Author Topic: Not sure if I have a virus or not.

REDACTED

  • Guest
Not sure if I have a virus or not.
« on: April 20, 2015, 04:44:41 AM »
Hi! Around 24 hours ago I accidentally clicked on a shady link while trying to navigate a webpage (I was using middle-click to scroll, which also opens up links in a new tab) and I was taken to an unfamiliar webpage that was advertising a sort of IRL gold selling service. I attempted to not panic and tried to take note of the webpage's name (which I soon after forgot). I quickly ran CCleaner and used it to clear just about everything, then updated TDSSkiller and MalwareBytes while making sure Avast! was up to date.

After that, I unplugged both my router and modem, then ran full scans with the above programs. None of the 3 found anything, which was rather distressing. While running a scan with Avast!, I kept the file shield open so I could see what was going on. About 20% into the scan, the shield activity went from 0 to a solid 1 for a good 40% of the scan. During that time, Avast! was not scanning the same files that the file shield was. The file shield was scanning just about every single .dll and .exe in my Autodesk folder (and by that extension Maya) one at a time, and towards the end of the file shield's constant scanning (which was at about 60% of the normal Avast! scan) the web shield showed some activity as well even though I was offline. That activity is what led me to believe I had a virus (which in turn was injecting itself into those files), though I'm not sure if this was the work of said virus or something else that isn't as threatening.

I let the virus scan finish and went to do a system restore. I decided to restore to a backup that was made a good 8 hours earlier that day. The backup ended up being successful, which was nice.

After that, I downloaded ComboFix while keeping an eye on Avast!'s file shield. The file shield was no longer scanning those .dll's that I had mentioned prior (or any for that matter), but I was still very concerned. I built my computer with a secondary hard drive so I could have space for numerous large video files, and the system restore only affected the C drive. Since I installed Maya to my D drive, I'm not sure if the virus (if any) was cleaned out of my system completely.

I went back offline after disabling Avast!'s real-time shields so it wouldn't affect ComboFix, and rebooted in safe mode. When safe mode was loading, it seemed to load much fewer files than I remembered in the past (however, this could have just been because this was my first time starting up in safe mode on my new computer). That concerned me because a few months back I helped my father with his computer -- he had managed to infect his PC with the infamous FBI virus. It was completely stopping me from booting the laptop up in safe mode, and for whatever reason when I tried to boot it up in safe mode, it would stop loading on the same file that my computer did. However, my computer was able to load up safe mode ok after that; I'm not sure if this is relevant or not, but I figured I should mention it anyways. I did do a Google search on the .dll that it stopped on, but it didn't harbor any helpful results.

Anyways, I ran ComboFix successfully and it apparently removed a file along with some orphans. Here is the log: http://puu.sh/hj2J2/9a195ed60f.txt -- I would appreciate if someone could take a look at that and tell me what exactly the infection/problem was (thank you!) (note: I'm not sure if ComboFix also scanned my D drive, or how I would specifically get it to do so. Should I be concerned about this?)

After running ComboFix, I also ran TDSSkiller which again found nothing. After that I had to reboot normally to update MalwareBytes, which insisted on failing its scans in safe mode because the database was out of date, regardless of the fact that I had updated it just an hour or so earlier.

So yeah, I rebooted in safe mode and ran a successful MalwareBytes scan. I did a custom scan and selected both my C and D drives this time around -- nothing was found, even with rootkits checked. Here is the log: http://puu.sh/hjobw/3aab3d5c06.txt

I had posted a similar help thread on the tomshardware forum, but I only received a minimal amount of help. I was also asked to check if I had any Windows services not running: I'm not sure if I'm misunderstanding what they were asking, but here is a pic of my current services: http://puu.sh/hjo6Z/88e5af1768.png -- there are a few stopped services, but if I remember correctly those are disabled by default.

While it seems like everything is currently ok, I'm still nervous that my system wasn't completely cleaned.

Also, at the time of the supposed infection, I had a -lot- of things plugged into my PC. I'm mostly concerned about my standing microphone and midi keyboard controller, though. I also had my phone charger USB plugged in, but it wasn't attached to my phone. Could any of that have gotten infected?

Am I in the clear? Also, should I be concerned that ComboFix found and deleted a file/orphans?

REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #1 on: April 20, 2015, 05:45:52 AM »
Wow, mate. Calm down and have a seat. Stop panicking and, most importantly, stop running specialized removal tools such as TDSSKiller and Combofix. Using them wrongly can severely damage your computer. Now, I am inclined to believe that you are not infected, but I will perform the check-up procedure just to be sure. Please follow the steps of this thread and attach the logs for my perusal. Attach the Combofix log as well.

REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #2 on: April 20, 2015, 08:06:31 AM »
My apologies -- I didn't mean to come off so panicked.

I have attached the log files of MalwareBytes, FRST and ComboFix. Since the attachment limit is 4, I've uploaded the aswMBR log to puush: http://puu.sh/hkgQM/0ce956dd4c.txt

I ran the FRST and aswMBR scans offline -- I did not use safe mode. Is this ok?

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Not sure if I have a virus or not.
« Reply #3 on: April 20, 2015, 12:20:11 PM »
My apologies -- I didn't mean to come off so panicked.

I have attached the log files of MalwareBytes, FRST and ComboFix. Since the attachment limit is 4, I've uploaded the aswMBR log to puush: http://puu.sh/hkgQM/0ce956dd4c.txt

I ran the FRST and aswMBR scans offline -- I did not use safe mode. Is this ok?

Certainly, we prefer a Normal Bootup instead of Safe Mode. It gives us a little bit more info.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #4 on: April 25, 2015, 06:41:58 AM »
Is there anything else I should do? Or am I in the clear?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Not sure if I have a virus or not.
« Reply #5 on: April 25, 2015, 08:56:58 AM »
Is there anything else I should do? Or am I in the clear?
Valinorum needs to check those logs ... but it seems he has forgotten you, so I sent him a PM.


REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #6 on: April 25, 2015, 03:22:51 PM »
My apologies for missing this topic. Inform me about your PC's condition after applying the fix.

  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
```
Start
CreateRestorePoint:
CloseProcesses:
Emptytemp:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-625706729-3278699554-3436046110-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
C:\Users\Chris\jagex_cl_oldschool_LIVE.dat
C:\Users\Chris\jagex_cl_runescape_LIVE.dat
C:\Users\Chris\jagex_cl_speccollect_LIVE.dat
C:\Users\Chris\random.dat
End
```
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Attach the log in your next reply.



  • Step #2 Fix with AdwCleaner
    • Download AdwCleaner by Xplode to your Desktop from the following link.
    • Right-click on AdwCleaner.exe and choose Run as administrator;
    • Click on Scan and let the program run unhindered;
    • When done, click on Clean and allow the system to reboot after it is done;
    • A log will be opened automatically after the restart;
    • Attach the log in your reply.



  • Required Log(s):
    • FRST Fix Log
    • AdwCleaner Log
Regards,
Valinorum
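The fixlist above is FRST's own input format, and it is worth understanding what each line asks FRST to do before clicking Fix. The following Python is an added example, not part of this thread and not FRST's code; it assumes FRST's usual fixlist conventions (directive lines ending in ':' are commands, registry lines copied from the FRST log are removed, bare file or folder paths are deleted) and previews the actions in the thread's fixlist, flagging anything malformed.

```python
"""Preview what an FRST fixlist asks FRST to do, before clicking Fix.
Added example, not from this thread or from FRST. The classification assumes
FRST's usual conventions: directive lines are commands, registry lines copied
from the FRST log are removed, bare file or folder paths are deleted."""
import re

# Directives used in the thread's fixlist (lower-cased; a subset of FRST's).
DIRECTIVES = {"createrestorepoint:", "closeprocesses:", "emptytemp:"}
HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")

# A shortened copy of the fixlist posted in this thread, used as sample input.
SAMPLE_FIXLIST = r"""Start
CreateRestorePoint:
CloseProcesses:
Emptytemp:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-625706729-3278699554-3436046110-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
C:\Users\Chris\jagex_cl_oldschool_LIVE.dat
C:\Users\Chris\random.dat
End"""

def classify(line):
    """Map one fixlist line to (kind, target)."""
    s = line.strip()
    low = s.lower()
    if low in ("start", "end"):
        return ("marker", s)
    if low in DIRECTIVES:
        return ("directive", s)
    if s.upper().startswith(HIVES):
        # Log entries carry a description (and maybe an ATTENTION flag) after ": ".
        return ("registry", s.split(": ", 1)[0])
    if re.match(r"^[A-Za-z]:\\", s):
        return ("delete_path", s)
    return ("unknown", s)

def preview(text):
    """Return (actions, problems); any problem means the fixlist should not be run."""
    lines = [l for l in text.splitlines() if l.strip()]
    actions, problems = [], []
    if not lines or lines[0].strip().lower() != "start":
        problems.append("fixlist must begin with 'Start'")
    if not lines or lines[-1].strip().lower() != "end":
        problems.append("fixlist must finish with 'End'")
    for kind, target in map(classify, lines):
        if kind == "unknown":
            problems.append(f"unrecognised line: {target}")
        elif kind != "marker":
            actions.append((kind, target))
    return actions, problems
```

Running `preview(open("fixlist.txt").read())` on a fixlist saved from Notepad lists the two registry keys to be removed and the files to be deleted, so a typo such as a stray path can be caught before FRST acts on it.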

REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #7 on: April 27, 2015, 05:15:38 PM »
Where does ADWcleaner drop its log after the scan is finished?

REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #8 on: April 27, 2015, 05:18:38 PM »
C:\AdwCleaner\AdwCleaner[S*].txt, where * will be replaced with a number which denotes the number of times the fix has been run.

REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #9 on: April 28, 2015, 03:43:25 AM »
I have attached both logs to this post.

ADWcleaner found a Chrome extension that I also found on my sister's heavily infected laptop while cleaning it yesterday. I'm a little nervous, to be honest.

REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #10 on: April 28, 2015, 04:06:43 AM »
  • Step #3 ESET Online Scanner
    Disable your security programs, which include but are not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.
    • Download esetsmartinstaller_enu.exe by clicking here.
    • Right-click on the program and choose Run as administrator.
    • Accept their terms and conditions and proceed.
    • Install Add-On/ActiveX if prompted.
    • From the Computer Scan Settings --
      • Enable detection of potentially unwanted applications
    • Click on Advanced Settings --
      • Check the following box --
        • Remove Found Threats
      • Check the following boxes --
        • Scan archives;
        • Scan for potentially unsafe applications
        • Enable Anti-Stealth Technology
    • Click on Start and wait for the virus signature database to update.
    • The online scan will begin automatically and can take several hours.
      • Note: Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
    • After the Scan finishes --
      • If no threats were found:
        • Put a checkmark in Uninstall application on close.
        • Close the program and report that nothing was found
      • If threats were found:
        • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        • Attach the log file in your next reply.
    Note: Enable your security programs afterwards.


  • Required Log(s):
    • ESET Log
Regards,
Valinorum

REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #11 on: April 28, 2015, 06:52:49 AM »
I have attached the log to this post.
« Last Edit: April 28, 2015, 07:31:06 AM by eveblames »

REDACTED

  • Guest
Re: Not sure if I have a virus or not.
« Reply #12 on: April 28, 2015, 07:50:25 AM »
Looks okay. How is your PC?