Win32:Malware-gen

Hi there. I would like to ask you for help.
Yesterday I downloaded a program for watermarks. My AVAST Internet Security informed me that I got Win32:Malware-gen. After that AVAST moved the infected file to the chest. Here is what is written:
SA Dictionary 2010 Beta 1.msi C:/users/owner/AppData/Local/Downloaded Installations/{0CDD6862-8E38-4176-8D39-A2D700D39CD7} Win32:Malware-gen

I tried to delete the file, but it comes back again after restart.
Please advise me how to remove the virus.

Thank you in advance.

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
We need Malwarebytes and Farbar Recovery Scan Tool logs; attach the logs, 3 logs total.

See below the box you write in … Attachments and other options.

A malware expert will then assist you when online.

I tried with Malwarebytes, but it didn't find anything … :frowning:

Follow the instructions posted by Pondus.

Malwarebytes Anti-Malware

Scan Date: 05.02.2016
Scan Time: 11:35 ч.
Logfile: MBytes.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.05.02
Rootkit Database: v2016.01.20.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 323913
Time Elapsed: 23 min, 9 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Please attach all your logs…!!

Here are FRST and Addition txt files.

:frowning:

OK, now you'll have to wait a bit…

This should remove it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
ShellExecuteHooks: - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
BHO: No Name -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> No File
Toolbar: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] -
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{5D02926A-212E-11D0-9DF9-00A0C922E6EC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{9D148291-B9C8-11D0-A4CC-0000F80149F6}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{F3364BA0-65B9-11CE-A9BA-00AA004AE837}\InprocServer32 -> no filepath
C:/users/owner/AppData/Local/Downloaded Installations/{0CDD6862-8E38-4176-8D39-A2D700D39CD7}
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on "Clean".
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S0].txt as well.

Fix result of Farbar Recovery Scan Tool (x86) Version:27-01-2016
Ran by owner (2016-02-05 15:52:36) Run:1
Running from C:\Users\owner\Desktop\Desktop
Loaded Profiles: owner (Available Profiles: owner)
Boot Mode: Normal

==============================================

fixlist content:


CreateRestorePoint:
ShellExecuteHooks: - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
BHO: No Name -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> No File
Toolbar: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path\update_url>
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{5D02926A-212E-11D0-9DF9-00A0C922E6EC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{9D148291-B9C8-11D0-A4CC-0000F80149F6}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{F3364BA0-65B9-11CE-A9BA-00AA004AE837}\InprocServer32 -> no filepath
C:/users/owner/AppData/Local/Downloaded Installations/{0CDD6862-8E38-4176-8D39-A2D700D39CD7}
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\{B5A7F190-DDA6-4420-B3BA-52453494E6CD} => value removed successfully.
HKCR\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" => key removed successfully.
HKCR\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} => key not found.
HKU\S-1-5-21-2361347564-4041297416-3110693420-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => value removed successfully.
HKCR\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => key not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{5D02926A-212E-11D0-9DF9-00A0C922E6EC}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{9D148291-B9C8-11D0-A4CC-0000F80149F6}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}" => key removed successfully.
"HKU\S-1-5-21-2361347564-4041297416-3110693420-1000_Classes\CLSID\{F3364BA0-65B9-11CE-A9BA-00AA004AE837}" => key removed successfully.
C:/users/owner/AppData/Local/Downloaded Installations/{0CDD6862-8E38-4176-8D39-A2D700D39CD7} => Error: No automatic fix found for this entry.

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-2361347564-4041297416-3110693420-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-2361347564-4041297416-3110693420-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.

========= End of RemoveProxy: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.0.6001 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

Unable to cancel {272AC9E4-0799-40AD-A695-32FF36D9FD7F}.
0 out of 1 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 67.7 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 15:57:14 ====

AdwCleaner v5.032 - Logfile created 05/02/2016 at 16:12:56

Updated 31/01/2016 by Xplode

Database : 2016-02-02.1 [Server]

Operating system : Windows Vista ™ Home Premium Service Pack 2 (x86)

Username : owner - LANDIN

Running from : C:\Users\owner\Desktop\Desktop\AdwCleaner.exe

Option : Cleaning

Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\GreenTree Applications
[-] Folder Deleted : C:\Users\owner\AppData\Local\Conduit
[-] Folder Deleted : C:\Users\owner\AppData\Local\eSupport.com
[-] Folder Deleted : C:\Users\owner\AppData\Local\MalwareProtectionLive
[-] Folder Deleted : C:\Users\owner\AppData\LocalLow\Conduit

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\nfengeggddojhakldhlpjdlddgkkjkdd
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pkijdmeepjhpenmighhaodgfoogncnlk
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
[-] Key Deleted : HKCU\Software\eSupport.com
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
[!] Key Not Deleted : HKU\S-1-5-21-2361347564-4041297416-3110693420-1000\Software\eSupport.com
[!] Key Not Deleted : HKU\S-1-5-21-2361347564-4041297416-3110693420-1000\Software\YahooPartnerToolbar
[!] Key Not Deleted : HKU\S-1-5-21-2361347564-4041297416-3110693420-1000\Software\AppDataLow\Software\Conduit
[!] Key Not Deleted : HKU\S-1-5-21-2361347564-4041297416-3110693420-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{83A5C533-9702-4876-BE37-6A946DB0A6E9}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{83A5C533-9702-4876-BE37-6A946DB0A6E9}
[!] Key Not Deleted : HKU\S-1-5-21-2361347564-4041297416-3110693420-1000\Software\Microsoft\Internet Explorer\SearchScopes\{83A5C533-9702-4876-BE37-6A946DB0A6E9}

***** [ Web browsers ] *****


:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [3810 bytes] ##########

I checked Avast and it's still the same :frowning:

Probably I made a mistake… I didn't stop Avast and Malwarebytes in general when I started AdwCleaner.exe …

Wait for Essexboy, he’ll guide you.

My error, my slashes were back to front :-\

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: C:\Users\owner\AppData\Local\Downloaded Installations\{0CDD6862-8E38-4176-8D39-A2D700D39CD7}\

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Fix result of Farbar Recovery Scan Tool (x86) Version:27-01-2016
Ran by owner (2016-02-05 18:09:22) Run:2
Running from C:\Users\owner\Desktop\Desktop
Loaded Profiles: owner (Available Profiles: owner)
Boot Mode: Normal

==============================================

fixlist content:


CreateRestorePoint:
C:\Users\owner\AppData\Local\Downloaded Installations\{0CDD6862-8E38-4176-8D39-A2D700D39CD7}\


Restore point was successfully created.
"C:\Users\owner\AppData\Local\Downloaded Installations\{0CDD6862-8E38-4176-8D39-A2D700D39CD7}" => not found.

==== End of Fixlog 18:10:07 ====
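As an added example (not from this thread, and not part of FRST itself): a small Python helper that reads FRST Fixlog result lines, groups them by outcome so entries that were not actually fixed stand out, and checks a fixlist path entry for the forward-slash mistake that produced "No automatic fix found" in the first fix above. The sample log is constructed from result lines that appear in the two Fixlogs in this thread; the function names are my own.

```python
import re

# Constructed sample log, assembled from result lines that appear in this thread's two Fixlogs.
SAMPLE_FIXLOG = r"""Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\{B5A7F190-DDA6-4420-B3BA-52453494E6CD} => value removed successfully.
HKCR\CLSID\{B5A7F190-DDA6-4420-B3BA-52453494E6CD} => key not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk" => key removed successfully.
C:/users/owner/AppData/Local/Downloaded Installations/{0CDD6862-8E38-4176-8D39-A2D700D39CD7} => Error: No automatic fix found for this entry.
"C:\Users\owner\AppData\Local\Downloaded Installations\{0CDD6862-8E38-4176-8D39-A2D700D39CD7}" => not found.
EmptyTemp: => 67.7 MB temporary data Removed.
"""

# One FRST result line: optional quotes around the target, then "=>" and the outcome text.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<result>.+?)\.?$')


def classify(result):
    """Map FRST's free-text outcome to a small set of states."""
    r = result.lower()
    if r.startswith("error"):
        return "error"        # FRST could not act on the entry at all
    if "removed successfully" in r:
        return "removed"
    if "not found" in r:
        return "not_found"    # nothing there to remove (already gone, or wrong path)
    return "other"            # e.g. the EmptyTemp: summary line


def parse_fixlog(text):
    """Return [(target, state), ...] for every result line in a Fixlog."""
    entries = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            entries.append((m.group("target"), classify(m.group("result"))))
    return entries


def unresolved(entries):
    """Targets FRST reported an error for; these need a corrected fixlist or manual review."""
    return [target for target, state in entries if state == "error"]


def lint_fixlist_path(entry):
    """Check a file/folder fixlist line for the slash mistake made in the first fixlist above.
    Returns (corrected_entry, warnings)."""
    warnings = []
    fixed = entry
    if "/" in fixed:
        warnings.append("forward slashes: FRST expects Windows backslashes")
        fixed = fixed.replace("/", "\\")
    if not re.match(r"^[A-Za-z]:\\", fixed):
        warnings.append("not an absolute drive path")
    return fixed, warnings
```

Running `parse_fixlog(SAMPLE_FIXLOG)` flags only the forward-slash entry as unresolved, which is exactly the one the second fix had to redo.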

I found something that could help you. I have had Dictionary SA installed as a program for 3-4 years.
And if I start to uninstall this program, I receive an answer; you can find it in the attached photo.

Do you wish to uninstall the programme?

If you think that is a good idea - of course.
SA Dictionary 2010 Beta 1.msi is the infected file.
And the program is SA Dictionary 2010 Beta.
But you are the specialist; I don't do anything. Waiting for help …