Reinfection with PUM.Hijack.StartMenu


25 replies to this topic

#1 lordonia (New Member; Members; 11 posts)

Posted 28 March 2013 - 06:45 PM

I have Malwarebytes Pro and am getting a daily infection with PUM.Hijack.StartMenu, which I've been removing. I haven't noticed any slowness or other system problems.

I have the DDS.txt and Attach.txt files if you need me to paste them in.

#2 lordonia (New Member; Members; 11 posts)

Posted 28 March 2013 - 07:23 PM

dds.txt file ----------------------

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16470 BrowserJavaVersion: 1.6.0_26
Run by ldavies at 19:26:21 on 2013-03-28
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3036.1852 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Nuance\PaperPort\pptd40nt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\ldavies\AppData\Roaming\7 Taskbar Tweaker\7+ Taskbar Tweaker.exe
C:\Users\ldavies\AppData\Local\Akamai\netsession_win.exe
C:\Users\ldavies\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\ldavies\Desktop\RogueKiller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Advertising Cookie Opt-out: {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [eyeBeam SIP Client] <no file>
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Wondershare Helper Compact.exe] c:\program files\common files\wondershare\wondershare helper compact\WSHelper.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IndexSearch] "c:\program files\nuance\paperport\IndexSearch.exe"
mRun: [PaperPort PTD] "c:\program files\nuance\paperport\pptd40nt.exe"
mRun: [PPort12reminder] "c:\program files\nuance\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\12\config\ereg\Ereg.ini"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 10.0.0.1
TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA} : DHCPNameServer = 10.0.0.1
TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\0556475627D24527166756C6D275962756C6563737 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\0556475627D24527166756C6D275962756C6563737F52374548545 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\34F657274797162746D27457563747 : DHCPNameServer = 12.127.17.71 12.127.17.72
TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\35472716475737031313538373 : DHCPNameServer = 10.25.35.1
TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\C425D434D2055726C69636 : DHCPNameServer = 10.1.3.254
TCP: Interfaces\{B29B7FC2-23C7-4B44-9286-09FACA3BBEB5} : DHCPNameServer = 10.120.99.5
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ldavies\appdata\roaming\mozilla\firefox\profiles\q60g8qao.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect64.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\ldavies\appdata\local\citrix\plugins\94\npappdetector.dll
FF - plugin: c:\users\ldavies\appdata\local\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\NPPLG70N.DLL
FF - ExtSQL: 2013-02-01 07:14; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 MpKsl1a2ed16a;MpKsl1a2ed16a;c:\programdata\microsoft\microsoft antimalware\definition updates\{88aae5eb-c40a-4711-b938-c582b652241c}\MpKsl1a2ed16a.sys [2013-3-28 29904]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-12 398184]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-12 682344]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 100328]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\nuance\paperport\PDFProFiltSrvPP.exe [2010-3-9 144672]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-3-25 47104]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-3-25 49152]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-5-26 143968]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-12 21104]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-3-25 167936]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-5-26 134144]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-3-25 38400]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-7-20 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-16 1343400]
.
=============== Created Last 30 ================
.
2013-03-28 23:16:55 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{88aae5eb-c40a-4711-b938-c582b652241c}\MpKsl1a2ed16a.sys
2013-03-28 20:30:06 7108640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{88aae5eb-c40a-4711-b938-c582b652241c}\mpengine.dll
2013-03-27 23:35:19 7108640 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-03-26 14:23:33 -------- d-----w- c:\program files\Macrovision Corporation
2013-03-26 02:50:07 -------- d-----w- c:\users\ldavies\appdata\local\Akamai
2013-03-20 23:49:31 740840 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{24ad9560-85dd-4295-af00-260757fee297}\gapaengine.dll
2013-03-17 20:53:42 -------- d-----w- c:\users\ldavies\appdata\roaming\FLEXnet
2013-03-17 20:20:02 -------- d-----w- c:\users\ldavies\appdata\roaming\Nuance
2013-03-17 20:18:42 -------- d-----w- c:\program files\common files\ScanSoft Shared
2013-03-17 20:18:41 -------- d-----w- c:\programdata\Nuance
2013-03-17 20:18:41 -------- d-----w- c:\program files\Nuance
2013-03-17 15:27:31 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-15 22:32:46 -------- d-----w- c:\users\ldavies\appdata\roaming\Nolo
2013-03-15 22:32:44 -------- d-----w- c:\users\ldavies\appdata\local\Quicken WillMaker Plus 2013
2013-03-15 22:31:15 -------- d-----w- c:\program files\Quicken WillMaker Plus 2013
2013-03-12 19:12:56 -------- d-----w- c:\program files\Trivantis
2013-03-08 20:05:49 -------- d-----w- c:\users\ldavies\appdata\roaming\webex
2013-03-08 19:25:58 -------- d-----w- c:\programdata\WebEx
2013-03-08 18:36:29 -------- d-----r- c:\users\ldavies\appdata\roaming\Brother
2013-03-08 02:06:01 96664 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2013-03-08 02:06:01 19352 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2013-03-08 02:06:01 17887640 ----a-w- c:\program files\mozilla firefox\xul.dll
2013-03-08 02:06:00 865744 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2013-03-08 02:06:00 272280 ----a-w- c:\program files\mozilla firefox\updater.exe
2013-03-08 02:06:00 170232 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2013-03-08 02:06:00 155544 ----a-w- c:\program files\mozilla firefox\ssl3.dll
2013-03-06 14:47:55 -------- d-----w- c:\users\ldavies\appdata\local\Citrix
2013-03-05 19:04:03 -------- d-----w- c:\users\ldavies\appdata\roaming\Sling Media
2013-03-05 19:03:57 -------- d-----w- c:\program files\Sling Media
2013-03-02 12:59:42 -------- d-----w- c:\users\ldavies\appdata\local\Screencast-O-Matic
.
==================== Find3M ====================
.
2013-03-13 18:37:20 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 18:37:20 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-02 13:50:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-12 04:48:31 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-02 03:38:35 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-02 03:30:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-02 03:30:21 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-02 03:26:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-02 03:26:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-02 03:23:28 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-01-30 10:53:21 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-20 20:59:04 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-20 20:59:04 100328 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-12 08:30:38 859552 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-11 13:25:11 60304 ----a-w- c:\users\ldavies\g2mdlhlpx.exe
2013-01-05 05:00:15 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-05 05:00:11 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-04 04:50:52 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 03:00:29 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-01-03 05:05:20 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 05:04:43 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
============= FINISH: 19:27:02.51 ===============

Attach.txt file: --------------------------

.
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 6/15/2010 1:18:51 PM
System Uptime: 3/27/2013 4:20:27 PM (27 hours ago)
.
Motherboard: Dell Inc. | | 047MWF
Processor: Intel® Core™2 Duo CPU T6570 @ 2.10GHz | Microprocessor | 2079/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 218 GiB total, 170.726 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP182: 3/10/2013 10:39:35 AM - Windows Update
RP183: 3/13/2013 7:57:17 PM - Windows Update
RP184: 3/15/2013 6:30:51 PM - Installed Quicken WillMaker Plus 2013
RP185: 3/16/2013 8:19:30 AM - Windows Update
RP186: 3/17/2013 11:27:34 AM - Windows Update
RP188: 3/17/2013 4:01:44 PM - Removed Brother Software Suite
RP189: 3/17/2013 4:14:53 PM - Removed PaperPort Image Printer
RP190: 3/17/2013 4:15:22 PM - Removed ScanSoft PaperPort 11
RP191: 3/17/2013 4:16:21 PM - Installed MSXML 4.0 SP3 Parser
RP192: 3/17/2013 4:16:54 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP193: 3/17/2013 4:18:01 PM - Installed Nuance PaperPort 12
RP194: 3/17/2013 4:20:18 PM - Installed Nuance PDF Viewer Plus.
RP195: 3/17/2013 4:21:15 PM - Installed PaperPort Image Printer
RP196: 3/19/2013 7:34:05 AM - Windows Update
RP197: 3/22/2013 8:14:06 PM - Windows Update
RP198: 3/25/2013 8:25:45 PM - Windows Update
RP199: 3/26/2013 10:34:40 AM - Removed Nuance PDF Viewer Plus.
RP200: 3/26/2013 10:37:18 AM - Removed Nuance PDF Viewer Plus.
RP201: 3/27/2013 3:12:24 PM - Installed Microsoft Fix it 50229
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
3CXPhone
7+ Taskbar Tweaker v4.0
Acrobat.com
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Presenter 7
Adobe Reader XI (11.0.02)
Advanced Audio FX Engine
Akamai NetSession Interface
Amazon Kindle
AnswerWorks 5.0 English Runtime
CCleaner
Compatibility Pack for the 2007 Office system
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Edoc Viewer
Dell Touchpad
Dell Webcam Central
eyeBeam 1.5.20.2
EZ Home and Office v7.0
FastStone Capture 6.5
Foxit Reader
Google Advertising Cookie Opt-out
Google Chrome
Google Update Helper
GoToMeeting 5.4.0.1082
HDAUDIO Soft Data Fax Modem with SmartCP
Intel® Graphics Media Accelerator Driver
Intel® TV Wizard
Java 7 Update 11
Java Auto Updater
Java™ 6 Update 26
Junk Mail filter update
Live! Cam Avatar Creator
Malwarebytes Anti-Malware version 1.70.0.1100
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.1
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Basic 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher 2010
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2007
Microsoft Publisher 2010
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Movie Maker
Mozilla Firefox 19.0.2 (x86 en-US)
Mozilla Maintenance Service
Mozilla Thunderbird (2.0.0.24)
MSVCRT
MSVCRT110
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2758694)
Nuance PaperPort 12
OGA Notifier 2.0.0048.0
OpenVPN 2.2.0
Oracle VM VirtualBox 4.2.4
PaperPort Image Printer
Photo Common
Photo Gallery
Pidgin
PowerDVD DX
Professor Franklin
Quicken 2011
Quicken WillMaker Plus 2013
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE 10.3
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Screencast-O-Matic
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
Snagit 11
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2768024) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
WebEx
WebSlingPlayer ActiveX
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.20 (32-bit)
WinZip 14.5
.
==== Event Viewer Messages From Past Week ========
.
3/27/2013 4:20:51 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
3/27/2013 4:19:38 PM, Error: Service Control Manager [7000] - The eamonm service failed to start due to the following error: The system cannot find the file specified.
3/22/2013 7:44:56 AM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
.
==== End Of File ===========================

#3 Larusso (Selecta Jahrusso; Experts; 905 posts; Gender: Male; Location: Austria; Interests: Dancehall DJing, Fighting against Babilon, Bodybuilding)

Posted 28 March 2013 - 11:32 PM

Hi there.

Please post the most recent Malwarebytes logfile.
Launch Malwarebytes --> Logs --> click on the last logfile. A Notepad window will appear. Copy/paste its content here in your topic.

regards, Daniel

There will never be peace in a war so I don't understand what they are fighting for

I'll always help for free but if you want to support me in my fight against malware, please [Donate]
 


#4 lordonia (New Member; Members; 11 posts)

Posted 29 March 2013 - 08:05 AM

Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org
Database version: v2013.03.28.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Protection: Enabled
3/28/2013 10:20:58 AM
mbam-log-2013-03-28 (10-20-58).txt
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: Registry | File System
Objects scanned: 164493
Time elapsed: 1 minute(s), 20 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

#5 Larusso (Selecta Jahrusso; Experts; 905 posts; Gender: Male; Location: Austria; Interests: Dancehall DJing, Fighting against Babilon, Bodybuilding)

Posted 29 March 2013 - 11:44 AM

Hi there.

Please press the Windows key + R and type notepad into the Run box.
Copy/paste the entire contents of the codebox below into Notepad:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_ShowMyComputer"=-

  • Now on the top of the window choose File --> Save as
  • Into the Save as line type in regfix.reg
  • Change the Save as type to All Files (*.*)
  • Save it on your Desktop.


Double-click on the regfix.reg file located on the desktop. A warning regarding changes applied to the registry will pop up, click on Yes as we know what we are doing here and OK.
Reboot your system.



Please press the Windows key + R, copy/paste the following single-line command into the Run box and click OK:

cmd /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" > %userprofile%\Desktop\look.txt

A look.txt will be created on your desktop. Please post its content here.

regards, Daniel

 


#6 lordonia (New Member; Members; 11 posts)

Posted 29 March 2013 - 12:29 PM

Thanks! Here 'tis:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Start_SearchFiles REG_DWORD 0x2
ServerAdminUI REG_DWORD 0x0
Hidden REG_DWORD 0x1
ShowCompColor REG_DWORD 0x1
HideFileExt REG_DWORD 0x0
DontPrettyPath REG_DWORD 0x0
ShowInfoTip REG_DWORD 0x1
HideIcons REG_DWORD 0x0
MapNetDrvBtn REG_DWORD 0x0
WebView REG_DWORD 0x1
Filter REG_DWORD 0x0
SuperHidden REG_DWORD 0x0
SeparateProcess REG_DWORD 0x0
AutoCheckSelect REG_DWORD 0x0
IconsOnly REG_DWORD 0x0
ShowTypeOverlay REG_DWORD 0x1
ListviewAlphaSelect REG_DWORD 0x1
ListviewShadow REG_DWORD 0x1
TaskbarAnimations REG_DWORD 0x1
StartMenuInit REG_DWORD 0x4
Start_MinMFU REG_DWORD 0x5
Start_JumpListItems REG_DWORD 0x5
TaskbarSizeMove REG_DWORD 0x0
DisablePreviewDesktop REG_DWORD 0x1
TaskbarSmallIcons REG_DWORD 0x1
TaskbarGlomLevel REG_DWORD 0x2
Start_PowerButtonAction REG_DWORD 0x2
Start_TrackProgs REG_DWORD 0x0
Start_TrackDocs REG_DWORD 0x0
FolderContentsInfoTip REG_DWORD 0x1
Start_ShowMyComputer REG_DWORD 0x1
Start_ShowMyDocs REG_DWORD 0x2
Start_ShowMyGames REG_DWORD 0x0
Start_NotifyNewApps REG_DWORD 0x0
Start_ShowMyMusic REG_DWORD 0x0
Start_ShowMyPics REG_DWORD 0x0
Start_ShowRun REG_DWORD 0x1
Start_AdminToolsRoot REG_DWORD 0x0
StartMenuAdminTools REG_DWORD 0x1
Start_ShowSetProgramAccessAndDefaults REG_DWORD 0x0
Start_ShowHelp REG_DWORD 0x0
Start_ShowUser REG_DWORD 0x0
AlwaysShowMenus REG_DWORD 0x1
NavPaneShowAllFolders REG_DWORD 0x1
ExtendedUIHoverTime REG_DWORD 0xf4240
Start_LargeMFUIcons REG_DWORD 0x0
Start_ShowPrinters REG_DWORD 0x1
Start_SearchPrograms REG_DWORD 0x0
Start_ShowRecordedTV REG_DWORD 0x0
Start_ShowNetPlaces REG_DWORD 0x0

#7 Larusso

Larusso

    Selecta Jahrusso

  • Experts
  • PipPipPipPipPip
  • 905 posts
  • Gender:Male
  • Location:Austria
  • Interests:Dancehall DJing, Fighting against Babilon, Bodybuilding

Posted 29 March 2013 - 12:39 PM

Hi there. I made a typo in the reg script above. Please perform the steps above again.
Sorry.

regards, Daniel



#8 lordonia

lordonia

    New Member

  • Members
  • Pip
  • 11 posts

Posted 29 March 2013 - 12:51 PM

Thanks, Daniel. Second shot:


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Start_SearchFiles REG_DWORD 0x2
ServerAdminUI REG_DWORD 0x0
Hidden REG_DWORD 0x1
ShowCompColor REG_DWORD 0x1
HideFileExt REG_DWORD 0x0
DontPrettyPath REG_DWORD 0x0
ShowInfoTip REG_DWORD 0x1
HideIcons REG_DWORD 0x0
MapNetDrvBtn REG_DWORD 0x0
WebView REG_DWORD 0x1
Filter REG_DWORD 0x0
SuperHidden REG_DWORD 0x0
SeparateProcess REG_DWORD 0x0
AutoCheckSelect REG_DWORD 0x0
IconsOnly REG_DWORD 0x0
ShowTypeOverlay REG_DWORD 0x1
ListviewAlphaSelect REG_DWORD 0x1
ListviewShadow REG_DWORD 0x1
TaskbarAnimations REG_DWORD 0x1
StartMenuInit REG_DWORD 0x4
Start_MinMFU REG_DWORD 0x5
Start_JumpListItems REG_DWORD 0x5
TaskbarSizeMove REG_DWORD 0x0
DisablePreviewDesktop REG_DWORD 0x1
TaskbarSmallIcons REG_DWORD 0x1
TaskbarGlomLevel REG_DWORD 0x2
Start_PowerButtonAction REG_DWORD 0x2
Start_TrackProgs REG_DWORD 0x0
Start_TrackDocs REG_DWORD 0x0
FolderContentsInfoTip REG_DWORD 0x1
Start_ShowMyComputer REG_DWORD 0x1
Start_ShowMyDocs REG_DWORD 0x2
Start_ShowMyGames REG_DWORD 0x0
Start_NotifyNewApps REG_DWORD 0x0
Start_ShowMyMusic REG_DWORD 0x0
Start_ShowMyPics REG_DWORD 0x0
Start_ShowRun REG_DWORD 0x1
Start_AdminToolsRoot REG_DWORD 0x0
StartMenuAdminTools REG_DWORD 0x1
Start_ShowSetProgramAccessAndDefaults REG_DWORD 0x0
Start_ShowHelp REG_DWORD 0x0
Start_ShowUser REG_DWORD 0x0
AlwaysShowMenus REG_DWORD 0x1
NavPaneShowAllFolders REG_DWORD 0x1
ExtendedUIHoverTime REG_DWORD 0xf4240
Start_LargeMFUIcons REG_DWORD 0x0
Start_ShowPrinters REG_DWORD 0x1
Start_SearchPrograms REG_DWORD 0x0
Start_ShowRecordedTV REG_DWORD 0x0
Start_ShowNetPlaces REG_DWORD 0x0

#9 Larusso

Larusso

    Selecta Jahrusso

  • Experts
  • PipPipPipPipPip
  • 905 posts
  • Gender:Male
  • Location:Austria
  • Interests:Dancehall DJing, Fighting against Babilon, Bodybuilding

Posted 29 March 2013 - 01:37 PM

The value has been recreated.

So I need to find the file doing this.


Please download Process Monitor to your desktop. Extract the .zip archive into its own folder.
In the first window you will see a few buttons.

Click on the "Architecture" Button and choose Operation.

In the line next to the "is" button, type RegSetValue. Leave everything else as it is, then click Add -> Apply.

Next, click on the "Architecture" button again and choose Path. Change the "is" button to "contains" and type Show_MyComputer in the line. Hit Add --> Apply.


Now click OK at the bottom. The window should be empty.



Run the regfix.reg again.



Now take a look at the Procmon window. There should be one line showing which process recreates the value. Please tell me the process name.

regards, Daniel



#10 lordonia

lordonia

    New Member

  • Members
  • Pip
  • 11 posts

Posted 29 March 2013 - 02:09 PM

Hi -- I apologize, but I'm not following. I downloaded ProcessMonitor and unzipped it to the ProcessMonitor folder. The folder contains a file for procmon.exe and procmon.chm. Should I run the exe file? I did that but didn't see any Architecture button. What window should I be looking at in order to see those buttons?

#11 Larusso

Larusso

    Selecta Jahrusso

  • Experts
  • PipPipPipPipPip
  • 905 posts
  • Gender:Male
  • Location:Austria
  • Interests:Dancehall DJing, Fighting against Babilon, Bodybuilding

Posted 29 March 2013 - 02:15 PM

Sorry. When you launch the .exe, doesn't it look like this?

Attached File: Unbenannt.png (173.59KB, 9 downloads)

regards, Daniel



#12 lordonia

lordonia

    New Member

  • Members
  • Pip
  • 11 posts

Posted 29 March 2013 - 02:30 PM

I don't see the Process Monitor Filter window.


#13 lordonia

lordonia

    New Member

  • Members
  • Pip
  • 11 posts

Posted 29 March 2013 - 02:50 PM

Okay, I got it. Had to select the Filter first. I re-ran the regfix but there's no process line shown.


#14 Larusso

Larusso

    Selecta Jahrusso

  • Experts
  • PipPipPipPipPip
  • 905 posts
  • Gender:Male
  • Location:Austria
  • Interests:Dancehall DJing, Fighting against Babilon, Bodybuilding

Posted 29 March 2013 - 02:56 PM

Hi there, please click on Tools --> Enable Bootlogging.

Reboot your system. As far as I know, Procmon opens automatically after the reboot, and hopefully it will use the generated filter.

I am in a rush right now (a friend of mine has trouble with the tech for his radio show, which starts in 60 minutes. I love such days :D).

Will be back in around 4 hours.

regards, Daniel



#15 lordonia

lordonia

    New Member

  • Members
  • Pip
  • 11 posts

Posted 30 March 2013 - 02:33 PM

1. From ProcessMonitor > Options > Enable Bootlogging. A window displays: "Process Monitor is configured to log activity during the next boot."
I did not check the box to Generate Profile events.

2. Restart. ProcessMonitor did not open automatically after restarting.

3. Open procmon.exe > click Run.

4. The main window is blank, no process name or any text shown.

5. Alert window: "A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?"

6. Click Yes > save the Bootlog.pml file.

7. Two files are created, both called Bootlog.pml. I'm not able to open or view them. They're both over 200 MB.

#16 Larusso

Larusso

    Selecta Jahrusso

  • Experts
  • PipPipPipPipPip
  • 905 posts
  • Gender:Male
  • Location:Austria
  • Interests:Dancehall DJing, Fighting against Babilon, Bodybuilding

Posted 31 March 2013 - 11:50 AM

Hi there,
I found some detailed instructions for bootlogging with this tool.

http://www.msigeek.c...ss-monitor-tool


But before we play around to find it, let's see if Malwarebytes still detects this modification (it is not really a dangerous one, but it would be interesting to know what causes the modification :) ).

regards, Daniel



#17 Larusso

Larusso

    Selecta Jahrusso

  • Experts
  • PipPipPipPipPip
  • 905 posts
  • Gender:Male
  • Location:Austria
  • Interests:Dancehall DJing, Fighting against Babilon, Bodybuilding

Posted 03 April 2013 - 12:33 PM

Hi there.

Are you still with me? If I do not hear from you within 24 hours, this topic will be closed.

regards, Daniel



#18 Maurice Naggar

Maurice Naggar

    Staff

  • Moderators
  • PipPipPipPipPipPip
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 08 April 2013 - 05:33 AM

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Maurice Naggar
Product Support

staff.png

Follow us: Twitter, Become a fan: Facebook

I close my threads if there is 5 days without a response.

#19 Maurice Naggar

Maurice Naggar

    Staff

  • Moderators
  • PipPipPipPipPipPip
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 11 April 2013 - 02:37 PM

Topic re-opened per request.

#20 lordonia

lordonia

    New Member

  • Members
  • Pip
  • 11 posts

Posted 11 April 2013 - 06:20 PM

I wasn't able to get ProcessMonitor to work but I tracked down what's causing it to recur. I'm on Windows 7.

Start menu > Customize > set the Computer option to Don't Display This Item > Save. The next time Malwarebytes runs, it will find and quarantine PUM.Hijack.StartMenu, and the Start menu Computer option will be set back to the default of Display as a Link.
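An added triage script for the registry check used in this thread (my own example, not code from the thread or from Malwarebytes). It parses the look.txt text that the reg query command produced in post #6, decodes the REG_DWORD data, and compares Start_ShowMyComputer with the value the Malwarebytes log called Good (1). A deviation that equals one of the Customize Start Menu options is marked as a likely user choice, which is exactly what post #20 found: "Don't Display This Item" writes 0, the value the scanner reports as Bad. The sample input is constructed from the posted output (the forum collapsed reg.exe's column spacing, which the parser tolerates); the meaning of value 2 ("Display as a menu") is an assumption about the Windows 7 dialog, not something the thread states. Note that a Procmon filter meant to catch the write needs the value's real name as it appears in the scan log, Start_ShowMyComputer.

```python
r"""Triage helper for the Start_ShowMyComputer PUM case in this thread.

Parses the text that `reg query` prints for
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced (the format
the poster pasted), decodes the REG_DWORD values and compares the Start menu
setting with the value Malwarebytes reported as "Good".
"""
import re
from typing import Dict, List, Optional, Tuple

# From the Malwarebytes log in this thread:
#   Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1)
BASELINE: Dict[str, int] = {"Start_ShowMyComputer": 1}

# What the value means on the Windows 7 "Customize Start Menu" dialog.
# 0 and 1 are confirmed by the thread ("Don't Display This Item" is what the
# scanner flags as Bad, "Display as a Link" is Good); 2 is the dialog's third
# option and is an assumption not taken from the thread.
START_MENU_DISPLAY: Dict[int, str] = {
    0: "Don't display this item",
    1: "Display as a link",
    2: "Display as a menu",
}

# Constructed sample, copied from the poster's look.txt (the forum collapsed
# the column spacing; reg.exe indents value lines, which the regex tolerates).
SAMPLE_AS_POSTED = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Start_ShowMyComputer REG_DWORD 0x1
Start_ShowMyDocs REG_DWORD 0x2
Start_ShowMyGames REG_DWORD 0x0
ExtendedUIHoverTime REG_DWORD 0xf4240
"""

# Constructed sample: the same key after choosing "Don't Display This Item"
# for Computer, the state the poster found in post #20.
SAMPLE_AFTER_CUSTOMIZE = SAMPLE_AS_POSTED.replace(
    "Start_ShowMyComputer REG_DWORD 0x1", "Start_ShowMyComputer REG_DWORD 0x0"
)

# name, type, data; tolerant of reg.exe's indentation and multi-space columns
_VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(\S.*?)\s*$")


def parse_reg_query(text: str) -> Tuple[str, Dict[str, int]]:
    """Return (key path, {value name: int}) from `reg query` output.

    Only REG_DWORD/REG_QWORD data (printed as 0x...) is decoded; other value
    types are skipped so that a stray REG_SZ does not break the triage.
    """
    key_path = ""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = _VALUE_LINE.match(line)
        if m is None:
            if stripped.startswith("HKEY_"):
                key_path = stripped  # the key header line has no type column
            continue
        name, reg_type, data = m.groups()
        if reg_type in ("REG_DWORD", "REG_QWORD"):
            values[name] = int(data, 16)
    return key_path, values


def describe_start_menu_value(name: str, value: int) -> str:
    """Map a Start_Show* DWORD to the Start menu option it represents."""
    if name.startswith("Start_Show"):
        return START_MENU_DISPLAY.get(value, f"unknown ({value})")
    return str(value)


def check_against_baseline(
    values: Dict[str, int], baseline: Dict[str, int] = BASELINE
) -> List[dict]:
    """List every baseline value that is missing or differs from expectation.

    user_choice is True when the deviating data is one of the options the
    Customize Start Menu dialog can write, i.e. the situation the poster ended
    up in: a deliberate setting that the scanner reports as a PUM.
    """
    findings: List[dict] = []
    for name, expected in baseline.items():
        actual: Optional[int] = values.get(name)
        if actual == expected:
            continue
        findings.append({
            "name": name,
            "expected": expected,
            "actual": actual,
            "meaning": None if actual is None else describe_start_menu_value(name, actual),
            "user_choice": actual in START_MENU_DISPLAY,
        })
    return findings


def triage(reg_query_text: str) -> List[dict]:
    """Parse look.txt contents and return the baseline findings."""
    _, values = parse_reg_query(reg_query_text)
    return check_against_baseline(values)


if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE_AS_POSTED), ("after customize", SAMPLE_AFTER_CUSTOMIZE)):
        print(label, triage(sample) or "matches the Malwarebytes Good value")
```

Run it against a real look.txt by passing the file's text to triage(); a finding with user_choice True and meaning "Don't display this item" is the benign case this thread ended on, whereas a finding whose data is not one of the dialog's options, or a value that keeps reverting with no Start menu change, is the case worth chasing with Procmon.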