BleepingComputer.com: Multiple Infections - Regular Partition infected with "PUM.Hijack.StartMenu" - Recovery Partition infected with "TR/Drop.daws.jju"

Multiple Infections - Regular Partition infected with "PUM.Hijack.StartMenu" - Recovery Partition infected with "TR/Drop.daws.jju" 2 more infections detected on external hard

#1 notinfallible (Member, 74 posts, joined 03-April 11)

Posted 10 February 2012 - 02:03 PM

Hello, I have a Gateway desktop computer with Windows XP SP3, Internet Explorer 8, 2GB RAM, and a 600GB hard drive.

Avira Free Antivirus detected TR/Drop.daws.juu in my recovery partition (D:\) yesterday. MBAM detected PUM.Hijack.StartMenu on my regular partition.

I removed these infections and proceeded to back up some files to my external hard drive. While doing so, Avira detected TR/Keygen.AQ.19 and TR/Tool.Keygen.517 in the "system volume information" folder on my external hard drive. I removed these as well.

Lately I've noticed that my computer would behave strangely, but most of the behavior is so subtle that it's hard to describe it properly. Every now and then a process named mme.exe would show up in the Task Manager. I did a little bit of digging and everything I found suggested that it is malicious.

I am usually able to resolve stuff like this on my own, but this time I'm getting nowhere. I have never had an infection on anything other than the partition that my operating system is installed on. I am in need of your help badly.

Thank you for your time, here are the logs.

