Jump to content

Reinfection with PUM.Hijack.StartMenu


Recommended Posts

dds.txt file ----------------------

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16470 BrowserJavaVersion: 1.6.0_26

Run by ldavies at 19:26:21 on 2013-03-28

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3036.1852 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

c:\Program Files\Microsoft Security Client\NisSrv.exe

C:\Windows\System32\rundll32.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Windows\system32\conhost.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Nuance\PaperPort\pptd40nt.exe

C:\Windows\system32\SearchIndexer.exe

C:\Users\ldavies\AppData\Roaming\7 Taskbar Tweaker\7+ Taskbar Tweaker.exe

C:\Users\ldavies\AppData\Local\Akamai\netsession_win.exe

C:\Users\ldavies\AppData\Local\Akamai\netsession_win.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\ldavies\Desktop\RogueKiller.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

c:\Program Files\Microsoft Security Client\MpCmdRun.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k HsfXAudioService

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig

uProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Advertising Cookie Opt-out: {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - c:\program files\google\advertising cookie opt-out\opt_out.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [eyeBeam SIP Client] <no file>

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Wondershare Helper Compact.exe] c:\program files\common files\wondershare\wondershare helper compact\WSHelper.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [indexSearch] "c:\program files\nuance\paperport\IndexSearch.exe"

mRun: [PaperPort PTD] "c:\program files\nuance\paperport\pptd40nt.exe"

mRun: [PPort12reminder] "c:\program files\nuance\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\12\config\ereg\Ereg.ini"

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 10.0.0.1

TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA} : DHCPNameServer = 10.0.0.1

TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\0556475627D24527166756C6D275962756C6563737 : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\0556475627D24527166756C6D275962756C6563737F52374548545 : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\34F657274797162746D27457563747 : DHCPNameServer = 12.127.17.71 12.127.17.72

TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\35472716475737031313538373 : DHCPNameServer = 10.25.35.1

TCP: Interfaces\{08BAF12D-7566-4D4E-82F8-71E2D1FE69EA}\C425D434D2055726C69636 : DHCPNameServer = 10.1.3.254

TCP: Interfaces\{B29B7FC2-23C7-4B44-9286-09FACA3BBEB5} : DHCPNameServer = 10.120.99.5

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - igfxdev.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\ldavies\appdata\roaming\mozilla\firefox\profiles\q60g8qao.default\

FF - prefs.js: browser.startup.homepage - igoogle.com

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect32.dll

FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect64.dll

FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\ldavies\appdata\local\citrix\plugins\94\npappdetector.dll

FF - plugin: c:\users\ldavies\appdata\local\google\update\1.3.21.135\npGoogleUpdate3.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

FF - plugin: c:\windows\system32\NPPLG70N.DLL

FF - ExtSQL: 2013-02-01 07:14; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]

R1 MpKsl1a2ed16a;MpKsl1a2ed16a;c:\programdata\microsoft\microsoft antimalware\definition updates\{88aae5eb-c40a-4711-b938-c582b652241c}\MpKsl1a2ed16a.sys [2013-3-28 29904]

R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-12 398184]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-12 682344]

R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 100328]

R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\nuance\paperport\PDFProFiltSrvPP.exe [2010-3-9 144672]

R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-3-25 47104]

R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-3-25 49152]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-5-26 143968]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-12 21104]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-3-25 167936]

R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-5-26 134144]

S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-3-25 38400]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-7-20 52224]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-16 1343400]

.

=============== Created Last 30 ================

.

2013-03-28 23:16:55 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{88aae5eb-c40a-4711-b938-c582b652241c}\MpKsl1a2ed16a.sys

2013-03-28 20:30:06 7108640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{88aae5eb-c40a-4711-b938-c582b652241c}\mpengine.dll

2013-03-27 23:35:19 7108640 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2013-03-26 14:23:33 -------- d-----w- c:\program files\Macrovision Corporation

2013-03-26 02:50:07 -------- d-----w- c:\users\ldavies\appdata\local\Akamai

2013-03-20 23:49:31 740840 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{24ad9560-85dd-4295-af00-260757fee297}\gapaengine.dll

2013-03-17 20:53:42 -------- d-----w- c:\users\ldavies\appdata\roaming\FLEXnet

2013-03-17 20:20:02 -------- d-----w- c:\users\ldavies\appdata\roaming\Nuance

2013-03-17 20:18:42 -------- d-----w- c:\program files\common files\ScanSoft Shared

