Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32:Malware-gen; Might've gotten myself infected


  • Please log in to reply
4 replies to this topic

#1 Math.

Math.

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 30 July 2014 - 09:42 PM

I was just on CNET, chose 'direct download' (nobody wants OpenCandy or similar junk on there system, do they?), run it through VirusTotal (0/54 btw) downloaded a SoundCloud downloader, and upon closer inspection of the EULA I don't trust this program... at all. Avast! detected Win32:Malware-gen, currently running Malwarebytes and ADWCleaner, I'm really scared.

 

A bit of an intro to myself: I'm a 12-year-old kid who has a passion for malware removal. I browse this site half and hour a day and visit the virus removal forums, and I'm going to sign up for Malware Removal University soon, but I never expected to have myself in this situation. Please advise!

 

I'm really scared! Please help! Will post MBAM and ADWCleaner logs in just a sec, they both came out clean last time I ran them about a week ago.

 

EDIT 1:

 

ADWCleaner Log:

 

# AdwCleaner v3.302 - Report created 30/07/2014 at 22:43:47
# Updated 30/07/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : mathb_000 - ADAMLAPTOP2
# Running from : C:\Users\mathb_000\Downloads\adwcleaner_3.302.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Found : C:\Users\mathb_000\AppData\Roaming\Software Updater
Folder Found : C:\Users\mathb_000\Favorites\StumbleUpon
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17126
 
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL] - hxxp://mystart.toshiba.com
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages] - hxxp://mystart.toshiba.com
 
-\\ Mozilla Firefox v30.0 (en-US)
 
[ File : C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\prefs.js ]
 
 
-\\ Google Chrome v36.0.1985.125
 
[ File : C:\Users\mathb_000\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1595 octets] - [06/02/2014 18:05:17]
AdwCleaner[R1].txt - [1746 octets] - [30/03/2014 12:10:29]
AdwCleaner[R2].txt - [1287 octets] - [11/05/2014 11:02:30]
AdwCleaner[R3].txt - [1287 octets] - [11/05/2014 11:02:40]
AdwCleaner[R4].txt - [1377 octets] - [20/05/2014 12:54:49]
AdwCleaner[R5].txt - [1486 octets] - [02/06/2014 13:59:41]
AdwCleaner[R6].txt - [1378 octets] - [13/06/2014 19:23:17]
AdwCleaner[R7].txt - [1576 octets] - [06/07/2014 09:47:29]
AdwCleaner[R8].txt - [1560 octets] - [06/07/2014 10:40:06]
AdwCleaner[R9].txt - [1701 octets] - [30/07/2014 22:43:47]
AdwCleaner[S0].txt - [1687 octets] - [30/03/2014 12:16:26]
AdwCleaner[S1].txt - [1553 octets] - [02/06/2014 14:09:15]
AdwCleaner[S2].txt - [1643 octets] - [06/07/2014 09:55:39]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R9].txt - [1941 octets] ##########
 
That "Software Updater" is new... I like StumbleUpon so I'm not removing that. I'm not going to reboot like ADWCleaner but instead delete manually as I don't trust that there isn't a hidden "Run" registry key... I can't see as DDS says it's running in "compatibility mode". Crap, I can't delete it manually. I'm scared & I'm close to crying here :(
 
NEW EDIT:
 
Ran scans with ESET Online and Malwarebytes, Malwarebytes found nothing and ESET found a couple CNET installers of which I carefully unticked the offers...
 
Last night I got a warning from a legitimate firewall that I've never heard of (possibly the one set up in this apartment complex?), saying that OTL was infected with Kryptik, which is obviously not the case. The malware which was uninstall.exe in a bizarre location has also mysteriously disappeared from Avast! chest and I can't get FRST to download here... I'm pretty sure FRST is getting blocked by something. The download goes really fast, then it stops at the same place every time with a 'failed - network error' warning.

Edited by Math., 31 July 2014 - 07:39 AM.


BC AdBot (Login to Remove)

 


#2 Math.

Math.
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 31 July 2014 - 07:40 AM

Rkill just terminated a hidden process and I deleted the folder 'Software Updater' - progress. I'm guessing there is some (now broken) registry keys attached to it, so I would love your help fixing that! FRST still doesn't download from BC... if I go to MajorGeeks it downloads but that's an outdated version.

 

EDIT AGAIN:

 

SonicWall Gateway Anti-Virus is blocking every .exe directly downloaded with a message similar to BitDefender's blocking page... please advise!  I know for a fact that FRST doesn't have 'Win32:Worm-Autoit'??


Edited by Math., 31 July 2014 - 07:44 AM.


#3 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:59 AM

Posted 31 July 2014 - 07:45 PM

Welcome aboard p22002758.gif

 

p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
  • List Restore Points

Click Go and post the result.

p22002970.gif Please download Malwarebytes Anti-Malware to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.



If you already have MBAM 2.0 installed:

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


How to get logs:
(Export log to save as txt)


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.



(Copy to clipboard for pasting into forum replies or tickets)

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.


p22002970.gifDownload Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt


p22002970.gif Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.
Do NOT use spoilers.
Do NOT edit your reply to post additional logs. Create new reply. I'll not get any email notifications about edits so I won't know you posted something new.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#4 Math.

Math.
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:06:59 AM

Posted 01 August 2014 - 10:07 AM

Sorry to interfere, but I forgot to note that I already got help at Avast! forums. Big apologies, I thought I created a post noting the fact. Thanks for the intro anyways!



#5 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:59 AM

Posted 01 August 2014 - 07:25 PM

No problem :)


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users