pum.hijack infection

[Will_Raleigh]

My computer was infected today by this malware.

I ran malware bytes and it found the following items:

Registry Values Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|GpsloETRwVekmjv.exe (Trojan.FakeAlert.3CH) -> Data: C:\Documents and Settings\All Users\Application Data\GpsloETRwVekmjv.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 6

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Documents and Settings\All Users\Application Data\GpsloETRwVekmjv.exe (Trojan.FakeAlert.3CH) -> Delete on reboot.

A further scan has come up clean but I am still missing icons in my start menu folders and I seem to have lost my recycle bin as well as the icons above the programs in the start menu, such as windows update. I was able to unhide most of the files and folders but the rest of them are still "missing". Any help you could render would be very much appreciated.

Thank you

P.S. Avast did not pick this up and it was fully up to date.

dds.txt

attach.txt

[MrCharlie]

Welcome to the forum.

Run "unhide" and see if that brings back any missing items:

http://www.bleepingcomputer.com/forums/topic405109.html

--------------------------

Then.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[Will_Raleigh]

Unhide has put the files back into there proper place. Thank you for that.

I still seem to be missing my recycling bin, maybe it got recycled? heh

RKreport1.txt

[MrCharlie]

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

[Will_Raleigh]

After downloading tdskiller, I double clicked on it and nothing happens. No install wizard or pop-ups like are shown in your post.

[MrCharlie]

Delete your copy and download a fresh one....

Try it in safe mode and/or rename it to abc.exe, abc.com or abc.scr

explorer.exe or .com or.scr.

let me know, MrC

[Will_Raleigh]

I've rebooted and tried again normally. I've also tried running it from safe mode and renaming it.

In safe mode it will ask me if I want to run it or cancel, I choose run and then nothing happens.

[MrCharlie]

Try this................

Delete any TDSSKiller you have now.

Download a fresh copy to your desktop

Cut and paste TDSSKill.exe into Malwarebytes Chameleon folder:

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

Install the Chameleon driver by doing the following:

Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.

"%programfiles%\Malwarebytes' Anti-Malware\Chameleon/mbam-chameleon.com" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do until the Dos prompt disappears.

Execute TDSSKiller.exe by doubleclicking on it in the Chameleon folder.

See if it runs.

Let me know, MrC

[Will_Raleigh]

Ok that worked. It found something in my MBR. It says it can not cure the MBR and asks to write a standard boot code.

I clicked no because Im not sure if this should be done. It also said I'd need to reinstall any custom boot loaders. But I don't have anything like that as all I have instaled is windows XP.

TDSSKiller.2.7.48.0_26.07.2012_13.37.29_log.txt

[MrCharlie]

You have no choice, run TDSSKiller again and let it do what it wants to the MBR.

MrC

[Will_Raleigh]

Ok done. Here is the new .txt file.

No recycling bin though.

TDSSKiller.2.7.48.0_26.07.2012_13.54.39_log.txt

[MrCharlie]

Next...................

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[Will_Raleigh]

As per your instructions, here is the log from Combofix.

Still no recycle bin, I'm beginning to think its being held hostage.

log.txt

[MrCharlie]

Download and run this file:

http://go.microsoft....?linkid=9643543

See if it restores the bin, MrC

[Will_Raleigh]

Thank you very much. It's back.

[MrCharlie]

Good.....

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[Will_Raleigh]

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.28.07

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 7.0.5730.13

Raleigh :: KEEP [administrator]

Protection: Enabled

7/28/2012 8:44:55 PM

mbam-log-2012-07-28 (20-44-55).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 245990

Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

[MrCharlie]

Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!