Cigar Asylum Cigar Forum Mobile
Page 2 of 3
General Discussion > CPU virus question
wayner123 09:37 AM 02-01-2011
Originally Posted by BC-Axeman:
Don't forget Windows' built in anti-virus. It works pretty good as long as you keep it updated, which is critical in Windoze anyway. After doing an update win$ will run a scan when it reboots. Things called rootkits get around this but you probably don't have one.
I have been able to get rid of most infections by running SuperAntiSpyware followed by WinDefender followed by a security update.
If he can't run anything on her side, it is acting exactly like a rootkit. A scan with malwarebytes should show that.
BC-Axeman 09:47 AM 02-01-2011
If he can get in as Administrator and get to security updates and use control panel and run Malwarebytes it's not a very good rootkit. Rootkits replace the kernel and you are no longer even running Windows, you are running malware that runs Windows for you, meanwhile it can do whatever it wants with your computer. Keep track of your every keypress, decode encrypted transactions, read any file and hide some from you, turn on your webcam and microphones, anything.
I like Malwarebytes. I just happen to carry SAS around on a thumb drive with me.
wayner123 10:01 AM 02-01-2011
Originally Posted by BC-Axeman:
If he can get in as Administrator and get to security updates and use control panel and run Malwarebytes it's not a very good rootkit. Rootkits replace the kernel and you are no longer even running Windows, you are running malware that runs Windows for you, meanwhile it can do whatever it wants with your computer. Keep track of your every keypress, decode encrypted transactions, read any file and hide some from you, turn on your webcam and microphones, anything.
I like Malwarebytes. I just happen to carry SAS around on a thumb drive with me.
That was the old rootkits 1 and 2 that may have done that. Rootkits 3-5 (5 no one has confirmed yet) do not work this way.
jledou 10:33 AM 02-01-2011
One simple solution that has taken care of some (not all) of these, is a system restore to a date before this happened. In short some are worse than others, meaning some you have to catch before they load, some have to be taken care of in DOS, and some are a restore point away from being gone. Good luck.
RandJCigars 01:37 PM 02-01-2011
Download and install SpyBot Search and Destroy. It's free and it's very good. Make sure to boot into safe mode to run the scans... as some viruses, bots, and malware can stop a scanner from running properly.
357 01:43 PM 02-01-2011
It's known as "FakeAV". I have fought and beaten this exact issue. A freeware application called HitManPro will find and remove it. Install it while logged in under your profile, reboot into Safe Mode (hit F8 as it is booting up), and run a full system scan.

Many of the other common anti-malware/spyware apps will not work on this one. I have tried MalwareBytes, AVG, SpyBot, Symantec AV, McAfee AV, Trend Micro, and more. HitManPro is the only automated way. I have removed it manually by digging through the registry and tons of DLL files, but I doubt you want to venture into that.

Good luck.
Blueface 01:51 PM 02-01-2011
Erick, all fantastic advice given to you except the most important.

Here goes
:-)

Ready?
:-)

Get a Mac!!!:-)

Other than that, not much else I can offer.
wayner123 01:54 PM 02-01-2011
Originally Posted by 357:
It's known as "FakeAV". I have fought and beaten this exact issue. A freeware application called HitManPro will find and remove it. Install it while logged in under your profile, reboot into Safe Mode (hit F8 as it is booting up), and run a full system scan.

Many of the other common anti-malware/spyware apps will not work on this one. I have tried MalwareBytes, AVG, SpyBot, Symantec AV, McAfee AV, Trend Micro, and more. HitManPro is the only automated way. I have removed it manually by digging through the registry and tons of DLL files, but I doubt you want to venture into that.

Good luck.
Kaspersky is the leader in this field. I have removed trojans, malware, etc. multiple times from multiple machines with the tdsskiller. Malwarebytes will remove all the associated files from cookies and so on, and also let you know whether it's a rootkit or not. Then run tdsskiller and it "should" be gone. If that doesn't work, I have one more last option, but I am not going to list it till the OP tries the others first.

I don't mean to argue with you, and I am sure you have removed it through other programs (gmer is also a good one). I have a lot of experience with this malicious software and have read hours on hours of bleepingcomputer logs to feel confident in my advice.
wayner123 01:58 PM 02-01-2011
Originally Posted by Blueface:
Erick, all fantastic advice given to you except the most important.

Here goes
:-)

Ready?
:-)

Get a Mac!!!:-)

Other than that, not much else I can offer.
Unfortunately, Macs are not immune to rootkits.
357 07:24 AM 02-02-2011
Originally Posted by wayner123:
Kaspersky is the leader in this field. I have removed trojans, malware, etc. multiple times from multiple machines with the tdsskiller. Malwarebytes will remove all the associated files from cookies and so on, and also let you know whether it's a rootkit or not. Then run tdsskiller and it "should" be gone. If that doesn't work, I have one more last option, but I am not going to list it till the OP tries the others first.

I don't mean to argue with you, and I am sure you have removed it through other programs (gmer is also a good one). I have a lot of experience with this malicious software and have read hours on hours of bleepingcomputer logs to feel confident in my advice.
I too have extensive experience with this stuff in a work environment. I do use MalwareBytes quite a bit, but I've seen it detect and remove potions of FakeAV and leave other parts behind. Maybe the newer versions do a better job. Kaspersky very well may work. It is not one I've used so I can't comment on that either way. I know HitManPro will work and it's free. Either way I feel he has good advice from guys who've done this before, not just random "try this" suggestions from folks who are trying to help but don't have the background/experience.
MiamiE 07:51 AM 02-02-2011
I did the Malwarebytes and Comodo AV full scans. It detected the 4 viruses and deleted them, but my wife's IE still doesn't work. Says there's no connection to the proxy server. This may be due to Comodo creating a unique IP? She can open all her files again. Thanks for all your help guys! Much appreciated.
wayner123 08:02 AM 02-02-2011
Originally Posted by MiamiE:
I did the Malwarebytes and Comodo AV full scans. It detected the 4 viruses and deleted them, but my wife's IE still doesn't work. Says there's no connection to the proxy server. This may be due to Comodo creating a unique IP? She can open all her files again. Thanks for all your help guys! Much appreciated.
Did you run tdsskiller?
MiamiE 08:28 AM 02-02-2011
I am going to have to do that one later.
mosesbotbol 08:31 AM 02-02-2011
Copy her files such as documents, favorites, mail settings...

Delete her profile and create a new one until you find the AV software to dig deeper.
Bageland2000 08:33 AM 02-02-2011
Originally Posted by MiamiE:
I did the Malwarebytes and Comodo AV full scans. It detected the 4 viruses and deleted them, but my wife's IE still doesn't work. Says there's no connection to the proxy server. This may be due to Comodo creating a unique IP? She can open all her files again. Thanks for all your help guys! Much appreciated.
Are you trying to connect to a proxy server!? I doubt you are... A better question may be, how do you connect to the internet (modem, DSL, cable, etc.)?
MiamiE 08:49 AM 02-02-2011
I have DSL. When I loaded Comodo it asked if I wanted to create a different IP.
357 09:01 AM 02-02-2011
Originally Posted by MiamiE:
I have DSL. When I loaded Comodo it asked if I wanted to create a different IP.
In IE, click Tools, Internet Options, then click the Connections tab. Near the bottom click "LAN Settings" and uncheck the "Use Proxy" option. You'll have to close IE completely and re-open it. Some viruses (Virii) set up bogus proxies in IE to steal personal information. You can also get to these options in Control Panel under Internet Options.

For most DSL/cable providers it is not necessary to use a proxy. Sometimes their install CD points you to one, but that is only for their benefit. They sell the tracking info of where you go, what you browse, how often you make purchases, and where. They do not collect personal info, but I still don't like participating. Comcast amongst others does this with their proxies. This is why I don't install their CD. You don't need it to get online. Just an IP address, gateway, and a subnet mask. 99% of the time that is automatically provided by DHCP to the cable/DSL modem, so you're good.
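The LAN Settings walk-through above has a scriptable equivalent: the "Use a proxy server" checkbox, the address box and the automatic-configuration URL are stored as per-user values under the WinINET registry key. The following PowerShell is an added example, not code from the thread or from any of the tools mentioned in it. It audits those values so you can see at a glance whether something has pointed the browser at a proxy, and clears them when run with the `-Fix` switch (that switch is this script's own parameter, not a Windows option). The registry path and the value names `ProxyEnable`, `ProxyServer`, `AutoConfigURL` and `ProxyOverride` are the standard ones Windows uses for Internet Options.

```powershell
# Added example: audit (and optionally clear) the per-user IE / WinINET proxy
# settings that the "LAN Settings" dialog edits. Run as the affected user,
# since the values live under HKEY_CURRENT_USER.
param(
    [switch]$Fix   # script's own switch: clear the proxy values after reporting them
)

# Standard Windows location for the current user's Internet Options proxy values.
$ProxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyAudit {
    param([string]$Path = $ProxyKey)

    # Get-ItemProperty returns an object whose properties are the registry values;
    # values that do not exist simply come back as $null.
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    $findings = @()
    if ($p.ProxyEnable -eq 1) {
        # "Use a proxy server for your LAN" is ticked; all browser traffic goes through ProxyServer.
        $findings += "ProxyEnable=1, traffic routed via ProxyServer='$($p.ProxyServer)'"
    }
    if ($p.AutoConfigURL) {
        # A PAC script URL lets whoever controls that script choose the proxy per request,
        # so it deserves the same scrutiny as an explicit proxy address.
        $findings += "AutoConfigURL set to '$($p.AutoConfigURL)'"
    }

    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        ProxyOverride = $p.ProxyOverride
        Suspicious    = ($findings.Count -gt 0)
        Findings      = $findings
    }
}

function Clear-ProxySettings {
    param([string]$Path = $ProxyKey)

    # Equivalent of unticking "Use a proxy server" and "Use automatic configuration script".
    Set-ItemProperty -Path $Path -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $Path -Name ProxyServer, AutoConfigURL -ErrorAction SilentlyContinue
}

$audit = Get-ProxyAudit
$audit | Format-List

if ($audit.Suspicious) {
    Write-Host "Proxy configuration is present for this user."
    Write-Host "Check it against what your ISP actually requires (most DSL/cable connections need none)."
    if ($Fix) {
        Clear-ProxySettings
        Write-Host "Proxy values cleared. Close every IE window and reopen it for the change to take effect."
    }
} else {
    Write-Host "No proxy or auto-configuration script is set for this user."
}
```

Run it once before and once after a reboot. If the values are clean when the script finishes but are back after a restart (which is what MiamiE reports later in the thread), the proxy is being re-applied by something that starts with the system, and the cleanup has to find that component rather than the setting it keeps writing.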
MiamiE 07:39 PM 02-02-2011
Originally Posted by wayner123:
Did you run tdsskiller?
Just ran this and it found no threats. My wife's IE has reverted back to F'd up after a restart... :-)
MiamiE 08:07 PM 02-02-2011
Found the bastard with Hitman Pro 3.5.8

3 Trojans, 1 Malware, 1 Rootkit, and 3 Tracking Cookies. Question is, what do I do now? Delete, quarantine, or ignore?
wayner123 08:25 PM 02-02-2011
I am not familiar with hitmanpro, but if it found something that tdsskiller did not, I would be wary.

Quarantine it and see what happens.

You can always go with my last option which is combofix.exe but let me know before you choose to do this step.

I also forgot to mention that you MUST run and save the tdsskiller.exe on your desktop. Or it won't work properly. Here is the basic use for it: http://www.bleepingcomputer.com/forums/topic377240.html