Avast WEBforum
Other => Viruses and worms => Topic started by: matt_mk on March 17, 2014, 07:25:05 PM
-
Hi,
I'm getting repeated warnings from avast web shield regarding 4dlmng.com.
I see another user encountered this problem in thread http://forum.avast.com/index.php?topic=143648.0
I've followed the initial instructions to clear this threat and have attached the Farbar & GMER logs suggested by TwinHeadedEagle in the above thread.
Please can someone advise me of the next steps.
Any help greatly appreciated.
Thanks
-
Thanks,
I'll get a remover for you.
-
Please attach the OTL log also.
https://www.virustotal.com/en/domain/4dlmng.com/information/ (https://www.virustotal.com/en/domain/4dlmng.com/information/)
-
Monitoring.
-
Please find OTL log attached. Thanks
-
Hi,
I'll give you future malware removal instructions.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [SSync] - C:\Users\Lindy\AppData\Roaming\SSync\SSync.exe [41984 2012-12-19] ()
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [DataMgr] - C:\Users\Lindy\AppData\Roaming\DataMgr\DataMgr.exe [168776 2013-02-19] (HTTO Group, Ltd.)
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [OMESupervisor] - C:\Users\Lindy\AppData\Local\omesuperv.exe [2239264 2013-12-24] ()
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [SCheck] - C:\Users\Lindy\AppData\Roaming\SCheck\SCheck.exe [37376 2013-12-09] ()
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [Snoozer] - C:\Users\Lindy\AppData\Roaming\Snz\Snz.exe [1209628 2013-12-24] ()
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [Intermediate] - C:\Users\Lindy\AppData\Roaming\Intermediate\Intermediate.exe [37376 2013-12-09] ()
BHO-x32: No Name - {D40C654D-7C51-4EB3-95B2-1E23905C2A2D} - No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
C:\Users\Lindy\AppData\Local\Temp\msvcr71.dll
C:\Users\Lindy\AppData\Local\Temp\Scrivener-1570-update.exe
C:\Users\Lindy\AppData\Local\Temp\Scrivener-1600-update.exe
C:\Users\Lindy\AppData\Local\Temp\Scrivener-1610-update.exe
C:\Users\Lindy\AppData\Local\Temp\SkypeSetup.exe
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
.
************* Next *************
Please download Malwarebytes AntiRootkit (MBAR) (http://www.malwarebytes.org/antirootkit/) and save it to your desktop.
For full instructions how MBAR works, read this article (http://blog.malwarebytes.org/news/2012/11/meet-malwarebytes-anti-rootkit/)
> Doubleclick on the MBAR file ((http://www.mcshield.net/personal/magna86/Images/mbar.png)) and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.
• On the Update Database screen, click on the Update button. Once you see 'Success: Database was successfully updated' click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.
Notice: with some infections, you may see two messages boxes:
- 'Could not load protection driver'. Click 'OK'.
- 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.
>> If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
• The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.
>> Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe
- Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait few seconds for execution ...
- When you see "press any key to exit" fix is completed, press any key to close the window. Reboot the system.
> The following reports will be created in mbar folder:
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt
Please post both logs in your next reply.
-
Thank you for your help.
Please find attached 2 of the files as requested. However mbar-log-year-month-day.txt did not seem to be created.
-
What is the situation now?
-
Have restarted the computer and opened up several web pages and so far no warning :-)
Thanks for your assistance
-
Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
.
• The following will implement some post-cleanup procedures:
=> Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by Xplode to your Desktop.
Run the tool and check the following boxes below;
(http://www.mcshield.net/personal/magna86/Images/checkmark.png) Remove disinfection tools
(http://www.mcshield.net/personal/magna86/Images/checkmark.png) Create registry backup
(http://www.mcshield.net/personal/magna86/Images/checkmark.png) Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.
-
There was nothing dangerous, just adware ;)
-
Many thanks :)
-
Unfortunately today the warning message has re-appeared. Any ideas?
-
- Please download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) by sUBs and save it to your Desktop.
You may read how Combofix works here. (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
- When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
(typical log location: C:\ComboFix.txt )
-
File as requested
-
Please download zoek.zip or zoek.rar by smeenk ((http://www.mcshield.net/personal/magna86/Images/Zoek_icon.png)) from here (http://hijackthis.nl/smeenk) or here (http://home.kpn.nl/stefsmeenk/zoek.exe) and save it to your Desktop.
Unpack the archive...
- Close any open browsers
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait while the tool does not start...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
c:\users\Lindy\AppData\Local\FindAndRemind;fs
c:\users\Lindy\AppData\Roaming\GiveasyouLive;fs
{724b95aa-2c31-4125-b832-c3190c8338ce};c
{087069fe-8e5d-4995-9df1-d30988c8108f};c
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar];r
"{087069fe-8e5d-4995-9df1-d30988c8108f}"=-;r
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar];r64
"{087069fe-8e5d-4995-9df1-d30988c8108f}"=-;r64
[-HKEY_CLASSES_ROOT\FindAndRemind.Toolbar];r
[-HKEY_CLASSES_ROOT\FindAndRemind.Toolbar];r64
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"GiveasyouLiveHelper"=-;r
autoclean; - Click on (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png) button.
Please wait until a logreport will open (this can be after reboot)
- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"
.
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) ((http://www.mcshield.net/personal/magna86/Images/FRST_canned.png)) by Farbar and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
-
hi argus,
When I went to the websites for zoek I got a malware threat warning and also the files zoek.zip and zoek.rar would not download??
-
When I went to the websites for zoek I got a malware threat warning
Turn off Avast.
-
I have run zoek.exe and now after rebooting there is just a black screen??
-
Reboot your PC.
-
Files as requested.
Incidentally when I went on the zoek website a green card type ad popped up.
-
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start
U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2011-03-01] (Microsoft Corporation)
CMD: ipconfig /flushdns
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
-
he guys,
I've got the same problem.
It's driving me a bit crazy cause every 10 sec it pops up...
I must say that I'm a digital nono...
When reading the beginning of this subject I was lost after the first few words.
Is there an easy way of telling me what to do.
Other then throwing my laptop out the window ::)
thx
-
Create new topic.
-
@djk024
Is there an easy way of telling me what to do.
yes, if you start your own topic you will get step by step instructions...
-
File attached
-
@matt_mk what the situation is now?
-
All appears fine again. I'll see how things go...
-
Sadly it has come back.
-
Re-run Malwarebytes Anti-Rootkit again.
-
Done as instructed.
It said no clean up was required.
-
Rerun FRST and click scan.
-
Done
-
Rerun zoek with this script:
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
-
Done
-
- Close any open browsers
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait while the tool does not start...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
C:\windows\tasks\GoogleUpdateTaskMachineCore.job;f
Google Wallet;chr
mjdepfkicdcciagbigfcmdhknnoaaegf;chr
C:\Program Files (x86)\Deskperience\Word Capture\wcxChrome.crx;chr
Give as you Live;chr
emptyalltemp;
autoclean;
emptyclsid;- Click on (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png) button.
Please wait until a logreport will open (this can be after reboot)
- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"
-
Next installment
-
Do you still have a warning?
-
No. So far so good
-
It is necessary to uninstall ComboFix :
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
-
Done as advised