I have been following some of the threads on malware removal in hope of being able to resolve this issue myself, but have been unsuccessful in removing an infection that keeps hijacking my browser and generally giving me fits. >:(
I have downloaded MWBAM and run several scans, and now OTS, but the infection persists. I am at a loss as to how to proceed. ???
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > ->
YN -> HKEY_USERS\.DEFAULT\: Main\\"XMLHTTP_UUID_Default" -> 57 22 E5 03 DC 67 74 40 B9 F4 37 96 01 82 D1 9B [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > ->
YN -> HKEY_USERS\S-1-5-18\: Main\\"XMLHTTP_UUID_Default" -> 57 22 E5 03 DC 67 74 40 B9 F4 37 96 01 82 D1 9B [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > ->
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> 57 22 E5 03 DC 67 74 40 B9 F4 37 96 01 82 D1 9B [binary data]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {03E52257-67DC-4074-B9F4-37960182D19b} [HKLM] -> C:\WINDOWS\system32\atmfd32.dll [Reg Error: Value error.]
YN -> {CE7C3CF0-4B15-11D1-ABED-709549C10000} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\mf321632.dll -> C:\WINDOWS\system32\mf321632.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\apphelpwow.exe" -> [C:\WINDOWS\apphelpwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\iasacctwow.exe" -> [C:\WINDOWS\iasacctwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\LegitCheckControlwow.exe" -> [C:\WINDOWS\LegitCheckControlwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\localuiwow.exe" -> [C:\WINDOWS\localuiwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\mspmspwow.exe" -> [C:\WINDOWS\mspmspwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\ntshruiwow.exe" -> [C:\WINDOWS\ntshruiwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\2D.tmp" -> [C:\WINDOWS\system32\2D.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\5.tmp" -> [C:\WINDOWS\system32\5.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\pxwma32.exe" -> [C:\WINDOWS\system32\pxwma32.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\win32splwow.exe" -> [C:\WINDOWS\win32splwow.exe:*:Enabled:Windows Update Service]
[Files/Folders - Created Within 30 Days]
NY -> mf321632.dll -> C:\WINDOWS\System32\mf321632.dll
NY -> atmfd32.dll -> C:\WINDOWS\System32\atmfd32.dll
[Files/Folders - Modified Within 30 Days]
NY -> 1759769042 -> C:\WINDOWS\System32\1759769042
NY -> 1221188350 -> C:\WINDOWS\System32\1221188350
NY -> 48198da9 -> C:\WINDOWS\System32\48198da9
NY -> 1647812057 -> C:\WINDOWS\System32\1647812057
NY -> mf321632.dll -> C:\WINDOWS\System32\mf321632.dll
NY -> atmfd32.dll -> C:\WINDOWS\System32\atmfd32.dll
[Files - No Company Name]
NY -> 48198da9 -> C:\WINDOWS\System32\48198da9
NY -> 1759769042 -> C:\WINDOWS\System32\1759769042
NY -> 1221188350 -> C:\WINDOWS\System32\1221188350
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Here is the new log generated by the updated version of Malwarebytes scan.
Essexboy:
I did not realize that I needed to turn off system restore.
What order of operations (exactly) should I perform to be sure that the scans are returning the results you’re looking for? ??? I will wait for your reply before I take any other actions to avoid complicating the issue.
I have applied the fix in OTS as you directed. Here is (attached) the log file that resulted from that operation.
I tried a few Google search/browse operations, and so far, no hijacks! ;D I did, however, trigger an Avast! alert indicating that a “suspicious file” had been blocked—file name=C:\Documents and Settings\William J. Wickstrom\Local Settings\Temporary Internet Files\Content.IE5\1Y51HNLS\adview[1].txt while navigating to make this response to this thread. I chose the “delete” option, as the file location did not look like it would cause any problem to do so. Is this something I should be worried about? ???
You will have to wait a little while for essexboy to get on the forums after work, to check out the log. From what I see, some of the things were moved successfully and others not found, which I think is good (but this isn’t my field). So it would need essexboy to confirm it is clean.
You already have since MBAM has been “Quarantined and deleted successfully.”
I see that you have run Combofix; could you attach the log?
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\cmutilwow.exe" -> [C:\WINDOWS\cmutilwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\hnetmonwow.exe" -> [C:\WINDOWS\hnetmonwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\19.tmp" -> [C:\WINDOWS\system32\19.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\1E.tmp" -> [C:\WINDOWS\system32\1E.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\1F.tmp" -> [C:\WINDOWS\system32\1F.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\dsquery32.exe" -> [C:\WINDOWS\system32\dsquery32.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\wmdmpswow.exe" -> [C:\WINDOWS\wmdmpswow.exe:*:Enabled:Windows Update Service]
[Files/Folders - Modified Within 30 Days]
NY -> 4df5eed -> C:\WINDOWS\System32\4df5eed
NY -> 606413462 -> C:\WINDOWS\System32\606413462
NY -> 68094394 -> C:\WINDOWS\System32\68094394
NY -> sl1710136104 -> C:\WINDOWS\System32\sl1710136104
NY -> unrar.exe -> C:\WINDOWS\System32\unrar.exe
NY -> 787566237 -> C:\WINDOWS\System32\787566237
[Files - No Company Name]
NY -> 4df5eed -> C:\WINDOWS\System32\4df5eed
NY -> 606413462 -> C:\WINDOWS\System32\606413462
NY -> sl1710136104 -> C:\WINDOWS\System32\sl1710136104
NY -> unrar.exe -> C:\WINDOWS\System32\unrar.exe
NY -> 68094394 -> C:\WINDOWS\System32\68094394
NY -> 787566237 -> C:\WINDOWS\System32\787566237
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
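Both fix scripts in this thread target the same persistence pattern: a DLL loaded through AppInit_DLLs, Windows Firewall exceptions for random executables and .tmp files that all describe themselves as "Windows Update Service", and extensionless hex- or decimal-named files dropped into System32 with no company name. The script below is an added example (not OTS code and not from any post in this thread) that parses listing lines in the "flags -> name -> value" shape of those fix scripts and flags exactly those patterns. The sample lines are constructed from that shape, and the heuristics (AppInit_DLLs is empty on a default install; a genuine Windows Update entry would name wuauclt.exe or svchost.exe) are this example's assumptions rather than OTS rules.

```python
"""Triage OTS-style listing lines for the persistence patterns seen in this thread.

Added example, not part of OTS or of any post above. The heuristics are
assumptions written for this example, not rules from the tool.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the fix scripts above (not a real log).
# The firefox.exe and unrar.exe lines are benign controls added here.
SAMPLE_LISTING = r"""
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
YY -> C:\WINDOWS\system32\mf321632.dll -> C:\WINDOWS\system32\mf321632.dll
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\apphelpwow.exe" -> [C:\WINDOWS\apphelpwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\2D.tmp" -> [C:\WINDOWS\system32\2D.tmp:*:Enabled:Windows Update Service]
YN -> "C:\Program Files\Mozilla Firefox\firefox.exe" -> [C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox]
[Files - No Company Name]
NY -> 48198da9 -> C:\WINDOWS\System32\48198da9
NY -> 1759769042 -> C:\WINDOWS\System32\1759769042
NY -> unrar.exe -> C:\WINDOWS\System32\unrar.exe
"""

# Assumption: binaries a genuine Windows Update firewall entry could plausibly name.
WINDOWS_UPDATE_BINARIES = {"wuauclt.exe", "svchost.exe"}
ENTRY_RE = re.compile(r"^([YN]{2}) -> (.*?) -> (.*)$")
HEXNAME_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


@dataclass
class Entry:
    section: str  # the "< ... >" or "[ ... ]" header the line sits under
    flags: str    # the two-letter YN/YY/NY prefix
    name: str
    value: str


def parse_listing(text):
    """Turn listing text into Entry objects, tracking the current section header."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(section, m.group(1), m.group(2).strip('"'), m.group(3)))
        elif line.startswith("<") and ">" in line:
            section = line[1:line.index(">")].strip()
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
    return entries


def parse_firewall_value(value):
    """Split '[path:scope:state:description]' from the right so the drive colon stays in the path."""
    parts = value.strip("[]").rsplit(":", 3)
    return tuple(parts) if len(parts) == 4 else None


def triage(entries):
    """Return (item, reason) pairs for entries matching the thread's persistence patterns."""
    findings = []
    for e in entries:
        sec = e.section.lower()
        if "appinit_dlls" in sec:
            findings.append((e.name, "AppInit_DLLs is empty by default; this DLL is injected into every user32 process"))
        elif "authorized applications" in sec:
            parsed = parse_firewall_value(e.value)
            if parsed is None:
                continue
            path, _scope, _state, desc = parsed
            base = path.rsplit("\\", 1)[-1].lower()
            if base.endswith(".tmp"):
                findings.append((path, "firewall exception for a .tmp file"))
            elif "windows update" in desc.lower() and base not in WINDOWS_UPDATE_BINARIES:
                findings.append((path, f"described as '{desc}' but the binary is {base}"))
        elif "no company name" in sec:
            base = e.value.rsplit("\\", 1)[-1]
            if "." not in base and HEXNAME_RE.match(base):
                findings.append((e.value, "extensionless hex/decimal-named file with no version info"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{item}\n    {reason}")
```

Run against the constructed sample it flags five items (the AppInit DLL, the two masquerading firewall exceptions, and the two numeric files) and leaves firefox.exe and unrar.exe alone; the heuristics are a starting point for reading a listing like the ones above, not a verdict on any single file.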