XP Recovery got me - Anti Malware found pum.hijack.taskmanager

Hello all,

Working on two computers at once the other evening and up pops XP Recovery asking to start scan. And I started the scan, like a fool. Avast immediately notified that there was a problem, after I started the scan…too late. Unable to see any of my programs in the start menu.
I have read your posts and ran mbam and then OTS. Mbam located and stated it deleted the pum.hijack.taskmanager.
Thank you in advance for your help
Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6858

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/14/2011 3:38:36 PM
mbam-log-2011-06-14 (15-38-36).txt

Scan type: Quick scan
Objects scanned: 237119
Time elapsed: 17 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
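
As an added example (not part of the original post and not Malwarebytes code), a short Python parser for the log layout quoted above: it extracts which registry value was flagged, its bad and expected data, and the action taken, and checks that the summary counts agree with the itemised sections. The function name and the embedded sample log are constructed for illustration.

```python
import re

# Constructed sample in the layout of the Malwarebytes log quoted above.
SAMPLE_LOG = r"""Registry Values Infected: 0
Registry Data Items Infected: 1
Files Infected: 0

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETAIL = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[^()]+)\) (?:→|->) "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) (?:→|->) )?(?P<action>.+)$"
)
# Sections whose target is "key\value" rather than a bare key, file or folder.
VALUE_SECTIONS = ("Registry Values Infected", "Registry Data Items Infected")

def parse_mbam_log(text):
    """Return (summary counts, findings, sections whose counts disagree)."""
    counts, findings, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := DETAIL.match(line)):
            item = m.groupdict()
            item["section"] = section
            if section in VALUE_SECTIONS:
                # Last path component is the value name; the rest is the key.
                item["key"], _, item["value"] = item["target"].rpartition("\\")
            findings.append(item)
    seen = {s: sum(f["section"] == s for f in findings) for s in counts}
    mismatched = sorted(s for s in counts if counts[s] != seen[s])
    return counts, findings, mismatched
```

A non-empty third return value means the log was truncated or edited between the summary and the itemised sections, which is worth knowing before acting on it.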

PUM = Possible Unwanted Modification :wink:

Was your Malwarebytes fully updated before you scanned?

Yes, I updated it before running scan. Thxs

It appears that your files and folders are hidden - let's see if we can recover them for you.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  ~17162020r -> C:\Documents and Settings\All Users\Application Data\~17162020r
NY ->  ~17162020 -> C:\Documents and Settings\All Users\Application Data\~17162020
NY ->  17162020 -> C:\Documents and Settings\All Users\Application Data\17162020
[Files - No Company Name]
NY ->  ~17162020r -> C:\Documents and Settings\All Users\Application Data\~17162020r
NY ->  ~17162020 -> C:\Documents and Settings\All Users\Application Data\~17162020
NY ->  17162020 -> C:\Documents and Settings\All Users\Application Data\17162020
[Custom Items]
:files
attrib -H c:\*.* /s /d /c
:end
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Two programmes to run to catch any I missed

First :

Download Unhide.exe to your desktop and run

Second :
Download RogueKiller to your desktop

- Quit all running programs
- For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
- When prompted, type 6 and validate
- The RKreport.txt shall be generated next to the executable.
- If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Ran OTS with the fix from Essexboy (thank you), then Unhide.exe, then RogueKiller. My programs now show up in the start menu.

Here is the log from RogueKiller, please let me know if I need to do anything further. I really appreciate the help I have gotten from your forum!

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Shortcuts HJfix – Date : 06/14/2011 23:45:45

Bad processes: 4
[SUSP PATH] sttray.exe – c:\windows\sttray.exe → KILLED
[SUSP PATH] OTS.exe – c:\documents and settings\administrator\desktop\ots.exe → KILLED
[SUSP PATH] notepad.exe – c:\windows\notepad.exe → KILLED
[SUSP PATH] notepad.exe – c:\windows\notepad.exe → KILLED

File attributes restored:
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 1 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 36 / Fail 0
My documents: Success 10 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 2530 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 – 0x3 → Restored
[D:] \Device\CdRom0 – 0x5 → Skipped

Finished : << RKreport[1].txt >>
RKreport[1].txt

Under the start menu I can see my Programs but when I choose them and drill down it shows up as , not allowing me to choose the executable that would normally be there.

This next one will produce the necessary shortcut links which you can cut and paste into the start menu folder
http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/Repair.vbs
From the above link download the repair.vbs file to your desktop
Run the repair.vbs
It will ask for a folder name; call it recovery
The tool will let you know when it is finished
On the desktop will be a recovery folder
Open the folder
Cut and paste the links that you want to C:\documents and settings\<your name>\start menu

http://i1224.photobucket.com/albums/ee362/Essexboy3/recoverxp1.gif

http://i1224.photobucket.com/albums/ee362/Essexboy3/recoverxp2.gif

How is your computer behaving now ?

Thanks for the fix. You have been a big help. It will take a little bit to rename the shortcuts but it’s a lot better than reloading windows and the programs.

Once you are happy let me know and I will remove my tools ;D