
CleanThis Virus - my Hijack This log


Post by adgon12 » Mon Apr 25, 2011 9:31 pm

Hi,

I'm having some problems removing the CleanThis Virus. I was able to get through Step 1 and Step 2 of the removal instructions for the CleanThis Virus on myantispyware.com. But when it came time to download Malwarebytes Anti-malware, the download became blocked. Please help me remove this virus. Your time and help are greatly appreciated! Thank you.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:22:59 PM, on 4/25/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.17037)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Users\DeE\AppData\Roaming\AntiVirus AntiSpyware 2011\AntiVirus AntiSpyware.exe
C:\Users\DeE\AppData\Roaming\AntiVirus AntiSpyware 2011\securitymanager.exe
C:\Users\DeE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Windows\system32\wuauclt.exe
C:\Users\DeE\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SfKg6wIPuSp] C:\Users\DeE\AppData\Roaming\Microsoft\Windows\jnipmo.exe
O4 - HKCU\..\Run: [GabPath] C:\Users\DeE\AppData\Roaming\GabPath\GabPath.exe
O4 - HKCU\..\Run: [AntiVirus AntiSpyware 2011] "C:\Users\DeE\AppData\Roaming\AntiVirus AntiSpyware 2011\AntiVirus AntiSpyware.exe" /STARTUP
O4 - HKCU\..\Run: [AntiVirus AntiSpyware 2011 Security] C:\Users\DeE\AppData\Roaming\AntiVirus AntiSpyware 2011\securitymanager.exe
O4 - Startup: ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe

--
End of file - 6871 bytes
adgon12
 
Posts: 2
Joined: Mon Apr 25, 2011 9:17 pm

Re: CleanThis Virus - my Hijack This log

Post by 12056 » Mon Apr 25, 2011 9:57 pm

Re-Run HijackThis and check the boxes next to:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKCU\..\Run: [SfKg6wIPuSp] C:\Users\DeE\AppData\Roaming\Microsoft\Windows\jnipmo.exe
O4 - HKCU\..\Run: [GabPath] C:\Users\DeE\AppData\Roaming\GabPath\GabPath.exe
O4 - HKCU\..\Run: [AntiVirus AntiSpyware 2011] "C:\Users\DeE\AppData\Roaming\AntiVirus AntiSpyware 2011\AntiVirus AntiSpyware.exe" /STARTUP
O4 - HKCU\..\Run: [AntiVirus AntiSpyware 2011 Security] C:\Users\DeE\AppData\Roaming\AntiVirus AntiSpyware 2011\securitymanager.exe


Then click "Remove Checked Items", and allow HJT time to remove the threats from the registry.
Restart Your Computer.

The infection should be disabled, but we need to scan for hidden threats:

1. Download SuperAntiSpyware from here.
2. During the Install Process, it will ask to submit a diagnostic report, please allow it to do so!
3. Update it to the latest signature version, and Perform a "Quick Scan"
4. Remove Any Infections it finds.

5. Locate the log file (Preferences -> "Statistics and Logs").
6. Post the log file contents for my review.
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: CleanThis Virus - my Hijack This log

Post by adgon12 » Wed Apr 27, 2011 2:06 am

Thank you so much! Followed your steps and so far looks like the virus is gone :)

Here is the log you asked for:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2011 at 04:52 PM

Application Version : 4.51.1000

Core Rules Database Version : 6930
Trace Rules Database Version: 4742

Scan type : Quick Scan
Total Scan Time : 00:51:37

Memory items scanned : 590
Memory threats detected : 0
Registry items scanned : 2243
Registry threats detected : 1
File items scanned : 23924
File threats detected : 62

