This is ZeroAccess?

Can you attach the logs from TDSSKiller and MBRCheck please?

Aldo make sure you have been through the following procedures, attach logs from those too.

Please read ALL of this message including the notes before doing anything.

Pleases follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

• **** If something does not run, write down the info to explain to us later but keep on going. ****
• Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
​

 

I'll just keep you moving along while Kestrel13! is not here.

You have a lot of problems. Much more than ZeroAccess. Also you have many leftovers from an incomplete McAfee uninstall that need to be fix.

Did you install and do you use PackageAware for virtual applications?
C:\Documents and Settings\Kezzy\Local Settings\Application Data\PackageAware

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 1

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111025112355.dll
O2 - BHO: (no name) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - (no file)
O4 - HKCU\..\Run: [YlrWhucg] C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe
O4 - S-1-5-18 Startup: edame.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: edame.exe (User 'Default user')
O4 - .DEFAULT User Startup: edame.exe (User 'Default user')
O20 - Winlogon Notify: kremtel - C:\Documents and Settings\NetworkService\Local Settings\Application Data\kremtel.dll
O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\fgjlef\setup.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\Program Files\McAfee\VirusScan\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now download The Avenger by Swandog46, and save it to your Desktop.
See the download links under this icon http://www.majorgeeks.com/images/dll.gif

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now install the current version of Sun Java from: Sun Java Runtime Environment


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Also please attach the below logs from Malwarebytes:
"C:\Documents and Settings\Kezzy\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
mb0246~1.txt 20 Jan 2012 2324 "mbam-log-2012-01-20 (16-19-42).txt"
mbfc35~1.txt 18 Jan 2012 2648 "mbam-log-2012-01-18 (20-24-05).txt"

Make sure you tell me how things are working now!

Are you missing any items from your Start Menu, Quick Launch, .....etc ?

 

Did you purchase this? >>> PC Tune-Up


Some of the last fix worked and some did not. It would really be good if we could get ComboFix to work so let's try the below.


Uninstall your current copy ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

• Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
• "%userprofile%\Desktop\combofix" /uninstall
  • Notes: The space between the combofix" and the /uninstall, it must be there.

Then check to see if either of the below folders still exist and delete them if you see them:
C:\ComboFix
C:\Qoobox

Now download and save the below copy of ComboFix to your Desktop.

ComboFix


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Run: [YlrWhucg] C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe
O4 - S-1-5-18 Startup: edame.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: edame.exe (User 'Default user')
O4 - .DEFAULT User Startup: edame.exe (User 'Default user')

After clicking Fix, exit HJT.

Now shutdown Microsoft Security Essentials and see if you can run ComboFix as given below. If ComboFix does not work, just stop and come back and tell me exactly what happened.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.


Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms especially do not run things like fixing issues in the registry. Never do this unless specified under the directions of an expert.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

 

Thanks for chipping in Chas, busy weekend at work.

 

We don't need a new MGlogs.zip file until ComboFix runs properly.

You can ignore messages about Microsoft Security Essentials running. ComboFix has a problem actually knowing when a program is really running or not. However the freezing is a problem we need to get past.

Try booting your PC in safe mode and see if you can follow the previous instructions. Again, only attach a new MGlogs.zip file if ComboFix runs.

 

Okay then let's try a different method.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe
O4 - HKCU\..\Run: [YlrWhucg] C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe
O4 - S-1-5-18 Startup: edame.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: edame.exe (User 'Default user')
O4 - .DEFAULT User Startup: edame.exe (User 'Default user')

After clicking Fix, exit HJT.

Now please download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\edame.exe
C:\WINDOWS\system32\-1
C:\WINDOWS\Temp\19.tmp
C:\WINDOWS\Temp\1A.tmp
C:\WINDOWS\Temp\cab2
C:\WINDOWS\Temp\cab3
C:\WINDOWS\Temp\cab4
C:\WINDOWS\Temp\cab5
C:\WINDOWS\Temp\cab6
C:\Documents and Settings\Kezzy\Local Settings\Temp\qtmujwbmnodgaupu.exe
C:\Documents and Settings\Kezzy\Local Settings\Temp\tmp104.tmp
C:\Documents and Settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
C:\Documents and Settings\Kezzy\Local Settings\Application Data\PackageAware
C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp
C:\WINDOWS\Temp\hfeldl
C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
 
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"YlrWhucg"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"=-
[HKEY_USERS\S-1-5-21-1444035893-2420130285-3764947258-1006\Software\Microsoft\Windows\CurrentVersion\run]
"YlrWhucg"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Yes and the fix did not work. Too bad we cannot get ComboFix to work. This would be so much earsier.

Let's try another tool from Old Timer, but first be for we try to run a cleanup with it, let's run a scan.


Download OTL by Old Timer and save it to your Desktop.

See the download links under this icon http://www.majorgeeks.com/images/dll.gif

• Double click on OTL.exe to run it.
• Under Output, ensure that Minimal Output is selected.
• Under Extra Registry section, select Use SafeList.
• Click the Scan All Users checkbox.
• Click on Run Scan at the top left hand corner.
• When done, two Notepad files will open.
  • OTL.txt <-- Will be opened and you can just close it.
  • Extra.txt <-- Will be minimized - and can also be closed

The OTL.txt and Extras.txt logs are saved in the same location as OTL. Attach these two log files to your next message.

