TheDarkKnight

Good morning adelatorre, OTL only found remnants I believe. Even in the log it couldn't locate the offending file, so unfortunately I don't think you will be able to give them a sample. You could give them a link to this topic and see what they think. Please run a free online scan with the ESET Online Scanner. Note: You can use Internet Explorer or Mozilla Firefox for this scan. Tick the box next to YES, I accept the Terms of Use. Click Start. When asked, allow the ActiveX control to install. Click Start. Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked. Click Scan. Wait for the scan to finish. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt. Copy and paste that log as a reply to this topic.

Hello aryama, OK. Please bear in mind that ComboFix may still fail while the disc should succeed.

Good morning kingtaoist, So the issue is gone? Please download Security Check by screen317 from here or here. Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. There are signs of the Yahoo! Toolbar in your log. This toolbar comes bundled with other third party applications you may not want installed. Please see here for more information. I recommend you remove it. Please go to Start>Control Panel>Programs and uninstall the following programs (if present): Yahoo! Companion Yahoo! Toolbar Please restart your computer after these program removals. ===== Next, please run OTL.exe. Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): :OTL F3:64bit: - HKCU WinNT: Load - (C:\Users\KEVIN~1.MIA\LOCALS~1\Temp\msiaqaatw.pif) - File not found F3 - HKCU WinNT: Load - (C:\Users\KEVIN~1.MIA\LOCALS~1\Temp\msiaqaatw.pif) - File not found O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Main present O15 - HKCU\..Trusted Domains: hp.com ([]https in Trusted sites) O15 - HKCU\..Trusted Domains: miamidiver.com ([]file in Local intranet) O33 - MountPoints2\{7d39a230-7bde-11e0-8705-bcaec534d5b9}\Shell - "" = AutoRun O33 - MountPoints2\{7d39a230-7bde-11e0-8705-bcaec534d5b9}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a O33 - MountPoints2\{dcefb63e-d28e-11e0-9d12-bcaec534d5b9}\Shell - "" = AutoRun O33 - MountPoints2\{dcefb63e-d28e-11e0-9d12-bcaec534d5b9}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\drivers\setup.exe @Alternate Data Stream - 226 bytes -> C:\ProgramData\Temp:0FF263E8 :Commands [EmptyTemp] Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste. Click the red Run Fix button. A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTL.exe If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. ===== Then, please go to http://www.virustotal.com, click on Choose File, and upload the following file for analysis: You will only be able to have one file scanned at a time. C:\Windows\SysWow64\igdde32.dll C:\Windows\SysWow64\ig4icd32.dll Then click Scan It!. Allow the file to be scanned, and then please copy/paste the results here for me to see. Note: If a message appears saying the file has already been analysed, please resend the file. ===== In your reply please provide the following: OTL fix log. Results from VirusTotal. How is your computer currently running?

I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. Please uninstall ARO2012 via the Control Panel. ===== Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled. **Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.** **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.** Please include the C:\ComboFix.txt in your next reply for further review.

Hey Jedarius, Please re-run RogueKiller. Click on the Delete button. The report has been created on the Desktop. Please post it in your reply. ===== Now try MBAM and see what it finds please. ===== In your reply please provide the contents of the logs from MBAM and RogueKiller.

Good afternoon Jedarius, Please download to the Desktop RogueKiller (by tigzy). Please quit all programs. Start RogueKiller.exe. Wait until Prescan has finished. Click on Scan. Click on Report and copy/paste the contents of the report in your next reply.

Good afternoon QubicComputers, Your logs appear clean. I notice you have a few users. Did you create them? I think your issues are only Cloud-related. Please run a free online scan with the ESET Online Scanner. Note: You can use Internet Explorer or Mozilla Firefox for this scan. Tick the box next to YES, I accept the Terms of Use. Click Start. When asked, allow the ActiveX control to install. Click Start. Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked. Click Scan. Wait for the scan to finish. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt. Copy and paste that log as a reply to this topic.

Good morning aryama, Please read all these directions before proceeding. When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier. Be sure to read these: Download Kaspersky Rescue Disk 10 How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it? How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk? Please go to a clean computerDownload the .iso image file. Create a CD (or flash drive if you prefer). On the infected computer: put the disk in the drive and reboot. Follow the directions here, but you will find some differences. Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10? Then, please print the following directions: Boot from Kaspersky Rescue Disk 10: Restart your computer and put the disk in the drive while booting. Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically. Select the required interface language using the arrow-keys on your keyboard. Press the Enter key on the keyboard. In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode Click Enter. Click 'A' to accept the agreement. Select operating system from dropdown menu (select Windows whatever). Select Objects to scan: check Disk boot sectors, Hidden startup objects, C: Click My Update Center and update. Back to other tab and click Start Object Scan. When scan has completed save a report: On the upper part of the Kaspersky Rescue Disk window, click on the Report link. On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button. On the upper right hand corner of the Detailed report window, click on the Save button. After clicking Detailed Report and 'SAVE', a browse window opens. Double-click on the \ Click 'disks'. All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt. Click on the Save button. The report has been saved to the file. Remove the disk from the drive (or disconnect USB) and reboot normally.

