Pls help get rid of pum.hijack virus.

[Reema]

Hello,

I have pum.hijack.taskmanager and pum.hijack.regedit virus on my system which just does not seem to go away. Cold delete the same a couple of times, howvere they r back again after restart. Pls help. I use malware bytes anti malware tool to delete the virus.

Thx

[dr.moriarty]

Welcome to MajorGeeks, Reema

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and then attach the requested logs to your next reply when you finish these instructions.

• **** If something does not run, write down the info to explain to us later but keep on going. ****
• Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   • Starting your computer in Safe mode

[Reema]

Hi,

The virus is still there after running all the steps provided in the link.
Basically my task manager and regedit both are disabled.

ComboFix.txt was not created. My system blanked out for like 3-4 hrs after which it just shut down.
I did not run again.

Also my system crashed when running MGtools since it could not get the data it was expecting. regedit would not work(cause of the pum.hijack virus) and hence the data expected by MGTools could not be found. I guess that might have just caused the crash!!The logs were created though.

Lemme know how I ca proceed.

Thx for ur help!!!

Reema

[dr.moriarty]

Please download RogueKiller to your desktop.

• Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
• When it opens, press the Scan button
• When it is finished, there will be a log on your desktop called "RKreport[1].txt"
• Attach RKreport[1].txt to your next message.

Then download OTL by Old Timer to your desktop.

• See the download links under this icon:
• Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
• When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
• Select Scan All Users.
• In the Processes box, choose All.
• In the Services box, choose All.
• Check the boxes beside LOP Check and Purity Check.
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  netsvcs
  /md5start
  afd.sys
  atapi.sys
  csrss.exe
  explorer.exe
  lsass.exe
  netbt.sys
  nsiproxy.sys
  regedit.exe
  services.exe
  svchost.exe
  Taskmgr.exe
  tcpip.sys
  userinit.exe
  winlogon.exe
  /md5stop
  %systemdrive%\*.* /mp /s
  %systemdrive%\MGtools\*.*
  %systemroot%\system32\*.sys /90
  %systemroot%\system32\*.exe /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %windir%\$ntuninstallkb*. /120
  %windir%\assembly\GAC\*.ini
  %windir%\assembly\GAC_MSIL\*.ini
  %windir%\assembly\gac_32\*.ini
  %windir%\assembly\gac_64\*.ini
  %windir%\assembly\temp\*.ini
  %windir%\assembly\tmp\u /s
  %allusersprofile%\application data\*.exe
  hklm\system\currentcontrolset\services\dhcp
  hklm\system\currentcontrolset\services\afd
  hklm\system\currentcontrolset\services\tdx
  hklm\system\currentcontrolset\services\tcpip
  hklm\system\currentcontrolset\services\nsiproxy
  hklm\software\microsoft\windows\currentversion\run 
  hklm\software\microsoft\windows\currentversion\runonce 
  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

• Now click the button.
• When the scan is complete, Notepad will open with the results of the OTL scan.
• Close Notepad.
• There will be two log files on your desktop entitled OTL.txt and Extras.txt.
• Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

*Are you having any other problems besides Task Manager and Regedit not running?

[Reema]

Hey,

Attaching the 2nd lot of files.
Besides tskmgr ad regedit being disabled, the system becomes very very slow and just hangs at certain points, even if I am not running anythig at all!

Thx

[dr.moriarty]

You're welcome, Reema

Please move OTL.exe directly to your desktop, not here: C:\Documents and Settings\pari\My Documents\OTL.exe

Please attach these logs from running the R & R ME FIRST procedure:

Quote:

C:\TDSSKiller.2.7.37.0_11.06.2012_17.34.38_log.txt
C:\TDSSKiller.2.7.37.0_11.06.2012_17.44.49_log.txt
C:\TDSSKiller.2.7.37.0_11.06.2012_18.29.33_log.txt
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-11 (12-15-24).txt
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-11 (12-49-38).txt
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-11 (18-32-03)-1
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-12 (10-10-20).txt
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-12 (10-15-26).txt
C:\Documents and Settings\pari\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 06-11-2012 - 22-02-53.log

Uninstall:
BabylonToolbar

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.

Code:

:otl
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\tdx.sys -- (tdx)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\pari\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\phsjun.sys -- (asc3360pr)
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=111808&tt=060612_5_&babsrc=HP_ss&mntrId=30576304000000000000001aa0ff4b2b
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=111808&tt=060612_5_&babsrc=SP_ss&mntrId=30576304000000000000001aa0ff4b2b
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
O4 - HKLM..\Run: [Browser companion helper] C:\Program Files\BrowserCompanion\BCHelper.exe /T=3 /CHI=gmdfpnpdmnjaffhcdbobdjpolhpacaem File not found
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\pari\My Documents\Downloads\*.tmp files -> C:\Documents and Settings\pari\My Documents\Downloads\*.tmp -> ]
:commands
[purity]
[emptytemp]
[resethosts]

Now click the button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

* Can you now use Task Manager, Regedit? Are you able to run MGTools.exe now?

[Reema]

Hi,

OTL.exe doesn't seem to work.
My system just crashes and then restarts. This is immediately after running OTL.exe. Happens everytime I run OTL.

Attaching the remaining logs you asked for.

Thx.

[thisisu]

Hello Reema

dr.moriarty is out for a little while so I will help you in the meantime.

__

Do you have your Windows XP SP2 disc? Let me know this first as it can potentially change which route we take next. Thanks.

[Reema]

Hey there,

Yes I do have the cd.
PLs help quick..I have a new problem at hand now, my system shuts dow every few minutes now. The problem just seems to be getting worse.

Thx

[thisisu]

Please delete your old copy of ComboFix and download the latest copy here and run an additional scan.
Attach the latest ComboFix.txt when finished. (How to attach)

[Reema]

Hey,

It ran this time!! Yay!! Attaching log.

Thx again!!

[thisisu]

Delete items detected by RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
After the scan has completed, press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[3].txt
Attach RKreport[3].txt to your next message. (How to attach)

Run the following customized scan using OTL by OldTimer.

• Double click on the OTL icon on your desktop.
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  activex
  netsvcs

• Now click the button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

[Reema]

Hey,

Pls find files attached.

Reema

[thisisu]

Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

KillAll::
ClearJavaCache::
Collect::[4]
C:\WINDOWS\system32\drivers\phsjun.sys
DirLook::
C:\rei
C:\_OTL
Driver::
WinDefend
asc3360pr
File::
c:\windows\AegisP.inf
G:\Autorun.inf
FileLook::
C:\WINDOWS\system32\drivers\phsjun.sys
Folder::
C:\Documents and Settings\pari\Application Data\Babylon
C:\Documents and Settings\All Users\Application Data\Babylon
Registry::
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"EnableLUA"=dword:00000000

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.

This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

[Reema]

Hi,

Do I use the new copy of Combofix you posted yesterday or the one before that?

Thx

[thisisu]

Quote:

Originally Posted by Reema

Do I use the new copy of Combofix you posted yesterday or the one before that?

We always want to use the latest version of ComboFix. ComboFix may have updated since you downloaded it last time. Allow it to update.