Do you have your Windows XP boot CD?

 

Okay now since you went back and ran OTM again, you have changed the status of the report from OTL making it not reliable. So we will need to get new logs. One from OTL and one from MGtools.

Rerun the same scan with OTL again and attach the same logs as last time.


Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\MGlogs.zip

 

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe
O4 - HKCU\..\Run: [YlrWhucg] C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\pev.3XE

After clicking Fix, exit HJT.



Now shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.

• Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

:OTL
O3 - HKU\S-1-5-21-1444035893-2420130285-3764947258-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1444035893-2420130285-3764947258-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-1444035893-2420130285-3764947258-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKU\S-1-5-21-1444035893-2420130285-3764947258-1006..\Run: [YlrWhucg] C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\gaaro.exe (SysDrive)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\edame.exe (SysDrive)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe) -C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe File not found
[2012/01/27 14:21:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp
[2011/10/25 09:25:23 | 000,006,030 | -HS- | C] () -- C:\Documents and Settings\Kezzy\Local Settings\Application Data\e4p658450oy660al14dx
[2011/10/25 09:25:23 | 000,006,030 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\e4p658450oy660al14dx
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
:Files
C:\Documents and Settings\Kezzy\Local Settings\Application Data\aprrithc.log
C:\Documents and Settings\Kezzy\Local Settings\Application Data\bgyfbqoc.log
C:\Documents and Settings\Kezzy\Local Settings\Application Data\cdouyxrs.log
C:\Documents and Settings\Kezzy\Local Settings\Application Data\fubkjglt.log
C:\Documents and Settings\Kezzy\Local Settings\Application Data\mfsscjps.log
C:\Documents and Settings\Kezzy\Local Settings\Application Data\oxjpoiwv.log
C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp
C:\Documents and Settings\Kezzy\Local Settings\Application Data\smcfqrtt.log
C:\Documents and Settings\Kezzy\Local Settings\Application Data\vpuqtqny.log
C:\Documents and Settings\Kezzy\Local Settings\Application Data\xeektqfr.log
C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe
C:\Documents and Settings\Kezzy\Start Menu\Programs\Startup\ylrwhucg.exe
C:\Documents and Settings\Kezzy\Local Settings\Temp\qtmujwbmnodgaupu.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\gaaro.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\edame.exe 
C:\Documents and Settings\Kezzy\Local Settings\Application Data\PackageAware
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"YlrWhucg"=-
[HKEY_USERS\S-1-5-21-1444035893-2420130285-3764947258-1006\Software\Microsoft\Windows\CurrentVersion\run]
"YlrWhucg"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,"
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"YlrWhucg"=
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Kezzy\Start Menu\Programs\Startup\ylrwhucg.exe"=-
[HKEY_USERS\S-1-5-21-1444035893-2420130285-3764947258-1006\Software\Microsoft\Windows\CurrentVersion\Run]
"YlrWhucg"=-
[HKEY_USERS\S-1-5-21-1444035893-2420130285-3764947258-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Kezzy\Local Settings\Application Data\qiakwrsp\ylrwhucg.exe"=-
[HKEY_USERS\S-1-5-21-1444035893-2420130285-3764947258-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Kezzy\Start Menu\Programs\Startup\ylrwhucg.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\DOCUME~1\Kezzy\LOCALS~1\Temp\qtmujwbmnodgaupu.exe"=--
[HKEY_USERS\S-1-5-21-1444035893-2420130285-3764947258-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\DOCUME~1\Kezzy\LOCALS~1\Temp\qtmujwbmnodgaupu.exe"=-
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]

[REBOOT]

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• If the fix needed a reboot please do it.
• Click the OK button (upon reboot).
• When OTL is finished, Notepad will open. Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (See: How to attach)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




Then attach the below logs:

• the log from OTL
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Yes because OTL did not remove what it said it removed. It's possibly that something else is hiding from view.

Did it reboot automatically after running it? Or did it ask you to reboot and if so did you do the reboot immediately?

Please run the below scans and attach the logs requested.

GMER - running with a random name


Now please download Farbar Service Scanner and run it on the computer with the issue.

• Put a check mark in each option box on the left side.
• Click "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach this log to your next reply.

Also run ESET oer the below: Using ESET's Online Scanner


And one more scan:

Also, please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  Code:

  :regfind
  YlrWhucg
  qiakwrsp
  qtmujwbmnodgaupu
  :filefind
  qiakwrsp
  ylrwhucg.exe
  qtmujwbmnodgaupu.exe
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
• Please attach the SystemLook.txt log found on your Desktop to next reply.

 

You should not have anything else open when running fixes and you must reboot immediately. Try it one more time with everything closed except OTL. Also I will adde a couple items to the fix. Hopefully before you run it.

I would not expect the GMER and Farbar Service Scanner to be blocked. Those are not antivirus sites. But please get them downloaded and run those procedures ASAP.