
Multiple Infections - Regular Partition infected with "PUM.Hijack.StartMenu" - Recovery Partition infected with "TR/Drop.daws.jju"



#1 notinfallible (Members, 118 posts)

Posted 10 February 2012 - 02:03 PM

Hello, I have a Gateway desktop computer with Windows XP SP3, Internet Explorer 8, 2GB RAM, and a 600GB hard drive.

Avira Free Antivirus detected TR/Drop.daws.juu in my recovery partition (D:\) yesterday. MBAM detected PUM.Hijack.StartMenu on my regular partition.

I removed these infections and proceeded to back up some files to my external hard drive. While doing so, Avira detected TR/Keygen.AQ.19 and TR/Tool.Keygen.517 in the "System Volume Information" folder on my external hard drive. I removed these as well.

Lately I've noticed that my computer would behave strangely, but most of the behavior is so subtle that it's hard to describe it properly. Every now and then a process named mme.exe would show up in the Task Manager. I did a little bit of digging and everything I found suggested that it is malicious.

I am usually able to resolve stuff like this on my own, but this time I'm getting nowhere. I have never had an infection on anything other than the partition that my operating system is installed on. I am in need of your help badly.

Thank you for your time, here are the logs.

-----------------------------------------------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 5:50:25 on 2012-02-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1348 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 192.168.*.*
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
TCP: Interfaces\{3ACF436A-DFE5-4721-BE76-2B496858409A} : DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-20 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-20 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-11-20 74640]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys --> c:\windows\system32\drivers\motfilt.sys [?]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys --> c:\windows\system32\drivers\motoandroid.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\motousbnet.sys --> c:\windows\system32\drivers\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys --> c:\windows\system32\drivers\motusbdevice.sys [?]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
S4 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-20 86224]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-11-21 79360]
.
=============== Created Last 30 ================
.
2012-02-10 09:03:55 -------- d-----w- C:\MGtools
2012-02-10 08:38:45 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-10 02:28:04 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-10 02:28:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-10 02:09:47 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2012-02-10 02:08:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-10 02:08:33 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-02-10 01:56:46 1665139 ----a-w- C:\MGtools.exe
2012-02-10 01:34:46 388096 ----a-r- c:\documents and settings\owner\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-02-10 01:34:45 -------- d-----w- c:\program files\Trend Micro
2012-02-10 00:34:33 -------- d-----w- c:\documents and settings\all users\application data\Propellerhead Software
2012-02-10 00:34:31 -------- d-----w- c:\documents and settings\owner\application data\Propellerhead Software
2012-02-09 15:56:59 -------- d--h--w- c:\windows\PIF
2012-02-09 15:52:28 -------- d-----w- c:\program files\MSECACHE
2012-02-09 15:20:31 -------- d-----w- c:\program files\Western Digital Corporation
2012-02-09 12:00:26 -------- d-----w- C:\2011.2
2012-02-09 08:47:15 -------- d-----w- c:\program files\Foxit Software
2012-02-09 07:29:29 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2012-02-09 07:29:29 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2012-02-09 07:28:00 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2012-02-09 02:28:20 839680 ----a-w- c:\windows\system32\lameACM.acm
2012-02-09 02:28:20 650752 ----a-w- c:\windows\system32\xvidcore.dll
2012-02-09 02:28:20 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2012-02-09 02:28:20 216064 ----a-w- c:\windows\system32\lagarith.dll
2012-02-09 02:28:19 175616 ----a-w- c:\windows\system32\unrar.dll
2012-02-09 02:28:19 151552 ----a-w- c:\windows\system32\ac3acm.acm
2012-02-09 02:28:16 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-02-09 02:28:14 -------- d-----w- c:\program files\K-Lite Codec Pack
2012-02-07 11:24:30 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2012-02-07 08:13:56 -------- d-----w- c:\program files\Lavasoft
2012-02-06 22:46:32 -------- d-----w- c:\documents and settings\all users\application data\Nero
2012-02-06 04:25:40 -------- d-----w- c:\program files\SecurityXploded
2012-02-05 19:05:34 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-02-05 19:05:30 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-02-05 19:05:29 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-02-05 19:05:25 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-02-05 19:05:21 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-02-05 19:05:07 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2012-02-05 19:05:03 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-02-05 19:05:01 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-02-05 19:03:59 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2012-02-05 19:02:56 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2012-02-05 19:01:56 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2012-02-05 19:00:57 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2012-02-05 18:59:59 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2012-02-05 18:58:54 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys
2012-02-05 18:57:55 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2012-02-05 18:57:49 157696 -c--a-w- c:\windows\system32\dllcache\sisv256.dll
2012-02-05 18:57:43 50432 -c--a-w- c:\windows\system32\dllcache\sisv.sys
2012-02-05 18:57:42 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys
2012-02-05 18:57:36 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2012-02-05 18:57:30 104064 -c--a-w- c:\windows\system32\dllcache\sisgrp.sys
2012-02-05 18:57:25 150144 -c--a-w- c:\windows\system32\dllcache\sis6306v.dll
2012-02-05 18:57:19 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2012-02-05 18:57:13 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2012-02-05 18:57:08 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys
2012-02-05 18:57:07 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2012-02-05 18:56:58 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2012-02-05 18:56:53 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2012-02-05 18:56:47 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2012-02-05 18:56:41 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2012-02-05 18:56:36 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2012-02-05 18:56:29 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2012-02-05 18:56:24 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2012-02-05 18:56:19 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2012-02-05 18:56:12 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2012-02-05 18:56:11 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2012-02-05 18:56:05 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2012-02-05 18:56:04 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2012-02-05 18:54:59 65664 -c--a-w- c:\windows\system32\dllcache\s3legacy.sys
2012-02-05 18:53:57 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2012-02-05 18:52:57 16384 -c--a-w- c:\windows\system32\dllcache\philcam1.dll
2012-02-05 18:51:59 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2012-02-05 18:50:55 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2012-02-05 18:49:58 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2012-02-05 18:48:56 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2012-02-05 18:47:59 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2012-02-05 18:46:59 59904 -c--a-w- c:\windows\system32\dllcache\imkrinst.exe
2012-02-05 18:45:59 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2012-02-05 18:44:58 123392 -c--a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2012-02-05 18:43:58 43520 -c--a-w- c:\windows\system32\dllcache\EXCH_fcachdll.dll
2012-02-05 18:42:59 7296 -c--a-w- c:\windows\system32\dllcache\elmsmc.sys
2012-02-05 18:41:59 103044 -c--a-w- c:\windows\system32\dllcache\digidxb.sys
2012-02-05 18:40:59 3712 -c--a-w- c:\windows\system32\dllcache\ctljystk.sys
2012-02-05 18:39:58 74240 -c--a-w- c:\windows\system32\dllcache\camexo20.dll
2012-02-05 18:38:58 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2012-02-05 18:37:55 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-02-05 18:37:48 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2012-02-05 18:37:48 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2012-02-05 18:37:47 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2012-02-05 18:37:47 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2012-02-05 18:37:47 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2012-02-05 18:37:46 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2012-02-04 06:47:47 -------- dc-h--w- c:\windows\ie8
2012-01-29 07:30:21 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2012-01-29 07:30:11 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2012-01-26 03:50:19 -------- d-----w- c:\documents and settings\owner\local settings\application data\Help
2012-01-25 16:51:03 -------- d-----w- c:\documents and settings\owner\local settings\application data\Temp
2012-01-13 00:32:52 -------- d-----w- c:\documents and settings\all users\Microsoft
.
==================== Find3M ====================
.
2012-02-10 08:38:33 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-02-10 08:38:33 567184 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-09 11:19:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-22 12:19:42 118784 ----a-w- c:\windows\dsdxirmv.exe
2011-11-21 18:35:04 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-11-21 18:35:04 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-20 22:54:20 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2011-11-20 22:54:18 24576 ----a-w- c:\windows\system32\prefscpl.cpl
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 5:51:14.21 ===============

Edited by boopme, 10 February 2012 - 07:59 PM.

The most important thing in communication is to hear what isn't being said.

#2 Casey_boy, Bleeping physicist (Malware Response Team, 7,765 posts)

Posted 14 February 2012 - 09:36 AM

Hi there,

It appears that you are receiving help at another forum: http://forums.majorgeeks.com/showthread.php?t=253464

Having multiple topics open at different forums only serves to confuse matters and waste the volunteers' time. In addition, it seems that you have since reformatted your drive. As such, I will close your topic here.

Regards.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.