2013-03-17 20:18:41 -------- d-----w- c:\programdata\Nuance

2013-03-17 20:18:41 -------- d-----w- c:\program files\Nuance

2013-03-17 15:27:31 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-03-15 22:32:46 -------- d-----w- c:\users\ldavies\appdata\roaming\Nolo

2013-03-15 22:32:44 -------- d-----w- c:\users\ldavies\appdata\local\Quicken WillMaker Plus 2013

2013-03-15 22:31:15 -------- d-----w- c:\program files\Quicken WillMaker Plus 2013

2013-03-12 19:12:56 -------- d-----w- c:\program files\Trivantis

2013-03-08 20:05:49 -------- d-----w- c:\users\ldavies\appdata\roaming\webex

2013-03-08 19:25:58 -------- d-----w- c:\programdata\WebEx

2013-03-08 18:36:29 -------- d-----r- c:\users\ldavies\appdata\roaming\Brother

2013-03-08 02:06:01 96664 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe

2013-03-08 02:06:01 19352 ----a-w- c:\program files\mozilla firefox\xpcom.dll

2013-03-08 02:06:01 17887640 ----a-w- c:\program files\mozilla firefox\xul.dll

2013-03-08 02:06:00 865744 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe

2013-03-08 02:06:00 272280 ----a-w- c:\program files\mozilla firefox\updater.exe

2013-03-08 02:06:00 170232 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe

2013-03-08 02:06:00 155544 ----a-w- c:\program files\mozilla firefox\ssl3.dll

2013-03-06 14:47:55 -------- d-----w- c:\users\ldavies\appdata\local\Citrix

2013-03-05 19:04:03 -------- d-----w- c:\users\ldavies\appdata\roaming\Sling Media

2013-03-05 19:03:57 -------- d-----w- c:\program files\Sling Media

2013-03-02 12:59:42 -------- d-----w- c:\users\ldavies\appdata\local\Screencast-O-Matic

.

==================== Find3M ====================

.

2013-03-13 18:37:20 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-13 18:37:20 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-02 13:50:40 472808 ----a-w- c:\windows\system32\deployJava1.dll

2013-02-12 04:48:31 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-02-12 04:48:26 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-02-02 03:38:35 1800704 ----a-w- c:\windows\system32\jscript9.dll

2013-02-02 03:30:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2013-02-02 03:30:21 1129472 ----a-w- c:\windows\system32\wininet.dll

2013-02-02 03:26:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2013-02-02 03:26:21 420864 ----a-w- c:\windows\system32\vbscript.dll

2013-02-02 03:23:28 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2013-01-30 10:53:21 232336 ------w- c:\windows\system32\MpSigStub.exe

2013-01-20 20:59:04 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2013-01-20 20:59:04 100328 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys

2013-01-12 08:30:38 859552 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-01-11 13:25:11 60304 ----a-w- c:\users\ldavies\g2mdlhlpx.exe

2013-01-05 05:00:15 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-05 05:00:11 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-04 04:50:52 169984 ----a-w- c:\windows\system32\winsrv.dll

2013-01-04 03:00:29 2347008 ----a-w- c:\windows\system32\win32k.sys

2013-01-03 05:05:20 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-01-03 05:04:43 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

.

============= FINISH: 19:27:02.51 ===============

Attach.txt file: --------------------------

.

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 6/15/2010 1:18:51 PM

System Uptime: 3/27/2013 4:20:27 PM (27 hours ago)

.

Motherboard: Dell Inc. | | 047MWF

Processor: Intel® Core2 Duo CPU T6570 @ 2.10GHz | Microprocessor | 2079/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 218 GiB total, 170.726 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP182: 3/10/2013 10:39:35 AM - Windows Update

RP183: 3/13/2013 7:57:17 PM - Windows Update

RP184: 3/15/2013 6:30:51 PM - Installed Quicken WillMaker Plus 2013

RP185: 3/16/2013 8:19:30 AM - Windows Update

RP186: 3/17/2013 11:27:34 AM - Windows Update

RP188: 3/17/2013 4:01:44 PM - Removed Brother Software Suite

RP189: 3/17/2013 4:14:53 PM - Removed PaperPort Image Printer

RP190: 3/17/2013 4:15:22 PM - Removed ScanSoft PaperPort 11

RP191: 3/17/2013 4:16:21 PM - Installed MSXML 4.0 SP3 Parser

RP192: 3/17/2013 4:16:54 PM - Installed Microsoft Visual C++ 2005 Redistributable

RP193: 3/17/2013 4:18:01 PM - Installed Nuance PaperPort 12

RP194: 3/17/2013 4:20:18 PM - Installed Nuance PDF Viewer Plus.

