Malware/Trojan in need of help

Hi,

New to the forum and looking for some advice regarding a possible infection. Avast keeps popping up saying I am infected with some kind of trojan? The last one is currently sitting in my chest:

FWManager.dll
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform
Win32:Malware-gen

I am in the process of backing up my files to be safe. Though I would like to be sure I’m not backing up something nasty which could reinfect my system again… if that even makes sense?

Please find attached the required logs.
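Before deciding whether to restore or delete a file that Avast has moved to the chest, it is worth triaging it. The PowerShell below is an added example, not something posted in this thread, and it assumes the DLL is still at the path quoted above (the chest keeps a copy, so restore it to a holding folder first if it was moved). It checks the Authenticode signature, computes a SHA-256 hash that can be looked up in a multi-engine scanner, and reads the embedded version metadata. A signature that verifies as Valid from the publisher you expect argues for a false positive of a generic heuristic such as Win32:Malware-gen; NotSigned or HashMismatch is the result that warrants the full cleanup the thread goes on to do.

```powershell
# Added example, not from the original thread: triage a file flagged by a
# generic heuristic such as Win32:Malware-gen before restoring or deleting it.
# Assumes the DLL is still at the path quoted in the first post.
function Get-FileTriage {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $item = Get-Item -LiteralPath $Path

    # Authenticode: 'Valid' means the signature chains to a trusted root and
    # the file is unmodified since signing; 'NotSigned' or 'HashMismatch'
    # (tampered after signing) are the results that warrant escalation.
    $sig    = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # SHA-256 via .NET so this also works on the PowerShell 2.0 that shipped
    # with Windows 7 (Get-FileHash needs PowerShell 4 or later).
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try     { $digest = $sha256.ComputeHash($stream) }
    finally { $stream.Close() }
    $hex = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''

    New-Object PSObject -Property @{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        LastWriteUtc    = $item.LastWriteTimeUtc
        SHA256          = $hex
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
        Company         = $item.VersionInfo.CompanyName
        Product         = $item.VersionInfo.ProductName
        FileVersion     = $item.VersionInfo.FileVersion
    }
}

# Path as quoted in the first post.
$flagged = 'C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\FWManager.dll'
Get-FileTriage -Path $flagged | Format-List
```

The SHA-256 is the value to search for in a multi-engine scanner; the Company and Product fields should agree with the signer's subject, and a mismatch between the two is itself a reason to treat the file as suspect.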

Hi, I'm not a specialist but let's try to do it :)
Download TDSSKiller.exe:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Open the program => "Additional options", put a check mark in the box next to "Detect TDLFS File System"
Click OK
Press Start Scan
-Only if Malicious objects are found then ensure Cure is selected
-Then click Continue > Reboot now
Copy and paste the log in your next reply
Also I need HijackThis logs!
P.S. Download HijackThis => do a system scan and save a logfile

Thanks for the advice, while I’m doing that is it possible to tell from the logs already submitted if there is a problem?

H

Sorry, but I can analyze only HijackThis logs! :) Please do it, it takes only 2-3 minutes!

Andrey,pro, not being a malware removal specialist you should refrain from offering help in this section.

SlackHarry i suggest you wait for a qualified malware specialist to assist you.

Thanks, I’ll wait for a specialist… The info provided thus far wasn’t bad was it?

Let me look these over. :)

While we are waiting let's run TDSSKiller anyway but use these instructions please. :)

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Double click TDSSKiller.exe
[*]When the window opens, click on Change Parameters
[*]under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
[*]click OK
[*]Press Start Scan

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now

[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)

Thanks for the help, here is the TDSSkiller log. The scan didn’t alert me to a problem

Good…thanks.

Did you use Computer Associates Antivirus at one time?

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes

[*]Open the scanner and select the Protection tab
[*]Remove the tick from “Start Protection Module with Windows” as seen below

http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM16orgreater.jpg

Once complete continue with the instructions…

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


[code]
:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?ocid=OIE9HP
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 04 95 74 DF 96 CB 01  [binary data]
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" =
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-3777869203-959041960-3802440178-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" =
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
[/code]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
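The OTL fix above rewrites the Internet Explorer search scopes, the per-user proxy settings and the hosts file rather than only reporting them. The PowerShell below is an added example, not part of this thread or of the OTL tool, that reads the same settings so the before-and-after state can be compared or the check repeated later. It assumes a 64-bit PowerShell prompt run as Administrator (otherwise the HKLM view is redirected and other users' HKEY_USERS keys are unreadable), and treats the scope GUID that the log maps to bing.com as the expected default.

```powershell
# Added audit script, not part of the original thread. It reads (never
# writes) the settings the OTL fix rewrites: the IE default search scope per
# registry root, the proxy / PAC settings, and the active hosts-file entries.
# Run from a 64-bit PowerShell prompt started as Administrator.

# GUID of the search scope that the OTL log maps to a bing.com URL.
$MsSearchScope = '{0633EE93-D776-472f-A0FF-E1416B8B2E3A}'

function Get-IeSearchScopes {
    param([Parameter(Mandatory)][string]$SoftwareRoot)
    $base = "$SoftwareRoot\Microsoft\Internet Explorer\SearchScopes"
    if (-not (Test-Path -Path $base)) { return }
    $default = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DefaultScope
    foreach ($scope in Get-ChildItem -Path $base) {
        $props     = Get-ItemProperty -Path $scope.PSPath
        $isDefault = ($scope.PSChildName -eq $default)
        # A default scope that is not the expected GUID, or the expected GUID
        # pointing somewhere other than bing.com, is a search hijack.
        $suspicious = $isDefault -and (($scope.PSChildName -ne $MsSearchScope) -or
                                       ($props.URL -notmatch '^https?://www\.bing\.com/'))
        New-Object PSObject -Property @{
            Root       = $SoftwareRoot
            Scope      = $scope.PSChildName
            IsDefault  = $isDefault
            Suspicious = $suspicious
            URL        = $props.URL
        }
    }
}

function Get-IeProxySettings {
    param([Parameter(Mandatory)][string]$SoftwareRoot)
    $key = "$SoftwareRoot\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path -Path $key)) { return }
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        Root          = $SoftwareRoot
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL
        # The thread's log shows ProxyEnable = 0 and an empty AutoConfigURL,
        # which is what a home machine with no proxy should look like.
        Suspicious    = ($p.ProxyEnable -eq 1) -or -not [string]::IsNullOrEmpty($p.AutoConfigURL)
    }
}

function Get-ActiveHostsEntries {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # Only lines that map a name; after [resethosts] this is just localhost.
    Get-Content -LiteralPath $hosts | Where-Object { $_ -match '^\s*[^#\s]' }
}

# HKLM, its 32-bit view, and every loaded user profile (the -1000 and -1001
# SIDs in the log are the kind of keys this picks up).
$roots = @('HKLM:\Software', 'HKLM:\Software\Wow6432Node')
$roots += Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::$($_.Name)\Software" }

$roots | ForEach-Object { Get-IeSearchScopes -SoftwareRoot $_ } |
    Format-Table Root, Scope, IsDefault, Suspicious, URL -AutoSize
$roots | ForEach-Object { Get-IeProxySettings -SoftwareRoot $_ } |
    Format-Table Root, ProxyEnable, ProxyServer, AutoConfigURL, Suspicious -AutoSize
Get-ActiveHostsEntries
```

Only profiles that are currently loaded appear under HKEY_USERS, so run it while the affected user is logged in. Anything marked Suspicious after the fix has rebooted means the setting is being re-applied by something still running, which is the case where a rootkit scan such as the TDSSKiller run above matters.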

OK, cheers, I'll get on with that now. Yes, for a short time I used Symantec Endpoint Protection, though it didn't seem very good and due to some other problems I did a complete reinstall of the OS. Interesting you should still pick it up?

That is odd if you formatted the hard drive…anyway…when you get that completed be sure to attach the new OTL log created. :)

I saved the log after the fix on the desktop but it has now vanished? Any ideas where I can find another copy of it?

I did the second OTL scan as you asked but about half way through the scan the LOP Check and Purity boxes ticked themselves? Do you still want the resulting log?

Update: Attached anyway
Update: Scrap that, found the fix log. Both files now attached

Hi,

That looks better.

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
[*]Tick the box next to YES, I accept the Terms of Use
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
[*]Click Scan (This scan can take several hours, so please be patient)
[*]Once the scan is completed, you may close the window
[*]Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
[*]Copy and paste that log as a reply to this topic

In your next reply attach the logs made by Malwarebytes and ESET. :)

As requested here are the logs. What you think, all clear?

How is your system running? :)

A lot smoother than before, thanks a lot for the help :). So what was the problem, anything serious? Is there a good chance any of my data could have been compromised?

I use Avast and Malwarebytes obv, anything else you can recommend I use to help stop this happening again?

A lot smoother…that is good to hear. :) I didn't see anything horrible or that you should worry about data being compromised.

When you ran OTL for the first time there was a log created named Extras.txt. Could you attach that please?

Once we get a look at the Extras.txt log we will check for any updates and then we will go over some of your questions about programs to keep and use. :)

As far as I can see, when I ran OTL it only created the log file I attached? Any ideas where it might have saved the Extras file? OTL was on the desktop and that is where it placed the log file.

No worries…

Please open OTL.

[*]Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, click the None button near the top (it may look greyed out)
[*]In the Extra Registry section change it to All
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open 2 notepad windows, OTL.Txt and Extra.txt. Please post the Extra.txt.