The Emsi Software malware research team has discoverd a new outbreak of the CleanUP Antivirus adware. a-squared Anti-Malware detects this malware as Adware.Win32.CleanUPAntivirus.

CleanUP Antivirus is a rogue security software that show false warning messages and show misleading scan results. It will start automatically when your computer starts. The installer will also create numerous harmless files on your computer, usually at Recent folder, that are used to impersonate malware files. Once the program is running it will scan your computer and then display these files as infections, but will not allow you to remove them until you purchase the program.

Create new files:

• %AllUsersProfile%\Application Data\58969\CUf4c.exe
• %AllUsersProfile%\Application Data\58969\CUA.ico
• %AllUsersProfile%\Application Data\CUQKWA\CUZNJUENEA.cfg
• %UserProfile%\Application Data\CleanUp Antivirus\Instructions.ini
• %UserProfile%\Application Data\CleanUp Antivirus\cookies.sqlite
• %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\CleanUp Antivirus.lnk
• %UserProfile%\Desktop\CleanUp Antivirus.lnk
• %UserProfile%\Start Menu\CleanUp Antivirus.lnk
• %UserProfile%\Start Menu\Programs\CleanUp Antivirus.lnk

Create new registry entries:

• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AdwarePrj.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\agent.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AlphaAV
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AlphaAV.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Anti-Virus Professional.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntispywarXP2009.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusPlus
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusPlus.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusPro_2010.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusXP
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntivirusXP.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\antivirusxppro2009.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AntiVirus_Pro.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\av360.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\AVCare.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\brastk.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Cl.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\csc.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\dop.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\frmwrk32.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\gav.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\gbn976rl.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\homeav2010.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\init32.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\MalwareRemoval.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ozn695m5.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pav.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pc.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsAuxs.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsGui.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsSvc.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pctsTray.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\PC_Antispyware2010.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\pdfndr.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\PerAvir.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\personalguard
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\personalguard.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\protector.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\qh.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Quick Heal.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\QuickHealCleaner.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\rwg
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\rwg.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SafetyKeeper.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Save.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SaveArmor.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SaveDefense.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SaveKeep.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Secure Veteran.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\secureveteran.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Security Center.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SecurityFighter.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\securitysoldier.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\smart.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\smartprotector.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\smrtdefp.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\SoftSafeness.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\spywarexpguard.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\tapinstall.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\TrustWarrior.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\tsc.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\W3asbas.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\winav.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\windll32.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\windows Police Pro.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\xpdeluxe.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\xp_antispyware.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\~1.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\~2.exe
• HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run, “CleanUp Antivirus

Modify hosts file:

• 127.0.0.1       localhost
• 74.125.45.100 4-open-davinci.com
• 74.125.45.100 securitysoftwarepayments.com
• 74.125.45.100 privatesecuredpayments.com
• 74.125.45.100 secure.privatesecuredpayments.com
• 74.125.45.100 getantivirusplusnow.com
• 74.125.45.100 secure-plus-payments.com
• 74.125.45.100 www.getantivirusplusnow.com
• 74.125.45.100 www.secure-plus-payments.com
• 74.125.45.100 www.getavplusnow.com
• 74.125.45.100 safebrowsing-cache.google.com
• 74.125.45.100 urs.microsoft.com
• 74.125.45.100 www.securesoftwarebill.com
• 74.125.45.100 secure.paysecuresystem.com
• 74.125.45.100 paysoftbillsolution.com
• 74.125.45.100 protected.maxisoftwaremart.com

Screenshots:

How to remove the infection of CleanUP Antivirus (Adware.Win32.CleanUPAntivirus)?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.