Need help! PUM.hijack infection


  • This topic is locked
6 replies to this topic

#1 notinfallible

  • Members
  • 118 posts
  • Gender:Male
  • Location:Everywhere and Nowhere

Posted 15 December 2012 - 12:20 AM

Hello, I have just recently completely reformatted my hard drive and reinstalled my operating system. I am running XP SP3, and prior to reformatting I was getting a lot of strange behavior at very random times. I would sometimes get a blue screen saying something about recently installed hardware. After reformatting I thought everything was all good to go, until running MBAM and it detected "PUM.hijack". I quickly removed the infection, but I would like an expert to analyze my computer because I think there is still something wrong that I am unable to find.

Here is the DDS log.......................

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Owner at 23:09:16 on 2012-12-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2023.1448 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uProxyServer = socks=127.0.0.1:9050
mSearchAssistant = hxxp://www.google.com/ie
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1355315183328
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1355318169250
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{EFED29BF-38D1-49CA-A456-9C864DFA6977} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-12-12 36552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-12-12 85280]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-12-12 109344]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-12-12 83944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-12-12 1103392]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-12-12 1369624]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2012-12-12 168384]
.
=============== Created Last 30 ================
.
2012-12-15 02:46:55 -------- d-----w- c:\program files\Mask Surf
2012-12-15 02:46:55 -------- d-----w- c:\documents and settings\owner\application data\Tor
2012-12-14 02:10:21 -------- d-----w- c:\windows\pss
2012-12-13 04:37:39 -------- d-----w- C:\Pimp bleep
2012-12-13 01:27:36 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-12-13 01:27:36 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-12-13 00:51:02 -------- d-----w- c:\documents and settings\owner\local settings\application data\Sun
2012-12-13 00:47:32 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-13 00:47:32 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-13 00:47:32 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-12-13 00:47:12 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-12 22:27:46 -------- d-----w- C:\Muhbleep Music
2012-12-12 22:24:48 -------- d-----w- C:\2012
2012-12-12 22:23:47 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-12-12 22:23:40 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-12-12 22:23:40 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-12-12 22:23:40 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-12-12 22:23:40 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-12-12 22:23:40 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-12-12 22:23:40 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2012-12-12 22:23:40 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-12-12 22:23:40 117760 ------w- c:\windows\system32\prntvpt.dll
2012-12-12 22:15:43 -------- d-----w- c:\program files\Windows Media Connect 2
2012-12-12 22:14:39 -------- d-----w- c:\windows\system32\LogFiles
2012-12-12 21:55:06 -------- d-----w- C:\Cakewalk Projects
2012-12-12 20:58:46 -------- d-----w- C:\- Jonserz bleep
2012-12-12 20:57:47 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2012-12-12 20:51:28 47616 ----a-w- c:\program files\windows media player\msoobci.dll
2012-12-12 20:51:28 1669120 ----a-w- c:\program files\windows media player\wmsetsdk.exe
2012-12-12 20:51:09 -------- d-----w- c:\windows\RegisteredPackages
2012-12-12 20:48:19 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-12-12 20:38:23 -------- d-----w- c:\windows\system32\scripting
2012-12-12 20:38:23 -------- d-----w- c:\windows\l2schemas
2012-12-12 20:38:22 -------- d-----w- c:\windows\system32\en
2012-12-12 20:38:22 -------- d-----w- c:\windows\system32\bits
2012-12-12 20:36:46 -------- d-----w- c:\windows\network diagnostic
2012-12-12 20:30:33 41984 ------w- c:\windows\Ctregrun.exe
2012-12-12 20:29:58 81920 ----a-w- c:\windows\system32\OpenAL32.dll
2012-12-12 20:28:49 3072 ----a-w- c:\windows\CTXFIRES.DLL
2012-12-12 20:28:49 11776 ----a-w- c:\windows\INRES.DLL
2012-12-12 20:28:49 10240 ----a-w- c:\windows\CTDCRES.DLL
2012-12-12 20:28:49 -------- d-----w- c:\windows\system32\Data
2012-12-12 20:26:27 -------- d-----w- c:\program files\Creative
2012-12-12 20:25:08 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2012-12-12 20:25:08 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2012-12-12 20:25:08 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2012-12-12 20:25:08 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2012-12-12 20:25:07 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2012-12-12 20:25:07 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2012-12-12 20:25:05 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2012-12-12 20:25:05 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2012-12-12 20:06:20 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-12-12 20:04:40 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-12-12 20:02:09 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-12-12 20:02:09 3072 ------w- c:\windows\system32\iacenc.dll
2012-12-12 20:00:39 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-12-12 20:00:18 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-12-12 19:58:38 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-12-12 19:58:28 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-12-12 19:58:14 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2012-12-12 19:58:14 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2012-12-12 19:58:14 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-12-12 19:57:46 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-12-12 19:55:08 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-12-12 19:52:04 -------- d-----w- c:\documents and settings\owner\application data\Avira
2012-12-12 19:49:23 83944 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-12-12 19:49:23 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-12-12 19:49:22 -------- d-----w- c:\program files\Avira
2012-12-12 19:49:22 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-12-12 13:37:26 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2012-12-12 13:37:10 -------- d-----w- c:\program files\MSXML 4.0
2012-12-12 13:33:52 -------- d-----w- c:\windows\ie8updates
2012-12-12 13:33:17 -------- d-----w- c:\windows\ServicePackFiles
2012-12-12 13:32:08 -------- d-----w- c:\documents and settings\owner\local settings\application data\ApplicationHistory
2012-12-12 13:30:17 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-12-12 13:30:17 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-12-12 13:30:17 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-12-12 13:30:16 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-12-12 13:30:16 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-12-12 13:30:16 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-12-12 13:30:14 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-12-12 13:29:54 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-12-12 13:28:31 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-12-12 13:28:27 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-12-12 13:28:16 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2012-12-12 13:27:32 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-12-12 13:27:32 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-12-12 13:27:27 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-12-12 13:26:15 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2012-12-12 13:25:48 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2012-12-12 13:23:43 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-12-12 13:23:43 272128 ------w- c:\windows\system32\drivers\bthport.sys
2012-12-12 13:23:41 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-12-12 13:20:49 -------- d-----w- c:\windows\system32\PreInstall
2012-12-12 13:17:39 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-12-12 13:17:39 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-12-12 13:17:39 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-12-12 13:17:39 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-12-12 12:53:24 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-12-12 12:53:15 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-12-12 12:53:11 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-12-12 12:51:11 -------- d-----w- c:\program files\VS Revo Group
2012-12-12 12:50:42 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2012-12-12 12:50:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-12-12 12:50:29 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-12-12 12:49:44 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2012-12-12 12:49:39 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-12 12:49:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-12 12:49:39 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-12-12 12:47:29 -------- d-----w- c:\program files\CCleaner
2012-12-12 12:46:24 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-12 12:46:24 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 12:43:11 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2012-12-12 12:41:47 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2012-12-12 12:41:16 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2012-12-12 12:40:09 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2012-12-12 12:39:36 -------- dc----w- c:\windows\ie8
2012-12-12 12:37:43 -------- d-----w- c:\windows\$hf_mig$
2012-12-12 12:26:15 -------- d-sh--w- c:\documents and settings\owner\UserData
2012-12-12 11:35:33 -------- d-----w- c:\windows\system32\appmgmt
2012-12-12 11:24:59 -------- d-----w- c:\program files\Microsoft Money 2005
2012-12-12 11:24:54 543232 ----a-w- c:\windows\zHotkey.exe
2012-12-12 11:24:54 532544 ----a-w- c:\windows\PIC.dll
2012-12-12 11:24:54 5280 ----a-w- c:\windows\hotbtnv.vxd
2012-12-12 11:24:54 3926 ----a-w- c:\windows\mHotkey.reg
2012-12-12 11:24:54 36864 ----a-w- c:\windows\ShowWnd.exe
2012-12-12 11:24:54 24576 ----a-w- c:\windows\HKNTDLL.dll
2012-12-12 11:24:52 20480 ----a-w- c:\windows\system32\Marker32.exe
2012-12-12 11:24:51 471298 ----a-w- c:\windows\wallpg.exe
2012-12-12 11:21:12 -------- d-----w- c:\documents and settings\all users\application data\McAfee.com
2012-12-12 11:19:58 -------- d-----w- c:\program files\Pure Networks
2012-12-12 11:19:57 -------- d-----w- c:\windows\occache
2012-12-12 11:19:56 1483264 ----a-w- c:\windows\system32\shdocvw.bak
2012-12-12 11:18:05 -------- d-----w- c:\windows\system32\QuickTime
2012-12-12 11:18:02 -------- d-----w- c:\program files\common files\Nullsoft
2012-12-12 11:17:58 -------- d-----w- c:\program files\common files\Real
2012-12-12 11:17:43 54784 ----a-w- c:\windows\system32\Inetwh32.dll
2012-12-12 11:17:43 29184 ----a-w- c:\windows\system32\popup.ocx
2012-12-12 11:17:43 1044480 ----a-w- c:\windows\system32\roboex32.dll
2012-12-12 11:15:20 -------- d-----w- c:\program files\common files\AOL
2012-12-12 11:14:28 -------- d-----w- c:\windows\system32\ReinstallBackups
2012-12-12 11:14:25 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2012-12-12 11:14:25 614532 ------w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2012-12-12 11:14:25 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2012-12-12 11:14:25 225280 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
2012-12-12 11:14:25 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2012-12-12 11:11:00 -------- d-----w- c:\documents and settings\all users\application data\Prism Deploy
2012-12-12 11:10:59 -------- d-----w- c:\program files\common files\New Boundary
2012-12-12 11:05:29 -------- d-----w- c:\windows\system32\URTTemp
2012-12-12 11:04:56 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-12-12 11:04:51 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-12-12 11:03:54 7168 ----a-w- c:\windows\system32\hccoin.dll
2012-12-12 11:03:54 30208 ----a-w- c:\windows\system32\drivers\usbehci.sys
2012-12-12 11:01:45 -------- d-----w- c:\windows\creator
2012-12-12 11:01:44 24064 ----a-w- c:\windows\system32\IntelNic.dll
2012-12-12 11:01:44 154112 ----a-w- c:\windows\system32\drivers\e100b325.sys
2012-12-12 11:01:44 12288 ----a-w- c:\windows\system32\e100bmsg.dll
2012-12-12 11:01:44 118784 ----a-w- c:\windows\system32\Prounstl.exe
2012-12-12 11:01:44 -------- d-----w- c:\windows\SMINST
2012-12-12 11:01:30 -------- d-----r- C:\Program Files
2012-12-12 11:01:24 -------- d-----r- c:\documents and settings\all users\Documents
2012-12-12 11:00:55 -------- d-----r- c:\windows\Offline Web Pages
2012-12-12 11:00:12 -------- dcsh--r- c:\windows\system32\dllcache
.
==================== Find3M ====================
.
2012-12-12 20:29:58 233472 ----a-w- c:\windows\system32\wrap_oal.dll
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41:17 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
.
============= FINISH: 23:10:05.34 ===============

Edited by notinfallible, 15 December 2012 - 12:22 AM.

The most important thing in communication is to hear what isn't being said.


#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 15 December 2012 - 05:06 PM

Good evening. :)

Run MBAM and select the Logs Tab.
Each log has the time and date attached to it - let me have the one that identified what you are referring to.

So long, and thanks for all the fish.


#3 notinfallible (Topic Starter)

  • Members
  • 118 posts
  • Gender:Male
  • Location:Everywhere and Nowhere

Posted 15 December 2012 - 07:34 PM

Here is the MBAM log......

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.12.04

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Owner :: YOUR-1F482D957D [administrator]

12/14/2012 9:28:58 PM
mbam-log-2012-12-14 (21-28-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208972
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Here is a log from MBAR. Notice it's the same infection that I removed earlier with MBAM.....

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 3.000000 GHz
Memory total: 2120867840, free: 1618165760

------------ Kernel report ------------
12/15/2012 02:12:54
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
aliide.sys
cmdide.sys
toside.sys
viaide.sys
intelide.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
cpqarray.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
atapi.sys
aha154x.sys
sparrow.sys
symc810.sys
aic78xx.sys
dac960nt.sys
ql10wnt.sys
amsint.sys
asc.sys
asc3550.sys
mraid35x.sys
i2omp.sys
ini910u.sys
ql1240.sys
aic78u2.sys
symc8xx.sys
sym_hi.sys
sym_u3.sys
ABP480N5.SYS
asc3350p.sys
cd20xrnt.sys
ultra.sys
adpu160m.sys
dpti2o.sys
ql1080.sys
ql1280.sys
ql12160.sys
perc2.sys
perc2hib.sys
hpn.sys
cbidf2k.sys
dac2w2k.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
sisagp.sys
viaagp.sys
Mup.sys
agp440.sys
alim1541.sys
amdagp.sys
agpCPQ.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\ctaud2k.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\ctoss2k.sys
\SystemRoot\system32\drivers\ctprxy2k.sys
\SystemRoot\system32\DRIVERS\e100b325.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\ha20x2k.sys
\SystemRoot\system32\drivers\emupia2k.sys
\SystemRoot\system32\drivers\ctsfm2k.sys
\SystemRoot\system32\drivers\ctac32k.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\ssmdrv.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\avkmgr.sys
\SystemRoot\system32\DRIVERS\avipbb.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\system32\DRIVERS\avgntflt.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\drivers\npf.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a3ddab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-e\
Lower Device Object: 0xffffffff8a3e0b00
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.12.15.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a3ddab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a383170, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a3ddab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a3e0b00, DeviceName: \Device\Ide\IdeDeviceP1T0L0-e\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe15048c8, 0xffffffff8a3ddab8, 0xffffffff88369040
Lower DeviceData: 0xffffffffe15b2338, 0xffffffff8a3e0b00, 0xffffffff88398040
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 52DF0FB1

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 9446220 Numsec = 1240812405
Partition file system is NTFS
Partition is bootable

Partition 1 type is Other (0xb)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 9446157

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 640135028736 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-1250243728-1250263728)...
Done!
Performing system, memory and registry scan...
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|Start_ShowMyDocs --> [PUM.Hijack.StartMenu]
Done!
Scan finished
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal successful. No system shutdown is required.
=======================================

Edited by notinfallible, 15 December 2012 - 07:35 PM.

The most important thing in communication is to hear what isn't being said.

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 16 December 2012 - 02:41 PM

Good evening. :)

The term PUM is short for Potentially Unwanted Modification. These detections represent changes to system settings which may be undesirable to the user and are frequently changed by infections. MBAM is unable to read your mind and so highlights them and leaves you to decide whether or not they are changes that you approve of. If they are, set MBAM to ignore them, or in this case it, in the future - in this case it appears that My Documents has been removed from the Start Menu.

So long, and thanks for all the fish.
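The MBAM "Registry Data Items" line in post #3 and the MBAR "Infected:" line report the same thing Noviciate describes here: one registry value, its current ("Bad") setting and the expected ("Good") one, tagged PUM so the user decides. As an added example that is not part of this thread and not Malwarebytes' code, the Python below parses those two log line shapes, merges the duplicate report of one value across the two tools, and separates PUM entries (a user decision: keep and ignore, or restore the Good value) from other detections. The regular expressions, the verdict wording and the extra `Trojan.Example` / `C:\EXAMPLE\payload.exe` line in the sample are my own constructions, not values from the thread.

```python
import re
from collections import OrderedDict

# Line shapes taken from the thread's logs. The regexes are my own (assumption:
# they are not Malwarebytes' parser and cover only these two shapes):
#   MBAM: HKCU\...\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
#   MBAR: Infected: HKCU\...\ADVANCED|Start_ShowMyDocs --> [PUM.Hijack.StartMenu]
MBAM_RE = re.compile(
    r"^(?P<key>HK[^|]+)\|(?P<value>\S+) \((?P<detection>[^)]+)\)"
    r" -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)(?: -> (?P<action>.+))?$"
)
MBAR_RE = re.compile(
    r"^Infected: (?P<key>HK[^|]+)\|(?P<value>\S+) --> \[(?P<detection>[^\]]+)\]$"
)

# Constructed sample: the two real lines from post #3 (MBAM, then MBAR) plus a
# non-PUM line built from placeholder names to exercise the other triage branch.
SAMPLE_LOGS = """\
Registry Data Items Detected: 1
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra
Infected: HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED|Start_ShowMyDocs --> [PUM.Hijack.StartMenu]
HKLM\\SOFTWARE\\EXAMPLE\\Run|updater (Trojan.Example) -> Bad: (C:\\EXAMPLE\\payload.exe) Good: () -> Quarantined and deleted successfully.
"""


def parse_registry_detections(text):
    """Return one dict per registry-data detection line, in file order.

    Lines that merely contain '|' (such as the 'Scan options' line) are
    skipped because both patterns require the key to start with 'HK'.
    """
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MBAM_RE.match(line)
        if m:
            found.append({"source": "mbam", **m.groupdict()})
            continue
        m = MBAR_RE.match(line)
        if m:
            # MBAR gives no Bad/Good pair, so those fields stay None.
            found.append({"source": "mbar", "bad": None, "good": None,
                          "action": None, **m.groupdict()})
    return found


def triage(text):
    """Merge reports of the same key/value (case-insensitive, because MBAR
    upper-cases the key) and attach the PUM-versus-malware reading."""
    merged = OrderedDict()
    for d in parse_registry_detections(text):
        ident = (d["key"].lower(), d["value"].lower())
        item = merged.setdefault(ident, {
            "key": d["key"], "value": d["value"], "detection": d["detection"],
            "bad": None, "good": None, "seen_by": [],
        })
        item["seen_by"].append(d["source"])
        if d["bad"] is not None:          # prefer the tool that reports values
            item["bad"], item["good"] = d["bad"], d["good"]
    for item in merged.values():
        if item["detection"].startswith("PUM."):
            item["verdict"] = (
                "Potentially Unwanted Modification: value is {} (expected {}); "
                "keep it and add an MBAM ignore entry only if you made the change"
            ).format(item["bad"], item["good"])
        else:
            item["verdict"] = "malicious: remediate"
    return list(merged.values())


if __name__ == "__main__":
    for item in triage(SAMPLE_LOGS):
        print(item["detection"], item["value"], item["seen_by"], "->", item["verdict"])
```

Run against the sample, the single `Start_ShowMyDocs` entry appears once with `seen_by == ["mbam", "mbar"]`, which is the point notinfallible noticed in post #3: MBAR was re-reporting the same changed setting, not finding a second infection.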


#5 notinfallible (Topic Starter)

  • Members
  • 118 posts
  • Gender:Male
  • Location:Everywhere and Nowhere

Posted 16 December 2012 - 03:41 PM

I am relieved, but at the same time I'm kind of disappointed in myself. I wasted your time and my own time, so......I am sorry.

Edited by notinfallible, 16 December 2012 - 03:41 PM.

The most important thing in communication is to hear what isn't being said.

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 17 December 2012 - 02:53 PM

Good evening. :)

As I'm free to do what I want with my time, it's my time to "waste" and my blame should I consider it wasted - which I don't. You had a problem, which turns out to be more of the "didn't know" kind than anything nastier, and now you don't have a problem. I consider that to be one solved, which is always good to see.

So long, and thanks for all the fish.


#7 notinfallible (Topic Starter)

  • Members
  • 118 posts
  • Gender:Male
  • Location:Everywhere and Nowhere

Posted 17 December 2012 - 09:21 PM

Well said!

I appreciate you taking the time to help me out. Thank you.

Peace.
The most important thing in communication is to hear what isn't being said.