RP195: 3/17/2013 4:21:15 PM - Installed PaperPort Image Printer

RP196: 3/19/2013 7:34:05 AM - Windows Update

RP197: 3/22/2013 8:14:06 PM - Windows Update

RP198: 3/25/2013 8:25:45 PM - Windows Update

RP199: 3/26/2013 10:34:40 AM - Removed Nuance PDF Viewer Plus.

RP200: 3/26/2013 10:37:18 AM - Removed Nuance PDF Viewer Plus.

RP201: 3/27/2013 3:12:24 PM - Installed Microsoft Fix it 50229

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

3CXPhone

7+ Taskbar Tweaker v4.0

Acrobat.com

Adobe AIR

Adobe Download Assistant

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Presenter 7

Adobe Reader XI (11.0.02)

Advanced Audio FX Engine

Akamai NetSession Interface

Amazon Kindle

AnswerWorks 5.0 English Runtime

CCleaner

Compatibility Pack for the 2007 Office system

D3DX10

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Dell Edoc Viewer

Dell Touchpad

Dell Webcam Central

eyeBeam 1.5.20.2

EZ Home and Office v7.0

FastStone Capture 6.5

Foxit Reader

Google Advertising Cookie Opt-out

Google Chrome

Google Update Helper

GoToMeeting 5.4.0.1082

HDAUDIO Soft Data Fax Modem with SmartCP

Intel® Graphics Media Accelerator Driver

Intel® TV Wizard

Java 7 Update 11

Java Auto Updater

Java 6 Update 26

Junk Mail filter update

Live! Cam Avatar Creator

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft IntelliPoint 8.1

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Basic 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2007

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing (English) 2010

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher 2010

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2007

Microsoft Publisher 2010

Microsoft Save as PDF Add-in for 2007 Microsoft Office programs

Microsoft Search Enhancement Pack

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Movie Maker

Mozilla Firefox 19.0.2 (x86 en-US)

Mozilla Maintenance Service

Mozilla Thunderbird (2.0.0.24)

MSVCRT

MSVCRT110

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB2758694)

Nuance PaperPort 12

OGA Notifier 2.0.0048.0

OpenVPN 2.2.0

Oracle VM VirtualBox 4.2.4

PaperPort Image Printer

Photo Common

Photo Gallery

Pidgin

PowerDVD DX

Professor Franklin

Quicken 2011

Quicken WillMaker Plus 2013

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE 10.3

Roxio Creator Tools

Roxio Express Labeler 3

Roxio Update Manager

Screencast-O-Matic

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition

Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition

Snagit 11

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition

Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Infopath 2007 Help (KB963662)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2768024) 32-Bit Edition

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

WebEx

WebSlingPlayer ActiveX

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Photo Common

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WinRAR 4.20 (32-bit)

WinZip 14.5

.

==== Event Viewer Messages From Past Week ========

.

3/27/2013 4:20:51 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

3/27/2013 4:19:38 PM, Error: Service Control Manager [7000] - The eamonm service failed to start due to the following error: The system cannot find the file specified.

3/22/2013 7:44:56 AM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

.

==== End Of File ===========================

Link to post
Share on other sites

Hy there.

Please post the most recent Malwarebytes Logfile

Launch Malwarebytes --> Logs --> click on the last Logfile. A notepad Window will appear. Copy/Paste its content here in your topic.

Link to post
Share on other sites

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.28.07

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Protection: Enabled

3/28/2013 10:20:58 AM

mbam-log-2013-03-28 (10-20-58).txt

Scan type: Flash scan

Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled: Registry | File System

Objects scanned: 164493

Time elapsed: 1 minute(s), 20 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Link to post
Share on other sites

Hy there.

Please press the windows.jpg + R Key and type notepad into the Run box.

Copy/paste the entire contents of the codebox below, into notepad:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_ShowMyComputer"=-

  • Now on the top of the window choose File --> Save as
  • Into the Save as line type in regfix.reg
  • Change the Save as type to All Files (*.*)
  • Save it on your Desktop.

