DisallowRun policy, PUM.Hijack.DisplayProperties

JenBeee


Posted 08 December 2010 - 05:18 PM

A virus on my computer is trying to prevent me from using Firefox, Chrome, and Safari by adding registry entries in HKCU\Software\Policies\Explorer\DisallowRun. I can remove the bad registry entries with MalwareBytes, but they keep reappearing. I have to delete the entries every time I want to use Firefox.

The MalwareBytes scan also picks up Hijack.ControlPanel, PUM.Hijack.DisplayProperties, and Hijack.Homepage.

Something is also trying to block MalwareBytes from running on startup.

I ran HJT and DDS, but GMER Rootkit scanner was still scanning after 2 hours so I put it out of its misery.


DDS (Ver_10-12-05.01) - NTFSx86
Run by jenniferb at 15:58:05.53 on Wed 12/08/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3036.1508 [GMT -5:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\GFI\FAXmaker Client\fmstart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox3\firefox.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet.esi-dc.com
uDefault_Page_URL = hxxp://intranet.esi-dc.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [AdobeBridge]
mRun: [FMStart] "c:\program files\gfi\faxmaker client\fmstart.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoAutorun = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: RestrictWelcomeCenter = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoInplaceSharing = 1 (0x1)
uPolicies-disallowrun: 1 = chrome.exe
uPolicies-disallowrun: 2 = firefox.exe
uPolicies-disallowrun: 3 = safari.exe
uPolicies-system: NoDispScrSavPage = 1 (0x1)
uPolicies-system: Wallpaper = c:\esi.bmp
uPolicies-system: WallpaperStyle = 2
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: PreXPSP2ShellProtocolBehavior = 0 (0x0)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-explorer: NoDisconnect = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 4 (0x4)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: FilterAdministratorToken = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: LogonType = 0 (0x0)
mPolicies-system: ReportControllerMissing = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.com
Trusted Zone: adp.com\agateway
Trusted Zone: adp.com\lh
Trusted Zone: adp.com\netsecure
Trusted Zone: adp.com\netsecure2
Trusted Zone: adp.com\netsecure2cred
Trusted Zone: adp.com\netsecurecred
Trusted Zone: adp.com\payex
Trusted Zone: adp.com\support
Trusted Zone: discoverybenefits.com
Trusted Zone: metlife.com
Trusted Zone: microsoft.com
Trusted Zone: navigatorsuite.com
Trusted Zone: navigatorsuite.com\dbiemployer
Trusted Zone: adp.com
Trusted Zone: adp.com\agateway
Trusted Zone: adp.com\lh
Trusted Zone: adp.com\netsecure
Trusted Zone: adp.com\netsecure2
Trusted Zone: adp.com\netsecure2cred
Trusted Zone: adp.com\netsecurecred
Trusted Zone: adp.com\payex
Trusted Zone: adp.com\support
Trusted Zone: discoverybenefits.com
Trusted Zone: metlife.com
Trusted Zone: microsoft.com
Trusted Zone: navigatorsuite.com
Trusted Zone: navigatorsuite.com\dbiemployer
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\jennif~1\appdata\roaming\mozilla\firefox\profiles\n40ek0na.default\
FF - prefs.js: network.proxy.http - http://toxy.co.uk
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox3\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\jennif~1\appdata\roaming\mozilla\firefox\profiles\n40ek0na.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\users\jennif~1\appdata\roaming\mozilla\firefox\profiles\n40ek0na.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - c:\users\jennif~1\appdata\roaming\mozilla\firefox\profiles\n40ek0na.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-8 363344]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2008-4-3 121744]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2008-4-3 1956240]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-9-12 144128]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-14 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-8 20952]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [2009-9-12 59136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 PeerDistSvc;BranchCache;c:\windows\system32\svchost.exe -k PeerDist [2008-1-20 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-12-08 19:36:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-08 19:36:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-08 19:36:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-08 18:12:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-08 18:12:58 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-08 17:38:46 -------- d-----w- c:\program files\Mozilla Firefox3
2010-12-03 07:01:57 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-12-03 07:01:42 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-10 07:00:24 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-11-10 07:00:24 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-11-10 07:00:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

==================== Find3M ====================

2010-09-15 09:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL

============= FINISH: 15:58:53.68 ===============
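
The values the DDS log reports as uPolicies-explorer, uPolicies-disallowrun and uPolicies-system, and the Firefox proxy lines under FF - prefs.js, can be read straight from the affected user's profile. The PowerShell script below is an added example written for this thread; it is not code from the original post, from DDS or from Malwarebytes. It assumes PowerShell 3.0 or later, that the two registry paths it names (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and ...\Policies\System) are the standard locations of these per-user policy values, and that Firefox profiles live under %APPDATA%\Mozilla\Firefox\Profiles. The value names it looks for are the ones that appear in the log above. It only reads and reports; it changes nothing.

```powershell
# Added example for this thread (not from the original post, DDS or Malwarebytes).
# Read-only audit of the per-user policy values DDS labels "uPolicies-explorer",
# "uPolicies-disallowrun" and "uPolicies-system", plus the Firefox prefs.js proxy
# settings it labels "FF - prefs.js". Requires PowerShell 3.0 or later.
# Assumption: the two registry paths below are the standard locations of these
# per-user policy values; the value names listed are the ones seen in the log.

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPolicy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-DisallowRunEntries {
    # One object per blocked executable name in the DisallowRun list subkey.
    # The DWORD DisallowRun=1 in the parent Explorer key is what switches the list on.
    $enabled = (Get-ItemProperty -Path $ExplorerPolicy -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    $listKey = Join-Path -Path $ExplorerPolicy -ChildPath 'DisallowRun'
    if (-not (Test-Path -Path $listKey)) { return }
    $key = Get-Item -Path $listKey
    foreach ($valueName in $key.GetValueNames()) {
        [pscustomobject]@{
            Index         = $valueName
            Executable    = $key.GetValue($valueName)
            PolicyEnabled = ($enabled -eq 1)
        }
    }
}

function Get-ShellRestrictionPolicies {
    # Reports which of the Explorer/System policy values from the log are set here.
    # Compare the result against your own known-good baseline for this machine.
    $targets = @{
        $ExplorerPolicy = @('DisallowRun', 'ForceClassicControlPanel', 'NoAutorun',
                            'RestrictWelcomeCenter', 'NoActiveDesktopChanges', 'NoInplaceSharing')
        $SystemPolicy   = @('NoDispScrSavPage', 'Wallpaper', 'WallpaperStyle')
    }
    foreach ($path in $targets.Keys) {
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $targets[$path]) {
            if ($null -ne $props.$name) {
                [pscustomobject]@{ Key = $path; Name = $name; Value = $props.$name }
            }
        }
    }
}

function Get-FirefoxProxyPrefs {
    # Lists the user_pref("network.proxy.*") lines from every Firefox profile's prefs.js.
    # network.proxy.type = 1 means "manual proxy"; network.proxy.http is the host
    # that all HTTP traffic is then sent through.
    $profileRoot = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path -Path $profileRoot)) { return }
    foreach ($profile in (Get-ChildItem -Path $profileRoot | Where-Object { $_.PSIsContainer })) {
        $prefs = Join-Path -Path $profile.FullName -ChildPath 'prefs.js'
        if (-not (Test-Path -Path $prefs)) { continue }
        Select-String -Path $prefs -Pattern '^user_pref\("network\.proxy\.' | ForEach-Object {
            [pscustomobject]@{ Profile = $profile.Name; Pref = $_.Line.Trim() }
        }
    }
}

# Report everything for the current user.
$entries = @(Get-DisallowRunEntries)
if ($entries.Count -gt 0) {
    Write-Host ('DisallowRun list (policy enabled: {0}):' -f $entries[0].PolicyEnabled)
    $entries | Format-Table -AutoSize
} else {
    Write-Host 'No DisallowRun list present under the user Explorer policy key.'
}
Write-Host 'Explorer/System policy values from the log that are set on this machine:'
Get-ShellRestrictionPolicies | Format-Table -AutoSize
Write-Host 'Firefox proxy preferences:'
Get-FirefoxProxyPrefs | Format-Table -AutoSize
```

Run it in the affected user's session. The Policies keys it reads are also where Group Policy writes user settings, so values that come back after every cleanup are worth comparing against the policies actually applied to the machine (gpresult /r lists them) before they are treated as malware persistence. A prefs.js line setting network.proxy.type to 1 together with an unexpected host in network.proxy.http, as in the log above, sends the browser's traffic through that host and is the kind of entry to remove.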

Maniac


  • Location: Bulgaria, EU

Posted 09 December 2010 - 05:30 AM

Hello JenBeee! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

screen317


Posted 16 December 2010 - 03:48 AM

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Chris Fistonich
Research Team

