Behavior description: Window message
detail:
Pid = 1332, Hwnd=0xc017a, Text = Welcome to the [b]Cheat Engine 6.4[/b] Setup Wizard , ClassName = TNewStaticText.
Pid = 1332, Hwnd=0xd01f6, Text = [b]This will install Cheat Engine 6.4 on your computer.[/b] It is recommended that you close all other applications before continuing, ClassName = TNewStaticText.
Pid = 1332, Hwnd=0xb0170, Text = [b]A. Cheat Engine Licence B. OpenCandy End User License Agreement [/b]A. Cheat Engine Licence 1) This license agreement is a legal, ClassName = TRichEditViewer.
...
Look! It is trying to install some cheat tool too, and look at the blue part: OpenCandy is mentioned there.
When I scan this file, Avast says it is clean.
It is good rickyyeung posted it here, all the more as inside Google Chrome, PC and Android apps are slowly integrating and the difference gets even more blurred, with persistent malware that is up and active for so long and generally undetected (there also may be a mail component involved
(OVERDUE! 9668.2 hrs.) it can go here and in the Android forum section.
SOPHOS did an extended analysis of OpenCandy here: http://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OpenCandy/detailed-analysis.aspx About the MalSign.OpenCandy.7AF variant.
The funny thing is that AVG detects Avast’s file aswRec.dll as malware as well. This will probably be fixed soon. It’s a false positive. If you keep getting notifications about this threat in Avast’s folder, simply reboot your computer in SAFE MODE: Full path: Program Files/Avast Software/Avast/aswRec.dll. However, other threats that you may get are likely to be real and not false positives.
The user plays an active part in installing this crap, because for this malware to attack your machine you need to install the server part of the application. It also often comes bundled. As said, the infection is also commonly spread via email attachments and infected websites.
Removal should be done under the guidance of a qualified removal expert. Info source: deletemalware Admin.