TheDarkKnight

Honorary Members
  • Posts: 1,123

Everything posted by TheDarkKnight

  1. Hello BrianLevy, Please try repairing Internet Explorer: http://support.microsoft.com/kb/318378 Does IE work now?
  2. Hey BrianLevy, This will be a multistep process so please print these instructions for an easy read. Please uninstall MBAM from your Control Panel.
     =====
     Next, please download the attached Fix zip file and run the Fix.BAT file within. Double-click it to run a Command Prompt window. When it finishes type EXIT and press ENTER. Restart your computer.
     =====
     Now, please reinstall MBAM from here: http://www.malwarebytes.org/
     =====
     Do MBAM and IE work now?
     FIX.zip
  3. Hello BrianLevy, Please re-run SystemLook. Copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:
     :filefind
     ieframe.dll
     When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt.
  4. Good morning BrianLevy, Please download TDSSKiller: http://support.kaspersky.com/downloads/utils/tdsskiller.exe
     Save it in this folder: C:\Program Files\Malwarebytes Anti-Malware\Chameleon
     =====
     Then, please do the following to install Chameleon:
     Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.
     Copy All of the line from beginning to end {from the double-quote ...all the way to the last o ......ALL
     "C:\Program Files\Malwarebytes' Anti-Malware\Chameleon" /o
     A black DOS prompt will appear with a prompt to press any key to continue, please do.
     =====
     >>> TDSSKiller:
     Double-click on TDSSKiller.exe to run the application.
     Click Change parameters.
     Make sure you check the box Loaded modules.
     A window will popup and say Reboot is required. Please click Reboot now.
     Then click Change parameters again.
     Check the box Detect TDLFS file system.
     Click on the Start Scan button.
     If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
     If a suspicious file is detected, the default action will be Skip, click on Continue.
     If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
     Once the tool has finished, please click Report.
     Please copy and paste the contents of that log in your reply.
     Note: A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).
  5. Hey BrianLevy, Please run the System File Checker: http://www.bleepingcomputer.com/forums/t/43051/how-to-use-sfcexe-to-repair-system-files/
  6. Hey BrianLevy, Please download HitmanPro.
     For 32-bit Operating System - . This is the mirror - For 64-bit Operating System - This is the mirror -
     Launch the program by double clicking on the icon. (Windows Vista/7 users right click on the HitmanPro icon and select Run as administrator).
     Click on the next button. You must agree with the terms of EULA.
     Check the box beside "No, I only want to perform a one-time scan to check this computer".
     Click on the next button.
     The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
     When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!! on the next button.
     Click on the "Export scan results to XML file".
     Save that file to your Desktop and zip and attach it in your next reply.
  7. Hello BrianLevy, Please re-run RogueKiller. Click on the Delete button. The report has been created on the Desktop. Please post it in your reply. How are things now?
  8. Hey BrianLevy, Please download to the Desktop RogueKiller (by tigzy). Please quit all programs. Start RogueKiller.exe. Wait until Prescan has finished. Click on Scan. Click on Report and copy/paste the contents of the report in your next reply.
  9. Hey BrianLevy, Please run OTL.exe. Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
     :OTL
     O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
     O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     O15 - HKCU\..Trusted Domains: adp.com ([]* in Trusted sites)
     O15 - HKCU\..Trusted Domains: adp.com ([*.ds] http in Trusted sites)
     O15 - HKCU\..Trusted Domains: adp.com ([*.ds] https in Trusted sites)
     O15 - HKCU\..Trusted Domains: adp.com ([dsra1he.ds] * in Trusted sites)
     O15 - HKCU\..Trusted Domains: adp.com ([dsrac1he.ds] * in Trusted sites)
     O15 - HKCU\..Trusted Domains: adp.com ([dssda1he.ds] * in Trusted sites)
     O15 - HKCU\..Trusted Domains: adp.com ([dssda2he.ds] * in Trusted sites)
     O15 - HKCU\..Trusted Domains: adpcrm.net. ([multiautomall] * in Trusted sites)
     O15 - HKCU\..Trusted Domains: adpremotesupport.com ([]* in Trusted sites)
     O15 - HKCU\..Trusted Domains: adpremotesupport.com ([]http in Trusted sites)
     O15 - HKCU\..Trusted Domains: adpremotesupport.com ([]https in Trusted sites)
     O15 - HKCU\..Trusted Domains: adpremotesupport.com ([www] * in Trusted sites)
     O15 - HKCU\..Trusted Domains: autopartners.net ([www] https in Trusted sites)
     O15 - HKCU\..Trusted Domains: dmotorworks.com ([www] https in Trusted sites)
     O15 - HKCU\..Trusted Domains: ebizautos.com ([cp] https in Trusted sites)
     O15 - HKCU\..Trusted Domains: jmagroup.com ([]* in Trusted sites)
     O15 - HKCU\..Trusted Domains: jmfamily.com ([]* in Trusted sites)
     O15 - HKCU\..Trusted Domains: reyrey.com ([www.gs] https in Trusted sites)
     O15 - HKCU\..Trusted Domains: yahoo.com ([www] http in Trusted sites)
     O15 - HKCU\..Trusted Ranges: adpRange1 ( in Trusted sites)
     O15 - HKCU\..Trusted Ranges: adpRange2 ( in Trusted sites)
     O15 - HKCU\..Trusted Ranges: adpRange3 ( in Trusted sites)
     O15 - HKCU\..Trusted Ranges: Range1 ( in Trusted sites)
     :Commands
     [EmptyTemp]
     Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
     Click the red Run Fix button.
     A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
     Close OTL.exe
     If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     What issues remain?