It should look like this: regfix_kl.jpg

Double-click on the regfix.reg file located on the desktop. A warning regarding changes applied to the registry will pop up, click on Yes as we know what we are doing here and OK.

Reboot your system.

Please press the windows.jpg + R Key and Copy/Paste the following single-line command into the Run box and click OK

cmd /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" > %userprofile%\Desktop\look.txt"

A look.txt will be created on your desktop. Please post its content here

Link to post
Share on other sites

Thanks! Here 'tis:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Start_SearchFiles REG_DWORD 0x2

ServerAdminUI REG_DWORD 0x0

Hidden REG_DWORD 0x1

ShowCompColor REG_DWORD 0x1

HideFileExt REG_DWORD 0x0

DontPrettyPath REG_DWORD 0x0

ShowInfoTip REG_DWORD 0x1

HideIcons REG_DWORD 0x0

MapNetDrvBtn REG_DWORD 0x0

WebView REG_DWORD 0x1

Filter REG_DWORD 0x0

SuperHidden REG_DWORD 0x0

SeparateProcess REG_DWORD 0x0

AutoCheckSelect REG_DWORD 0x0

IconsOnly REG_DWORD 0x0

ShowTypeOverlay REG_DWORD 0x1

ListviewAlphaSelect REG_DWORD 0x1

ListviewShadow REG_DWORD 0x1

TaskbarAnimations REG_DWORD 0x1

StartMenuInit REG_DWORD 0x4

Start_MinMFU REG_DWORD 0x5

Start_JumpListItems REG_DWORD 0x5

TaskbarSizeMove REG_DWORD 0x0

DisablePreviewDesktop REG_DWORD 0x1

TaskbarSmallIcons REG_DWORD 0x1

TaskbarGlomLevel REG_DWORD 0x2

Start_PowerButtonAction REG_DWORD 0x2

Start_TrackProgs REG_DWORD 0x0

Start_TrackDocs REG_DWORD 0x0

FolderContentsInfoTip REG_DWORD 0x1

Start_ShowMyComputer REG_DWORD 0x1

Start_ShowMyDocs REG_DWORD 0x2

Start_ShowMyGames REG_DWORD 0x0

Start_NotifyNewApps REG_DWORD 0x0

Start_ShowMyMusic REG_DWORD 0x0

Start_ShowMyPics REG_DWORD 0x0

Start_ShowRun REG_DWORD 0x1

Start_AdminToolsRoot REG_DWORD 0x0

StartMenuAdminTools REG_DWORD 0x1

Start_ShowSetProgramAccessAndDefaults REG_DWORD 0x0

Start_ShowHelp REG_DWORD 0x0

Start_ShowUser REG_DWORD 0x0

AlwaysShowMenus REG_DWORD 0x1

NavPaneShowAllFolders REG_DWORD 0x1

ExtendedUIHoverTime REG_DWORD 0xf4240

Start_LargeMFUIcons REG_DWORD 0x0

Start_ShowPrinters REG_DWORD 0x1

Start_SearchPrograms REG_DWORD 0x0

Start_ShowRecordedTV REG_DWORD 0x0

Start_ShowNetPlaces REG_DWORD 0x0

Link to post
Share on other sites

Thanks, Daniel. Second shot:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Start_SearchFiles REG_DWORD 0x2

