HELP ! I've got a fsmgmt.dll virus

georgiac
georgiac Posts: 1,185 Forumite
Part of the Furniture 500 Posts Combo Breaker
Norton has flagged up fsmgmt.dll as a trojan on my computer.

It is sat inside system 32 and norton can't deal with it.

Please does anyone have any advice, otherwise it's off to the pc doctor.

Thanks

Comments

  • georgiac
    georgiac Posts: 1,185 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    I am not sure I can do a safe mode scan, bizarrely.

    A Dell engineer came on Thursday to fix a problem with my DVD drive and couldn't get it.

    My keyboard isn't recognised until after booting up the machine into full screen.

    Is there any other way to get to safe mode?
  • Viper_7
    Viper_7 Posts: 1,220 Forumite
    Aye, Malware gremlin. Safe boot startup then just delete it.
    It's currently being loaded and thus held open so it can't be deleted under normal startup.
    Also clean out your registry, there will be entries to it in there.
    Google Regseeker or something similar for a good reliable registry edit cleaner.
    Install Spybot Search and Destroy (freeware), this will also remove any malware/dialler nasties that virus scanners don't pick up.

    More importantly though is prevention. How do you think you ended up with this in the first place?
    Identify the hole and seal it.
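
Added example, not part of Viper_7's post or the thread: a read-only PowerShell triage for the situation described above, listing which processes hold the DLL open, which autostart registry values mention it, and the file's hash and signature status before anything is deleted. The registry locations are common autostart points assumed for illustration; the thread does not name any.

```powershell
# Added example. $DllName is the file named in the thread; the registry
# locations are common autostart points assumed here, not taken from the thread.
$DllName = 'fsmgmt.dll'
$DllPath = Join-Path $env:SystemRoot "System32\$DllName"

# 1. Processes that have the DLL mapped (run elevated to see system processes).
$holders = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq $DllName }) {
            [pscustomobject]@{ ProcessId = $p.Id; Process = $p.ProcessName }
        }
    } catch { }   # protected or already-exited process: skip it
}

# 2. Autostart registry values whose data mentions the DLL.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'  # AppInit_DLLs
)
$skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$refs = foreach ($k in $keys) {
    $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($v in $item.PSObject.Properties) {
        if ($v.Name -notin $skip -and "$($v.Value)" -like "*$DllName*") {
            [pscustomobject]@{ Key = $k; Value = $v.Name; Data = "$($v.Value)" }
        }
    }
}

# 3. Record what the file is before removing it.
$fileInfo = if (Test-Path -LiteralPath $DllPath) {
    $f = Get-Item -LiteralPath $DllPath -Force
    [pscustomobject]@{
        Path      = $DllPath
        Created   = $f.CreationTime
        SHA256    = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -LiteralPath $DllPath).Status
    }
}

$holders  | Format-Table -AutoSize
$refs     | Format-Table -AutoSize -Wrap
$fileInfo | Format-List
```
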
  • pchelpman
    pchelpman Posts: 1,275 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    The file is probably located in your C:\Windows\System32 folder. If you can see it you may delete it and empty your recycle bin immediately.

    This is a new infection and has been identified as associated with hackers who steal critical system information.

    I would advise you to disconnect this PC from the internet immediately.

    If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to let them know your situation.

    Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    We can attempt to clean this machine but we can't guarantee that it will be 100% secure afterwards.

    Please let us know what you have decided to do in your next post.
  • Viper_7
    Viper_7 Posts: 1,220 Forumite
    not this PC doctor though, as they didn't read your post.
    You can't delete it and you already pointed out where it was!

    Most firewalls will block outbound connections. I've always liked Zone Alarm from McAfee as a pop up appears informing you something is trying to connect outbound, it tells you what it is. If you don't know what it is you just say no. So even if infected your details won't be compromised.

    Spybot will remove this for you, get it installed.
  • georgiac
    georgiac Posts: 1,185 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    Thanks viper, I tried to do a safe boot and delete, but it refuses to be removed - says it is in use (GULP)

    Next step is to install the other software you mentioned, but I have not used the computer since.

    One thing, please, when I launched in safe mode I couldn't launch norton - is this normal?

    Thanks again, gc
  • Browntoa
    Browntoa Posts: 49,604 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    you can delete it in safe mode or by using killbox

    http://www.killbox.net/

    by entering the path for the location of the file.

    Having a firewall may not stop it as the PC may be unpatched (up to date with Windows updates) and can disguise the traffic as legitimate by exploiting this, or lower the security levels/totally disable it.

    As PChelpman says this is NOT an easy infection to remove and severely compromises your PC, please do not carry out secure transactions even if you run Spybot

    Norton will not run in safe mode
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,604 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Trojan-PWS.WOW.AIC attempts to steal sensitive information such as usernames and passwords. It may also download additional malware components from the Internet.

    A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)

    http://www.threatexpert.com/report.aspx?uid=106d97c7-95fe-44cd-aaf8-0a102d027df2
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,604 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    As Martin pointed out, customers can be held liable if their PC is infected

    http://www.vnunet.com/vnunet/news/2214522/banking-code-leave-customers-liable

    The new UK voluntary Banking Code could leave online banking customers liable for losses on their account if they fail to keep their PC secure with up-to-date antivirus and anti-spyware software and a personal firewall.
    Security firm Finjan highlighted sections of the new Code which specify that online banking customers must be able to show they are not "acting without reasonable care".

    Ben-Itzhak explained that the new approach in dealing with online banking fraud potentially gives banks a position to reject online fraud claims upfront.
    Unless business customers adopt this approach to IT security, they might face an uphill battle in recovering funds if they go missing in the event of electronic fraud
    Ex forum ambassador

    Long term forum member
  • georgiac
    georgiac Posts: 1,185 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    Hi all.

    Thanks for your advice re my fsmgmt.dll virus.

    I took Browntoa's advice and installed killbox.

    Killbox wouldn't delete it first time around but then I had it delete the file on reboot and that appears to have worked.

    I have run Spybot and that found plenty to get excited about.

    What should I do next please - apart from breathe a little bit easier.
  • Browntoa
    Browntoa Posts: 49,604 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    I'd wait for Pchelpman to pop back, he knows FAR more than me about this !!

    only take his advice from now on ;)
    Ex forum ambassador

    Long term forum member
This discussion has been closed.