  10. Hey BrianLevy, My apologies for the delay. Please download OTL.exe by OldTimer to your Desktop. Close all windows and double click OTL.exe. In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:
     netsvcs
     drivers32
     %SYSTEMDRIVE%\*.*
     %systemroot%\*. /mp /s
     CREATERESTOREPOINT
     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
     Click Run Scan and let the program run uninterrupted. When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread. You may need to use two posts to get it all.
  11. Hi BrianLevy, My apologies. I missed the email notification. Please download to your Desktop SystemLook by jpshortstuff from here. Double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:
     :filefind
     i8042prt.sys
     When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt.
  12. I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled. **Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.** **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.** Please include the C:\ComboFix.txt in your next reply for further review.
  13. I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled. **Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.** **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.** Please include the C:\ComboFix.txt in your next reply for further review. ===== Also, please update MBAM and post a fresh log in your reply. ===== In your reply please provide the logs from ComboFix and MBAM.
  14. Hey fishtaco254, Sorry I missed your reply. The Bitdefender Rescue CD is a bootable CD based version of Bitdefender Antivirus. The download is in ISO format. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn. There is a tutorial on running it at How to Use the BitDefender Rescue CD to Clean Your Infected PC
     Please download the Bitdefender Rescue CD: http://download.bitdefender.com/rescue_cd/bitdefender-rescue-cd.iso
     Burn the Bitdefender Rescue CD ISO image to CD.
     Insert the Bitdefender Rescue CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
     Select "Start Bitdefender Rescue CD in English", then press Enter.
     Once the graphical interface starts, select "Continue".
     Bitdefender Update will start automatically.
     When finished updating, scanning will start automatically.
     When finished scanning, if threats were detected, double-click the Desktop icon "Scan Logs".
     In the window that opens, double-click the log file and open it with Firefox browser.
     To save the log, go to File > Save Page As, enter a file name you will remember such as BDSCAN.TXT, then in the "Save in folder" field select your system drive, and click "Save". The log will save in the root of your system drive (C:\).
     Close the scanner, restart your system, and post the log in your next reply.
  15. Hey fishtaco254, So when you use AdBlockPlus, it removes the ad but not the box? Can you remove the ad by clicking an x?
  16. Hey fishtaco254, You are using Chrome. Time to try Adblock Plus. https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb?hl=en Please install it. Now you may need to play around with it a little, but see if that makes the ad vanish.
  17. Hey fishtaco254, So it is the car ad? And you notice it more on Yahoo! than anywhere else?
  18. Hey Mars25, Yeah, a program could if it wanted. The old version should be uninstalled. Your logs look good. Please run a free online scan with the ESET Online Scanner.
     Note: You can use Internet Explorer or Mozilla Firefox for this scan.
     Tick the box next to YES, I accept the Terms of Use.
     Click Start.
     When asked, allow the ActiveX control to install.
     Click Start.
     Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
     Click Scan.
     Wait for the scan to finish.
     Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
     Copy and paste that log as a reply to this topic.
  19. Hello Mars25, Not sure what happened to your post. OK so this ActiveDesktop thing Malwarebytes keeps finding. Basically MBAM looks at the Registry and flags things it finds have changed from their default values. For instance, if you turn on Active Desktop then MBAM will flag this as malicious, even if you have changed this. Did you change this? Active Desktop is a function that allows you to add HTML and other features to your Desktop.
  20. Hey Benjid, A repair install would be adequate if needed. No. Although, S + D is not very effective against the later threats. You are better off just keeping your antivirus, MBAM and Spyware Blaster.
  21. Hey fishtaco254, Please take a screenshot and attach it to your post.
  22. Hey fishtaco254, OK. Please reinstall Chrome and let me know if it comes back.
  23. Hey Benjid, Yes, that's fine. To remove all of the tools we used and the files and folders they created do the following:
     Double click OTL.exe.
     Click the CleanUp button.
     Select Yes when the "Begin cleanup Process?" prompt appears.
     If you are prompted to reboot during the cleanup, select Yes.
     The tool will delete itself once it finishes.
     Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
     =====
     Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

     IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

     As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program. Please consider installing and running the following program (there is a free version available): SpywareBlaster A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

     Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

     Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

     A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

     Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

     Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

     Please also read Tony Klein's excellent article: How did I get infected in the first place.

     Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.