Hi there,

As of yesterday I have been receiving repeated rootkit warnings from Avast which advised I remove infection, complete a boot scan and restart however it continues to indicate there is an issue with- SVC:WindowsMangerProtect >C:.…\ Win32:Evo-gen[Susp] When I try to find the file it says it doesn’t exist, I am unsure how to deal with this as it offers no indication there is an issue during the boot scan only after the pc is restarted. Is this a virus or something else?

Any assistance will be much appreciated.

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

I have posted the MBAM,FRST and ADDITION files, aswMBR attached also for your consideration.

Thankyou

OK, now you’ve to wait a bit…

I’m happy to wait, never had anything like this before

dont do anything…just read the info
http://deletemalware.blogspot.no/2014/09/what-is-protectwindowsmanagerexe-and.html

a malware expert will be online later and check your logs, it may take some hours before anyone is online

:o Thankyou for posting the link, since I don’t have the know how myself to fix this issue, I’m not willing to do anything at all as I am unsure what has happened other than what I can glean from the reports.

Could you let me know of any problems after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found GroupPolicy: Group Policy on Chrome detected <======= ATTENTION CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION ProxyServer: [S-1-5-21-4279122312-401323784-1779212911-1001] => http=127.0.0.1:49234;https=127.0.0.1:49234; Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File Toolbar: HKU\S-1-5-21-4279122312-401323784-1779212911-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File CHR StartupUrls: Default -> "hxxp://istart.webssearches.com/?type=hp&ts=1419238097&from=obw&uid=WDCXWD3200BEVT-22A23T0_WD-WX61A60R3064R3064" 2015-01-09 18:44 - 2014-12-22 19:18 - 00003464 _____ () C:\Windows\System32\Tasks\ProPCCleaner_Popup 2015-01-09 18:44 - 2014-12-22 19:18 - 00000000 ____D () C:\Users\reeper\Documents\ProPCCleaner Task: {E4CEAC51-FB8D-40BF-A320-EC0FA7E7D087} - System32\Tasks\YTDownloader => C:\Program Files (x86)\YTDownloader\YTDownloader.exe <==== ATTENTION Task: {99E24BB1-883B-4039-A4F6-DBE7820FB421} - System32\Tasks\ProPCCleaner_Popup => C:\Program Files (x86)\Pro PC Cleaner\Splash.exe HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service" HKLM-x32\...\Run: [YTDownloader] => "C:\Program Files (x86)\YTDownloader\YTDownloader.exe" /boot HKU\S-1-5-21-4279122312-401323784-1779212911-1001\...\Run: [YTDownloader] => "C:\Program Files (x86)\YTDownloader\YTDownloader.exe" /boot HKU\S-1-5-21-4279122312-401323784-1779212911-1001\...\Run: [Codec Pack Update Checker] => "C:\Windows\system32\C2MP\UpdateChecker.exe" R2 YouTubeDownload_P6; C:\Program Files (x86)\YouTube Downloader Services\P6\youtubeserv.exe [2969208 2015-01-29] (MicroTools) 2015-01-30 03:07 - 2014-12-22 19:59 - 00000000 ____D () C:\Program Files (x86)\YouTube Downloader Services EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thankyou for your response, please find enclosed the Fixlog as instructed. EDIT-Included adwcleaner report. It appears to have removed everything.

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

Thankyou for all your assistance, I am pretty much a luddite and your help is very much appreciated, i will run these programs as instructed.

There appears to be a conflict with Cryptoprevent as it completely crashed during the restart after installation citing a bad pool group and initiated a physical dump. I had to uninstall using safe mode but it has crashed again since then. I am unsure why it didn’t like my system and I am unsure if what may have happened.EDIT There is definitely an issue it is simply keeps crashing unexpectedly, has done so about 3 times so far since i uninstalled Cryptoprevent, cites bad pool again and dumps as before. I have included a txt file of crash log.

Please stay in this topic and wait for Essexboy, don’t repost it in new topics. Thanks.

Could you go to C:\windows\minidumps and zip then upload the last 3 dumps to a file sharing site or dropbox for me to collect

I have tried to zip minidumps but it keeps telling me file not found or no read permission, do I need to go to Folder options and change the settings to see the file? EDIT : I managed to work it out just copied to desktop and zipped from there to bypass restriction.

Ta, I will need access to the zipped files If you could upload them to mediafire https://www.mediafire.com/ and post the sharing link

will do
http://www.mediafire.com/download/340sgpvb9bl8494/021414-41059-01.zip
http://www.mediafire.com/download/v77kbmrntmukf4r/020115-22448-01.zip
http://www.mediafire.com/download/cy7c29s8dvcls37/010115-17409-01.zip
As it crashed again a second ago i’ve included the most recent one;
http://www.mediafire.com/download/2sa1e82m1a7161d/020215-30342-01.zip

These point towards your tcpip file

Run SFC :

Open an elevated command prompt by doing the following :

Go Start > All Programs > Accessories
Right click command prompt and select run as administrator
In the black box type the following command then enter

sfc /scannow

Wait until it has completed then reboot

No worries will start scan EDIT> scan completed said it found 0% integrity issues apparently and then promptly crashed again after reboot lol.

OK next will be to run a chkdsk

This has the hallmarks of a hardware problem

Could you follow the steps here http://www.howtogeek.com/howto/windows-vista/guide-to-using-check-disk-in-windows-vista/