Trouble removing Malware/Trojan causing browser hijack

Hi there:

I have been following some of the threads on malware removal in the hope of being able to resolve this issue myself, but have been unsuccessful in removing an infection that keeps hijacking my browser and generally giving me fits. >:(

I have downloaded MBAM and run several scans, and now OTS, but the infection persists. I am at a loss as to how to proceed. ???

Any help would be greatly appreciated! :-\

—Jim.

Welcome to the forum.

Please post those two scans you did with Malwarebytes and OTS so we can have a look at them and give you better support.

As mikaelrask says, you need to post (attach) the scan logs from Malwarebytes and OTS.

Lower left corner > Additional Options > Attach… and the OTS log must be saved as ANSI; if not, it will look like Chinese gobbledygook.

Ok, thanks for the responses.

Attached here is the Malwarebytes log, and the OTS log.

Your assistance is greatly appreciated!

—Jim.

You forgot to update MBAM before you scanned; the database version in your scan is 6628 and the latest is 6654.

always update before you scan :wink:

Did you disable system restore ?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: Main\\"XMLHTTP_UUID_Default" -> 57 22 E5 03 DC 67 74 40 B9 F4 37 96 01 82 D1 9B  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: Main\\"XMLHTTP_UUID_Default" -> 57 22 E5 03 DC 67 74 40 B9 F4 37 96 01 82 D1 9B  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> 
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> 57 22 E5 03 DC 67 74 40 B9 F4 37 96 01 82 D1 9B  [binary data]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {03E52257-67DC-4074-B9F4-37960182D19b} [HKLM] -> C:\WINDOWS\system32\atmfd32.dll [Reg Error: Value error.]
YN -> {CE7C3CF0-4B15-11D1-ABED-709549C10000} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\mf321632.dll -> C:\WINDOWS\system32\mf321632.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\apphelpwow.exe" -> [C:\WINDOWS\apphelpwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\iasacctwow.exe" -> [C:\WINDOWS\iasacctwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\LegitCheckControlwow.exe" -> [C:\WINDOWS\LegitCheckControlwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\localuiwow.exe" -> [C:\WINDOWS\localuiwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\mspmspwow.exe" -> [C:\WINDOWS\mspmspwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\ntshruiwow.exe" -> [C:\WINDOWS\ntshruiwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\2D.tmp" -> [C:\WINDOWS\system32\2D.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\5.tmp" -> [C:\WINDOWS\system32\5.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\pxwma32.exe" -> [C:\WINDOWS\system32\pxwma32.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\win32splwow.exe" -> [C:\WINDOWS\win32splwow.exe:*:Enabled:Windows Update Service]
[Files/Folders - Created Within 30 Days]
NY ->  mf321632.dll -> C:\WINDOWS\System32\mf321632.dll
NY ->  atmfd32.dll -> C:\WINDOWS\System32\atmfd32.dll
[Files/Folders - Modified Within 30 Days]
NY ->  1759769042 -> C:\WINDOWS\System32\1759769042
NY ->  1221188350 -> C:\WINDOWS\System32\1221188350
NY ->  48198da9 -> C:\WINDOWS\System32\48198da9
NY ->  1647812057 -> C:\WINDOWS\System32\1647812057
NY ->  mf321632.dll -> C:\WINDOWS\System32\mf321632.dll
NY ->  atmfd32.dll -> C:\WINDOWS\System32\atmfd32.dll
[Files - No Company Name]
NY ->  48198da9 -> C:\WINDOWS\System32\48198da9
NY ->  1759769042 -> C:\WINDOWS\System32\1759769042
NY ->  1221188350 -> C:\WINDOWS\System32\1221188350
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
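Two of the indicators in the fix above can be cross-checked offline. The REG_BINARY value XMLHTTP_UUID_Default is a GUID stored with its first three fields little-endian; decoding the bytes `57 22 E5 03 DC 67 74 40 ...` yields the CLSID of the BHO entry that loads atmfd32.dll, which ties those registry keys to one infection. The firewall AuthorizedApplications entries are ten different binaries all claiming the display name "Windows Update Service", several of them .tmp files, where a legitimate exception is normally one binary per name. The following is an added example, not part of the thread and not OTS or Malwarebytes code; the sample lines are constructed from the log above plus one hypothetical benign entry, and the "shared name" threshold and the ".tmp" rule are this example's own heuristics, not rules from either tool.

```python
"""Offline triage of OTS-style log lines (added example; not OTS or Malwarebytes code).

Checks:
  1. Decode the REG_BINARY XMLHTTP_UUID_Default GUID and compare it to the BHO CLSID.
  2. Flag firewall AuthorizedApplications entries that are .tmp files, or whose
     display name is shared by several different binaries.
Sample lines are constructed from the thread's log plus one hypothetical benign
entry; the threshold and the ".tmp" rule are this example's own assumptions.
"""
import re
import uuid
from collections import defaultdict

# Values copied from the OTS fix in the thread.
XMLHTTP_UUID_HEX = "57 22 E5 03 DC 67 74 40 B9 F4 37 96 01 82 D1 9B"
BHO_CLSID = "{03E52257-67DC-4074-B9F4-37960182D19b}"

FIREWALL_LINES = [
    r'YN -> "C:\WINDOWS\apphelpwow.exe" -> [C:\WINDOWS\apphelpwow.exe:*:Enabled:Windows Update Service]',
    r'YN -> "C:\WINDOWS\system32\2D.tmp" -> [C:\WINDOWS\system32\2D.tmp:*:Enabled:Windows Update Service]',
    r'YN -> "C:\WINDOWS\system32\pxwma32.exe" -> [C:\WINDOWS\system32\pxwma32.exe:*:Enabled:Windows Update Service]',
    # Hypothetical benign control entry (constructed, not from the thread).
    r'YN -> "C:\Program Files\ExampleVoIP\voip.exe" -> [C:\Program Files\ExampleVoIP\voip.exe:*:Enabled:ExampleVoIP]',
]


def guid_from_registry_bytes(hex_dump: str) -> str:
    """Decode a 16-byte REG_BINARY GUID (first three fields little-endian) to {CLSID} form."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def same_guid(a: str, b: str) -> bool:
    """Case-insensitive comparison of {GUID} strings (OTS prints mixed case)."""
    return a.strip("{}").upper() == b.strip("{}").upper()


def bho_matches_xmlhttp_uuid(hex_dump: str = XMLHTTP_UUID_HEX, clsid: str = BHO_CLSID) -> bool:
    """True when the XMLHTTP_UUID_Default bytes decode to the BHO's CLSID."""
    return same_guid(guid_from_registry_bytes(hex_dump), clsid)


_FW_LINE = re.compile(r'^\w\w -> "(?P<path>[^"]+)" -> \[(?P<spec>[^\]]*)\]$')


def parse_firewall_line(line: str):
    """Split an OTS AuthorizedApplications line into path, scope, state and display name."""
    m = _FW_LINE.match(line.strip())
    if not m:
        return None
    # Spec is <path>:<scope>:<Enabled|Disabled>:<display name>; the path holds a
    # drive colon, so split from the right (assumes the display name has no colon).
    path, scope, state, name = m.group("spec").rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def triage_firewall(lines, shared_name_threshold: int = 3) -> dict:
    """Return {path: [reasons]} for entries that match the suspicious patterns."""
    entries = [e for e in map(parse_firewall_line, lines) if e]
    paths_per_name = defaultdict(set)
    for e in entries:
        paths_per_name[e["name"].casefold()].add(e["path"].casefold())

    flagged = {}
    for e in entries:
        reasons = []
        if e["path"].casefold().endswith(".tmp"):
            reasons.append("firewall exception for a .tmp file")
        n = len(paths_per_name[e["name"].casefold()])
        if n >= shared_name_threshold:
            reasons.append(f"display name {e['name']!r} shared by {n} different binaries")
        if reasons:
            flagged[e["path"]] = reasons
    return flagged


if __name__ == "__main__":
    print("XMLHTTP_UUID_Default decodes to", guid_from_registry_bytes(XMLHTTP_UUID_HEX))
    print("matches BHO CLSID:", bho_matches_xmlhttp_uuid())
    for path, reasons in triage_firewall(FIREWALL_LINES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

To use it on a real log, read the OTS file (saved as ANSI, as noted earlier in the thread) and pass the lines from the `Authorized Applications List` section to `triage_firewall`; the GUID decoder works for any REG_BINARY GUID that OTS prints as space-separated hex.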

PONDUS:

Here is the new log generated by the updated version of Malwarebytes scan.

Essexboy:

I did not realize that I needed to turn off system restore.

What (exactly) is the order of operations I should perform to be sure that the scans return the results you’re looking for? ??? I will wait for your reply before I take any other actions, to avoid complicating the issue.

Please excuse my ignorance in this area. :-\

Thanks!
—Jim.

Could you run the OTS fix next, please? Also, I was asking whether you had turned System Restore off previously, as it is not working at the moment.

Once the OTS fix is complete, could you let me know if you are still having problems?

Essexboy:

I have applied the fix in OTS as you directed. Here is (attached) the log file that resulted from that operation.

I tried a few Google search/browse operations, and so far, no hijacks! ;D I did, however, trigger an Avast! alert indicating that a “suspicious file” had been blocked—file name=C:\Documents and Settings\William J. Wickstrom\Local Settings\Temporary Internet Files\Content.IE5\1Y51HNLS\adview[1].txt—while navigating to make this response to this thread. I chose the “delete” option, as the file location did not look like it would cause any problem to do so. Is this something I should be worried about? ???

—Jim.

Running another Malwarebytes scan reveals Trojan.BHO registry key HKEY_CLASSES_ROOT.fsharproj >:(

Attached is the Malwarebytes log associated with this scan.

How should I proceed?

—Jim

You will have to wait a little while for essexboy to get on the forums after work to check out the log. From what I see, some of the things were moved successfully and others were not found, which I think is good (but this isn’t my field). So it would need essexboy to confirm it is clean.

You already have, since MBAM reports “Quarantined and deleted successfully.”

OK, your System Restore is now working, which is good.

The logs look OK

Any further problems?

Essexboy:

I think everything’s working properly now. :slight_smile:

Thank you all for your assistance—you guys RULE!

Is there any need or benefit from running any further scans i.e.: Avast!, Ad-Aware to see if they detect anything?

Also, I have another machine that I think may be infected. Should I start another thread for that problem, or can I apply the same OTS fix?

Thanks again, ALL, for your patience and assistance!

—Jim. 8)

Should I start another thread for that problem, or can I apply the same OTS fix?
Continue here, and do not use the fix on any other system, as it may have unintended consequences; each fix is unique.

Leave the system that we have repaired to run for a day or so to ensure that all is good.

For the second system could you run and post an aswMBR log and an OTS scan

Essexboy:

Ok, here are the scan logs you specified.

—Jim.

Oops! I don’t see the OTS log in my previous post—here it is.

—Jim.

I see that you have run ComboFix; could you attach the log?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\cmutilwow.exe" -> [C:\WINDOWS\cmutilwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\hnetmonwow.exe" -> [C:\WINDOWS\hnetmonwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\19.tmp" -> [C:\WINDOWS\system32\19.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\1E.tmp" -> [C:\WINDOWS\system32\1E.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\1F.tmp" -> [C:\WINDOWS\system32\1F.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\dsquery32.exe" -> [C:\WINDOWS\system32\dsquery32.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\wmdmpswow.exe" -> [C:\WINDOWS\wmdmpswow.exe:*:Enabled:Windows Update Service]
[Files/Folders - Modified Within 30 Days]
NY ->  4df5eed -> C:\WINDOWS\System32\4df5eed
NY ->  606413462 -> C:\WINDOWS\System32\606413462
NY ->  68094394 -> C:\WINDOWS\System32\68094394
NY ->  sl1710136104 -> C:\WINDOWS\System32\sl1710136104
NY ->  unrar.exe -> C:\WINDOWS\System32\unrar.exe
NY ->  787566237 -> C:\WINDOWS\System32\787566237
[Files - No Company Name]
NY ->  4df5eed -> C:\WINDOWS\System32\4df5eed
NY ->  606413462 -> C:\WINDOWS\System32\606413462
NY ->  sl1710136104 -> C:\WINDOWS\System32\sl1710136104
NY ->  unrar.exe -> C:\WINDOWS\System32\unrar.exe
NY ->  68094394 -> C:\WINDOWS\System32\68094394
NY ->  787566237 -> C:\WINDOWS\System32\787566237
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Here’s the ComboFix log you requested.

—Jim.

This should get it.

  1. Please open Notepad: click Start, then Run, type notepad.exe in the Run box and press Enter.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\msshavmsg32.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"=-

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt.

  5. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following report/log in your next reply:
     Combofix.txt

Essexboy:

Should I do this First, BEFORE the OTS fix you specified, or AFTER I apply the OTS fix?

—Jim.