Cigar Asylum Cigar Forum

Cigar Asylum Cigar Forum (http://www.cigarasylum.com/vb/index.php)
-   General Discussion (http://www.cigarasylum.com/vb/forumdisplay.php?f=48)
-   -   CPU virus question (http://www.cigarasylum.com/vb/showthread.php?t=41934)

wayner123 02-01-2011 09:37 AM

Re: CPU virus question
 
Quote:

Originally Posted by BC-Axeman (Post 1157172)
Don't forget Windows' built in anti-virus. It works pretty good as long as you keep it updated, which is critical in Windoze anyway. After doing an update win$ will run a scan when it reboots. Things called rootkits get around this but you probably don't have one.
I have been able to get rid of most infections by running SuperAntiSpyware followed by WinDefender followed by a security update.

If he can't run anything on her side, it is acting exactly like a rootkit. A scan with malwarebytes should show that.

BC-Axeman 02-01-2011 09:47 AM

Re: CPU virus question
 
If he can get in as Administrator and get to security updates and use control panel and run Malwarebytes it's not a very good rootkit. Rootkits replace the kernel and you are no longer even running Windows, you are running malware that runs Windows for you, meanwhile it can do whatever it wants with your computer. Keep track of your every keypress, decode encrypted transactions, read any file and hide some from you, turn on your webcam and microphones, anything.
I like Malwarebytes. I just happen to carry SAS around on a thumb drive with me.

wayner123 02-01-2011 10:01 AM

Re: CPU virus question
 
Quote:

Originally Posted by BC-Axeman (Post 1157203)
If he can get in as Administrator and get to security updates and use control panel and run Malwarebytes it's not a very good rootkit. Rootkits replace the kernel and you are no longer even running Windows, you are running malware that runs Windows for you, meanwhile it can do whatever it wants with your computer. Keep track of your every keypress, decode encrypted transactions, read any file and hide some from you, turn on your webcam and microphones, anything.
I like Malwarebytes. I just happen to carry SAS around on a thumb drive with me.

That was the old rootkits 1 and 2 that may have done that. Rootkits 3-5 (5 no one has confirmed yet) do not work this way.

jledou 02-01-2011 10:33 AM

Re: CPU virus question
 
One simple solution that has taken care of some (not all) of these, is a system restore to a date before this happened. In short some are worse than others, meaning some you have to catch before they load, some have to be taken care of in DOS, and some are a restore point away from being gone. Good luck.

RandJCigars 02-01-2011 01:37 PM

Re: CPU virus question
 
Download and install SpyBot Search and Destroy. It's free and it's very good. Make sure to boot into safe mode to run the scans...as some viruses, bots, and malware can stop a scanner from running properly.

357 02-01-2011 01:43 PM

Re: CPU virus question
 
It's known as "FakeAV". I have fought and beaten this exact issue. A freeware application called HitManPro will find and remove it. Install it while logged in under your profile, reboot into Safe Mode (hit F8 as it is booting up), and run a full system scan.

Many of the other common anti-malware/spyware apps will not work on this one. I have tried MalwareBytes, AVG, SpyBot, Symantec AV, McAfee AV, Trend Micro, and more. HitManPro is the only automated way. I have removed it manually by digging through the registry and tons of DLL files, but I doubt you want to venture into that.

Good luck.

Blueface 02-01-2011 01:51 PM

Re: CPU virus question
 
Erick, all fantastic advice given to you except the most important.

Here goes
:D

Ready?
:D

Get a Mac!!!;s

Other than that, not much else I can offer.

wayner123 02-01-2011 01:54 PM

Re: CPU virus question
 
Quote:

Originally Posted by 357 (Post 1157547)
It's known as "FakeAV". I have fought and beaten this exact issue. A freeware application called HitManPro will find and remove it. Install it while logged in under your profile, reboot into Safe Mode (hit F8 as it is booting up), and run a full system scan.

Many of the other common anti-malware/spyware apps will not work on this one. I have tried MalwareBytes, AVG, SpyBot, Symantec AV, McAfee AV, Trend Micro, and more. HitManPro is the only automated way. I have removed it manually by digging through the registry and tons of DLL files, but I doubt you want to venture into that.

Good luck.

Kaspersky is the leader in this field. I have removed trojans, malware, etc. multiple times from multiple machines with the tdsskiller. Malwarebytes will remove all the associated files from cookies and so on, and also let you know whether it's a rootkit or not. Then run tdsskiller and it "should" be gone. If that doesn't work, I have one more last option, but I am not going to list it till the OP tries the others first.

I don't mean to argue with you, and I am sure you have removed it through other programs (gmer is also a good one). I have a lot of experience with this malicious software and have read hours on hours of bleepingcomputer logs to feel confident in my advice.

wayner123 02-01-2011 01:58 PM

Re: CPU virus question
 
Quote:

Originally Posted by Blueface (Post 1157557)
Erick, all fantastic advice given to you except the most important.

Here goes
:D

Ready?
:D

Get a Mac!!!;s

Other than that, not much else I can offer.

Unfortunately, Macs are not immune to rootkits.

357 02-02-2011 07:24 AM

Re: CPU virus question
 
Quote:

Originally Posted by wayner123 (Post 1157567)
Kaspersky is the leader in this field. I have removed trojans, malware, etc. multiple times from multiple machines with the tdsskiller. Malwarebytes will remove all the associated files from cookies and so on, and also let you know whether it's a rootkit or not. Then run tdsskiller and it "should" be gone. If that doesn't work, I have one more last option, but I am not going to list it till the OP tries the others first.

I don't mean to argue with you, and I am sure you have removed it through other programs (gmer is also a good one). I have a lot of experience with this malicious software and have read hours on hours of bleepingcomputer logs to feel confident in my advice.

I too have extensive experience with this stuff in a work environment. I do use MalwareBytes quite a bit, but I've seen it detect and remove portions of FakeAV and leave other parts behind. Maybe the newer versions do a better job. Kaspersky very well may work. It is not one I've used so I can't comment on that either way. I know HitManPro will work and it's free. Either way I feel he has good advice from guys who've done this before, not just random "try this" suggestions from folks who are trying to help but don't have the background/experience.

MiamiE 02-02-2011 07:51 AM

Re: CPU virus question
 
I did the Malwarebytes and Comodo AV full scans. It detected the 4 viruses and deleted them, but my wife's IE still doesn't work. Says there's no connection to the proxy server. This may be due to Comodo creating a unique IP? She can open all her files again. Thanks for all your help guys! Much appreciated.

wayner123 02-02-2011 08:02 AM

Re: CPU virus question
 
Quote:

Originally Posted by MiamiE (Post 1158594)
I did the Malwarebytes and Comodo AV full scans. It detected the 4 viruses and deleted them, but my wife's IE still doesn't work. Says there's no connection to the proxy server. This may be due to Comodo creating a unique IP? She can open all her files again. Thanks for all your help guys! Much appreciated.

Did you run tdsskiller?

MiamiE 02-02-2011 08:28 AM

Re: CPU virus question
 
I am going to have to do that one later.

mosesbotbol 02-02-2011 08:31 AM

Re: CPU virus question
 
Copy her files such as documents, favorite, mail settings...

Delete her profile and create a new one until you find the AV software to dig deeper.

Bageland2000 02-02-2011 08:33 AM

Re: CPU virus question
 
Quote:

Originally Posted by MiamiE (Post 1158594)
I did the Malwarebytes and Comodo AV full scans. It detected the 4 viruses and deleted them, but my wife's IE still doesn't work. Says there's no connection to the proxy server. This may be due to Comodo creating a unique IP? She can open all her files again. Thanks for all your help guys! Much appreciated.

Are you trying to connect to a proxy server!? I doubt you are... A better question may be, how do you connect to the internet (modem, dsl, cable etc)

MiamiE 02-02-2011 08:49 AM

Re: CPU virus question
 
I have DSL. When I loaded Comodo it asked if I wanted to create a different IP.

357 02-02-2011 09:01 AM

Re: CPU virus question
 
Quote:

Originally Posted by MiamiE (Post 1158718)
I have DSL. When I loaded Comodo it asked if I wanted to create a different IP.

In IE, click tools, Internet options, then click the Connections Tab. Near the bottom click "LAN Settings" and uncheck the "Use Proxy" option. You'll have to close IE completely and re-open it. Some viruses (Virii) setup bogus proxies in IE to steal personal information. You can also get to these options in Control Panel under Internet Options.

For most DSL/Cable providers it is not necessary to use a proxy. Sometimes their install CD points you to one, but that is only for their benefit. They sell the tracking info of where you go, what you browse, how often you make purchases, and where. They do not collect personal info, but I still don't like participating. Comcast amongst others does this with their proxies. This is why I don't install their CD. You don't need it to get online. Just an IP address, gateway, and a subnet mask. 99% of the time that is automatically provided by DHCP to the cable/DSL modem, so you're good.
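The "LAN Settings" checkbox that 357 describes is backed by a handful of per-user registry values, and a malware-planted proxy is usually visible there even when the dialog is hard to reach. The script below is an added example written for this thread, not something posted by anyone in it. It reads the WinINET values IE uses, warns if a proxy or PAC script is configured, and offers a Reset-WinInetProxy function (a name chosen here, not a built-in cmdlet) that does what unticking "Use a proxy server" does. It goes a little beyond the post by also dumping the machine-wide WinHTTP proxy and the policy key that can override per-user settings, since clearing IE's box leaves those untouched. Assumptions: it runs in PowerShell as the affected user, because the values live under HKCU.

```powershell
# Added example: inspect and optionally clear the IE/WinINET proxy settings
# that "Internet Options -> Connections -> LAN Settings" writes. Not from the
# original thread. Assumes it is run as the user whose IE is broken (HKCU).

$InetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    # Each value is absent when never set; [int]$null is 0, so absent == unticked.
    $p = Get-ItemProperty -Path $InetKey
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable   # 1 = "Use a proxy server" is ticked
        ProxyServer   = $p.ProxyServer        # host:port, e.g. a localhost listener planted by malware
        AutoConfigURL = $p.AutoConfigURL      # PAC script URL; "Use automatic configuration script"
        ProxyOverride = $p.ProxyOverride      # bypass list; harmless, shown for completeness
    }
}

function Test-ProxyHijack {
    # Returns $true when IE would route traffic through a proxy or PAC script.
    $p = Get-WinInetProxy
    return ($p.ProxyEnable -eq 1 -and -not [string]::IsNullOrEmpty($p.ProxyServer)) -or
           (-not [string]::IsNullOrEmpty($p.AutoConfigURL))
}

function Reset-WinInetProxy {
    # Equivalent of unticking both boxes in LAN Settings.
    Set-ItemProperty -Path $InetKey -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $InetKey -Name $name -ErrorAction SilentlyContinue
    }
}

# --- report -----------------------------------------------------------------
Write-Host "Per-user (HKCU) IE proxy settings:"
Get-WinInetProxy | Format-List

# Group Policy can force HKLM settings for all users; if ProxySettingsPerUser
# is 0 the HKCU values above are ignored and the HKLM copy is what matters.
if (Test-Path $PolicyKey) {
    Write-Host "Policy key present (can override per-user settings):"
    Get-ItemProperty -Path $PolicyKey | Format-List ProxySettingsPerUser, ProxyEnable, ProxyServer, AutoConfigURL
}

# Machine-wide WinHTTP proxy, used by services and Windows Update, not by IE's dialog.
Write-Host "WinHTTP (machine-wide) proxy:"
netsh winhttp show proxy

if (Test-ProxyHijack) {
    Write-Warning "IE is set to use a proxy or PAC script. If you did not configure one, run: Reset-WinInetProxy"
} else {
    Write-Host "No proxy or PAC script configured for this user."
}
```

After Reset-WinInetProxy, close every IE window and reopen it, as the post says; IE reads these values at start. If the proxy reappears on the next reboot, as it did for MiamiE, something still running is re-writing the key, and that is the part the scanners have not yet removed.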

MiamiE 02-02-2011 07:39 PM

Re: CPU virus question
 
Quote:

Originally Posted by wayner123 (Post 1158609)
Did you run tdsskiller?

Just ran this and it found no threats. My wife's IE has reverted back to F'd up after a restart... :sh

MiamiE 02-02-2011 08:07 PM

Re: CPU virus question
 
Found the bastard with Hitman Pro 3.5.8

3 Trojans, 1 Malware, 1 Rootkit, and 3 Tracking Cookies. Question is what do I do now? Delete, quarantine, or ignore?

wayner123 02-02-2011 08:25 PM

Re: CPU virus question
 
I am not familiar with hitmanpro, but if it found something that tdsskiller did not, I would be wary.

Quarantine it and see what happens.

You can always go with my last option which is combofix.exe but let me know before you choose to do this step.

I also forgot to mention that you MUST run and save the tdsskiller.exe on your desktop. Or it won't work properly. Here is the basic use for it: http://www.bleepingcomputer.com/forums/topic377240.html

