Infection warning @ startup

Every time I turn on my computer, I get a security center message warning me about: http://4dlmng.com/snz/sfen403int21.exe

I am running Avast Internet Security and it tells me the infection was blocked, but I want to be rid of the problem. Has anyone else seen this? Any thoughts on getting it cleaned up?

OTL & Malwarebytes logs attached. Any suggestions would be appreciated.

Update your Malwarebytes, run a quick scan, make sure everything detected is marked for removal and click the Remove Selected button.

detected as PUP by Malwarebytes
https://www.virustotal.com/en/file/c6d5d6d3c8535bc6ad9d4781e2449df801e667dbd5705264c1cafc22c9d7acb7/analysis/

PUP = not virus / Possible Unwanted Program

The OfferMosquito virus (also found as OfferMosquito Deals, Offer Mosquito virus, OfferMosquito pop-up virus, and others; though not technically a computer virus) is potential malware categorized as adware and a browser hijacker that installs to a Microsoft Windows computer and attaches to Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer as a browser add-on, browser helper object (BHO), and browser extension with or without user consent and proceeds to display unwanted pop-up advertisements and drop-down coupons and deals, as well as cause many other issues for computer users.

Removal experts are notified and will check the OTL log. Since it is past midnight here in Europe you may not receive a reply before tomorrow.

Updated MBAM log attached

Hi,

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Then…

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click Scan button and wait until the full scan is complete;
[*]Click Save … - save the report to the Desktop (named Gmer);

Attach the GMER log report here.

Farbar & GMER logs attached

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

HKLM\...\Run: [Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] - C:\Windows\test.bat
C:\Windows\test.bat
HKCU\...\Run: [DataMgr] - C:\Users\Lebano Family\AppData\Roaming\DataMgr\DataMgr.exe [168824 2013-10-09] (HTTO Group, Ltd.)
C:\Users\Lebano Family\AppData\Roaming\DataMgr
HKCU\...\Run: [Intermediate] - C:\Users\Lebano Family\AppData\Roaming\Intermediate\Intermediate.exe [36864 2013-04-09] ()
C:\Users\Lebano Family\AppData\Roaming\Intermediate
HKU\Joseph\...\Run: [SearchProtect] - C:\Users\Joseph\AppData\Roaming\SearchProtect\bin\cltmng.exe
C:\Users\Joseph\AppData\Roaming\SearchProtect
SearchScopes: HKLM-x32 - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.wisesearch.info/?l=1&q={searchTerms}&pid=969&r=2013/10/19&hid=15044173506979209369&lg=EN&cc=US&unqvl=39
SearchScopes: HKCU - {A2DE0A24-B168-473F-95A3-635CF11FF14B} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=1B898067-926B-43CC-9752-2385ABCC6C2E&apn_sauid=376FF5D2-7311-41DF-84E3-48BB602F1B44
FF SearchEngineOrder.1: WebSearch
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "WebSearch");: user_pref("browser.search.order.1,S", "WebSearch");
FF Keyword.URL: hxxp://websearch.wisesearch.info/?pid=969&r=2013/10/19&hid=15044173506979209369&lg=EN&cc=US&unqvl=39&l=1&q=
FF SearchPlugin: C:\Users\Lebano Family\AppData\Roaming\Mozilla\Firefox\Profiles\60ctvvod.default\searchplugins\askcom.xml
FF SearchPlugin: C:\Users\Lebano Family\AppData\Roaming\Mozilla\Firefox\Profiles\60ctvvod.default\searchplugins\WebSearch.xml
FF Extension: DDownnlOad keeppeeru - C:\Users\Lebano Family\AppData\Roaming\Mozilla\Firefox\Profiles\60ctvvod.default\Extensions\o_7zm2doc@chpiyey-yitcf.com
FF Extension: SearchNewTab - C:\Users\Lebano Family\AppData\Roaming\Mozilla\Firefox\Profiles\60ctvvod.default\Extensions\yeeuhf@aauyo.co.uk
FF Extension: OfferMosquito - C:\Users\Lebano Family\AppData\Roaming\Mozilla\Firefox\Profiles\60ctvvod.default\Extensions\om@offermosquito.com.xpi
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Kelly\AppData\Local\Temp
C:\Users\Lebano Family\AppData\Local\Temp
AlternateDataStreams: C:\ProgramData\Temp:05F547A9
AlternateDataStreams: C:\ProgramData\Temp:08801FDB
AlternateDataStreams: C:\ProgramData\Temp:10D98D98
AlternateDataStreams: C:\ProgramData\Temp:126591AF
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F
AlternateDataStreams: C:\ProgramData\Temp:3B07E6F4
AlternateDataStreams: C:\ProgramData\Temp:417B6FAC
AlternateDataStreams: C:\ProgramData\Temp:4AD2C54D
AlternateDataStreams: C:\ProgramData\Temp:56C66609
AlternateDataStreams: C:\ProgramData\Temp:5CF48ABF
AlternateDataStreams: C:\ProgramData\Temp:80E965A3
AlternateDataStreams: C:\ProgramData\Temp:98AE08EA
AlternateDataStreams: C:\ProgramData\Temp:9D5BB34A
AlternateDataStreams: C:\ProgramData\Temp:A2B3764A
AlternateDataStreams: C:\ProgramData\Temp:AD020DC3
AlternateDataStreams: C:\ProgramData\Temp:BDF08FAF
AlternateDataStreams: C:\ProgramData\Temp:C43C957E
AlternateDataStreams: C:\ProgramData\Temp:EBCF5924
AlternateDataStreams: C:\ProgramData\Temp:FECEF728
AlternateDataStreams: C:\Users\Kelly\Documents\RAV registration.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Kelly\Documents\RAV registration.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
cmd: ipconfig /flushdns

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It is important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Then…

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

[*]Click on the Scan button.
[*]After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

[*]After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
[*]The logfile will also be saved in the C:\AdwCleaner folder.
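The fixlist above removes four kinds of artifact: Run-key autostarts pointing into user profiles or C:\Windows, alternate data streams (ADS) on C:\ProgramData\Temp and a JPEG, hijacked search scopes, and a Chrome policy key. The PowerShell script below is an added example, not part of this thread and not produced by FRST or any of the tools mentioned; it enumerates the same persistence points so you can check a machine before and after a fix, and only deletes anything when run with -Remove (and honours -WhatIf). The paths it checks and the regex used to flag "suspect" Run entries are assumptions taken from the FRST output quoted above, not a general-purpose malware signature.

```powershell
# Added example (not from the thread): list Run-key autostarts, alternate data
# streams and Chrome policy keys of the kind the FRST fixlist above removes.
# Read-only unless -Remove is given; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristic (assumption): autostarts living under a profile's AppData, or a
# script dropped directly in C:\Windows, match the entries in this thread
# (DataMgr, Intermediate, SearchProtect, test.bat). Review before deleting.
$suspectPattern = '\\AppData\\|^"?C:\\Windows\\[^\\]+\.(bat|cmd|vbs|js)'

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Suspect = [bool]($p.Value -match $suspectPattern)
            }
        }
    }
}

function Get-AltDataStreams {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Directories can carry ADS too (C:\ProgramData\Temp:05F547A9 above),
        # so inspect the folder itself as well as the files directly inside it.
        $items = @(Get-Item -LiteralPath $path -Force) +
                 @(Get-ChildItem -LiteralPath $path -Force -File -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            # Every file has the unnamed :$DATA stream; Zone.Identifier is the normal
            # "downloaded from the internet" mark. Anything else deserves a look.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
        }
    }
}

$entries = Get-RunEntries
$entries | Format-Table Key, Name, Suspect, Command -AutoSize

$streams = Get-AltDataStreams -Paths 'C:\ProgramData\Temp', "$env:USERPROFILE\Documents"
$streams | Select-Object FileName, Stream, Length | Format-Table -AutoSize

# Chrome policy keys are normal on a domain-managed PC and suspicious on a home
# one; FRST flagged HKLM\SOFTWARE\Policies\Google with "ATTENTION" above.
if (Test-Path 'HKLM:\SOFTWARE\Policies\Google') {
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies\Google' -Recurse |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath }
}

if ($Remove) {
    foreach ($e in $entries | Where-Object Suspect) {
        if ($PSCmdlet.ShouldProcess("$($e.Key)\$($e.Name)", 'Remove Run value')) {
            Remove-ItemProperty -Path $e.Key -Name $e.Name
        }
    }
    foreach ($s in $streams) {
        if ($PSCmdlet.ShouldProcess("$($s.FileName):$($s.Stream)", 'Remove alternate data stream')) {
            # Removing the stream leaves the file's main content untouched.
            Remove-Item -LiteralPath $s.FileName -Stream $s.Stream
        }
    }
}
```

Run it from an elevated PowerShell (3.0 or later, since -Stream needs that) as `.\check-persistence.ps1` to audit, then `.\check-persistence.ps1 -Remove -WhatIf` to preview what would be deleted before committing. It does not touch search scopes or Firefox extensions; those were handled by FRST's own fixlist syntax above and by AdwCleaner.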

FRST64 fixlog was created, but can not be attached due to Avast file size limits.

Upload here → http://zippyshare.com/

Proceed with AdwCleaner…

Here is the link to fixlog…http://www10.zippyshare.com/v/61541878/file.html

Adw cleaner log attached

Re-run FRST and attach a fresh report. Tell me how things are now.

New FRST & addition attached.

I have not seen the infection warning again. I will update if things change.

Ok, PC is clean, let me know if it is ok :)

Thank you for your help, it is greatly appreciated! ;D

Ok, only thing left is to remove used tools:

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

Hi,

I seem to have a very similar problem to miteyjoe. I get repeated warnings from avast web shield regarding 4dlmng.com.

I’ve followed this thread and created the Farbar & GMER logs which are attached. Please can someone advise me of the next steps. Maybe TwinHeaded Eagle?

Any help greatly appreciated.

Thanks

Start your own thread please.