Has my computer been infected, need help.

Discussion in 'Malware Help (A Specialist Will Reply)' started by ricky22, Mar 5, 2010.

  1. ricky22

    ricky22 Private E-2

    Hi, I've been away and allowed two people to use my computer; one of them downloaded and installed an FLV player from www.download.com. Since I've been back I have sent the program to be scanned by VirusTotal, which came back with these infections for the file:

    W32/BackdoorX.DHLT
    Win32.Small.guj
    Backdoor/Small.gue

    I have checked, and the first one seems very nasty and can spread to my USB drive. Yes, I did plug it in before I found the infected file. The program has been uninstalled and deleted, and I have been googling away but still do not know if I'm infected or what other things may have been downloaded. Can anyone help me check my computer for these infections? Also, the two people both deny downloading the program. Could my USB pen drive also be infected? I'm very worried. Thanks for your time and help.

    I've followed all of the windows cleaning procedure and have the logs which I will try to attach.
     


  2. ricky22

    ricky22 Private E-2

    Please read my first thread below. Here are the MGlogs zip file logs.
     


  3. ricky22

    ricky22 Private E-2

    Hi, just an update: I turned System Restore off and did my scans in Safe Mode. I had to restart a few times to remove some security software that was affecting ComboFix. When I finished and restarted in Normal Mode, System Restore was on. Will I have to run the scans again? Thanks
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    Please follow only the requested steps in our READ & RUN ME First guide, and instructions given to you. * Having an infected restore point is better than not having any at all should something go wrong in the malware removal process.

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, ricky22

    I strongly recommend that you clean up this account's Desktop immediately, leaving only links. [ C:\Documents and Settings\Ricky\desktop ] Do not store downloads, exe files, iso files, etc. on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

    I find no malware present in your logs; however your SUPERAntiSpyware version is outdated.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new "Quick scan" of your system. And attach this new log.

    Comment: You have quite a mess in your "C:\Documents and Settings\Ricky\My Documents" directory!
    e.g.
    Do you know what this is? C:\WINDOWS\is-JBBK3.exe

    Using Windows Explorer - navigate to and delete:
    Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Now go to this link MGTools and download the new version of MGtools.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • updated SASlog.txt log from SuperAntiSpyware.

    dr.m
     
  6. ricky22

    ricky22 Private E-2

    Hi, thanks for all of your help. It looks like I did things wrong: I started again as msconfig did not stay in Normal mode, as I must not have applied before quitting; Spybot - Search & Destroy had one thing in IE Tweaks still ticked, the lock hosts file; and RootRepeal did not scan all my drives.

    I've done it all again, but before reading your reply about SUPERAntiSpyware being out of date. Would I have to start over or just update that program and re-scan? I will try and clean up my drive as you suggested. Could you tell me one thing: if the program was installed and had those infections reported by VirusTotal, would I not be infected? I did some googling before posting and read about the reported infections and how to remove them, and deleted the registry entries said to be created by them, but could not find all the files that these infections created.

    I've attached the new scan results. I did these scans before reading your last reply. Thanks again; will update SUPER and post when I've re-scanned. My D data partition is a mess and I'm finding all sorts on there as it's a shared computer.
     


  7. ricky22

    ricky22 Private E-2

    Can only find the JBBK3.EXEC: in C:\WINDOWS\Prefetch. Will re-download MGtools.exe to C: and re-scan.
     
  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, ricky22

    First - now that I'm working your thread, please only follow the instructions I post. Doing things on your own can complicate the removal process and make this a l-o-n-g drawn-out affair. ;)

    Answering your questions:
    1) Spybot locking your hosts file - is a good thing!
    2) RootRepeal can run randomly on different machines. While reviewing your logs, I'll see if we need to use another tool.
    3) After following my previous instructions on replacing your old SAS version - just update the newest version \ run a new "Quick Scan" \ attach that new log only.
    4) The effectiveness of your protection software may have prevented the malware from fully installing - therefore you might not find entries shown posted on the web. *Note - the names of infected files often "morph" or have random names; they may have different names on individual PCs.

    Please be patient and give me time to go through your present logs, but do attach the new SASlog.txt after installing, updating and running the newest version.

    dr.m
     
  9. ricky22

    ricky22 Private E-2

    Sorry for the delay. Have included scan results; no sign of JBBK3.EXE.
     


  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)

    I see no signs of infection, ricky.

    Your logs look good! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:

    Safe surfing!
     
  11. ricky22

    ricky22 Private E-2

    Hi, thanks for all of your help. When I turned my computer on this morning, ComboFix and all the programs used had vanished. I re-downloaded ComboFix and ran it again so that I could uninstall it, but it didn't work; it rebooted by itself this time to finish the scan. Computer is a bit messed up but I'll sort it. Thanks again.
     
  12. ricky22

    ricky22 Private E-2

    Forgot to ask, do I reset msconfig to what it was, selective?
     
  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    *Unless you are diagnosing a problem, you should leave your startup mode in "Normal Startup Mode".

    dr.m
     
  14. ricky22

    ricky22 Private E-2

    Looks like my computer has been hacked after all. Can't change any security options in IE8; when I click on Tools, then Internet Options, the following pops up:

    Restrictions - This operation has been cancelled due to restriction in effect on this computer. Please contact the system administrator.

    Many other Windows functions do not work anymore as well. Will have to delete all of my data and try cleaning my drive before re-installing Windows. After reading this, how can I be sure of anything?

    http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
     
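The "Restrictions" dialog quoted above is what Internet Explorer shows when a policy value such as NoBrowserOptions has been set under its Restrictions key, which a user can check directly rather than guess at. The following read-only audit is an added example, not code from the thread or from MajorGeeks; it assumes Windows PowerShell run as the affected user (HKCU), with a second elevated run for the HKLM key, and changes nothing.

```powershell
# Added example (not from the thread): list non-zero values under the policy keys
# that lockout malware commonly sets to block IE Internet Options, Task Manager
# and Registry Editor. NoBrowserOptions under ...\Internet Explorer\Restrictions
# is the value behind the "cancelled due to restrictions" dialog; DisableTaskMgr
# and DisableRegistryTools live under ...\Policies\System.
function Get-PolicyRestrictions {
    $keys = @(
        'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
        'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
        'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    # Properties PowerShell adds to every registry item; not real values.
    $noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }   # absent key means no policy applied
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($noise -contains $p.Name) { continue }
            # These are REG_DWORD flags; 0 means the restriction is off.
            if ($p.Value -is [int] -and $p.Value -eq 0) { continue }
            [pscustomobject]@{ Key = $k; Value = $p.Name; Data = $p.Value }
        }
    }
}

$hits = @(Get-PolicyRestrictions)
if ($hits.Count -eq 0) {
    'No policy restrictions found under the audited keys.'
} else {
    # On a home PC that is not joined to a domain, every hit should be explainable.
    $hits | Format-Table -AutoSize
}
```

Run it once before and once after cleanup; a hit that returns after a reboot points at something still active that re-applies the policy.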
  15. ricky22

    ricky22 Private E-2

    Please don't think I was being ungrateful; your help was much appreciated. It was the MajorGeeks guide about turning my security and especially my firewall off to run scans that was a very bad idea with this type of infection. Thanks again for your time.

    Hijacks and infections are now appearing each day; turning my protection off must have made it easier for the backdoor trojan.
     
  16. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    The only time you're instructed to do this is "Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix." And - if you would read any of our post reply instructions for the running of a "CFscript.txt", you will also find wording like:
    And - other than having you delete some temporary files, I stated:
    In fact, the only thing found in every scan log that you gave me was this being found and removed by ComboFix, in your FIRST attachments --->c:\windows\system32\AVSredirect.dll

    My "Best Wishes" in straightening out your other problems.
    dr.m
     
    Last edited: Mar 11, 2010
