MajorGeeks Support Forums

#1 | 06-11-12, 20:03 | Reema (Private E-2)
Pls help get rid of pum.hijack virus.

Hello,

I have the pum.hijack.taskmanager and pum.hijack.regedit virus on my system, which just does not seem to go away. I could delete them a couple of times; however, they are back again after a restart. Pls help. I use the Malwarebytes Anti-Malware tool to delete the virus.

Thx
#2 | 06-11-12, 21:50 | dr.moriarty (Malware Super Sleuth)
Re: Pls help get rid of pum.hijack virus.

Welcome to MajorGeeks, Reema

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide

and then attach the requested logs to your next reply when you finish these instructions.
  • **** If something does not run, write down the info to explain to us later but keep on going. ****
  • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
  • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
  1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
__________________
"Education never ends, Watson.... It is a series of lessons, with the greatest for the last."
Free malware removal from MajorGeeks
Support MajorGeeks!
#3 | 06-12-12, 17:17 | Reema (Private E-2)
Re: Pls help get rid of pum.hijack virus.

Hi,

The virus is still there after running all the steps provided in the link.
Basically, my Task Manager and regedit are both disabled.

ComboFix.txt was not created. My system blanked out for like 3-4 hrs, after which it just shut down.
I did not run it again.

Also, my system crashed when running MGtools since it could not get the data it was expecting. regedit would not work (because of the pum.hijack virus) and hence the data expected by MGTools could not be found. I guess that might have just caused the crash!! The logs were created though.

Let me know how I can proceed.

Thx for your help!!!

Reema
Attached Files
File Type: zip Logs.zip (4.0 KB, 9 views)
#4 | 06-12-12, 19:38 | dr.moriarty (Malware Super Sleuth)
Re: Pls help get rid of pum.hijack virus.

Please download RogueKiller to your desktop.
  • Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
  • When it opens, press the Scan button
  • When it is finished, there will be a log on your desktop called "RKreport[1].txt"
  • Attach RKreport[1].txt to your next message.

Then download OTL by Old Timer to your desktop.
  • See the download links under this icon:
  • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
  • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
  • Select Scan All Users.
  • In the Processes box, choose All.
  • In the Services box, choose All.
  • Check the boxes beside LOP Check and Purity Check.
  • Copy the text in the code box below and paste it into the text-field.
    Code:
    netsvcs
    /md5start
    afd.sys
    atapi.sys
    csrss.exe
    explorer.exe
    lsass.exe
    netbt.sys
    nsiproxy.sys
    regedit.exe
    services.exe
    svchost.exe
    Taskmgr.exe
    tcpip.sys
    userinit.exe
    winlogon.exe
    /md5stop
    %systemdrive%\*.* /mp /s
    %systemdrive%\MGtools\*.*
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %windir%\$ntuninstallkb*. /120
    %windir%\assembly\GAC\*.ini
    %windir%\assembly\GAC_MSIL\*.ini
    %windir%\assembly\gac_32\*.ini
    %windir%\assembly\gac_64\*.ini
    %windir%\assembly\temp\*.ini
    %windir%\assembly\tmp\u /s
    %allusersprofile%\application data\*.exe
    hklm\system\currentcontrolset\services\dhcp
    hklm\system\currentcontrolset\services\afd
    hklm\system\currentcontrolset\services\tdx
    hklm\system\currentcontrolset\services\tcpip
    hklm\system\currentcontrolset\services\nsiproxy
    hklm\software\microsoft\windows\currentversion\run 
    hklm\software\microsoft\windows\currentversion\runonce 
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • Now click the button.
  • When the scan is complete, Notepad will open with the results of the OTL scan.
  • Close Notepad.
  • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
  • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

*Are you having any other problems besides Task Manager and Regedit not running?
#5 | 06-12-12, 21:04 | Reema (Private E-2)
Re: Pls help get rid of pum.hijack virus.

Hey,

Attaching the 2nd lot of files.
Besides Task Manager and regedit being disabled, the system becomes very, very slow and just hangs at certain points, even if I am not running anything at all!

Thx
Attached Files
File Type: zip Log2.zip (300.7 KB, 11 views)
#6 | 06-13-12, 11:16 | dr.moriarty (Malware Super Sleuth)
Re: Pls help get rid of pum.hijack virus.

You're welcome, Reema

Please move OTL.exe directly to your desktop, not here: C:\Documents and Settings\pari\My Documents\OTL.exe

Please attach these logs from running the R & R ME FIRST procedure:
Quote:
C:\TDSSKiller.2.7.37.0_11.06.2012_17.34.38_log.txt
C:\TDSSKiller.2.7.37.0_11.06.2012_17.44.49_log.txt
C:\TDSSKiller.2.7.37.0_11.06.2012_18.29.33_log.txt
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-11 (12-15-24).txt
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-11 (12-49-38).txt
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-11 (18-32-03)-1
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-12 (10-10-20).txt
C:\Documents and Settings\pari\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-06-12 (10-15-26).txt
C:\Documents and Settings\pari\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 06-11-2012 - 22-02-53.log

Uninstall:
BabylonToolbar

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.
Code:
:otl
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | System | Stopped] -- system32\DRIVERS\tdx.sys -- (tdx)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\pari\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\phsjun.sys -- (asc3360pr)
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=111808&tt=060612_5_&babsrc=HP_ss&mntrId=30576304000000000000001aa0ff4b2b
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=111808&tt=060612_5_&babsrc=SP_ss&mntrId=30576304000000000000001aa0ff4b2b
IE - HKU\S-1-5-21-790525478-1580818891-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
O4 - HKLM..\Run: [Browser companion helper] C:\Program Files\BrowserCompanion\BCHelper.exe /T=3 /CHI=gmdfpnpdmnjaffhcdbobdjpolhpacaem File not found
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\pari\My Documents\Downloads\*.tmp files -> C:\Documents and Settings\pari\My Documents\Downloads\*.tmp -> ]
:commands
[purity]
[emptytemp]
[resethosts]
Now click the button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

* Can you now use Task Manager, Regedit? Are you able to run MGTools.exe now?
Last edited by dr.moriarty; 06-13-12 at 11:34. Reason: add questions

#7 | 06-13-12, 19:42 | Reema (Private E-2)
Re: Pls help get rid of pum.hijack virus.

Hi,

OTL.exe doesn't seem to work.
My system just crashes and then restarts. This is immediately after running OTL.exe. It happens every time I run OTL.

Attaching the remaining logs you asked for.

Thx.
Attached Files
File Type: zip Logs3.zip (67.7 KB, 8 views)
#8 | 06-14-12, 18:06 | thisisu (Malware Consultant)
Re: Pls help get rid of pum.hijack virus.

Hello Reema

dr.moriarty is out for a little while so I will help you in the meantime.

__

Do you have your Windows XP SP2 disc? Let me know this first as it can potentially change which route we take next. Thanks.
__________________
Facebook . Twitter . Blog . VirusTotal
#9 | 06-14-12, 21:58 | Reema (Private E-2)
Re: Pls help get rid of pum.hijack virus.

Hey there,

Yes, I do have the CD.
Pls help quick.. I have a new problem at hand now: my system shuts down every few minutes now. The problem just seems to be getting worse.

Thx
#10 | 06-15-12, 12:32 | thisisu (Malware Consultant)
Re: Pls help get rid of pum.hijack virus.

Please delete your old copy of ComboFix and download the latest copy here and run an additional scan.
Attach the latest ComboFix.txt when finished. (How to attach)
#11 | 06-15-12, 16:13 | Reema (Private E-2)
Re: Pls help get rid of pum.hijack virus.

Hey,

It ran this time!! Yay!! Attaching log.

Thx again!!
Attached Files
File Type: txt log.txt (8.1 KB, 7 views)
#12 | 06-15-12, 16:34 | thisisu (Malware Consultant)
Re: Pls help get rid of pum.hijack virus.

Delete items detected by RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
After the scan has completed, press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[3].txt
Attach RKreport[3].txt to your next message. (How to attach)

Run the following customized scan using OTL by OldTimer.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All".
  • Copy the text in the code box below and paste it into the text-field.
    Code:
    activex
    netsvcs
  • Now click the button.
  • One report will be created:
    • OTL.txt <-- Will be opened
  • Attach OTL.txt to your next message. (How to attach)
#13 | 06-16-12, 10:13 | Reema (Private E-2)
Re: Pls help get rid of pum.hijack virus.

Hey,

Pls find files attached.

Reema
Attached Files
File Type: txt RKreport[3].txt (1.8 KB, 6 views)
File Type: zip OTL.zip (36.3 KB, 6 views)
#14 | 06-16-12, 10:56 | thisisu (Malware Consultant)
Re: Pls help get rid of pum.hijack virus.

Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:
Code:
KillAll::
ClearJavaCache::
Collect::[4]
C:\WINDOWS\system32\drivers\phsjun.sys
DirLook::
C:\rei
C:\_OTL
Driver::
WinDefend
asc3360pr
File::
c:\windows\AegisP.inf
G:\Autorun.inf
FileLook::
C:\WINDOWS\system32\drivers\phsjun.sys
Folder::
C:\Documents and Settings\pari\Application Data\Babylon
C:\Documents and Settings\All Users\Application Data\Babylon
Registry::
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"EnableLUA"=dword:00000000
Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.

This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)
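A triage helper added here as an example (it is not code from the thread, from OTL or from ComboFix): it parses the O7 policy lines that OTL reported in post #6, flags DisableTaskMgr and DisableRegistryTools wherever they are set, and renders the hits in the Registry:: syntax that post #14's CFScript uses to reset such values to zero. The sample lines are copied from the thread plus one constructed clean HKLM line; the expansion of OTL's short hive names (HKU to HKEY_USERS and so on) is my assumption.

```python
"""Parse OTL 'O7' policy lines, flag the two values behind the
PUM.Hijack.TaskManager / PUM.Hijack.Regedit detections, and emit a
ComboFix-style 'Registry::' block that resets them (added example)."""
import re

# Policies\System values that lock the user out of Task Manager and Regedit.
# Windows honours any non-zero REG_DWORD, so "0" is the only clean state.
LOCKOUT_VALUES = ("DisableTaskMgr", "DisableRegistryTools")

# Assumed expansion of OTL's short hive names to the full names used by
# ComboFix 'Registry::' sections and .reg files.
HIVES = {"HKU": "HKEY_USERS", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCU": "HKEY_CURRENT_USER"}

# OTL O7 line shape: "O7 - <hive\key>: <value name> = <data>"
O7_RE = re.compile(r"^O7 - (?P<key>.+?): (?P<name>\S+) = (?P<data>\S+)\s*$")

# Constructed sample: three O7 lines quoted from the thread's OTL scan
# (user SID hive) plus one made-up HKLM line whose value is already clean.
SAMPLE_LOG = r"""
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-790525478-1580818891-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
""".strip()


def find_lockouts(log_text):
    """Return [(full_key, value_name, data)] for every O7 line that sets
    DisableTaskMgr or DisableRegistryTools to anything other than 0.
    Lines that are not 'name = data' O7 entries (e.g. '... present') are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = O7_RE.match(line.strip())
        if not m or m["name"] not in LOCKOUT_VALUES or m["data"] == "0":
            continue
        hive, _, rest = m["key"].partition("\\")
        hits.append((HIVES.get(hive, hive) + "\\" + rest, m["name"], m["data"]))
    return hits


def combofix_registry_block(hits):
    """Render a 'Registry::' section, one [key] header per registry key and
    one "name"=dword:00000000 line per flagged value, in CFScript syntax."""
    by_key = {}
    for key, name, _data in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=dword:00000000' for name in names)
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_lockouts(SAMPLE_LOG)
    for key, name, data in found:
        print(f"LOCKOUT  {name} = {data}  under {key}")
    print(combofix_registry_block(found))
```

The rendered block only covers the keys the scan reported; the helper's CFScript in post #14 also targets the S-1-5-18 (SYSTEM) hive and HKLM, which is a judgement call made from the full logs, not something this parser derives.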
#15 | 06-16-12, 14:32 | Reema (Private E-2)
Re: Pls help get rid of pum.hijack virus.

Hi,

Do I use the new copy of Combofix you posted yesterday or the one before that?

Thx
#16 | 06-16-12, 14:42 | thisisu (Malware Consultant)
Re: Pls help get rid of pum.hijack virus.

Quote (originally posted by Reema):
> Do I use the new copy of Combofix you posted yesterday or the one before that?
We always want to use the latest version of ComboFix. ComboFix may have updated since you downloaded it last time. Allow it to update.
All times are GMT -5.
