ThreatCleaner.info is a deceptive website that masquerades as a legitimate security scanner, falsely claiming your computer is infected with viruses, malware, or other threats. This scareware tactic is designed to panic visitors into downloading questionable software or paying for unnecessary "cleanup" services. While ThreatCleaner.info itself isn't technically malware that installs on your system, it's part of a broader category of browser-based scams that can lead to real infections if you follow its instructions. Users typically land on this page through malicious redirects caused by adware already present on their machine, compromised websites, or deceptive advertisements.
The site employs convincing visual elements—fake progress bars, fabricated scan results, and urgent warning messages—to create a sense of immediate danger. Many visitors don't realize these "scans" are purely cosmetic JavaScript animations that can't actually examine your computer's contents. The real threat comes from what happens next: downloading the recommended "removal tool" (which may be a trojan or PUP), calling a fake tech support number, or providing payment information for worthless services.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Type | Browser-based scareware / Tech support scam landing page |
| Associated Families | Related to FakeAV campaigns, browser notification spam, adware-driven redirects |
| Primary Distribution | Malicious redirects from compromised sites, adware infections (particularly browser hijackers), malvertising networks, bundled PUPs |
| Target Platforms | Windows, macOS (any system with a web browser) |
| Browser Impact | Forced redirects, persistent pop-ups, fake security alerts, unwanted notifications |
| Typical Payload Goal | Drive downloads of PUPs/trojans, collect payment for fake services, harvest personal/financial data, generate affiliate revenue |
| Common Aliases | Threat Cleaner scam, ThreatCleaner[.]info pop-up, various similar domains with slight variations |
| Persistence Mechanism | The website itself doesn't persist; underlying adware uses browser extensions, scheduled tasks, registry modifications, and notification permissions |
| Artifacts (if adware present) | Unwanted browser extensions, modified shortcuts with appended URLs, notification permissions for suspicious domains, Run registry keys |
| Network Indicators | HTTP requests to threatcleaner[.]info and affiliated domains, tracking cookies, referrer chains from adware C&C servers |
| User Impact | Anxiety from fake warnings, potential financial loss, installation of actual malware if recommendations followed, privacy compromise |
| Removal Difficulty | Low to moderate—the page itself requires no removal, but the underlying adware causing redirects can be persistent |
How It Spreads
Most people encounter ThreatCleaner.info not through direct navigation but via forced redirects orchestrated by adware already lurking on their computer. This adware typically arrives bundled with free software downloads—especially from third-party download sites that repackage legitimate programs with "bonus" installations. Users rushing through installation wizards without reading each screen often inadvertently agree to install browser extensions, system optimizers, or other potentially unwanted programs that later trigger these redirects.
Malicious advertising networks (malvertising) represent another common infection vector. Legitimate websites can unknowingly serve compromised ads that execute redirect scripts when clicked—or sometimes even when simply loaded on the page. Compromised WordPress sites and outdated content management systems frequently host injected scripts that redirect visitors to scareware pages like ThreatCleaner.info. In some cases, users arrive at the site after clicking deceptive "Download" or "Play" buttons on questionable streaming, file-sharing, or adult content sites.
The scam's effectiveness relies on catching users off-guard. The sudden appearance of professional-looking security warnings, complete with your actual operating system details (gleaned from your browser's user agent string), creates an illusion of legitimacy that can fool even cautious computer users.
- Software bundling: Free utility programs, video converters, PDF tools, and download managers from third-party sites often include unwanted browser extensions or adware in their installers
- Malicious browser extensions: Extensions promising useful features (ad-blocking, coupons, video downloading) but actually injecting redirects and ads
- Compromised websites: Legitimate sites with outdated software or security vulnerabilities that have been injected with redirect scripts
- Malvertising: Malicious advertisements on otherwise legitimate sites that trigger redirects or pop-unders
- Spam email attachments: Some email campaigns deliver adware droppers disguised as invoices, shipping notifications, or document files
- Fake software updates: Pop-ups claiming your Flash Player, browser, or media codec needs updating, delivering adware instead
- Torrent and file-sharing sites: Executable files masquerading as cracks, keygens, or pirated software that install redirect-triggering adware
What It Does On Your Machine
ThreatCleaner.info itself is simply a deceptive webpage—it doesn't install files on your computer or modify your system directly. However, the adware responsible for redirecting you to this site absolutely does leave traces throughout your system. This adware typically modifies browser settings, installs unwanted extensions, and establishes persistence mechanisms to ensure you keep seeing these fake warnings. The goal is to generate revenue through forced ad impressions, affiliate commissions from software downloads, or direct payment for bogus services.
