Author Topic: Infection warning - 4dlmng.com  (Read 14540 times)


matt_mk

  • Guest
Infection warning - 4dlmng.com
« on: March 17, 2014, 07:25:05 PM »
Hi,

I'm getting repeated warnings from avast web shield regarding 4dlmng.com.

I see another user encountered this problem in thread http://forum.avast.com/index.php?topic=143648.0

I've followed the initial instructions to clear this threat and have attached the Farbar & GMER logs suggested by TwinHeadedEagle in the above thread.

Please can someone advise me of the next steps.

Any help greatly appreciated.

Thanks

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Infection warning - 4dlmng.com
« Reply #1 on: March 17, 2014, 07:34:31 PM »
Thanks,

I'll get a remover for you.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Infection warning - 4dlmng.com
« Reply #2 on: March 17, 2014, 07:40:52 PM »

argus

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #3 on: March 17, 2014, 08:24:22 PM »
Monitoring.

matt_mk

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #4 on: March 17, 2014, 08:25:12 PM »
Please find OTL log attached. Thanks

argus

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #5 on: March 17, 2014, 09:00:51 PM »
Hi,
I'll give you future malware removal instructions.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
Start
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [SSync] - C:\Users\Lindy\AppData\Roaming\SSync\SSync.exe [41984 2012-12-19] ()
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [DataMgr] - C:\Users\Lindy\AppData\Roaming\DataMgr\DataMgr.exe [168776 2013-02-19] (HTTO Group, Ltd.)
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [OMESupervisor] - C:\Users\Lindy\AppData\Local\omesuperv.exe [2239264 2013-12-24] ()
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [SCheck] - C:\Users\Lindy\AppData\Roaming\SCheck\SCheck.exe [37376 2013-12-09] ()
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [Snoozer] - C:\Users\Lindy\AppData\Roaming\Snz\Snz.exe [1209628 2013-12-24] ()
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [Intermediate] - C:\Users\Lindy\AppData\Roaming\Intermediate\Intermediate.exe [37376 2013-12-09] ()
BHO-x32: No Name - {D40C654D-7C51-4EB3-95B2-1E23905C2A2D} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
C:\Users\Lindy\AppData\Local\Temp\msvcr71.dll
C:\Users\Lindy\AppData\Local\Temp\Scrivener-1570-update.exe
C:\Users\Lindy\AppData\Local\Temp\Scrivener-1600-update.exe
C:\Users\Lindy\AppData\Local\Temp\Scrivener-1610-update.exe
C:\Users\Lindy\AppData\Local\Temp\SkypeSetup.exe
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

************* Next *************

Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions how MBAR works, read this article


> Doubleclick on the MBAR file () and allow it to run.
•  Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
•  mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
•  After reading the Introduction, click Next if you agree.


•  On the Update Database screen, click on the Update button. Once you see 'Success: Database was successfully updated' click on Next
•  Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two message boxes:
'Could not load protection driver'. Click 'OK'.
'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.


>>  If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>>  If an infection is found, ensure Create Restore Point is ticked. Then select the "Cleanup!" button to remove threats.
•  The cleanup procedure will be scheduled, and a pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.


>>  Notice: only if a rootkit is detected, ensure you run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe
- Run fixdamage.exe; at the black window, type Y (alias for Yes) to continue. Wait a few seconds for execution ...
- When you see "press any key to exit" fix is completed, press any key to close the window. Reboot the system.

> The following reports will be created in mbar folder:
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Please post both logs in your next reply.
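Added example (not from this thread and not FRST's own code): a small Python parser for the fixlist format shown in the code box above, run over a few of the lines from that post, so a reader can see exactly what the Fix step will act on before pressing the button. It recognises the three line kinds present in this fixlist (autorun values, browser objects marked "No File", and bare file paths); the regexes and the triage grouping are assumptions derived from those lines, not FRST's documented grammar.

```python
import re

# Sample input: a subset of the fixlist lines from the post above (FRST fixlist format).
SAMPLE_FIXLIST = r"""Start
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [SSync] - C:\Users\Lindy\AppData\Roaming\SSync\SSync.exe [41984 2012-12-19] ()
HKU\S-1-5-21-887285577-1908728387-2409366433-1001\...\Run: [DataMgr] - C:\Users\Lindy\AppData\Roaming\DataMgr\DataMgr.exe [168776 2013-02-19] (HTTO Group, Ltd.)
BHO-x32: No Name - {D40C654D-7C51-4EB3-95B2-1E23905C2A2D} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
C:\Users\Lindy\AppData\Local\Temp\SkypeSetup.exe
End
"""

# Autorun value: <key>\Run: [<name>] - <path> [<size> <date>] (<publisher>)  (pattern assumed from the lines above)
RUN_RE = re.compile(r"^(?P<key>HK\w+\\.*?)\\Run: \[(?P<name>[^\]]+)\] - (?P<path>.+?) "
                    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$")
# Browser object (BHO / Toolbar / MIME filter) whose CLSID no longer resolves to a file on disk.
ORPHAN_RE = re.compile(r"^(?P<kind>BHO(?:-x32)?|Toolbar|Filter): (?P<desc>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} -\s+No File$")
# Bare file path that the fix will delete.
FILE_RE = re.compile(r"^[A-Za-z]:\\\S.*$")

def parse_fixlist(text):
    """Turn the Start..End body of a fixlist into dicts with kind/name/path/publisher."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line in ("Start", "End"):
            continue
        if m := RUN_RE.match(line):
            entries.append({"kind": "autorun", "name": m["name"], "path": m["path"],
                            "publisher": m["publisher"]})
        elif m := ORPHAN_RE.match(line):
            entries.append({"kind": "orphan", "name": m["clsid"], "path": "", "publisher": ""})
        elif FILE_RE.match(line):
            entries.append({"kind": "file", "name": line, "path": line, "publisher": ""})
        else:  # refuse to guess: every line in a fixlist is something FRST will act on
            raise ValueError(f"unrecognised fixlist line: {line}")
    return entries

def triage(entries):
    """Group what the Fix step will remove so it can be reviewed before pressing the button."""
    def pick(kind, cond=lambda e: True):
        return [e["name"] for e in entries if e["kind"] == kind and cond(e)]
    return {"autoruns": pick("autorun"),
            "unsigned": pick("autorun", lambda e: not e["publisher"]),  # empty "()" publisher field
            "orphans": pick("orphan"),
            "files": pick("file")}
```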

matt_mk

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #6 on: March 17, 2014, 10:02:26 PM »
Thank you for your help.

Please find attached 2 of the files as requested. However, mbar-log-year-month-day.txt did not seem to be created.

argus

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #7 on: March 17, 2014, 10:09:04 PM »
What is the situation now?

matt_mk

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #8 on: March 17, 2014, 10:21:09 PM »
Have restarted the computer and opened up several web pages and so far no warning :-)

Thanks for your assistance

argus

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #9 on: March 17, 2014, 10:23:12 PM »
 Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp
    files, execution time should be anywhere from a few seconds to a minute
    or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

argus

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #10 on: March 17, 2014, 10:25:48 PM »
There was nothing dangerous, just adware  ;)

matt_mk

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #11 on: March 17, 2014, 10:49:54 PM »
Many thanks :)

matt_mk

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #12 on: March 18, 2014, 02:30:02 PM »
Unfortunately today the warning message has re-appeared.  Any ideas?

argus

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #13 on: March 18, 2014, 02:34:50 PM »


  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.

  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

  • When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
    (typical log location: C:\ComboFix.txt )

matt_mk

  • Guest
Re: Infection warning - 4dlmng.com
« Reply #14 on: March 18, 2014, 03:05:23 PM »
File as requested