Have malware/spyware or something and will just not leave- HEEEEEELP

Discussion in 'Malware Help (A Specialist Will Reply)' started by CARE101, Aug 7, 2009.

  1. CARE101

    CARE101 Private E-2

    I have attempted to rid my computer of something- tried everything under the moon. Bought a better router with better firewall- run CA Internet Security 2009. This whatever has installed itself into my recovery drive and try getting into that! Fort Knox may be easier. Anyway I ran a HJT and 2 items keep returning yet I cannot find them in the file. I understand not to post anything yet. Thank you.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if you are having problems getting scans in the Read & Run Me First. If TDSSserv is not found, just continue on with the READ & RUN ME.
    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. CARE101

    CARE101 Private E-2

    Thanks Chaslang!

    I did have some infections after running SUPERAntiSpyware and Malwarebytes. I have had an infection for quite some time, have used System Restore many times and each time you hear the chomp chomp of files being deleted.

    I installed a new hard drive and figured out the virus is in the disk to reinstall the operating system and software.

    OK, now I just want to make sure my system is completely clean and running right. There are some AOL items that keep reappearing after being deleted. Also cannot delete BigFix in registry or AOL- they keep coming back! AOL is in the system services and when I uncheck it my system restarts telling me it is in diagnostic/selective mode not normal mode.

    I ran recovery- deleted all Adobe, antivirus, Java- etc. and updated Windows plus installed CA Internet Security. I will include the CA log next. The system was clean, no double antivirus etc.

    I am soooo sick of redoing this I could cry. My posts are attached in the 2 e-mails suggested.

    Thank you for all of your help and if I can help anyone with real estate ills in SW Florida know I am here to help!! I pay it forward in life all the time.
     

    Attached Files:

  4. CARE101

    CARE101 Private E-2

    CA log attached as it said I had something too. I feel as if I am missing files needed to run things- my antivirus will not allow email scanning and my Windows will not update as I get a page error when running the validation tool- (little yellow caution sign at the bottom left corner).
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were just restoring your malware. Once a PC has malware and you get it removed, you need to delete ALL system restore points since they are not trustworthy as they may be infected.

    Huh? If you have an original CD, it is highly unlikely to be infected. If you have a copied CD or a CD you made yourself containing additional files then it could have been infected when it was created.

    Do you use AOL or anything from AOL like AIM?

    At this point, you must STOP doing anything on your own and only do what we ask you to do.

    You need to remember to disable your protection software before running cleaning procedures. Your ComboFix log shows you had CA Antivirus enabled but their firewall was disabled.

    Please remove MGtools.exe from your Desktop ( C:\Documents and Settings\Owner\Desktop\MGtools.exe ) this is not where we asked you to save it to.

    Your Malwarebytes log shows that you took no action. Did you save the log before fixing things or did you forget to fix the problems it found?

    Some people seem to think that the below service is malware. I think it may be part of your CA software. Probably related to internet content filtering (like parental controls).
    O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe

    Does this file exist? If so, please put a copy of it into a ZIP file and attach it here.

    Your logs are basically clean other than what has been deleted. What actual problems are you having right now?
     
    Last edited: Aug 12, 2009
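    The O23 line quoted above is a HijackThis service entry: display name, service name in parentheses, the owner HJT could attribute it to, and the image path. The question chaslang asks (does the binary actually exist, and who owns it?) is the first thing to check for any such entry. The following is an added example, not code from the thread or from the HijackThis project: it parses constructed O23 lines in that format (the svcprs32.exe line is the one from the post; the other two lines are made up for illustration), pulls out the four fields, and lists the entries worth a closer look, meaning an "Unknown owner" or an image path that is not present on disk. A flagged entry is a verification hint, not a verdict; as the post notes, an unknown-owner service can be a legitimate part of a security suite.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in HijackThis "O23" (Windows service) format.
# Only the svcprs32.exe line comes from the thread; the Example Vendor line
# and the O4 line are made up to show a known-owner entry and a non-O23 line.
SAMPLE_LOG = """\
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\\WINDOWS\\system32\\svcprs32.exe
O23 - Service: Example Update Service (ExampleUpdSvc) - Example Vendor Inc. - C:\\Program Files\\Example\\updsvc.exe
O4 - HKLM\\..\\Run: [NotAService] C:\\WINDOWS\\notepad.exe
"""

# Field layout of an O23 line: display name, (service name), owner, image path.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


@dataclass
class ServiceEntry:
    display_name: str
    service_name: str
    owner: str
    image_path: str

    @property
    def unknown_owner(self) -> bool:
        # HJT prints "Unknown owner" when it cannot attribute the binary to a vendor.
        return self.owner.strip().lower() == "unknown owner"

    def binary_present(self) -> bool:
        # Checks the local filesystem; on the infected PC this answers
        # "does this file exist?" directly.
        return os.path.isfile(self.image_path)


def parse_o23_lines(text: str) -> List[ServiceEntry]:
    """Extract every O23 service entry from HijackThis log text; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = O23_RE.match(raw.strip())
        if m:
            entries.append(
                ServiceEntry(m["display"], m["name"], m["owner"].strip(), m["path"].strip())
            )
    return entries


def review(entries: List[ServiceEntry]) -> List[Tuple[ServiceEntry, List[str]]]:
    """Return (entry, reasons) for entries that merit manual verification."""
    flagged = []
    for e in entries:
        reasons = []
        if e.unknown_owner:
            reasons.append("owner could not be attributed; identify the binary (e.g. submit a zipped copy)")
        if not e.binary_present():
            reasons.append("image path not found on this machine")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in review(parse_o23_lines(SAMPLE_LOG)):
        print(f"{entry.service_name} ({entry.image_path}):")
        for r in reasons:
            print(f"  - {r}")
```

Run it against a saved HijackThis log by reading the file into `parse_o23_lines` instead of `SAMPLE_LOG`. On the PC in question the "image path not found" reason only means something when the script runs there; on any other machine every path will be reported missing, so treat that reason as local-only.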
  6. CARE101

    CARE101 Private E-2

    Some online programs do not work and the error code says it is from badly infected machines. Programs not responding and hanging up, my firewall automatically disables at times, I have some system processes taking large system resources at times. Email is very slow and shows sending 2 messages when I am sending only 1. I use Outlook 2007 and it shows 4 email accounts sending and receiving when there are only 2. I have many many svchost running at the same time, up to 10 at times, and at times my cursor disappears and will not go where it is needed but only behind open windows, stops at start bar top but will not allow you to hit Start. After the CA found 2 issues the firewall disabling on its own has stopped. It seems I am missing some important Windows or registry files now per the tech at the MLS (multiple listing service); I cannot use some features of their system and the error says my machine is badly infected.

    Thank you for all of your help. I am ordering new recovery disks from Gateway today just in case. I was stupid not to have made them immediately upon starting the machine prior to ANY internet connection.
     

    Attached Files:

  7. CARE101

    CARE101 Private E-2

    Sorry Chaslang, I see I am not so good at using quotes- my answers are in the quote box. I am learning!! Thank you again!!
     
  8. CARE101

    CARE101 Private E-2

    Now the antivirus turns off automatically and will not allow me to turn it back on.

    Thank you for any help!:(
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are not CompUSA. You need to do only what we ask you to do and nothing else. If you want to work with CompUSA you can do that, but then you should not be working with us. I thought CompUSA went out of business.

    You need to be specific and if it is not occurring all the time then it is less likely to be malware.

    Also may not be malware. Check how many accounts show in Outlook and remove any unneeded accounts.

    Many svchost.exe processes are always running in Windows. Your last logs however only showed 2. You could be seeing more at other times. Your CA software may also impact how many of these are open since it loads an svchost manager.

    Again you will have to be more specific since I don't know what you are referring to. If you are missing entries in your registry that are required to run some software, you will need to reinstall the software.

    Recovery Disks are not what I personally would want. They put your PC back to the way it was shipped. What you want is a Windows XP SP3 installation CD so you can repair problems within the Windows Operating System without having to go back to a state that no one wants (i.e., the state a PC is shipped in with all the useless junk that the company put on it --- like AOL software --- and none of the software you have installed and set up afterwards).

    I suggest that you uninstall all this CA software that does not appear to be working properly anyway. It also could be just getting in the way of cleanup (i.e., preventing us from removing infections manually). After uninstalling it, reboot your PC.

    After reboot, run Malwarebytes and first update it. After update, run a full system scan which will take longer and is more thorough. DO NOT save a log until after you fix what is found. Make sure you fix/quarantine what is found and then immediately reboot your PC. After reboot run another scan (a quick scan is fine). Attach these two logs.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below logs:
    • the 2 logs from running Malwarebytes twice
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  10. CARE101

    CARE101 Private E-2

    I did as you requested however I had to do a complete destructive recovery again as my computer was extremely slow and could not get online.

    CompUSA is open in Fl and a few other states or maybe just TX, they are part of Tiger Direct. I only did what they told me about the CA and new hard drive. I have NOT done anything else but what your message say to do. I do thank you for your help and appreciate it.

    When I did the recovery I deleted all the AOL, BigFix, MSN, Adobe, Java, Flash and antivirus/spyware files. MSN Gaming Zone will not go away. When I use Unlocker to delete it I get that it is tied to the Winlogon.exe process and says

    \??\C:\WINDOWS\system32\winlogon.exe

    As for the Windows XP Media Center SP3 disk I have none, only the recovery disk I created per Gateway's instructions.

    Whatever I have actually makes a sound like chomp chomp chomp. I assume it is deleting files?? After I deleted all the Flash files it has stopped but that MSN Gaming comes back.

    I look forward to your reply.

    I included a combofix file as I did everything you said in your first reply just to make sure all was clean and it deleted a recycler file ending in 500.

    Thank you again!!
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But I did not suggest another destructive recovery followed by you deleting a variety of things from your computer including MSN gaming zone. You probably just need to uninstall the HP Internet Games that were installed. They should appear in add/remove programs. However none of this is a topic for the malware forum anyway so you can post about issues with doing recoveries and uninstalling factory pre-installed software in our Software Forums if you require help with this.

    Your logs are clean, but your system is unprotected now. The last step in the below covers getting properly protected.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
    Last edited: Aug 26, 2009
