Infected with pum.hijack.startmenu


Hello babaloo, and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

Download aswMBR.exe to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click save log, save it to your desktop and post it in your next reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.27.05

Windows XP Service Pack 2 x86 NTFS

Internet Explorer 8.0.6001.18702

Jerry :: HOMEDVR [administrator]

7/27/2012 8:43:04 AM

mbam-log-2012-07-27 (08-43-04).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 204261

Time elapsed: 7 minute(s), 9 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-07-27 09:28:04

-----------------------------

09:28:04.381 OS Version: Windows 5.1.2600 Service Pack 2

09:28:04.381 Number of processors: 1 586 0x207

09:28:04.381 ComputerName: HOMEDVR UserName: Jerry

09:28:05.475 Initialize success

09:30:22.459 AVAST engine defs: 12072700

09:31:02.084 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5

09:31:02.084 Disk 0 Vendor: WDC_WD800JD-60LSA0 07.01D07 Size: 76319MB BusType: 3

09:31:02.084 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-10

09:31:02.084 Disk 1 Vendor: Hitachi_HDS721010KLA330 GKAOA70M Size: 953869MB BusType: 3

09:31:02.100 Disk 0 MBR read successfully

09:31:02.100 Disk 0 MBR scan

09:31:02.147 Disk 0 Windows XP default MBR code

09:31:02.147 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63

09:31:02.162 Disk 0 scanning sectors +156280320

09:31:02.240 Disk 0 scanning C:\WINDOWS\system32\drivers

09:31:15.803 Service scanning

09:31:32.193 Modules scanning

09:31:37.678 Disk 0 trace - called modules:

09:31:38.193 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS

09:31:38.193 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8677dab8]

09:31:38.193 3 CLASSPNP.SYS[f78a405b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x867944e8]

09:31:38.365 AVAST engine scan C:\WINDOWS

09:31:45.053 AVAST engine scan C:\WINDOWS\system32

09:33:38.756 AVAST engine scan C:\WINDOWS\system32\drivers

09:33:54.240 AVAST engine scan C:\Documents and Settings\Jerry

09:42:22.975 AVAST engine scan C:\Documents and Settings\All Users

09:43:32.100 Scan finished successfully

09:45:13.928 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jerry\Desktop\MBR.dat"

09:45:13.928 The log file has been saved successfully to "C:\Documents and Settings\Jerry\Desktop\aswMBR.txt"

From what I've read, I guess there could be items (folders, files) hidden now? The only thing I noticed so far missing is an icon in the system tray for SUPERAntiSpyware, but then I haven't rebooted yet either...

Yes, and I want to check this:

Please download unhide.exe from here and save it to your Desktop. Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run. When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt.

Unhide by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Unhide.exe can be found at this link:

http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 07/27/2012 01:26:44 PM

Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the A:\ drive

Finished processing the A:\ drive. 0 files processed.

Processing the C:\ drive

Finished processing the C:\ drive. 45058 files processed.

Processing the F:\ drive

Finished processing the F:\ drive. 24320 files processed.

The C:\DOCUME~1\Jerry\LOCALS~1\Temp\smtmp\ folder does not exist!!

Unhide cannot restore your missing shortcuts!!

Please see this topic in order to learn how to restore default

Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.

- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

* Start_ShowMyMusic was set to 0! It was set back to 1!

* Start_ShowMyPics was set to 0! It was set back to 1!

Restarting Explorer.exe in order to apply changes.

Program finished at: 07/27/2012 01:29:00 PM

Execution time: 0 hours(s), 2 minute(s), and 16 second(s)

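As an added example (not from this thread or from the Unhide tool), the PowerShell script below audits the same Explorer Start-menu toggles the Unhide log above reports (Start_ShowMyMusic, Start_ShowMyPics) and, only when run with -Restore, sets them back to the default of 1; it assumes Windows PowerShell is available on the machine, and the Start_Show* names beyond the two in the log are an assumed list.

```powershell
# Added example, not from the thread or the Unhide tool: audit the Explorer Start-menu
# toggles that a PUM.Hijack.StartMenu-style change flips to 0 (the Unhide log shows
# Start_ShowMyMusic and Start_ShowMyPics), and restore them to 1 only when -Restore is given.
# Also lists whatever is set under the two policies\Explorer keys the log checks, for review.
# Assumes Windows PowerShell is available; the extra Start_Show* names are an assumed list.
param([switch]$Restore)

$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Start menu visibility toggles; 1 = shown (default), 0 = hidden by the hijack.
$StartToggles = @(
    'Start_ShowMyMusic', 'Start_ShowMyPics',            # named in the Unhide log
    'Start_ShowMyDocs', 'Start_ShowMyComputer',         # assumed additional XP toggles
    'Start_ShowControlPanel', 'Start_ShowRun', 'Start_ShowSearch', 'Start_ShowHelp'
)

function Test-StartMenuToggles {
    # Returns one record per toggle that is present in the key and not set to 1.
    $props = Get-ItemProperty -Path $Advanced -ErrorAction SilentlyContinue
    if ($null -eq $props) { return }
    foreach ($name in $StartToggles) {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 1) {
            New-Object PSObject -Property @{ Key = $Advanced; Name = $name; Value = $value }
        }
    }
}

function Repair-StartMenuToggles {
    param([Parameter(ValueFromPipeline = $true)]$Finding)
    process {
        # Set the toggle back to the default of 1, which is what Unhide reports doing.
        Set-ItemProperty -Path $Finding.Key -Name $Finding.Name -Value 1 -Type DWord
        Write-Output ("{0} was {1}; set back to 1" -f $Finding.Name, $Finding.Value)
    }
}

$findings = @(Test-StartMenuToggles)
if ($findings.Count -eq 0) {
    Write-Output "All Start_Show* toggles present are set to 1."
} else {
    $findings | Format-Table Name, Value, Key -AutoSize
    if ($Restore) { $findings | Repair-StartMenuToggles }
}

# Policies\Explorer can hide Start menu items and desktop elements system-wide; list what is
# there so it can be compared against what the administrator actually configured.
foreach ($key in $PolicyKeys) {
    if (Test-Path $key) {
        Write-Output "Values under $key :"
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    }
}
```

As in the Unhide log, Explorer has to be restarted (or the user logged off and on) before restored toggles show in the Start menu.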
Looks good! :)

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Maniac,

I downloaded & ran COMBOFIX, but wasn't right there watching it. Anyway, it appears a reboot happened (not exactly sure) because there was no longer a COMBOFIX window, and the SUPERAntiSpyware app was showing in the system tray (wasn't there before).

Viewing from Windows Explorer, there is what appears to be a link in the C: drive to "My Computer" called Combofix (see uploaded screenshot), because if I expand it, I see everything in "My Computer".

There is not a combofix.txt in the root of C:, but I did find a hidden directory C:\Combofix that had one. Posting the contents of that here:

ComboFix 12-07-27.03 - Jerry 07/28/2012 11:38:12.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.587 [GMT -4:00]

Running from: C:\Documents and Settings\Jerry\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

That's it. I was thinking that maybe there was a reboot during the Combofix run before it completed. I have not tried running it again yet - waiting on your direction.

Are you sure this is the entire log?

ComboFix 12-07-27.03 - Jerry 07/28/2012 11:38:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.587 [GMT -4:00]
Running from: C:\Documents and Settings\Jerry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

Finally tried it again in normal Windows mode (not safe mode) and got it to work. Here's the log file:

ComboFix 12-07-31.06 - Jerry 08/03/2012 19:43:48.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.709 [GMT -4:00]

Running from: c:\documents and settings\Jerry\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\5.tmp

c:\windows\dasetup.log

c:\windows\system32\dllcache\wmpvis.dll

c:\windows\system32\msssc.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-07-03 to 2012-08-03 )))))))))))))))))))))))))))))))

.

.

2012-07-26 00:45 . 2012-07-26 00:45 -------- d-----w- c:\documents and settings\Jerry\Application Data\Malwarebytes

2012-07-26 00:45 . 2012-07-26 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-07-26 00:45 . 2012-07-26 00:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-26 00:45 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-10 03:54 . 2012-07-10 03:54 -------- d-----w- c:\program files\MSECache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-17 12:29 . 2012-05-18 13:05 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-17 12:29 . 2011-12-26 22:32 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-30 39408]

"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2003-05-14 36942]

"ATI Launchpad"="c:\program files\ATI Multimedia\main\LaunchPd.exe" [2003-05-14 106574]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-24 3905408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]

"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-29 323584]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/w...0&ver=10.0.1325" [?]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5900:TCP"= 5900:TCP:VNC

"5800:TCP"= 5800:TCP:VNC HTTP

.

R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 4:32 AM 31952]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 235216]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 7:54 AM 301248]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [7/4/2012 5:25 PM 5160568]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 12:56 AM 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 12:56 AM 135664]

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 04:56]

.

2012-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 04:56]

.

2012-07-27 c:\windows\Tasks\restart.job

- C:\restart.bat [2010-02-07 18:05]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

TCP: DhcpNameServer = 192.168.10.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-03 19:50

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(896)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2012-08-03 19:52:19

ComboFix-quarantined-files.txt 2012-08-03 23:52

ComboFix2.txt 2012-07-28 15:38

.

Pre-Run: 31,580,348,416 bytes free

Post-Run: 32,078,589,952 bytes free

.

- - End Of File - - 93431BF061085CA37136F89FE4672DF2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Nothing found! :D

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.04.04

Windows XP Service Pack 2 x86 NTFS

Internet Explorer 8.0.6001.18702

Jerry :: HOMEDVR [administrator]

8/4/2012 10:33:11 AM

mbam-log-2012-08-04 (10-33-11).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 191309

Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