When you land on ThreatCleaner.info, you'll see what appears to be a security scan in progress, complete with animated progress bars and a growing list of "detected threats." These are entirely fabricated—JavaScript animations that display the same results for every visitor regardless of their actual system state. The site may display your IP address, approximate geographic location, operating system, and browser version to create an illusion of a genuine scan, but this information comes from standard data your browser sends with every web request, not from examining your computer's contents.
The real danger emerges when users follow the site's recommendations. Clicking the "Remove Threats" or "Clean Now" button typically triggers a download of questionable software—often a potentially unwanted program that may be bundled with actual trojans or data stealers. Some variants display fake tech support phone numbers, connecting victims to scammers who request remote access to "fix" the fabricated problems. These operators often install legitimate-looking remote access tools, then run harmless commands in the Windows Event Viewer or Task Manager while claiming to demonstrate infections, ultimately pressuring victims into paying hundreds of dollars for unnecessary "repairs."
The underlying adware that delivers these redirects operates more tangibly on your system. It modifies browser shortcuts to append command-line parameters that load specific URLs on startup. It may register scheduled tasks that periodically launch browser windows to advertising sites. Browser extensions—often with innocent-sounding names like "Helper," "Secure," or "Optimizer"—inject scripts into web pages to trigger pop-ups and redirects. Some variants modify the Windows hosts file to redirect requests for legitimate security software websites to dead ends, making cleanup more difficult.
Manual Removal — Step by Step
Disconnect from the Internet
Unplug your ethernet cable or disable Wi-Fi to prevent the adware from communicating with its command servers, downloading additional components, or triggering more pop-ups during cleanup. This also stops any remote access if you unfortunately allowed tech support scammers to connect to your system.
Boot into Safe Mode with Networking
Restart your computer and repeatedly press F8 during boot (or Shift+F8 on newer systems). Select "Safe Mode with Networking" from the menu. On Windows 10/11, you can also hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart → press 5 for Safe Mode with Networking. This prevents most adware from loading automatically.
Uninstall Suspicious Programs
Open Control Panel → Programs and Features (or Settings → Apps on Windows 10/11). Sort by "Installed On" date and look for unfamiliar programs installed around the time the redirects started. Common culprits have names like "PC Optimizer," "Browser Helper," "Driver Updater," or random strings of characters. Uninstall anything suspicious, but research the name first if you're unsure—some legitimate programs have unusual names.
Remove Malicious Browser Extensions
Check all installed browsers—Chrome, Edge, Firefox, etc. In Chrome, type chrome://extensions in the address bar; in Firefox, use about:addons; in Edge, use edge://extensions. Remove any extensions you don't recognize or didn't intentionally install. Pay special attention to extensions with vague names, no reviews, or excessive permissions. Don't forget to check all user profiles if multiple people use the computer.
Reset Browser Settings and Clear Notification Permissions
In Chrome, go to Settings → Privacy and security → Site Settings → Notifications, and remove any suspicious domains (especially threatcleaner.info and similar). Then go to Settings → Reset settings → Restore settings to their original defaults. This clears startup pages, search engines, and pinned tabs modified by adware. Repeat for all browsers. Export your bookmarks first if you want to preserve them.
Check and Fix Browser Shortcuts
Right-click browser icons on your desktop and taskbar, select Properties, and examine the Target field. It should end with the browser's .exe filename—nothing else. If you see URLs or command-line parameters appended after the .exe, delete everything after the closing quotation mark of the file path, click Apply, then OK. Repeat for all browser shortcuts.