Good morning QubicComputers, You can now try removing the security programs you don't want to keep again. Please follow these instructions to remove the remaining malicious entries: Please close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open Notepad and copy/paste the text in the quotebox below into it: Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail. Save this as CFScript.txt, in the same location as ComboFix.exe. Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please post the ComboFix.txt in your next reply. ===== Also, please download Malwarebytes Anti-Rootkit here. Unzip the contents to a folder on the Desktop. Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7). Follow the instructions in the wizard to update and allow the program to scan your computer for threats. Click on the Cleanup button to remove any threats and reboot if prompted to do so. Wait while the system shuts down and the cleanup process is performed. Please post the two logs produced. Please note: This tool is still in BETA mode, so please ensure you have backed up any important files. ===== In your reply I would like to see the following please: ComboFix.txt. Both MBAR logs. How is the computer running?

Good morning Jedarius, Now please run a fresh scan with MBAM and post its new log in your reply.

Good evening Woe_is_Me_n_myPC, There are signs of the AVG Security Toolbar in your log. This toolbar comes bundled with Yahoo! and makes changes to your browser settings without your consent. Please see here for more information. I recommend you remove it. Also, there are signs of the Yahoo! Toolbar in your log. This toolbar comes bundled with other third party applications you may not want installed. Please see here for more information. I recommend you remove it. I also see the Google Toolbar in your log. This toolbar has been known to exhibit suspicious behaviour. Please see here for more information. I recommend you remove it. Please go to Start>Control Panel>Programs and uninstall the following program (if present): AVG Security Toolbar Google Toolbar Yahoo! Companion Yahoo! Toolbar Please restart your computer after these program removals. ===== Please run OTL.exe. Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): :OTL IE - HKCU\..\SearchScopes\{4A0FE87B-3640-4E2A-A237-645B533666F4}: "URL" = http://search.softon...archSource=4= IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168.*.*;*.local O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present :Commands [EmptyTemp] Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste. Click the red Run Fix button. A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTL.exe If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. ===== Then, please read all these directions before proceeding. When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier. Be sure to read these: Download Kaspersky Rescue Disk 10 How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it? How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk? Please go to a clean computerDownload the .iso image file. Create a CD (or flash drive if you prefer). On the infected computer: put the disk in the drive and reboot. Follow the directions here, but you will find some differences. Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10? Then, please print the following directions: Boot from Kaspersky Rescue Disk 10: Restart your computer and put the disk in the drive while booting. Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically. Select the required interface language using the arrow-keys on your keyboard. Press the Enter key on the keyboard. In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode Click Enter. Click 'A' to accept the agreement. Select operating system from dropdown menu (select Windows whatever). Select Objects to scan: check Disk boot sectors, Hidden startup objects, C: Click My Update Center and update. Back to other tab and click Start Object Scan. When scan has completed save a report: On the upper part of the Kaspersky Rescue Disk window, click on the Report link. On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button. On the upper right hand corner of the Detailed report window, click on the Save button. After clicking Detailed Report and 'SAVE', a browse window opens. Double-click on the \ Click 'disks'. All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt. Click on the Save button. The report has been saved to the file. Remove the disk from the drive (or disconnect USB) and reboot normally. ===== In your reply please provide the contents of the following: OTL fix log. Detected portion of the Kaspersky log.

Hey Jedarius, Please follow these instructions to remove the remaining malicious entries: Please close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open Notepad and copy/paste the text in the quotebox below into it: Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail. Save this as CFScript.txt, in the same location as ComboFix.exe. Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please post the ComboFix.txt in your next reply.

Good evening Jedarius, Please follow these instructions to remove the remaining malicious entries: Please close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open Notepad and copy/paste the text in the quotebox below into it: Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail. Save this as CFScript.txt, in the same location as ComboFix.exe. Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please post the ComboFix.txt in your next reply. ===== Also, please download to the Desktop RogueKiller (by tigzy). Please quit all programs. Start RogueKiller.exe. Wait until Prescan has finished. Click on Scan. Click on Report and copy/paste the contents of the report in your next reply. ===== In your reply please provide the following: ComboFix.txt. RogueKiller log.

I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled. **Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.** **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.** Please include the C:\ComboFix.txt in your next reply for further review.

