Please help get rid of PUM.Hijack virus.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Reema, Jun 11, 2012.

  1. Reema

    Reema Private E-2

    Hello,

    I have the pum.hijack.taskmanager and pum.hijack.regedit virus on my system, which just does not seem to go away. I could delete them a couple of times; however, they are back again after a restart. Please help. I use the Malwarebytes Anti-Malware tool to delete the virus.

    Thanks
     
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, Reema

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and then attach the requested logs to your next reply when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
     
  3. Reema

    Reema Private E-2

    Hi,

    The virus is still there after running all the steps provided in the link.
    Basically my task manager and regedit both are disabled.

    ComboFix.txt was not created. My system blanked out for like 3-4 hrs after which it just shut down.
    I did not run again.

    Also, my system crashed when running MGtools since it could not get the data it was expecting. regedit would not work (because of the pum.hijack virus) and hence the data expected by MGTools could not be found. I guess that might have just caused the crash!! The logs were created though.

    Let me know how I can proceed.

    Thanks for your help!!! :)

    Reema
     

  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please download RogueKiller to your desktop.
    • Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    • When it opens, press the Scan button
    • When it is finished, there will be a log on your desktop called "RKreport[1].txt"
    • Attach RKreport[1].txt to your next message.

    Then download OTL by Old Timer to your desktop.
    • See the download links under the OTL icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • In the Processes box, choose All.
    • In the Services box, choose All.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      lsass.exe
      netbt.sys
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      Taskmgr.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.* /mp /s
      %systemdrive%\MGtools\*.*
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\$ntuninstallkb*. /120
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run 
      hklm\software\microsoft\windows\currentversion\runonce 
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

    *Are you having any other problems besides Task Manager and Regedit not running?
     
  5. Reema

    Reema Private E-2

    Hey,

    Attaching the 2nd lot of files.
    Besides Task Manager and regedit being disabled, the system becomes very, very slow and just hangs at certain points, even if I am not running anything at all!

    Thanks
     

    Attached Files: Log2.zip (300.7 KB)
  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome, Reema

    Please move OTL.exe directly to your desktop, not here: C:\Documents and Settings\pari\My Documents\OTL.exe

    Please attach these logs from running the R & R ME FIRST procedure:

    Uninstall:
    BabylonToolbar

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\tdx.sys -- (tdx)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\pari\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\phsjun.sys -- (asc3360pr)
    IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=111808&tt=060612_5_&babsrc=HP_ss&mntrId=30576304000000000000001aa0ff4b2b
    IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
    IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=111808&tt=060612_5_&babsrc=SP_ss&mntrId=30576304000000000000001aa0ff4b2b
    IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
    O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
    O4 - HKLM..\Run: [Browser companion helper] C:\Program Files\BrowserCompanion\BCHelper.exe /T=3 /CHI=gmdfpnpdmnjaffhcdbobdjpolhpacaem File not found
    O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\pari\My Documents\Downloads\*.tmp files -> C:\Documents and Settings\pari\My Documents\Downloads\*.tmp -> ]
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    * Can you now use Task Manager, Regedit? Are you able to run MGTools.exe now?
     
    Last edited: Jun 13, 2012
  7. Reema

    Reema Private E-2

    Hi,

    OTL.exe doesn't seem to work. :cry :(
    My system just crashes and then restarts, immediately after running OTL.exe. This happens every time I run OTL.

    Attaching the remaining logs you asked for.

    Thanks.
     

  8. thisisu

    thisisu Malware Consultant

    Hello Reema :)

    dr.moriarty is out for a little while so I will help you in the meantime.

    __

    Do you have your Windows XP SP2 disc? Let me know this first as it can potentially change which route we take next. Thanks.
     
  9. Reema

    Reema Private E-2

    Hey there,

    Yes, I do have the CD.
    Please help quickly. I have a new problem at hand now: my system shuts down every few minutes. The problem just seems to be getting worse. :cry

    Thanks
     
  10. thisisu

    thisisu Malware Consultant

    Please delete your old copy of ComboFix and download the latest copy here and run an additional scan.
    Attach the latest ComboFix.txt when finished. (How to attach)
     
  11. Reema

    Reema Private E-2

    Hey,

    It ran this time!! Yay!! Attaching the log.

    Thanks again!!
     

    Attached Files: log.txt (8.1 KB)
  12. thisisu

    thisisu Malware Consultant

    Delete items detected by RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    After the scan has completed, press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    Run the following customized scan using OTL by OldTimer.

    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  13. Reema

    Reema Private E-2

    Hey,

    Please find the files attached.

    Reema
     

  14. thisisu

    thisisu Malware Consultant

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Collect::[4]
    C:\WINDOWS\system32\drivers\phsjun.sys
    DirLook::
    C:\rei
    C:\_OTL
    Driver::
    WinDefend
    asc3360pr
    File::
    c:\windows\AegisP.inf
    G:\Autorun.inf
    FileLook::
    C:\WINDOWS\system32\drivers\phsjun.sys
    Folder::
    C:\Documents and Settings\pari\Application Data\Babylon
    C:\Documents and Settings\All Users\Application Data\Babylon
    Registry::
    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
    "DisableRegistryTools"=dword:00000000
    "DisableTaskMgr"=dword:00000000
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=dword:00000000
    "DisableTaskMgr"=dword:00000000
    "EnableLUA"=dword:00000000
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    [​IMG]
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
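    The lockout in this thread is nothing more than two policy values, DisableTaskMgr and DisableRegistryTools, under ...\Policies\System. OTL reports them as O7 lines (the fix script in post #6) and the CFScript in post #14 resets them to 0 in a Registry:: section. The script below is an added example, not part of the thread and not code from OTL, ComboFix or Malwarebytes: it parses O7 lines, flags the two lockout values, and emits the matching ComboFix Registry:: block. The sample input is constructed from the O7 lines in post #6 plus one hypothetical HKLM line for the machine-wide case; the mapping of OTL's abbreviated hive names (HKU, HKLM, HKCU) to the full names is an assumption, and only the Registry:: part of the CFScript syntax is modelled.

```python
"""Triage OTL "O7" policy lines for the Task Manager / regedit lockout and emit
the matching ComboFix Registry:: fix block.

Added example for this thread; not part of the original posts, OTL or ComboFix.
The sample lines are copied from the OTL fix script in post #6 plus one
constructed HKLM line; the hive-prefix expansion is an assumption about how
OTL abbreviates hive names.
"""
import re

# Policy values behind the PUM.Hijack.TaskManager / PUM.Hijack.Regedit detections:
# 1 = tool disabled by policy, 0 or absent = normal.
LOCKOUT_VALUES = {
    "DisableTaskMgr": "Task Manager",
    "DisableRegistryTools": "Registry Editor (regedit)",
}

# OTL abbreviates hive names; ComboFix's Registry:: section wants the full ones.
# (Assumed mapping.)
HIVE_PREFIXES = {
    "HKU\\": "HKEY_USERS\\",
    "HKLM\\": "HKEY_LOCAL_MACHINE\\",
    "HKCU\\": "HKEY_CURRENT_USER\\",
}

# Constructed sample input: three O7 lines from post #6 and one hypothetical
# HKLM line to show the machine-wide case.
SAMPLE_OTL_LINES = r"""
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
"""

# "O7 - <key>: <value name> = <number>"; O7 lines without a value (such as
# "...\Control Panel present") do not match and are skipped.
O7_RE = re.compile(r"^O7 - (?P<key>HK[A-Z]+\\[^:]+): (?P<name>\w+) = (?P<value>-?\d+)\s*$")


def parse_o7(text):
    """Yield (registry key, value name, int value) for each well-formed O7 line."""
    for line in text.splitlines():
        m = O7_RE.match(line.strip())
        if m:
            yield m["key"], m["name"], int(m["value"])


def find_lockouts(text):
    """Return the O7 entries that disable Task Manager or regedit (non-zero value)."""
    return [(key, name, value) for key, name, value in parse_o7(text)
            if name in LOCKOUT_VALUES and value != 0]


def expand_hive(key):
    """HKU\\... -> HKEY_USERS\\... and so on; unknown prefixes are returned unchanged."""
    for short, full in HIVE_PREFIXES.items():
        if key.startswith(short):
            return full + key[len(short):]
    return key


def cfscript_registry_block(lockouts):
    """Build a ComboFix Registry:: section that resets each lockout value to 0,
    in the same .reg-style shape as the fix in post #14. Empty string if nothing to fix."""
    if not lockouts:
        return ""
    by_key = {}
    for key, name, _ in lockouts:
        by_key.setdefault(expand_hive(key), set()).add(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in sorted(names):
            lines.append(f'"{name}"=dword:00000000')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_lockouts(SAMPLE_OTL_LINES)
    for key, name, value in found:
        print(f"{LOCKOUT_VALUES[name]} disabled by policy: {key}\\{name} = {value}")
    print(cfscript_registry_block(found), end="")
```

    Two things the output does not do for you. First, it only covers the hives that appear in the log: the CFScript in post #14 also resets HKEY_USERS\S-1-5-18 (the SYSTEM account's hive), which OTL's per-user O7 lines do not show. Second, resetting the values is exactly what Malwarebytes already did in post #1, and they came back after a restart; the reset is only worth anything alongside removing whatever re-applies them, which is why the same CFScript also collects phsjun.sys and stops the asc3360pr driver.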
     
  15. Reema

    Reema Private E-2

    Hi,

    Do I use the new copy of Combofix you posted yesterday or the one before that?

    Thx
     
  16. thisisu

    thisisu Malware Consultant

    We always want to use the latest version of ComboFix. ComboFix may have updated since you downloaded it last time. Allow it to update.
     