Remove Persistence Mechanisms
Press Win+R, type msconfig, and press Enter. Go to the Startup tab (or "Open Task Manager" on Windows 10/11, then the Startup tab there). Disable any unfamiliar startup items. Next, press Win+R again, type taskschd.msc, and examine the Task Scheduler Library for suspicious scheduled tasks with names like "Update," "Optimizer," or random characters that launch programs from AppData or Program Files. Right-click and delete these tasks.
Scan with Reputable Anti-Malware Tools
Download and run Malwarebytes (the free version works fine for one-time scans) and perform a full scan. Also run a scan with your regular antivirus if you have one. Consider supplementing with AdwCleaner, specifically designed for adware and PUPs. Let these tools quarantine or remove everything they find—false positives are rare with these specific threats.
Manually Delete Remaining Folders
Navigate to C:\Users\[YourUsername]\AppData\Local and C:\Users\[YourUsername]\AppData\Roaming (you may need to enable "Show hidden files" in File Explorer's View options). Look for folders with suspicious names or random GUIDs created around the time of infection. Also check C:\Program Files and C:\Program Files (x86) for any optimization or helper programs you uninstalled that left folders behind. Delete these folders, but be cautious—when in doubt, Google the folder name first.
Reboot Normally and Verify
Restart your computer normally (not in Safe Mode) and reconnect to the internet. Open your browser and navigate to several different websites to confirm the redirects have stopped. Check that your homepage, search engine, and new tab page are what you expect. If ThreatCleaner.info or similar scareware pages still appear, repeat the process or seek professional assistance—some variants use rootkit techniques that require specialized removal tools.
Prevention
- Download software only from official sources. Avoid third-party download sites like Download.com, Softonic, or CNET, which often bundle installers with adware. Go directly to the software developer's website or use the Microsoft Store for Windows applications.
- Read installation screens carefully. Choose "Custom" or "Advanced" installation rather than "Express" or "Recommended." Uncheck any boxes offering to install additional software, browser toolbars, homepage changes, or "partner offers." Decline offers to change your default search engine or install browser extensions.
- Keep your software updated. Enable automatic updates for your operating system, browsers, and all plugins. Many infections exploit known vulnerabilities in outdated software. Consider uninstalling rarely-used plugins like Java and Flash entirely—they're major security liabilities.
- Use a reputable ad blocker. Browser extensions like uBlock Origin (not just "uBlock") block malvertising networks and many scareware sites. This won't protect against bundled adware, but it significantly reduces exposure to malicious redirects from compromised websites.
- Think before clicking. Be skeptical of urgent security warnings that appear suddenly while browsing. Legitimate antivirus software displays alerts through its own interface, not random web pages. Never call phone numbers from pop-up warnings, and never download "security software" recommended by an unexpected website.
- Review browser extensions regularly. Once per month, open your browser's extension management page and remove anything you don't actively use. Extensions can be updated with malicious code after you install them, so even previously safe extensions may become compromised.
- Run regular malware scans. Schedule weekly scans with Malwarebytes or your preferred anti-malware tool. Free versions work fine for this purpose. Supplement your traditional antivirus—adware often slips past standard AV software because it operates in a legal gray area.
- Create separate user accounts. Use a standard (non-administrator) account for daily browsing and computing. Many adware installers require administrator privileges, so UAC prompts on a standard account provide an additional barrier. Save your admin account for intentional software installations only.
Bring It In
While the steps above work for many infections, adware that drives redirects to ThreatCleaner.info sometimes employs rootkit techniques, browser hijackers that reinstall themselves, or multiple layered infections that require specialized tools. If you've followed the removal steps and still experience redirects, pop-ups, or suspicious browser behavior, professional assistance is the fastest path to a clean system. Our technicians at Computer Repair Roswell see these scareware campaigns daily and have developed efficient workflows to eliminate them completely—typically within a few hours.
We're located in Roswell, Georgia, and we service both Windows PCs and Macs. Beyond malware removal, we'll check your system for performance issues, optimize startup programs, update critical software, and configure your security settings to prevent future infections. You can reach us at (770) 879-3330 or stop by our shop during business hours. If you're uncertain whether you're infected or just saw a one-time pop-up, give us a call—we're happy to provide guidance over the phone at no charge. We'd rather answer a quick question and prevent an infection than see you after significant damage has occurred.