Solved Win32:Malware-gen infection

Test passed, used the Seatools for DOS tutorial and ran it in long test mode. No errors or any bad stuff found.

I reinstalled Chrome and now it works perfectly :)), everything but the hard drive thing looks great.

Also tried to uninstall some programs that don't work just to reinstall them again from zero; some of them are not even in the program list, and a few of the ones that are in the list do not allow me to uninstall them, giving me some error or just simply stopping in the middle of the uninstall process. Do you recommend any tool to do so? I would love to get one that deletes all useless files and folders so my PC doesn't end up full of garbage...
 
I'm also getting the WindowsUpdate_00000643 error on 12 updates, all of them related to Windows Microsoft .NET Framework 4.
 
As for uninstalling programs...

1. First try Revo...
Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.

Please note there is a chance when you look for this program to uninstall through Revo it might not be listed because of the previous uninstall. If that is the case simply stop and let me know.
  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the program you want to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished click on Next
  • Once the program has searched for leftovers click Next.
  • Check the items in bold only on the list then click Delete. You may have to expand some folders by clicking the "+" mark.
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then Next
  • Once done click Finish.

2. If Revo doesn't find some particular program(s) you may be dealing with just dead Control Panel>Programs & Features entries. In that case...
  • Download UnInstall Cleaner
  • Unzip the downloaded file.
  • Double click on UIClean.exe to run the tool.
  • Click on the leftover entry and click the Delete button.

As for chkdsk...
Click Start, then Run, type cmd, and click "Ok".
At the prompt in the command window that opens, type:
fsutil dirty query C:
and press "Enter".
Does the result of this indicate the drive is "Dirty"?
 
Doesn't look like it; when I switched on my computer before it didn't do it, then I just tried a few more times and it started without chkdisk and quite fast :))
 
Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. (Windows XP only) Run defrag at your convenience.

12. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

13. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

14. Please let me know how your computer is doing.
 
I had to run OTL 3 times: the first time, it gave me an error message but then finished the "run fix", but because of the error I decided to run it again. The second time it got stuck, so after more than an hour of waiting, I decided to stop it and I couldn't, so I had to reset the computer. A log file came up when the computer restarted anyway. The third time worked perfectly.

Running a Malwarebytes scan, it found four PUP.Optional.OpenCandy, so I also pasted the Malwarebytes log file after the OTL log files...


OTL(first log):

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: User1
->Temp folder emptied: 146217981 bytes
->Temporary Internet Files folder emptied: 199906888 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 74330228 bytes
->Flash cache emptied: 841 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 525152533 bytes
RecycleBin emptied: 65836 bytes

Total Files Cleaned = 902,00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: User1
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: User1
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0,00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 11152013_063704

Files\Folders moved on Reboot...
C:\Users\User1\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


---------------------------------------
---------------------------------------


OTL(second):

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...


Registry entries deleted on Reboot...


---------------------------------------------
---------------------------------------------


OTL(3rd):

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: User1
->Temp folder emptied: 942 bytes
->Temporary Internet Files folder emptied: 128 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 9256588 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3515 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 9,00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: User1
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: User1
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0,00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 11152013_133843

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


---------------------------------------------------
---------------------------------------------------

Malwarebytes:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.15.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16736
User1 :: USER1-PC [administrator]

Protection: Disabled

15/11/2013 15:46:13
MBAM-log-2013-11-15 (15-51-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197454
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Users\User1\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\User1\AppData\Roaming\OpenCandy\1682736DCBC7431E930859009168FF2C (PUP.Optional.OpenCandy) -> No action taken.

Files Detected: 2
C:\Users\User1\Downloads\SetupImgBurn_2.5.8.0.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\User1\AppData\Roaming\OpenCandy\1682736DCBC7431E930859009168FF2C\Setupsft_chr_p1v7.exe (PUP.Optional.OpenCandy) -> No action taken.

(end)
 
Your MBAM log says "No action taken".
Did you remove the thing?

12. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

14. Please let me know how your computer is doing.
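
Added example, not part of the original thread or of Malwarebytes itself: a small Python parser for the detection sections of a Malwarebytes 1.x text log like the one posted above, listing every item the scan reported but left in place ("No action taken"). The function names are hypothetical, and the sample is an excerpt of the log in this thread.

```python
import re

# Excerpt of the Malwarebytes 1.75 log posted in the thread (detection sections only).
SAMPLE_LOG = r"""
Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Users\User1\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\User1\AppData\Roaming\OpenCandy\1682736DCBC7431E930859009168FF2C (PUP.Optional.OpenCandy) -> No action taken.

Files Detected: 2
C:\Users\User1\Downloads\SetupImgBurn_2.5.8.0.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\User1\AppData\Roaming\OpenCandy\1682736DCBC7431E930859009168FF2C\Setupsft_chr_p1v7.exe (PUP.Optional.OpenCandy) -> No action taken.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<count>\d+)$")
# Greedy path so "C:\Program Files (x86)\..." keeps its own parentheses.
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_detections(log_text):
    """Return one dict per detection line: section, path, name, action."""
    section, declared, found = None, {}, []
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            declared[section] = int(header.group("count"))
            continue
        hit = DETECTION_RE.match(line)
        if hit and section:
            found.append({"section": section, **hit.groupdict()})
    # A truncated paste shows up as a header count that disagrees with the lines.
    for name, count in declared.items():
        seen = sum(1 for d in found if d["section"] == name)
        if seen != count:
            raise ValueError(f"{name}: header says {count}, parsed {seen}")
    return found

def unremediated(detections):
    """Detections the scanner reported but did not act on."""
    return [d for d in detections if d["action"].lower() == "no action taken"]

if __name__ == "__main__":
    for d in unremediated(parse_detections(SAMPLE_LOG)):
        print(f'{d["section"]:8} {d["name"]:24} {d["path"]}')
```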
 
No, I just did nothing: I googled it and read that it was not a big threat, but also that for its removal I needed to install another program, so I decided to wait until you tell me what to do.
My computer is doing great, everything working perfectly. I'm still uninstalling and reinstalling broken programs and have had no problems till now...
 