Win32:Malware-gen

Hi there, since yesterday every time I start up my computer, I get an AVAST notification of Win32:Malware-gen infection. Is there anything I can do to clean this up permanently?

Thanks for all the help.

Please follow these instructions: http://forum.avast.com/index.php?topic=53253.0

also… what file is detected… full file path?
you may attach a screenshot of the detection pop-up

Here are the attachments after running the programs.

The file name was
C:\Users\Aalok\AppData\Local\Temp\SecondStepInstaller.exe

Thanks for your help

C:\Users\Aalok\AppData\Local\Temp\SecondStepInstaller.exe
seems to belong to conduit crapware

removal experts are notified…

Hi,

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:COMMANDS
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-2517109920-1749011122-199570253-1002\..\SearchScopes\{FF42E0EE-48A0-4CE1-BD96-850C107EBAEE}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN28453762692623423&UM=2&SSPV=TB_CIS
CHR - Extension: WhiteSmoke New = C:\Users\Aalok\AppData\Local\Google\Chrome\User Data\Default\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi\10.21.1.507_0\
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-2517109920-1749011122-199570253-1002\..\Toolbar\WebBrowser: (BitTorrentBar Toolbar) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll (Conduit Ltd.)
O4 - HKU\.DEFAULT..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKU\S-1-5-18..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O33 - MountPoints2\{21caf6ce-abd9-11e2-9353-fe5f863721d6}\Shell - "" = AutoRun
O33 - MountPoints2\{21caf6ce-abd9-11e2-9353-fe5f863721d6}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\autorunner.exe "smhfinal2009.mov"
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\autorunner.exe "smhfinal2009.mov"
@Alternate Data Stream - 60 bytes -> C:\Users\Aalok\.DS_Store:AFP_AfpInfo

:FILES
ipconfig /flushdns /c
C:\Users\Aalok\AppData\Local\Google\Chrome\User Data\Default\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi
C:\Program Files (x86)\BitTorrentBar
C:\Program Files (x86)\ConduitEngine
C:\Users\Aalok\AppData\Roaming\SearchProtect

:COMMANDS
[EMPTYTEMP]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

-------------- next ------------------

As I see, you have already downloaded ComboFix. Run CF by following these instructions.

Scan with Combofix:

[*] Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.

[*] Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.

[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

[*] When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
(typical log location: C:\ComboFix.txt )

-------------- next ------------------

Re-run OTL, just hit QuickScan and post me the freshly created OTL.txt log report.
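As an added example that is not part of the thread and not code from the OTL tool: the fix script above is written in OTL's log format (O2 BHO, O3 Toolbar, O4 Run, O33 MountPoints2 entries). The parser below reads those entry types from constructed sample lines modelled on the script and flags the three things the helper targeted: files whose company name is on a watch list (the watch list and the benign Java/avast control lines are assumptions constructed for the example), Run entries whose target file is missing, and MountPoints2 AutoRun commands that launch something from a non-system drive.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in OTL log format, modelled on the fix script in this
# thread. The Java BHO and avast Run lines (and their CLSID/paths) are
# made-up control entries that should NOT be flagged.
SAMPLE_OTL_LINES = r'''
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {11111111-2222-3333-4444-555555555555} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll (Conduit Ltd.)
O4 - HKU\S-1-5-18..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O33 - MountPoints2\G\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\autorunner.exe "smhfinal2009.mov"
'''

# Assumed watch list of company names (the trailing parenthetical OTL prints
# from the file's version info); lower-cased for comparison.
ADWARE_PUBLISHERS = {"conduit ltd."}

# O2 (BHO) and O3 (Toolbar) share one layout: key: (name) - {CLSID} - path (company)
BHO_RE = re.compile(
    r'^(O[23]) - (.+?): \((.+?)\) - (\{[0-9A-Fa-f-]+\}) - (.+?) \(([^()]*)\)$')
# O4 (Run key): key\Run: [value name] command [File not found]
RUN_RE = re.compile(r'^O4 - (.+?)\\Run: \[([^\]]+)\] (.*?)( File not found)?$')
# O33 (MountPoints2 AutoRun command for a drive or volume GUID)
MOUNT_RE = re.compile(
    r'^O33 - MountPoints2\\(.+?)\\Shell\\AutoRun\\command - "" = (.+)$')
# Any drive letter other than C: referenced as a path inside a command
NON_SYSTEM_DRIVE = re.compile(r'\b[D-Zd-z]:\\')


@dataclass
class Finding:
    category: str   # adware-publisher | orphaned-run-entry | removable-autorun
    line: str       # the OTL entry as read
    reason: str     # human-readable explanation


def analyze_otl(text: str) -> List[Finding]:
    """Parse OTL-format entries and return the ones worth acting on."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            kind, key, name, clsid, path, company = m.groups()
            if company.lower() in ADWARE_PUBLISHERS:
                findings.append(Finding(
                    "adware-publisher", line,
                    f"{kind} entry {name} {clsid} at {path}: company '{company}' is on the watch list"))
            continue
        m = RUN_RE.match(line)
        if m:
            key, value, command, missing = m.groups()
            if missing:
                # Leftover autostart pointing at a file that is already gone
                findings.append(Finding(
                    "orphaned-run-entry", line,
                    f"{key}\\Run\\{value} points to missing file {command}"))
            continue
        m = MOUNT_RE.match(line)
        if m:
            mount, command = m.groups()
            if NON_SYSTEM_DRIVE.search(command):
                # AutoRun handler that launches a program from a removable volume
                findings.append(Finding(
                    "removable-autorun", line,
                    f"MountPoints2\\{mount} AutoRun launches: {command}"))
            continue
    return findings


if __name__ == "__main__":
    for f in analyze_otl(SAMPLE_OTL_LINES):
        print(f"[{f.category}] {f.reason}")
```

Run on the sample it reports the two Conduit entries, the orphaned SearchProtect Run value and the G: AutoRun command, and stays silent on the control lines. The company-name check is only as good as the watch list, and the parenthetical OTL prints is version-info text, not a verified signature, so a flagged entry is a lead for review rather than a verdict.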

Here are the attached logs

Looks good. Now we will check & clean possible leftovers and perform an anti-rootkit scan:

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

[*]Click on the Scan button.
[*]After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

[*]After rebooting, a log file report (AdwCleaner[S0].txt) will open automatically.
[*]Post that log file; it will also be saved in the C:\AdwCleaner folder.

THEN…

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool.

[*]Select Yes if prompted to download the Avast database.
[*]Click Scan
[*]Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.

Here are the logs for the scan.

OK, we have cleaned your system fully. I shall remove my tools now.

It is necessary to uninstall ComboFix :

[*] Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait until the uninstall process is complete.


Re-run AdwCleaner and press the [Uninstall] button. This shall remove AdwCleaner and its Quarantine folder.


Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.


I recommend using MCShield if you like.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will also immediately clean the flash drive, memory card or external HDD.