
MBAM Pro detected OCSetupHlp.dll (PUP.Optional.OpenCandy)


8 replies to this topic

#1 Genex17


Posted 05 December 2013 - 10:26 PM

Running MBAM Pro on my Windows 7 Ultimate Dell laptop detected Open Candy

Deleted and Quarantined it, and rebooted.

Files Detected: 1
C:\Users\Gene\AppData\Local\Temp\is-9FOPN.tmp\OCSetupHlp.dll (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

A reboot and two successive MBAM scans have not come up with any other infections.

An ESET NOD32 v7 Smart Scan has not detected anything else.

I also have CryptoPrevent 4.3 installed. It blocks malware from using the AppData folder. No issues there.

I don't think I have any infections, but to be sure, where do I go from here?

I have had assistance from Bleeping Computer Techs before, so I am good at downloading the tools and posting reports exactly as asked.

Thanks in advance,

Gene


Edited by Genex17, 05 December 2013 - 10:37 PM.



#2 xXToffeeXx

Bleepin' Polar Bear, Malware Response Instructor

Posted 06 December 2013 - 12:16 PM

Hi Gene,
 
Run these for me:
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

-------------

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

----------

 

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe

  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 Genex17


Posted 06 December 2013 - 02:00 PM

Hi xXToffeeXx. Thanks for having a look at this. Here is the AdwCleaner log. The JRT log will be posted as soon as possible.

# AdwCleaner v3.014 - Report created 06/12/2013 at 10:49:16
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Gene - SIGNUM
# Running from : C:\Users\Gene\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\Users\Gene\AppData\Roaming\NCH Software
File Deleted : C:\Users\Gene\AppData\Roaming\Mozilla\Firefox\Profiles\yekcsqxi.default\invalidprefs.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKCU\Software\NCH Software
Key Deleted : HKLM\Software\systweak

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Gene\AppData\Roaming\Mozilla\Firefox\Profiles\yekcsqxi.default\prefs.js ]


[ File : C:\Users\Shamal\AppData\Roaming\Mozilla\Firefox\Profiles\9nirdt4p.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [1380 octets] - [06/12/2013 10:48:08]
AdwCleaner[S0].txt - [1275 octets] - [06/12/2013 10:49:16]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1335 octets] ##########
 



#4 Genex17


Posted 06 December 2013 - 02:29 PM

Ran JRT and turned off NOD32 as well as MBAM Pro. I also ran TFC and rebooted. It removed 113 MB of files. Startup seems a bit faster now.

Will await further information.

Thanks again,

Gene

Here's the JRT log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Ultimate x64
Ran by Gene on Fri 12/06/2013 at 11:05:20.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Register Perfect Mask 5_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Register Perfect Mask 5_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\Register Perfect Mask 5_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\Register Perfect Mask 5_RASMANCS



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\Gene\AppData\Roaming\mozilla\firefox\profiles\yekcsqxi.default\prefs.js

user_pref("extensions.itrans.client_secret", "WG8Dd7LV9jxcLly9qxw8UY3Vl38OYr22F5yP21G5xK8=");
Emptied folder: C:\Users\Gene\AppData\Roaming\mozilla\firefox\profiles\yekcsqxi.default\minidumps [212 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/06/2013 at 11:11:00.06
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


Edited by Genex17, 06 December 2013 - 06:17 PM.


#5 xXToffeeXx

Bleepin' Polar Bear, Malware Response Instructor

Posted 08 December 2013 - 12:20 PM

Hi Gene,
 
How is your computer running? Also, please run these for me:
 
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

----------
 
Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

xXToffeeXx~




#6 Genex17


Posted 08 December 2013 - 09:14 PM

Hi Toffee,

The OpenCandy dll never returned and my MBAM Pro and even my ESET Nod32 did not pick up on anything new.

However running the Eset online scanner exactly as instructed found 5 instances of OpenCandy. I'll copy and paste the log and will run Security Check and post its log in my next message.

Gene


C:\Users\Gene\Documents\CrystalDiskInfo5_1_0Shizuku-en.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Gene\Documents\CrystalDiskInfo5_6_2Shizuku-en.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Gene\Documents\CrystalDiskInfo6_0_1ShizukuUltimate-en.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Gene\Documents\CrystalDiskMark3_0_2cShizuku-en.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Gene\Documents\duplicate-file-finder-setup.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
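A small parser for the ESET Online Scanner export format shown in the log above, added here as an example (it is not part of the thread and not ESET's own tooling). It tallies hits per detection family and lists anything whose action did not end in quarantine; treating ESET's "application" suffix as the marker for a potentially unwanted application is an assumption about ESET's naming convention.

```python
import re
from collections import Counter

# The five result lines from the ESET Online Scanner export posted above,
# copied verbatim: path, detection name, action (whitespace-separated).
SAMPLE_LOG = r"""
C:\Users\Gene\Documents\CrystalDiskInfo5_1_0Shizuku-en.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Gene\Documents\CrystalDiskInfo5_6_2Shizuku-en.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Gene\Documents\CrystalDiskInfo6_0_1ShizukuUltimate-en.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Gene\Documents\CrystalDiskMark3_0_2cShizuku-en.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Gene\Documents\duplicate-file-finder-setup.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
"""

# Threat family, e.g. "Win32/OpenCandy" or "Win32/Bundled.Toolbar.Ask".
FAMILY_RE = re.compile(r"\b([A-Za-z0-9]+/[A-Za-z0-9_.]+)\b")


def parse_eset_export(text):
    """Parse export lines into records. Columns split on tabs or runs of
    two or more spaces, since a path may itself contain single spaces."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = re.split(r"\t+|\s{2,}", line)
        if len(parts) < 3:
            raise ValueError(f"unrecognised ESET export line: {raw!r}")
        path, detection, action = parts[0], parts[1], " ".join(parts[2:])
        match = FAMILY_RE.search(detection)
        records.append({
            "path": path,
            "detection": detection,
            "family": match.group(1) if match else detection,
            # "a variant of ..." is a generic/heuristic match, not an exact signature
            "variant": detection.lower().startswith("a variant of"),
            # ESET's "application" suffix marks potentially unwanted apps (assumed convention)
            "pua": detection.endswith("application"),
            "action": action,
            "quarantined": "quarantined" in action.lower(),
        })
    return records


def count_by_family(records):
    """Tally detections per family; shows how many hits are really OpenCandy."""
    return dict(Counter(r["family"] for r in records))


def unresolved(records):
    """Paths whose action did not end in quarantine and still need attention."""
    return [r["path"] for r in records if not r["quarantined"]]
```

Run over the posted lines it reports four Win32/OpenCandy hits and one Win32/Bundled.Toolbar.Ask hit, all quarantined.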
 



#7 Genex17


Posted 08 December 2013 - 09:25 PM

Security Check info. Again I'll await further information and instructions.

I did read up on OpenCandy (wikipedia) and it seems to be add-ons bundled in a lot of freeware. Most of the time I'll uncheck the box asking if I want it, but there are times I'll miss it.

 Results of screen317's Security Check version 0.99.77  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
ESET NOD32 Antivirus 7.0   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0    
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 45  
 Adobe Flash Player 11.9.900.152  
 Mozilla Firefox (25.0.1)
````````Process Check: objlist.exe by Laurent````````  
 ESET NOD32 Antivirus egui.exe  
 ESET NOD32 Antivirus ekrn.exe  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 


Edited by Genex17, 08 December 2013 - 10:04 PM.


#8 xXToffeeXx

Bleepin' Polar Bear, Malware Response Instructor

Posted 10 December 2013 - 02:56 PM

Hey Gene,

> Security Check info. Again I'll await further information and instructions.
>
> I did read up on OpenCandy (wikipedia) and it seems to be add-ons bundled in a lot of freeware. Most of the time I'll uncheck the box asking if I want it, but there are times I'll miss it.

The security check log looks good.

Yes, sometimes it's included in the installer so it's not always possible to uncheck. Normally you can though and just make sure to keep an eye out.

Anything else needed?


xXToffeeXx~




#9 Genex17


Posted 10 December 2013 - 03:11 PM

Hi Toffee,

The problem has been settled thoroughly.

Thank you for taking your time and your expertise to help me properly deal with it and

Have a great day! :)

Gene