-----------------------------------------------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 5:50:25 on 2012-02-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1348 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 192.168.*.*
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
TCP: Interfaces\{3ACF436A-DFE5-4721-BE76-2B496858409A} : DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-20 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-20 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-11-20 74640]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys --> c:\windows\system32\drivers\motfilt.sys [?]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys --> c:\windows\system32\drivers\motoandroid.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\motousbnet.sys --> c:\windows\system32\drivers\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys --> c:\windows\system32\drivers\motusbdevice.sys [?]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
S4 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-20 86224]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-11-21 79360]
.
=============== Created Last 30 ================
.
2012-02-10 09:03:55 -------- d-----w- C:\MGtools
2012-02-10 08:38:45 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-10 02:28:04 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-10 02:28:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-10 02:09:47 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2012-02-10 02:08:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-10 02:08:33 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-02-10 01:56:46 1665139 ----a-w- C:\MGtools.exe
2012-02-10 01:34:46 388096 ----a-r- c:\documents and settings\owner\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-02-10 01:34:45 -------- d-----w- c:\program files\Trend Micro
2012-02-10 00:34:33 -------- d-----w- c:\documents and settings\all users\application data\Propellerhead Software
2012-02-10 00:34:31 -------- d-----w- c:\documents and settings\owner\application data\Propellerhead Software
2012-02-09 15:56:59 -------- d--h--w- c:\windows\PIF
2012-02-09 15:52:28 -------- d-----w- c:\program files\MSECACHE
2012-02-09 15:20:31 -------- d-----w- c:\program files\Western Digital Corporation
2012-02-09 12:00:26 -------- d-----w- C:\2011.2
2012-02-09 08:47:15 -------- d-----w- c:\program files\Foxit Software
2012-02-09 07:29:29 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2012-02-09 07:29:29 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2012-02-09 07:28:00 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2012-02-09 02:28:20 839680 ----a-w- c:\windows\system32\lameACM.acm
2012-02-09 02:28:20 650752 ----a-w- c:\windows\system32\xvidcore.dll
2012-02-09 02:28:20 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2012-02-09 02:28:20 216064 ----a-w- c:\windows\system32\lagarith.dll
2012-02-09 02:28:19 175616 ----a-w- c:\windows\system32\unrar.dll
2012-02-09 02:28:19 151552 ----a-w- c:\windows\system32\ac3acm.acm
2012-02-09 02:28:16 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-02-09 02:28:14 -------- d-----w- c:\program files\K-Lite Codec Pack
2012-02-07 11:24:30 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2012-02-07 08:13:56 -------- d-----w- c:\program files\Lavasoft
2012-02-06 22:46:32 -------- d-----w- c:\documents and settings\all users\application data\Nero
2012-02-06 04:25:40 -------- d-----w- c:\program files\SecurityXploded
2012-02-05 19:05:34 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-02-05 19:05:30 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-02-05 19:05:29 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-02-05 19:05:25 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-02-05 19:05:21 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-02-05 19:05:07 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2012-02-05 19:05:03 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-02-05 19:05:01 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-02-05 19:03:59 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2012-02-05 19:02:56 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2012-02-05 19:01:56 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2012-02-05 19:00:57 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2012-02-05 18:59:59 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2012-02-05 18:58:54 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys
2012-02-05 18:57:55 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2012-02-05 18:57:49 157696 -c--a-w- c:\windows\system32\dllcache\sisv256.dll
2012-02-05 18:57:43 50432 -c--a-w- c:\windows\system32\dllcache\sisv.sys
2012-02-05 18:57:42 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys
2012-02-05 18:57:36 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2012-02-05 18:57:30 104064 -c--a-w- c:\windows\system32\dllcache\sisgrp.sys
2012-02-05 18:57:25 150144 -c--a-w- c:\windows\system32\dllcache\sis6306v.dll
2012-02-05 18:57:19 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2012-02-05 18:57:13 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2012-02-05 18:57:08 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys
2012-02-05 18:57:07 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2012-02-05 18:56:58 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2012-02-05 18:56:53 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2012-02-05 18:56:47 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2012-02-05 18:56:41 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2012-02-05 18:56:36 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2012-02-05 18:56:29 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2012-02-05 18:56:24 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2012-02-05 18:56:19 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2012-02-05 18:56:12 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2012-02-05 18:56:11 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2012-02-05 18:56:05 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2012-02-05 18:56:04 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2012-02-05 18:54:59 65664 -c--a-w- c:\windows\system32\dllcache\s3legacy.sys
2012-02-05 18:53:57 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2012-02-05 18:52:57 16384 -c--a-w- c:\windows\system32\dllcache\philcam1.dll
2012-02-05 18:51:59 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2012-02-05 18:50:55 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2012-02-05 18:49:58 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2012-02-05 18:48:56 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2012-02-05 18:47:59 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2012-02-05 18:46:59 59904 -c--a-w- c:\windows\system32\dllcache\imkrinst.exe
2012-02-05 18:45:59 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2012-02-05 18:44:58 123392 -c--a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2012-02-05 18:43:58 43520 -c--a-w- c:\windows\system32\dllcache\EXCH_fcachdll.dll
2012-02-05 18:42:59 7296 -c--a-w- c:\windows\system32\dllcache\elmsmc.sys
2012-02-05 18:41:59 103044 -c--a-w- c:\windows\system32\dllcache\digidxb.sys
2012-02-05 18:40:59 3712 -c--a-w- c:\windows\system32\dllcache\ctljystk.sys
2012-02-05 18:39:58 74240 -c--a-w- c:\windows\system32\dllcache\camexo20.dll
2012-02-05 18:38:58 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2012-02-05 18:37:55 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-02-05 18:37:48 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2012-02-05 18:37:48 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2012-02-05 18:37:47 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2012-02-05 18:37:47 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2012-02-05 18:37:47 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2012-02-05 18:37:46 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2012-02-04 06:47:47 -------- dc-h--w- c:\windows\ie8
2012-01-29 07:30:21 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2012-01-29 07:30:11 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2012-01-26 03:50:19 -------- d-----w- c:\documents and settings\owner\local settings\application data\Help
2012-01-25 16:51:03 -------- d-----w- c:\documents and settings\owner\local settings\application data\Temp
2012-01-13 00:32:52 -------- d-----w- c:\documents and settings\all users\Microsoft
.
==================== Find3M ====================
.
2012-02-10 08:38:33 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-02-10 08:38:33 567184 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-09 11:19:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-22 12:19:42 118784 ----a-w- c:\windows\dsdxirmv.exe
2011-11-21 18:35:04 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-11-21 18:35:04 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-20 22:54:20 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2011-11-20 22:54:18 24576 ----a-w- c:\windows\system32\prefscpl.cpl
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 5:51:14.21 ===============

Attached File(s)

  • attach.txt (9.7K)
  • ark.txt (1.83K)

This post has been edited by boopme: 10 February 2012 - 07:59 PM

The most important thing in communication is to hear what isn't being said.

#2 Casey_boy (Bleeping physicist, Malware Response Instructor, 5,224 posts, joined 02-January 09)

Posted 14 February 2012 - 09:36 AM

Hi there,

It appears that you are receiving help at another forum: http://forums.majorgeeks.com/showthread.php?t=253464

Having multiple topics open at different forums only serves to confuse matters and waste the volunteers' time. In addition, it seems that you have since reformatted your drive. As such, I will close your topic here.

Regards.

Casey
If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.
