  "IE Visited sites"="'0'"
	  "Temp Internet Folder"="'0'"
	  "WordPad recent history"="'1'"
	  "Last Registry key viewed"="'1'"
	  "Printer connections"="'1'"
	  "Network connections"="'1'"
	  "Paint recent file list"="'1'"
	  "Common dialog histroy"="'1'"
	  "Debug histroy"="'1'"
	  "Burn storage folder"="'1'"
	  "Memory Dump file"="'1'"
	  "Temp windows update folder"="'1'"
	  "Download temp folder"="'1'"
	  "Run command Histroy"="'1'"
	  "Win Temp folder"="'1'"
	  "Windows Log file"="'1'"
	  "Flush Recycle bin"="'1'"
	  "Temp folder"="'1'"
	  "Find Search History"="'1'"
	  "Document History"="'1'"
	  "Draft folder"="'0'"
	  "Sent folder"="'0'"
	  "IM Out folder"="'0'"
	  "PocOMail Draft folder"="'0'"
	  "Poco Mail Sent folder"="'0'"
	  "Out folder"="'0'"
	  "PocoMail Attachments"="'0'"
	  "Eudora Attachments"="'0'"
	  "Nick names used"="'0'"
	  "Edoura Out Folder"="'0'"
	  "Download news"="'0'"
	  "Unsent mails"="'0'"
	  "Draft"="'0'"
	  "Thunderbird Sent mails"="'0'"
	  "Key database"="'0'"
	  "Thunderbird Saved passwords"="'0'"
	  "Outbox mails"="'0'"
	  "Sent mails"="'0'"
	  "Reference to addins"="'0'"
	  "Dictionary"="'0'"
	  "Templates"="'0'"
	  "Stationary"="'0'"
	  "Signatures"="'0'"
	  "Macros & VBA programs"="'0'"
	  "System folders view"="'0'"
	  "Tool bar settings"="'0'"
	  "Rules wizard"="'0'"
	  "Nick names"="'0'"
	  "BitCommet Download folder"="'0'"
	  "Lime Wire Shared folder"="'0'"
	  "uTorrent Download folder"="'0'"
	  "Bit Torrent Download folder"="'0'"
	  "Kazaa Shared folder"="'0'"
	  "Morhpeus Shared folders"="'0'"
	  "Completed Download folder"="'0'"
	  "Movie folder"="'0'"
	  "Qucik time Favorites"="'0'"
	  "ACDSee Shared Favorites"="'0'"
	  "Media lib view"="'0'"
	  "Winamp Bookmarks"="'0'"
	  "ACDSee Pro Image cache"="'0'"
	  "ACDSee Pro Image Database"="'0'"
	  "ACDSee 9 Image Database"="'0'"
	  "ACDSee 8 Image Database"="'0'"
	  "ACDSee 7 Image database"="'0'"
	  "ACDSee 6 Image Database"="'0'"
	  "ACDSee 5 Image Database"="'0'"
	  "ACDSee 3 Image database"="'0'"
	  "Trillian Received files"="'0'"
	  "Skype Received files"="'0'"
	  "Voice mail history"="'0'"
	  "Received & Shared files"="'0'"
	  "ICQ1 Contact list"="'0'"
	  "ICQ1 Received files"="'0'"
	  "Pictures"="'0'"
	  "ICQ2003b Shared files"="'0'"
	  "ICQ2003b Contact list"="'0'"
	  "ICQ2003b Downloads"="'0'"
	  "ICQ2003b Book Marks"="'0'"
	  "ICQ2003b Received files"="'0'"
	  "Key passwords"="'0'"
	  "FireFox Saved passwords"="'0'"
	  "Cache and Password"="'0'"
	  "AOL Cookies"="'0'"
	  "AOL History"="'0'"
	  "Internet cache folder"="'0'"
	  "AOL Address bar history"="'0'"
	  "Address bar passcard history"="'0'"
	  "Data card history"="'0'"
	  "IE Saved passwords"="'0'"
	  "Start Page"="'0'"
	  "IE favorites"="'0'"
	  "Recent log user"="'0'"
	  "Disk Error log file"="'0'"
	  "Start Menu Order Histroy"="'0'"
	  "Start Menu Click Histroy"="'0'"
	  "di1"="'1'"
	  "di0"="'1'"
	  "di7"="'1'"
	  "di25"="'1'"
	  "di23"="'1'"
	  "di24"="'1'"
	  "di2"="'1'"
	  "di3"="'1'"
	  "di10"="'1'"
	  "di8"="'1'"
	  "di6"="'1'"

Malwarebytes' Anti-Malware log:
Malwarebytes' Anti-Malware 1.44
Database version: 3663
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/30/2010 8:32:08 PM
mbam-log-2010-01-30 (20-32-08).txt

Scan type: Quick Scan
Objects scanned: 98119
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
C:\Program Files\Content Cleaner\ContentCleaner.exe (Rogue.ContentCleaner) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Content Cleaner\CCleaner.dll (Rogue.ContentCleaner) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\content cleaner (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\ContentCleaner (Rogue.ContentCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\{username}\Start Menu\Programs\Content Cleaner (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner (Rogue.ContentCleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Content Cleaner\ContentCleaner.exe (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\CCleaner.dll (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Start Menu\Programs\Content Cleaner\Content Cleaner.lnk (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Start Menu\Programs\Content Cleaner\Uninstall.lnk (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\aff.txt (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\cc.lnk (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\infected.wav (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\new_Delete_animated.gif (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\RegAlert.exe (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\uninst.exe (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Desktop\Content Cleaner.lnk (Rogue.ContentCleaner) -> Quarantined and deleted successfully.

As mentioned before the full version of Malwarebytes' Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0

Advertisements





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.