ServerAdminUI REG_DWORD 0x0

Hidden REG_DWORD 0x1

ShowCompColor REG_DWORD 0x1

HideFileExt REG_DWORD 0x0

DontPrettyPath REG_DWORD 0x0

ShowInfoTip REG_DWORD 0x1

HideIcons REG_DWORD 0x0

MapNetDrvBtn REG_DWORD 0x0

WebView REG_DWORD 0x1

Filter REG_DWORD 0x0

SuperHidden REG_DWORD 0x0

SeparateProcess REG_DWORD 0x0

AutoCheckSelect REG_DWORD 0x0

IconsOnly REG_DWORD 0x0

ShowTypeOverlay REG_DWORD 0x1

ListviewAlphaSelect REG_DWORD 0x1

ListviewShadow REG_DWORD 0x1

TaskbarAnimations REG_DWORD 0x1

StartMenuInit REG_DWORD 0x4

Start_MinMFU REG_DWORD 0x5

Start_JumpListItems REG_DWORD 0x5

TaskbarSizeMove REG_DWORD 0x0

DisablePreviewDesktop REG_DWORD 0x1

TaskbarSmallIcons REG_DWORD 0x1

TaskbarGlomLevel REG_DWORD 0x2

Start_PowerButtonAction REG_DWORD 0x2

Start_TrackProgs REG_DWORD 0x0

Start_TrackDocs REG_DWORD 0x0

FolderContentsInfoTip REG_DWORD 0x1

Start_ShowMyComputer REG_DWORD 0x1

Start_ShowMyDocs REG_DWORD 0x2

Start_ShowMyGames REG_DWORD 0x0

Start_NotifyNewApps REG_DWORD 0x0

Start_ShowMyMusic REG_DWORD 0x0

Start_ShowMyPics REG_DWORD 0x0

Start_ShowRun REG_DWORD 0x1

Start_AdminToolsRoot REG_DWORD 0x0

StartMenuAdminTools REG_DWORD 0x1

Start_ShowSetProgramAccessAndDefaults REG_DWORD 0x0

Start_ShowHelp REG_DWORD 0x0

Start_ShowUser REG_DWORD 0x0

AlwaysShowMenus REG_DWORD 0x1

NavPaneShowAllFolders REG_DWORD 0x1

ExtendedUIHoverTime REG_DWORD 0xf4240

Start_LargeMFUIcons REG_DWORD 0x0

Start_ShowPrinters REG_DWORD 0x1

Start_SearchPrograms REG_DWORD 0x0

Start_ShowRecordedTV REG_DWORD 0x0

Start_ShowNetPlaces REG_DWORD 0x0

Link to post
Share on other sites

The value has been recreated.

So I need to find the file doing this.

Please download ProcessMonitor to your desktop. Extract the .zip archive in its own folder.

In the first window you will see few buttons.

Click on the "Architecture" Button and choose Operation.

In the line next to the "IS" Button type RegSetValue in the line next to it. Leave everything else as it is, click ADD -> Apply.

Next click on "Architecture" Button again, choose Path. Change the "IS" Button to "contains" and type Show_MyComputer in the line. Hit ADD --> Apply.

Now click OK at the bottom. It should be an empty Windows.

Run the regfix.reg again.

now take a look into the Procmon Window. There should be one line shown which process recreates the value. Please tell me the "processname"

Link to post
Share on other sites

Hi -- I apologize, but I'm not following. I downloaded ProcessMonitor and unzipped it to the ProcessMonitor folder. The folder contains a file for procmon.exe and procmon.chm. Should I run the exe file? I did that but didn't see any Architecture button. What window should I be looking at in order to see those buttons?

Link to post
Share on other sites

Hy there, please click on Tools --> Enable Bootlogging.

Reboot your system. As far as I know, Procmon opens automatically after the reboot and hopefully it will use the generated filter.

I am in rush right now ( friend of mine has troubles with the technic for his radio show which starts in 60mins. I love such days :D )

Will be back in around 4 hours

Link to post
Share on other sites

1. From ProcessMonitor > Options > Enable Bootlooging. A window displays: "Process Monitor is configured to log activity during the next boot."

I did not check the box to Generate Profile events.

2. Restart. ProcessMonitor did not open automatically after restarting.

3. Open procmon.ext > click Run.

4. The main window is blank, no process name or any text shown.

5. Alert window: "A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?"

6. Click Yes > save the Bootlog.pml file.

7. Two files are created, both called Bootlog.pml. I'm not able to open or view them. They're both over 200 MB.

Link to post
Share on other sites

Hy there,

I found some detailed instructions for bootlogging with this tool.

http://www.msigeek.com/6231/how-to-enable-system-boot-time-logging-using-process-monitor-tool

But before we play around to find it, lets see if Malwarebytes still detect this modification ( it is not really a dangerous one but it would be interesting to know, what causes the modification :) )

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

I wasn't able to get ProcessMonitor to work but I tracked down what's causing it to recur. I'm on Windows 7.

Start menu > customize > set Computer option to Don't Display This Item > Save. The next time malwarebytes runs, it will find and quarantine PUM.Hijack.StartMenu and the start menu Computer option will be set back to the default of Display as a Link.

Link to post
Share on other sites

Did you disabled the Computer Option by your own before asking for help here ?

If you want to hide MyComputer, than it is a customized setting and MBAM tend to reset such things to their default.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.