Adware.Tracking Cookie
C:\Users\DeE\AppData\Roaming\Microsoft\Windows\Cookies\dee@questionmarket[2].txt
C:\Users\DeE\AppData\Roaming\Microsoft\Windows\Cookies\dee@msnportal.112.2o7[1].txt
C:\Users\DeE\AppData\Roaming\Microsoft\Windows\Cookies\dee@ad.adparatus[1].txt
C:\Users\DeE\AppData\Roaming\Microsoft\Windows\Cookies\dee@mediatraffic[2].txt
C:\Users\DeE\AppData\Roaming\Microsoft\Windows\Cookies\dee@atdmt[2].txt
C:\Users\DeE\AppData\Roaming\Microsoft\Windows\Cookies\dee@doubleclick[1].txt
C:\Users\DeE\AppData\Roaming\Microsoft\Windows\Cookies\dee@www.windowsmedia[2].txt
a.ads2.msads.net [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
a.media.abcfamily.go.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
adimages.scrippsnetworks.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
ads2.msads.net [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
b.ads2.msads.net [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
bc.youporn.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
cdn.insights.gravity.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
cdn1.image.freeporn.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
cdn1.pics.mofosex.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
cdn4.specificclick.net [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
core.insightexpressai.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
ia.media-imdb.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
media.mtvnservices.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
media.scanscout.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
media1.break.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
media1.spinletslab.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
msnbcmedia.msn.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
msntest.serving-sys.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
po*n.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
s0.2mdn.net [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
secure-us.imrworldwide.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
spe.atdmt.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
static.sunporno.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
static.youporn.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
vidego.multicastmedia.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
www.naiadsystems.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
www.po*n.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
www.po*n.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
www.po*n.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
www.po*n.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]
wwwstatic.megaporn.com [ C:\Users\DeE\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\52RVK4VF ]

Malware.Trace
HKU\S-1-5-21-4272875943-764085013-169038176-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Rogue.AntivirusStudio
C:\Users\DeE\LOCAL SETTINGS\TEMP\JKFUCKFU.EXE
C:\Users\DeE\LOCAL SETTINGS\TEMP\DESTROYER.EXE
C:\Users\DeE\LOCAL SETTINGS\TEMP\DFFUCK.EXE
C:\Users\DeE\LOCAL SETTINGS\TEMP\COCKSUCKER.EXE
C:\Users\DeE\LOCAL SETTINGS\TEMP\COSOCK.EXE

Rogue.MSE-Fraud
C:\Users\DeE\AppData\Roaming\install
C:\Users\DeE\AppData\Roaming\completescan

Rogue.AntiVirusAntiSpyware2011
C:\Users\DeE\AppData\Roaming\ANTIVIRUS ANTISPYWARE 2011\AntiVirus AntiSpyware.exe
C:\Users\DeE\AppData\Roaming\ANTIVIRUS ANTISPYWARE 2011\IcoActivate.ico
C:\Users\DeE\AppData\Roaming\ANTIVIRUS ANTISPYWARE 2011\IcoHelp.ico
C:\Users\DeE\AppData\Roaming\ANTIVIRUS ANTISPYWARE 2011\IcoMain.ico
C:\Users\DeE\AppData\Roaming\ANTIVIRUS ANTISPYWARE 2011\IcoUninstall.ico
C:\Users\DeE\AppData\Roaming\ANTIVIRUS ANTISPYWARE 2011\securityhelper.exe
C:\Users\DeE\AppData\Roaming\ANTIVIRUS ANTISPYWARE 2011\securitymanager.exe
C:\Users\DeE\AppData\Roaming\ANTIVIRUS ANTISPYWARE 2011
C:\USERS\DEE\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\ANTIVIRUS ANTISPYWARE 2011.LNK
C:\USERS\DEE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ANTIVIRUS ANTISPYWARE 2011\ACTIVATE ANTIVIRUS ANTISPYWARE 2011.LNK
C:\USERS\DEE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ANTIVIRUS ANTISPYWARE 2011\ANTIVIRUS ANTISPYWARE 2011.LNK
C:\USERS\DEE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ANTIVIRUS ANTISPYWARE 2011.LNK
C:\USERS\DEE\DESKTOP\ANTIVIRUS ANTISPYWARE 2011.LNK
C:\Windows\Prefetch\ANTIVIRUS ANTISPYWARE.EXE-64D394B7.pf

Trojan.Agent/Gen-Krpytik
C:\DISNEY\CSDEMO\PMPRO62F.DLL
C:\DISNEY\TOYSTORY\PMPRO62F.DLL

Re: CleanThis Virus - my Hijack This log

Post by 12056 » Wed Apr 27, 2011 2:33 am

Glad I could be of assistance! :)
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator

