What is Content Cleaner?
The Malwarebytes research team has determined that Content Cleaner is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue. You are strongly advised to follow our removal instructions below.
How do I know if I am infected with Content Cleaner?
This is how the main screen of the rogue application looks:
You will find these icons on your desktop and in your taskbar:
And you will see warnings like these:
How did Content Cleaner get on my computer?
Rogue programs use different methods for spreading themselves. This particular one was downloaded from their site.
How do I remove Content Cleaner?
Our program Malwarebytes' Anti-Malware can detect and remove this rogue application.
- Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
  - Update Malwarebytes' Anti-Malware
  - Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected. Reboot your computer if prompted.
- When completed, a log will open in Notepad. The rogue application should now be gone.
Is there anything else I need to do to get rid of Content Cleaner?
- The shortcut called Shop eBay and save! on the desktop can be deleted if it belonged to the rogue.
How would the full version of Malwarebytes' Anti-Malware help protect me?
We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, please consider purchasing the FULL version of Malwarebytes' Anti-Malware for additional protection.
As you can see below, the full version of Malwarebytes' Anti-Malware would have protected you against the Content Cleaner rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it was too late.
Technical details for experts
Signs in a HijackThis log:
C:\Program Files\Content Cleaner\ContentCleaner.exe
Alterations made by the installer:
File System
===============
In the existing folder C:\Documents and Settings\{username}\Application Data
Adds the file ebay.ico"="01:43 30/01/10 9662 bytes

In the existing folder C:\Documents and Settings\{username}\Desktop
Adds the file Content Cleaner.lnk"="15:19 30/01/10 761 bytes
Adds the file Shop Ebay and Save!.url"="15:19 30/01/10 146 bytes

In the existing folder C:\Documents and Settings\{username}\Start Menu
Adds the file Shop Ebay and Save!.url"="15:19 30/01/10 146 bytes

Adds the folder C:\Documents and Settings\{username}\Start Menu\Programs\Content Cleaner
Adds the file Uninstall.lnk"="15:19 30/01/10 555 bytes
Adds the file Content Cleaner.lnk"="15:19 30/01/10 773 bytes

Adds the folder C:\Program Files\Content Cleaner
Adds the file uninst.exe"="15:19 30/01/10 76343 bytes
Adds the file RegAlert.exe"="01:43 30/01/10 151552 bytes
Adds the file new_Delete_animated.gif"="01:43 30/01/10 8895 bytes
Adds the file infected.wav"="01:43 30/01/10 136480 bytes
Adds the file ContentCleaner.exe"="01:43 30/01/10 4973056 bytes
Adds the file CCleaner.dll"="01:43 30/01/10 425472 bytes
Adds the file cc.lnk"="15:19 30/01/10 687 bytes
Adds the file aff.txt"="01:43 30/01/10 49 bytes

Registry
===============
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6]
"Blob"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36863563FD5128C7BEA6F005CFE9B43668086CCE]
"Blob"

<snipped list of certificates>

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ContentCleaner.exe]
"(Default)"="'C:\Program Files\Content Cleaner\Content Cleaner.exe'"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Content Cleaner]
"Publisher"="'Content Cleaner'"
"URLInfoAbout"="'http://www.contentcleaner.com'"
"DisplayVersion"="'3.1.0'"
"DisplayIcon"="'C:\Program Files\Content Cleaner\Content Cleaner.exe'"
"UninstallString"="'C:\Program Files\Content Cleaner\uninst.exe'"
"DisplayName"="'Content Cleaner 3.1.0'"

[HKEY_CURRENT_USER\Software\ContentCleaner]
Malwarebytes' Anti-Malware log:
Malwarebytes' Anti-Malware 1.44
Database version: 3663
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/30/2010 8:32:08 PM
mbam-log-2010-01-30 (20-32-08).txt

Scan type: Quick Scan
Objects scanned: 98119
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
C:\Program Files\Content Cleaner\ContentCleaner.exe (Rogue.ContentCleaner) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Content Cleaner\CCleaner.dll (Rogue.ContentCleaner) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\content cleaner (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\ContentCleaner (Rogue.ContentCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\{username}\Start Menu\Programs\Content Cleaner (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner (Rogue.ContentCleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Content Cleaner\ContentCleaner.exe (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\CCleaner.dll (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Start Menu\Programs\Content Cleaner\Content Cleaner.lnk (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Start Menu\Programs\Content Cleaner\Uninstall.lnk (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\aff.txt (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\cc.lnk (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\infected.wav (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\new_Delete_animated.gif (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\RegAlert.exe (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\uninst.exe (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Desktop\Content Cleaner.lnk (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
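For triage across several machines, a scan log like the one above can be parsed into records so that items still pending (such as the "Delete on reboot" module) stand out. This Python parser is an added example, not part of the original guide or of Malwarebytes' own tooling; it assumes the log file has one item per line, and the function names and the shortened sample are constructed for illustration.

```python
import re
from collections import Counter

# Detail line: "<object> (<detection name>) -> <action taken>."
ENTRY = re.compile(r"^(?P<object>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# "Files Infected: 11" is a summary count; "Files Infected:" opens the item list.
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:\s*(?P<count>\d+)?$")

def parse_mbam_log(text):
    """Return (summary_counts, detections) for a line-per-item MBAM text log."""
    counts, detections, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            if header["count"] is not None:      # summary block near the top
                counts[header["section"]] = int(header["count"])
                section = None
            else:                                # start of an itemised block
                section = header["section"]
            continue
        entry = ENTRY.match(line)
        if section and entry:                    # skips "(No malicious items detected)"
            detections.append({"section": section, **entry.groupdict()})
    return counts, detections

def pending(detections):
    """Items not yet removed, e.g. 'Delete on reboot' for a loaded module."""
    return [d for d in detections if "successfully" not in d["action"].lower()]

def count_mismatches(counts, detections):
    """Sections whose itemised entries disagree with the summary count."""
    found = Counter(d["section"] for d in detections)
    return {s: (n, found[s]) for s, n in counts.items() if n != found[s]}

# Constructed sample: shortened from the log on this page, counts adjusted to match.
SAMPLE_LOG = r"""
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Values Infected: 0
Files Infected: 2
Memory Processes Infected:
C:\Program Files\Content Cleaner\ContentCleaner.exe (Rogue.ContentCleaner) -> Unloaded process successfully.
Memory Modules Infected:
C:\Program Files\Content Cleaner\CCleaner.dll (Rogue.ContentCleaner) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Content Cleaner\ContentCleaner.exe (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
C:\Program Files\Content Cleaner\RegAlert.exe (Rogue.ContentCleaner) -> Quarantined and deleted successfully.
"""
```

A non-empty result from `pending()` means the cleanup is not finished until the machine has been rebooted; a non-empty result from `count_mismatches()` points to a truncated or edited log.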
As mentioned before, the full version of Malwarebytes' Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention