pum.hijack startmenu


This topic is locked
4 replies to this topic

#1 frankleee

frankleee

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 25 November 2012 - 06:21 PM

Hello forum, I picked up this object with a Malwarebytes scan: PUM.Hijack.StartMenu. I used delete and ran Malwarebytes again, and now am clean; this is XP Home. Just checking in to make sure I am clean overall. I ran ComboFix. I recognize that I jumped the gun by running ComboFix; however, I had not intended to post here, then thought why not. So in the future I will not run any cleaners out of line with the instructions given.

I also realize now I am posted in the wrong place and the ComboFix log I had posted is not helpful.

This XP install is not that important; it is an OEM and can just be wiped and reinstalled with the hard discs I have, if the helpers feel this is best.

Edited by frankleee, 25 November 2012 - 07:10 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:10 PM

Posted 27 November 2012 - 11:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
    • DDS.scr <- not recommended if you use Chrome to download this .scr file. Use the other options.
    • DDS.pif
    • DDS.COM
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Search for adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review.

Let me know of any issues with this computer.

#3 frankleee

frankleee
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 27 November 2012 - 12:19 PM

Hello, thanks for taking a look at this XP install. I rarely use this install; it is a backup computer, however it seems to be running fine. I have never been much of an XP user; I started on open source, but am a W7 user for use of MS Office when needed. I also run my Windows setups from the standard-user second account primarily, unless the admin account, which has a password, is needed.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by wilee at 9:02:41 on 2012-11-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1266 [GMT -8:00]
.
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled*
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\EMET (Tech Preview)\EMET_notifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/webhp?hl=en
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [EMET Notifier] c:\program files\emet (tech preview)\EMET_notifier.exe
StartupFolder: c:\docume~1\wilee\startm~1\programs\startup\taskmgr.lnk - c:\windows\system32\taskmgr.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1346200184938
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1346200835125
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{9605BBA3-B7DC-48BA-AEBF-13F043E42F45} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{9605BBA3-B7DC-48BA-AEBF-13F043E42F45} : DHCPNameServer = 192.168.0.1 205.171.3.25
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\wilee\application data\mozilla\firefox\profiles\6557kpv7.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/webhp?hl=en
FF - plugin: c:\documents and settings\wilee\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\wilee\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\wilee\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - ExtSQL: 2012-11-25 13:54; https-everywhere@eff.org; c:\documents and settings\wilee\application data\mozilla\firefox\profiles\6557kpv7.default\extensions\https-everywhere@eff.org
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2012-11-25 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2012-11-25 199320]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2012-11-25 106560]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-11-25 20624]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-11-25 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-11-25 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-11-25 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-11-25 44808]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2012-11-25 133912]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2012-8-28 38912]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-11-25 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-11-25 8456]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-11-26 05:25:55 2468520 ----a-w- c:\windows\system32\¸´¼þ BootMan.exe
2012-11-26 05:25:55 19840 ----a-w- c:\windows\system32\EuEpmGdi.dll
2012-11-26 05:25:54 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2012-11-26 05:25:54 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2012-11-26 05:25:54 2468520 ----a-w- c:\windows\system32\BootMan.exe
2012-11-26 05:25:54 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2012-11-26 05:25:16 -------- d-----w- c:\program files\EaseUS
2012-11-26 04:49:33 -------- d-----w- c:\program files\ESET
2012-11-25 22:38:32 -------- d-sha-r- C:\cmdcons
2012-11-25 22:36:34 98816 ----a-w- c:\windows\sed.exe
2012-11-25 22:36:34 256000 ----a-w- c:\windows\PEV.exe
2012-11-25 22:36:34 208896 ----a-w- c:\windows\MBR.exe
2012-11-25 22:15:29 -------- d-----w- c:\documents and settings\wilee\application data\TrueCrypt
2012-11-25 20:59:30 -------- d-----w- c:\program files\LibreOffice 3.6
2012-11-25 20:54:45 -------- d-----w- c:\windows\ie8updates
2012-11-25 20:25:26 -------- d-----w- c:\program files\VideoLAN
2012-11-25 20:23:44 -------- d-----w- c:\program files\EMET (Tech Preview)
2012-11-25 20:20:09 -------- d-----w- c:\documents and settings\wilee\application data\Malwarebytes
2012-11-25 20:19:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-11-25 20:19:22 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-25 20:19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-11-25 18:05:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-25 18:05:35 106560 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-11-25 18:05:18 199320 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-11-25 18:05:17 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-11-25 18:05:17 20624 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-11-25 18:04:53 41224 ----a-w- c:\windows\avastSS.scr
2012-11-25 18:04:53 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-11-25 18:04:40 -------- d-----w- c:\documents and settings\wilee\local settings\application data\Temp
2012-11-25 18:04:40 -------- d-----w- c:\documents and settings\wilee\local settings\application data\Adobe
.
==================== Find3M ====================
.
2012-11-25 22:15:51 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-10-24 14:26:14 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-10-24 14:26:14 421200 ----a-w- c:\windows\system32\msvcp100.dll
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
.
============= FINISH: 9:03:25.90 ===============

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Internet Security
ESET Online Scanner v3
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Adobe Flash Player 11.4.402.265
Adobe Reader 10.1.4 Adobe Reader out of Date!
Mozilla Firefox (17.0)
Mozilla Thunderbird (17.0.)
````````Process Check: objlist.exe by Laurent````````
AVAST Software Av
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 1%
````````````````````End of Log``````````````````````

# AdwCleaner v2.009 - Logfile created 11/27/2012 at 09:09:35
# Updated 24/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : wilee - LEE-5DFD05F0D02
# Boot Mode : Normal
# Running from : C:\Documents and Settings\wilee\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\nilee\Application Data\Mozilla\Firefox\Profiles\zgjz41i6.default\extensions\staged

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0 (en-US)

Profile name : default
File : C:\Documents and Settings\wilee\Application Data\Mozilla\Firefox\Profiles\6557kpv7.default\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Documents and Settings\nilee\Application Data\Mozilla\Firefox\Profiles\zgjz41i6.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1015 octets] - [27/11/2012 09:09:35]

########## EOF - C:\AdwCleaner[R1].txt - [1075 octets] ##########

Edited by frankleee, 27 November 2012 - 12:27 PM.
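The DDS log above is what the helper reads by eye: the Run keys, the startup folder, the Explorer policy values, the DNS settings and the files created in the last 30 days. As an added example (not from this thread, DDS, Malwarebytes or any of the other tools named here), the Python script below parses those line shapes from a DDS log and flags the entries an analyst checks first: images started by bare name or from outside the Windows and Program Files trees, Explorer policy values in both hives (a PUM, Potentially Unwanted Modification, is Malwarebytes' label for a changed system setting rather than a malicious file, and the uPolicies/mPolicies lines are that class of setting), statically configured DNS resolvers that override the DHCP-assigned ones, non-ASCII file names, and system+hidden objects. The regular expressions assume the DDS 2012-11 line formats shown in the post above, TRUSTED_ROOTS is an assumption made for this illustration, and SAMPLE is a constructed subset of the log in the post.

```python
"""Triage helper for a DDS log: pulls out the persistence and setting lines a
malware-response helper reads first, then flags the ones worth a second look.
Added example; not part of DDS, Malwarebytes or this thread."""
import re

# Line shapes taken from the DDS 2012-11 output pasted in the post above.
RUN_RE = re.compile(r"^([um])Run: \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (.+?) - (.+)$")
POLICY_RE = re.compile(r"^([um])Policies-(\w+): (\w+) = (\S+)$")
DNS_RE = re.compile(
    r"^TCP: (?:Interfaces\\(\{[0-9A-Fa-f-]+\}) : )?(NameServer|DHCPNameServer) = (.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) (.+)$")

# Assumption for this example: anything launched from outside these roots deserves a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def image_path(cmd):
    """Executable part of a Run value: the quoted path, or the whole bare command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd


def parse_dds(text):
    """Collect Run/Startup entries, policy values, DNS settings and created files."""
    report = {"run": [], "policies": [], "dns": {}, "files": []}
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            hive = "HKCU" if m[1] == "u" else "HKLM"      # u = user hive, m = machine hive
            report["run"].append((hive, m[2], image_path(m[3])))
        elif m := STARTUP_RE.match(line):
            report["run"].append(("StartupFolder", m[1], m[2].strip()))
        elif m := POLICY_RE.match(line):
            hive = "HKCU" if m[1] == "u" else "HKLM"
            entry = (hive, m[2], m[3], m[4])
            if entry not in report["policies"]:            # DDS repeats some policy lines
                report["policies"].append(entry)
        elif m := DNS_RE.match(line):
            iface = m[1] or "global"
            report["dns"].setdefault(iface, {})[m[2]] = set(re.split(r"[ ,]+", m[3].strip()))
        elif m := CREATED_RE.match(line):
            report["files"].append((m[1], m[2], m[3], m[4]))   # stamp, size, attrs, path
    return report


def triage(report):
    """Return human-readable findings for the analyst to confirm or dismiss."""
    findings = []
    for hive, name, path in report["run"]:
        low = path.lower()
        if "\\" not in low:
            # A bare name is resolved through the search path, so which file runs
            # depends on PATH rather than on the registry value; confirm which one.
            findings.append(f"run {hive}/{name}: bare image {path!r} resolved via search path")
        elif not low.startswith(TRUSTED_ROOTS):
            findings.append(f"run {hive}/{name}: image outside Windows/Program Files: {path}")
    for hive, key, name, value in report["policies"]:
        # Policy values are the class of setting a PUM detection points at; list them all.
        findings.append(f"policy {hive}\\...\\Policies\\{key}\\{name} = {value}")
    for iface, cfg in report["dns"].items():
        static, dhcp = cfg.get("NameServer"), cfg.get("DHCPNameServer")
        if static and dhcp and static != dhcp:
            # Static resolvers overriding DHCP's are either deliberate or a DNS hijack.
            findings.append(f"dns {iface}: static {sorted(static)} overrides DHCP {sorted(dhcp)}")
    for stamp, size, attrs, path in report["files"]:
        name = path.rsplit("\\", 1)[-1]
        if any(ord(c) > 126 for c in name):
            findings.append(f"file {stamp}: non-ASCII name {path}")
        if "s" in attrs and "h" in attrs:                  # system+hidden, as in d-sha-r-
            findings.append(f"file {stamp}: system+hidden object {path}")
    return findings


# Constructed input: a subset of the DDS lines pasted in the post above.
SAMPLE = r"""
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\wilee\startm~1\programs\startup\taskmgr.lnk - c:\windows\system32\taskmgr.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{9605BBA3-B7DC-48BA-AEBF-13F043E42F45} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{9605BBA3-B7DC-48BA-AEBF-13F043E42F45} : DHCPNameServer = 192.168.0.1 205.171.3.25
2012-11-26 05:25:55 2468520 ----a-w- c:\windows\system32\¸´¼þ BootMan.exe
2012-11-25 22:38:32 -------- d-sha-r- C:\cmdcons
2012-11-25 22:36:34 98816 ----a-w- c:\windows\sed.exe
"""

if __name__ == "__main__":
    for finding in triage(parse_dds(SAMPLE)):
        print(finding)
```

On the sample it reports the bare RTHDCPL.EXE entry, the two NoDriveTypeAutoRun policy values, the interface resolvers (208.67.222.222/208.67.220.220, which are OpenDNS) overriding the DHCP-assigned ones, the non-ASCII BootMan.exe name in system32, and the system+hidden C:\cmdcons directory. Each item is a prompt for the analyst, not a verdict; the value of the script is that it pulls the same handful of lines out of a 150-line log every time, so nothing in those sections is skipped by eye.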


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:10 PM

Posted 27 November 2012 - 02:24 PM

If this computer is not connected to the internet, you can consider it safe and clean.

If it is, then get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When it is installed, remove your old version of the Reader using the Add/Remove Programs applet if present.

#5 frankleee

frankleee
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 27 November 2012 - 02:32 PM

Thanks for your help; the computer was connected to the net when running the scans. It is off most of the time, as it is a netbook; I just fire it up on occasion to update. I did notice the outdated Adobe Reader notation; thanks for pointing it out.