Hey kingtaoist, Please read all these directions before proceeding. When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier. Be sure to read these: Download Kaspersky Rescue Disk 10 How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it? How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk? Please go to a clean computerDownload the .iso image file. Create a CD (or flash drive if you prefer). On the infected computer: put the disk in the drive and reboot. Follow the directions here, but you will find some differences. Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10? Then, please print the following directions: Boot from Kaspersky Rescue Disk 10: Restart your computer and put the disk in the drive while booting. Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically. Select the required interface language using the arrow-keys on your keyboard. Press the Enter key on the keyboard. In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode Click Enter. Click 'A' to accept the agreement. Select operating system from dropdown menu (select Windows whatever). Select Objects to scan: check Disk boot sectors, Hidden startup objects, C: Click My Update Center and update. Back to other tab and click Start Object Scan. When scan has completed save a report: On the upper part of the Kaspersky Rescue Disk window, click on the Report link. On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button. On the upper right hand corner of the Detailed report window, click on the Save button. After clicking Detailed Report and 'SAVE', a browse window opens. Double-click on the \ Click 'disks'. All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt. Click on the Save button. The report has been saved to the file. Remove the disk from the drive (or disconnect USB) and reboot normally.

Good afternoon Woe_is_Me_n_myPC, OK well time to take the infections out, one by one. I see you have the Softtonic Toolbar installed. It has been known to exhibit suspicious behaviour (please see here for more information). I recommend removing it. I notice that you are running multiple antivirus programs: McAfee Microsoft Security Essentials Running multiple antivirus programs is dangerous because the programs can conflict with each other and actually reduce your security. I recommend removing McAfee and keeping Microsoft Security Essentials as your antivirus program. Please go to Start>Control Panel>Programs and uninstall the following programs: McAfee Antivirus Softtonic Toolbar Please restart your computer after these program removals. ===== Also, please download OTL.exe by OldTimer to your Desktop. Close all windows and double click OTL.exe. In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold: netsvcs drivers32 %SYSTEMDRIVE%\*.* %systemroot%\*. /mp /s CREATERESTOREPOINT HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs Click Run Scan and let the program run uninterrupted. When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread. You may need to use two posts to get it all.

Hello davejjj, I notice that you have the User Account Control turned off. This is a very important security feature on Windows Vista and 7, as it allows you to restrict access to your computer and control programs that try to run. Please see below on how to turn it on: http://windows.microsoft.com/en-AU/windows-vista/Turn-User-Account-Control-on-or-off ===== Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable. Please follow the instructions below to update Java: Please go to the below link and download the latest Windows 7 version: http://www.java.com/en/download/manual.jsp Save it to your Desktop. Please go to Start>Control Panel>Programs. Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have this icon next to them: Select Uninstall. Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed. ===== Also, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it: Please go to Start>All Programs>Adobe Reader. Open Adobe Reader and navigate to Help>Check for Updates. Please follow the prompts to install the latest version. ===== In your reply please let me know how the updates go.

Good afternoon QubicComputers, You have the ZeroAccess infection. This is a rootkit that can offer backdoor access to a remote user. If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the trojan has been identified and can be removed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please visit the following sites for more information on internet theft and when to reformat! How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? When Should I Format, How Should I Reinstall I will of course do my best to help clean the computer of any infections that I can see if you would like to continue. If you have any questions before making a final decision, please feel free to ask. Instructions on how to format and reinstall Windows can be found here ===== If you decide you wish to attempt to clean your computer in spite of this threat then please proceed with these instructions: Please run OTL.exe. Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): :OTL IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;192.168.*.* [2012/07/26 16:36:50 | 000,000,000 | ---D | M] -- C:\Users\Shawn.Michael-HP\Desktop\McCormic\Mike\Local Settings\Application Data\{fbe85e6f-9791-cc8e-9b92-421bf3956b14}\U [2012/07/26 16:36:50 | 000,000,000 | ---D | M] -- C:\Users\Shawn.Michael-HP\Desktop\McCormic\Mike\Local Settings\Application Data\{fbe85e6f-9791-cc8e-9b92-421bf3956b14} @Alternate Data Stream - 233 bytes -> C:\ProgramData\Temp:E5F8E280 @Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:9D6EAEC3 @Alternate Data Stream - 226 bytes -> C:\ProgramData\Temp:D055FC10 @Alternate Data Stream - 196 bytes -> C:\ProgramData\Temp:E84CA8F2 @Alternate Data Stream - 148 bytes -> C:\ProgramData\Temp:A039EDF9 @Alternate Data Stream - 148 bytes -> C:\ProgramData\Temp:7D288858 @Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:25F31665 @Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:07BB519E @Alternate Data Stream - 131 bytes -> C:\ProgramData\Temp:CC45913B @Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:A4BF246C @Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:4B244549 @Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:F84B8DB5 @Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:D0AB0B4A @Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:E6EC5C2A @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:9547F1DB @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:57EE48CA @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:C0913157 @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:A41FEAA2 @Alternate Data Stream - 115 bytes -> C:\ProgramData\Temp:BE64143E @Alternate Data Stream - 115 bytes -> C:\ProgramData\Temp:0D786AE3 @Alternate Data Stream - 114 bytes -> C:\ProgramData\Temp:ED9B661E :Commands [EmptyTemp] Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste. Click the red Run Fix button. A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTL.exe If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. ===== Then try running ComboFix and post its log in your reply. ===== In your reply please post the contents of OTL and ComboFix if you decide to proceed.