After installing a power supply and RAM in a family member’s computer, I decided to run malware scans before returning it. I scanned the computer using Malwarebytes, which detected several PUPs. Afterwards I ran quick, full, and boot-time scans using Avast, which found PUPs, Win32:Malware-gen and several other threats such as Java:Downloader-BL. I have since run 3 full Malwarebytes scans, 3 Avast full system scans, and 3 Avast boot-time scans with no detections. Do I need to do anything else? Thanks in advance.
Hi,
Run this…
Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “Driver MD5” is ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Farbar Recovery Scan results attached…
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start
File: C:\Users\Sandra Tapper\AppData\Local\GDIPFONTCACHEV1.DAT
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.att.net/search/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W5233
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.att.net/search/
SearchScopes: HKLM - {2e51ec4e-2fa9-40fa-9007-2411de34e7ca} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YWxdm001YYus&ptb=E1A23149-BB6B-4F68-AF4A-C6FA3306D115&ind=2011092719&ptnrS=YWxdm001YYus&si=maps4pc&n=77ded6ef&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - Comcast URL = http://search.xfinity.com/?cat=subweb&con=mmchrome&q={searchTerms}&cid=xfactiv_tech_search
SearchScopes: HKCU - {2e51ec4e-2fa9-40fa-9007-2411de34e7ca} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YWxdm001YYus&ptb=E1A23149-BB6B-4F68-AF4A-C6FA3306D115&ind=2011092719&ptnrS=YWxdm001YYus&si=maps4pc&n=77ded6ef&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - {6b0d4c9d-c6eb-4a9a-981c-ac3f9d8373c0} URL = http://search.xfinity.com/?cat=subweb&con=mmchrome&cid=xfstart_tech_search&q={searchTerms}
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=uO9ouEcecr9-SSHx7bBdmVyXtQY?q={searchTerms}
SearchScopes: HKCU - {E519AA1F-E8A8-47ED-92E3-BCFB65055819} URL = http://search.comcast.net/search?cat=Web&con=toolbar&q={searchTerms}
BHO: Updater For Comcast Toolbar 3.5 - {164d3751-cac6-4a6d-becd-ea67df61d232} - No File
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\google\BAE.dll (Gateway Inc.)
C:\google\BAE.dll
BHO: Xfinity.com Toolbar - {dcc70a83-e184-40a3-906b-779af5e941c4} - C:\Program Files\xfinitytb\xfinitydx.dll ()
BHO: Updater For Xfinity.com Toolbar 3.5 - {e6d0b79e-ecac-411b-8bf6-7a574981af30} - C:\Program Files\xfinitytb\auxi\xfinityAu.dll (Visicom Media)
Toolbar: HKLM - Xfinity.com Toolbar - {dcc70a83-e184-40a3-906b-779af5e941c4} - C:\Program Files\xfinitytb\xfinitydx.dll ()
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
C:\Program Files\xfinitytb
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - No File
CHR HomePage: hxxp://xfinity.comcast.netcid%3Dmtmh10/32013
CHR RestoreOnStartup: "hxxp://www.inbox.com/homepage.aspx?tbid=82572&iwk=272&lng=en","hxxp://type/paste%20hxxp://xfinity.comcast.net"]},"sync":{"suppress_start":true},"sync_promo":{"show_on_first_run_allowed"
CHR Extension: (Inbox Toolbar) - C:\Users\SANDRA~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\apgjagobplilmcdfelodhgefiidomnfl\1.0.0.9_0
CHR Extension: (Advanced SystemCare Surfing Protection) - C:\Users\SANDRA~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfengeggddojhakldhlpjdlddgkkjkdd\1.0.0_0
CHR HKLM\...\Chrome\Extension: [apgjagobplilmcdfelodhgefiidomnfl] - C:\Program Files\Inbox Toolbar\Chrome\ibxtoolbar_chr.crx
C:\Users\SANDRA~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfengeggddojhakldhlpjdlddgkkjkdd
C:\Users\SANDRA~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\apgjagobplilmcdfelodhgefiidomnfl
C:\Program Files\Inbox Toolbar
2013-11-13 12:49 - 2013-06-07 14:55 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job
2013-11-13 12:49 - 2013-06-05 03:51 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
Task: {04BA6B25-030B-4D6E-A349-430ED087784A} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv => C:\Windows\TEMP\{CA67BEE6-8A4B-4F0E-B76D-604EE205D770}.exe
Task: {AE95BAD3-6608-4186-B88F-2AF7E9E6EAF4} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\Windows\TEMP\{F8E4153C-8176-45FA-B908-EC5BA136BF81}.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job => C:\Windows\TEMP\{CA67BEE6-8A4B-4F0E-B76D-604EE205D770}.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{F8E4153C-8176-45FA-B908-EC5BA136BF81}.exe
C:\Windows\TEMP\{CA67BEE6-8A4B-4F0E-B76D-604EE205D770}.exe
C:\Windows\TEMP\{F8E4153C-8176-45FA-B908-EC5BA136BF81}.exe
C:\Windows\TEMP\{CA67BEE6-8A4B-4F0E-B76D-604EE205D770}.exe
C:\Windows\TEMP\{F8E4153C-8176-45FA-B908-EC5BA136BF81}.exe
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
THEN …
- Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
- Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
Instructions how to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]=> Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
- Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
-
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach the log report (ComboFix.txt) back to the topic.
Also, please post me fresh FRST.txt logreport. Just re-run FRST and press Scan button.
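As an added example (not part of this thread, and not a feature of FRST or ComboFix), here is a small defender-side triage script for FRST.txt lines of the kinds removed in the fixlist above: orphaned "No File" entries, scheduled tasks whose target lives in a temp directory, browser modules with no publisher, and search scopes pointing at a hijacking search engine. The line patterns, the suspect-host list and the sample log are assumptions modelled on the entries quoted here.

```python
import re
from urllib.parse import urlparse

# Constructed FRST.txt sample, modelled on the entries quoted in the fixlist above.
SAMPLE_LOG = r"""
SearchScopes: HKCU - {2e51ec4e-2fa9-40fa-9007-2411de34e7ca} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor={searchTerms}
SearchScopes: HKCU - Comcast URL = http://search.xfinity.com/?cat=subweb&q={searchTerms}
BHO: Updater For Comcast Toolbar 3.5 - {164d3751-cac6-4a6d-becd-ea67df61d232} - No File
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\google\BAE.dll (Gateway Inc.)
BHO: Xfinity.com Toolbar - {dcc70a83-e184-40a3-906b-779af5e941c4} - C:\Program Files\xfinitytb\xfinitydx.dll ()
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Task: {04BA6B25-030B-4D6E-A349-430ED087784A} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv => C:\Windows\TEMP\{CA67BEE6-8A4B-4F0E-B76D-604EE205D770}.exe
Task: {CONSTRUCTED-0000} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
"""

# Search engine the helper stripped from the SearchScopes entries; an assumed list for this example.
SUSPECT_SEARCH_HOSTS = {"search.mywebsearch.com"}

# Line shapes assumed from the quoted entries: task target, browser module with publisher, scope URL.
TASK_RE = re.compile(r"^Task: .* => (?P<target>[A-Za-z]:\\.+?)(?: \((?P<publisher>[^)]*)\))?\s*$")
MODULE_RE = re.compile(r"^(?:BHO|Toolbar): .* - (?P<target>[A-Za-z]:\\.+?) \((?P<publisher>[^)]*)\)\s*$")
SCOPE_RE = re.compile(r"^SearchScopes: .* URL = (?P<url>\S+)")


def triage(log_text):
    """Return (rule, line) pairs for entries a reviewer would want to look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Registry entries whose file is gone: dead references, removed for hygiene.
        if line.endswith("- No File"):
            findings.append(("orphaned_entry", line))
            continue
        m = TASK_RE.match(line)
        if m:
            # Scheduled task whose executable lives in a temp directory.
            if "\\temp\\" in m.group("target").lower():
                findings.append(("task_runs_from_temp", line))
            continue
        m = MODULE_RE.match(line)
        if m:
            # FRST prints the file's publisher in parentheses; empty parentheses mean no signer.
            if not m.group("publisher").strip():
                findings.append(("browser_module_no_publisher", line))
            continue
        m = SCOPE_RE.match(line)
        if m and (urlparse(m.group("url")).hostname or "") in SUSPECT_SEARCH_HOSTS:
            findings.append(("hijacked_search_scope", line))
    return findings
```

Run `triage(open("FRST.txt", encoding="utf-8").read())` on a real log to get the same shortlist; everything it flags still needs a human decision before it goes into a fixlist.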
ComboFix and FRST scan results
We shall continue tomorrow.
Ok.
I’m back.
-
Go to the link below for instructions on how to change your homepage in Chrome.
https://support.google.com/chrome/answer/95314?hl=en
Open notepad and copy/paste the text present inside the code box below:
KillAll::
ClearJavaCache::
File::
C:\Users\Sandra Tapper\AppData\Local\GDIPFONTCACHEV1.DAT
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000000
DirLook::
c:\windows\system32\DRVSTORE
c:\programdata\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
FileLook::
c:\program files\CA\PPRT\bin\CACheck.dll
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refer to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
ComboFix results attached. Regarding step 1, do you want me to change my homepage in Chrome?
Yes, back on google.
Latest ComboFix log looks good. I wanna re-check that. Please re-run FRST, just tick checkbox for Addition.txt and press Scan button.
Post me fresh created FRST.txt and Addition.txt logreport.
I changed the homepage to google. FRST results attached…
Hi,
FRST logs still show me that the home page and search page for Google Chrome are set to ‘xfinity.comcast’ …
Did you run FRST before setting home page to google or after?
Btw, posted logs are clean. They don’t show traces of malware activities. You are clean. Now, run TFC to clean temp & cache for system acceleration…
Please download TFC by OldTimer to your desktop
[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
How’s your computer running now?
-TFC has been run. Computer is running good, seems that desktop programs are opening faster.
-
Regarding the homepage, I followed the instructions above, changed the homepage to Google before running the FRST scan, then submitted the post. It seems that it only changed the page that displays if selecting the home icon on an open Chrome web browser, but it didn’t change the page (xfinity.comcast) that opens up when selecting the Chrome icon on the desktop. So I went back into settings after submitting my post and changed the startup page in the “on startup” section of settings.
-
I know that the software you had me use should only be used when being helped by someone that is knowledgeable of it, such as yourself. Would TFC be considered in that category, or can I run it on my computer occasionally?
Thanks for your help.
You may feel free to run TFC once in a while or whenever you think it is suitable. TFC is a small & useful utility that shall clean temp & cache files from all user profiles.
TFC shall clean up the Temp folder, Temporary Internet Files, Firefox cache, Google Chrome cache, Flash cache, and it will clean the Recycle Bin.
In addition, TFC shall search and delete all temp files (random_name.tmp) from the %systemdrive% folder, the %systemroot% folder, the %systemroot%\System32 folder and the %systemroot%\System32\drivers folder.
If some malware uses the temp folder as its loading point, TFC will use force in an attempt to delete that file (which requires a reboot).
Note that TFC is NOT a malware removal tool!
You may read TFC description here:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
I shall remove used tools now.
Please download DelFix by “Xplode” to your Desktop.
Run the tool and check the following boxes below;
[] Remove disinfection tools
[] Create registry backup
[*] Purge System Restore
Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt
Please post me DelFix log for confirmation.
I recommend using MCShield, if you will.
You may download MCShield from one of the following links:
MyCity - Official download link
Softpedija - Mirror download link
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.
DelFix report attached…