# Antimalware Doctor (virus)



## Yon o shon

Mk, so I've googled it and followed the steps to manually delete it. Except I couldn't find antimalwaredoctor.exe or enemies-names.txt. I ran Spybot Search and Destroy and it finds and deletes it, but it comes right back when I restart my comp. I've ended all weird processes. It auto-cancels my downloads, and deletes them when they're done if I do get it downloaded. I've deleted all the registry entries that I could find related to it. It also disables my system restore through the registry. I don't have HijackThis and can't download it because of the virus.
I am lost and do not know what to do. Any help would be great.


----------



## Nestle

Download http://z-oleg.com/avz4.zip or the alternative link (if the first does not open): http://rapidshare.com/files/409318809/avz.zip

Unzip AVZ Antiviral Toolkit to a separate folder. 
Run AVZ. 

Choose from the menu "*File*" => "*Standard scripts*" and mark the "*Advanced System Analysis*" check box. Click on the "*Execute selected scripts*" button. 
A system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as *virusinfo_syscheck.zip*.
Send *virusinfo_syscheck.zip* through a file hoster.


----------



## Yon o shon

The zip downloaded without a hitch, I'll post as soon as I run it.

ty


----------



## Yon o shon

Wait, what do you mean by send through a file hoster?
Do you want me to just upload it to, like, Rapidshare or something?
And why did Spybot flag this program as malicious malware?


----------



## Nestle

False detection.

Upload the archive and send the link (so that I can download the archive).


----------



## Yon o shon

http://rapidshare.com/files/409345020/virusinfo_syscheck.zip


----------



## Nestle

*Close/unload* *Spybot*.

Start AVZ with administrator rights.

Run AVZ, go to File - Custom scripts. In the text field of the opened window right-click and choose Paste.



```
begin
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','jgyo0w');
  DeleteFile('C:\Users\ADMINI~1\AppData\Local\Temp\19aqp.exe');
  DeleteFile('C:\Users\ADMINI~1\AppData\Local\Temp\msgciutr.dll');
  RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','tghlig');
  DeleteFile('C:\Users\ADMINI~1\AppData\Local\Temp\ounq1.exe');
  DeleteFile('C:\Users\ADMINI~1\AppData\Local\Temp\y2p0n.dll');
  RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','uiha98uiohf873yuiadnhgjesgregas');
  RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','mcexecwin');
  DeleteFile('C:\Users\Administrator\AppData\Local\Chnfyic.dll');
  RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Jxijowuka');
  DeleteFile('C:\Windows\system32\szetyj67v.exe');
  DeleteFile('C:\Windows\system32\szetyj67vx.exe');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','szetyj67v');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','szetyj67vx');
  DeleteFile('C:\Windows\SysWow64\k5bpo.dll');
  DelBHO('{C2BA40A2-75F1-51BD-F413-04B15A2C8950}');
  ExecuteSysClean;
  ExecuteRepair(6);
  ExecuteRepair(13);
  RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun', 221);
  RebootWindows(true);
end.
```


Click the Execute script button.


After reboot: run Standard scripts №2 (Advanced System Analysis) again and send the new *virusinfo_syscheck.zip*.


----------



## Yon o shon

http://rapidshare.com/files/409352063/virusinfo_syscheck.zip

I accidentally deleted the original log so I restarted from step one.
This is the log after running AVZ as administrator and running the standard script, then your script.


----------



## Yon o shon

And I closed Spybot.


----------



## Nestle

Execute script 



```
begin
  DeleteFile('C:\Windows\system32\drivers\etc\hosts');
  RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','releaseversion70700.exe');
  DeleteFile('C:\Users\Administrator\AppData\Roaming\B47DBF12D24EC12EDADDAFE2D5BB8B99\releaseversion70700.exe');
  ExecuteSysClean;
  ExecuteRepair(13);
  ExecuteWizard('TSW', 2, 2, true);
  RebootWindows(true);
end.
```


After reboot: run Standard scripts №2 (Advanced System Analysis) again and send the new virusinfo_syscheck.zip.


----------



## Yon o shon

http://rapidshare.com/files/409355798/virusinfo_syscheck.zip

Good news, the virus didn't start up when I rebooted.


----------



## Yon o shon

Are we finished? Shall I shower you with praise now? Or are you still working out another script?


----------



## Nestle

Execute script (Start AVZ with administrator rights)



```
begin
  DeleteFile('C:\Users\Administrator\AppData\Roaming\B47DBF12D24EC12EDADDAFE2D5BB8B99\releaseversion70700.exe');
  RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','releaseversion70700.exe');
  ExecuteSysClean;
  RebootWindows(true);
end.
```


After reboot: run Standard scripts №2 (Advanced System Analysis) again and send the new virusinfo_syscheck.zip.

Also http://www.computerforum.com/131398-important-please-read-before-posting.html


----------



## Yon o shon

I tried to download both of those programs before I came to this forum. I just tried them again but for some reason they just magically disappear after I download them. I tried all the links on that post btw. Maybe it's Firefox? Never had the problem before though. Posting the Rapidshare link soon.


----------



## Yon o shon

Btw I think your solution only worked because it was a zip. I can save images and zips but .exe and stuff like that are a no-go.


----------



## Yon o shon

http://rapidshare.com/files/409360793/virusinfo_syscheck.zip

Here you go.


----------



## Nestle

*Start with administrator rights*

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file here : 
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.


In your next reply please post: The ComboFix log


----------



## Yon o shon

Ok, this is what happens. I click to download and hit Save File. Firefox's download window pops up and the download appears at the top of the list, and under it it says cancelled. I did not cancel it; it is cancelled by itself. I hit restart and the download goes by fine. As soon as it's done I try to open it and it won't let me. I look in my download folder and it's not even there.

Oh, I forgot. Right after I got the virus, my web browser's proxy settings were messed up (I don't even use a proxy) so I turned it off and Firefox is working fine. I just tried using Google Chrome and it won't work.


----------



## Nestle

http://rapidshare.com/files/409364594/Com-bo-Fix.exe


----------



## Yon o shon

I disabled the proxy in Google Chrome and now it works.

I don't know how all of my internet settings got messed up on both browsers.

Going through Rapidshare didn't help.


----------



## Nestle

What if you use Internet Explorer?


----------



## Yon o shon

I don't have Internet Explorer.

I tried downloading it with Google Chrome. It downloaded fine and I found it in my download folder. However, when I try to run it, it says "Windows cannot access the device, path, or file. You may not have appropriate permission to access the item." even when I run as administrator.


----------



## Nestle

Execute script 


```
begin
  ExecuteRepair(14);
  RebootWindows(true);
end.
```


After reboot, check the web browsers.


----------



## Yon o shon

No change. I'm gonna try to reinstall one of my browsers and see if that works.

Didn't work either, and I tried running the exe and the browser as administrator.


----------



## Nestle

You can't download, or can't start what you downloaded?


----------



## Yon o shon

I can't download through Firefox, but I can through Google Chrome. However, I cannot run them even though I'm an administrator and I run as administrator; all I get is "Windows cannot access the device, path, or file. You may not have appropriate permission to access the item." even when I run as administrator.


----------



## Nestle

Is *UAC* turned off?


----------



## Yon o shon

idk what that is

Just checked, it's off.

Well, I'm out of ideas, and dead tired. THANK YOU SO MUCH FOR YOUR HELP!! I'm in a much better position now than I was before. Take care, thanks one more time, and goodnight. It's 5:30 AM here.


----------



## Nestle

Oh, goodnight.


----------



## RobbieFubar

External hard drive your info.
Complete reinstall! Works like a charm.

Oh, and make sure you have the appropriate drivers to install after.


----------



## johnb35

Yon o shon,

Please perform the following procedure and post the requested logs.

Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*
 
then click *Finish*.
If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically, which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware.


Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.


----------



## johnb35

Nestle,

Please do not give scripts for users to run, as you are a new user and we don't know who you are. You could be harming their system and they wouldn't even know it. Unless you are a VIP, moderator or administrator here at the forum, no scripts are allowed to be given to users.

If you can provide credentials for your expertise in malware removal then I will look into it.


----------



## Nestle

*johnb35*

Well.
I'll not give scripts.

Though my experience would suffice for this purpose.


----------



## Yon o shon

His scripts helped me a lot, but thanks for looking out for me.
johnb35, I cannot download .exe for some reason. I tried downloading that program numerous times. For some reason it just will not work and that is what I am trying to fix. Maybe if you put the .exe in a zip I could download it, because for some reason my computer doesn't have a problem with it.


----------



## Yon o shon

I just ran Spybot and it's still finding Antimalware Doctor registry keys and a PWS.LDPinchIE registry value. I've deleted both of these many times through Spybot =\


----------



## Yon o shon

Good news! I found a zip containing MBAM and it downloaded just fine! I'm installing now =D


----------



## johnb35

So you can download it but can't run it? Or you can't download it at all?

Download *rkill.scr* and run it, but do not reboot your system, and then try running ComboFix. If it still doesn't work, try downloading ComboFix again, but this time, as you're saving it, rename the file to combo-fix, not combofix.


----------



## Yon o shon

I'm scanning with MBAM right now with administrator rights.
I am still confused on how I can download zips and save images but .exe and .sci and stuff get blocked before they start downloading. Anyone got an explanation?


----------



## Yon o shon

Yes, I downloaded MBAM just fine, but only because it was in a zip. It just finished; I'll post the MBAM log in a sec. I've tried the rkill.scr and all the other ones in the "important read this first" sticky. I can ONLY download ZIPS and images. Don't know why.


----------



## johnb35

If you are having issues with exe's, then try downloading and running exeHelper.

http://www.raktor.net/exeHelper/exeHelper.scr

Run it and wait a bit, and you'll see a screen pop up when it's complete.

This program sets all file associations back to default for exe's and fixes other issues if they are there.

When done, try downloading an exe file again and running it.

Since you can't run .scr either, try this version of exeHelper.

http://www.raktor.net/exeHelper/exeHelper.com


----------



## Yon o shon

Here's the log from MBAM.
Restarting comp because MBAM asked me to. brb

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4359

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

7/27/2010 2:28:47 PM
mbam-log-2010-07-27 (14-28-47).txt

Scan type: Quick scan
Objects scanned: 132275
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Trojan.Ertfor) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Trojan.Ertfor) -> No action taken.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> No action taken.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.
HKEY_CURRENT_USER\Software\Street-Ads (Adware.Adrotator) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\edhep.dll (Adware.BHO) -> No action taken.
C:\Windows\System32\updata.exe (Trojan.Refpron) -> No action taken.
C:\ProgramData\Update\seupd.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\comsats.sys (Trojan.Agent) -> No action taken.
C:\Windows\System32\service.sys (Rootkit.Agent) -> No action taken.


----------



## Yon o shon

Sorry, .scr doesn't work either. I tried it earlier and tried it again just now and it still won't let me download it.

Restarting comp and I'll try to download these files again.


----------



## johnb35

Please do not upload your files to rapidshare, you can just copy and paste them here in your reply. I edited your post by copying and pasting the log into it.

When you ran malwarebytes did you click on the button that said remove selected?


EDIT: Have you tried booting into safe mode with networking and running the exe files? I really need to see a ComboFix log.


----------



## Yon o shon

edit*
Mk, I restarted my comp and I still can't download .exe, .scr, .msi, .com.
I'm running MBAM again to see if it comes up with anything. I'll post the log after the scan.
And yes, I did Remove Selected. All 18 removed correctly, or so it said.


----------



## Yon o shon

Maybe I didn't, because the log says no action was taken on all the files. I could have sworn I did though.


----------



## Yon o shon

The scan is finished and 0 infected files were found. I'm trying a full scan now. However, I still can't download those files.


----------



## johnb35

Try this file and run it.

http://www.raktor.net/exeHelper/exeHelper.com

If that doesn't work, reboot the computer into safe mode with networking. Do that by pressing the F8 key right after the POST screen and then select Safe Mode with Networking.

Try downloading those files again after you are in safe mode.


----------



## Yon o shon

If you can put ComboFix in a .zip it WILL work. I almost guarantee it.


----------



## Yon o shon

I didn't boot in safe mode, but I found a zip, downloaded it and am running ComboFix now.


----------



## Yon o shon

The ComboFix was out of date so I'm gonna look for another one. HijackThis was in the zip though; I ran it and here is the log.


Logfile of HijackThis v1.97.7
Scan saved at 14:56, on 2010-07-27
Platform: Unknown Windows (WinNT 6.00.1906 SP2)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Administrator\Documents\i-hate-keyloggers.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Administrator\Music\ComboFix\HijackThis1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files (x86)\Softonic-Eng7\tbSoft.dll
O3 - Toolbar: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files (x86)\Softonic-Eng7\tbSoft.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [I-Hate-Keyloggers] C:\Users\Administrator\Documents\i-hate-keyloggers.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files (x86)\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote (HKLM)
O9 - Extra 'Tools' menuitem: S&end to OneNote (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration (HKLM)
O9 - Extra button: PokerStars.net (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:


----------



## johnb35

Just in case you don't have the latest version of combofix or you downloaded the wrong thing here is the link to the zipped file.

http://rapidshare.com/files/409473329/ComboFix.zip

Never mind, you can't run combofix because you have a 64 bit OS.


----------



## johnb35

You have an old version of hijackthis, please use this version and post a new log.

http://rapidshare.com/files/409473986/HiJackThis.zip


----------



## Yon o shon

I think I got ComboFix to work (not from your zip), but it was too many characters to post, even if I broke it in half. So here's a Rapidshare link.
http://rapidshare.com/files/409474192/combofix.txt

I'll try the new HijackThis.


----------



## johnb35

Yon o shon said:


> I think I got ComboFix to work (not from your zip), but it was too many characters to post, even if I broke it in half. So here's a Rapidshare link.
> http://rapidshare.com/files/409474192/combofix.txt
> 
> I'll try the new HijackThis.



You can't run ComboFix because you have a 64-bit operating system. What you downloaded was someone else's logfile back from 2008.


----------



## Yon o shon

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:08:13 PM, on 7/27/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Administrator\Documents\i-hate-keyloggers.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files (x86)\Softonic-Eng7\tbSoft.dll
O3 - Toolbar: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files (x86)\Softonic-Eng7\tbSoft.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [I-Hate-Keyloggers] C:\Users\Administrator\Documents\i-hate-keyloggers.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files (x86)\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files (x86)\PokerStars.NET\PokerStarsUpdate.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs:  C:\Windows\SysWOW64\guard32.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files (x86)\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7979 bytes

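As an added example (not code from this thread, from HijackThis or from AVZ), here is a small Python triage pass over constructed log lines modelled on the entries posted above: it flags a ProxyServer value pointing at the local machine (the `127.0.0.1:5643` pattern seen in both logs), Run entries launched from user-writable Temp folders (the paths the AVZ scripts removed), Winsock LSP DLLs outside the Windows directory, and any non-empty AppInit_DLLs entry. The sample lines and the reason codes are constructed for this example; a flag means "review", not "malicious".

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis log format, modelled on lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [tghlig] C:\Users\ADMINI~1\AppData\Local\Temp\ounq1.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\bonjour\mdnsnsp.dll
O20 - AppInit_DLLs:  C:\Windows\SysWOW64\guard32.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
"""

Finding = Tuple[str, str]  # (reason code, offending log line)

# "O4 - payload": section prefix, dash, rest of the entry.
ENTRY = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# Proxy value that routes browser traffic through a process on the local machine.
LOOPBACK = re.compile(r"(?:^|=)(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)
# Autostart targets living in locations any user process can write to.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp|ProgramData)\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
# Path of the executable after the "[Name]" part of an O4 entry, quoted or not.
RUN_TARGET = re.compile(r"\]\s*\"?([^\"]+?\.(?:exe|dll|scr|com|bat))", re.IGNORECASE)


def check_entry(section: str, payload: str) -> Optional[str]:
    """Return a reason code if the entry matches a suspicious pattern, else None."""
    if section == "R1" and "ProxyServer" in payload and " = " in payload:
        value = payload.split(" = ", 1)[1].strip()
        if LOOPBACK.search(value):
            return "proxy_loopback"
    elif section == "O4":
        m = RUN_TARGET.search(payload)
        if m and USER_WRITABLE.search(m.group(1)):
            return "run_from_user_writable"
    elif section == "O10":
        dll = payload.split("Winsock LSP:", 1)[-1].strip()
        if not WINDOWS_DIR.match(dll):
            return "lsp_outside_windows"
    elif section == "O20":
        dlls = payload.split("AppInit_DLLs:", 1)[-1].strip()
        if dlls:
            return "appinit_dll"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis-style log and collect (reason, line) pairs worth reviewing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, blank or "End of file" lines
        reason = check_entry(m.group(1), m.group(2))
        if reason:
            findings.append((reason, line))
    return findings


def count_by_reason(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings as {reason code: number of lines}."""
    return dict(Counter(reason for reason, _ in findings))


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```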

----------



## Yon o shon

Oops, well here is the new HijackThis log.


----------



## Yon o shon

MBAM found two more infected files on a full scan. I'll post whenever it's done.

Been running for 30 mins.


----------



## johnb35

Ok, one more program and then you'll have to resort to backing up your data and reinstalling the operating system or you'll have to take it in to a computer repair shop and see if they can fix the issue.

http://rapidshare.com/files/409476730/SUPERAntiSpyware.zip

Make sure, after installing it, that you click on Update before running it.

I do have a stupid question though: are there any options in your internet security software that stop you from downloading any exe files? Can you boot to safe mode with networking and try downloading exe files? Or disable your internet security software and try? I actually think it's your security software.


----------



## Yon o shon

Ok, when I first got the Antimalware Doctor virus, it did change my proxy settings and wouldn't even let me connect to the internet. But I turned off the proxy (since I don't use one) and it worked fine. I've tried reinstalling a new fresh browser and it didn't change anything. But I'll look through the settings and see if there's something there and, worse comes to worst, boot in safe mode and give it a try.


----------



## Yon o shon

... crap, I think you were right. I opened IE (haven't used it in a year or so) and tried to download an .exe and it said my current security settings don't allow me to download it.


----------



## Yon o shon

I looked through my security options and couldn't find anything to change. Where should I look?


----------



## johnb35

Well, it could be your firewall. Are you using Comodo?

However, open Internet Explorer, click on the Tools menu, click on Internet Options, click on the Security tab, and click on Reset all zones to default level. Then click on the Advanced tab and click on the Reset button under where it says Reset Internet Explorer settings.


----------



## Yon o shon

no i dont use comodo. but good news, it works now. i just tried two files. imma try a third but i think everything is back to normal

edit: everything is working great!

i should have thought about this earlier when i saw my proxy settings were messed up.


----------



## Yon o shon

i cannot thank you enough. this problem has got me pullin my hair for a couple hours now. THANK YOU again. if there was a customer service survey i'd give u a ten


----------



## johnb35

You say you don't use comodo but I see references to it in your hijackthis log.   Please provide me with an uninstall list using hijackthis.

Open hijackthis, click on open misc tools section, click on open uninstall manager, click on save list and save it, then copy and paste it back here.

You might have to click on the main menu button first depending on how it opens.


----------



## Yon o shon

Acrobat.com
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Video Encoder
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files CS4
Adobe Reader 9
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
AdobeColorCommonSetCMYK
AIM 7
Apple Application Support
Apple Software Update
ASIO4ALL
Audacity 1.2.6
Catalyst Control Center - Branding
CCleaner (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DKP Profiler
DKP Profiler (C:\Program Files (x86)\DKP Profiler Uploader\)
Download Updater (AOL LLC)
FL Studio 9
FLV Player 2.0 (build 25)
Hardcore
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IL Download Manager
Java(TM) 6 Update 12
LimeWire 5.5.10
Malwarebytes' Anti-Malware
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Essentials
OpenAL
PDF Settings CS4
PFPortChecker 1.0.31
Photo****et
PoiZone
PunkBuster Services
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
Sakura
Sawer
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Softonic-Eng7 Toolbar
Spybot - Search & Destroy
Starcraft
Steam
System Requirements Lab
System Requirements Lab
The Witcher Enhanced Edition
The Witcher Enhanced Edition
Toxic Biohazard
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb2202131)
Uplink (remove only)
Ventrilo Client
Viewpoint Media Player
VLC media player 1.1.0
Windows 7 Upgrade Advisor
Windows Media Player Firefox Plugin
WinRAR archiver
World of Warcraft


----------



## Yon o shon

i did a search on my computer and i found a comodo firewall torrent. not the actual file just the .tor to start the download in utorrent. i dont remember downloading it though but im pretty sure it's not installed on my comp


----------



## johnb35

Please uninstall the following programs by going into the control panel and then into programs and features.

Java(TM) 6 Update 12
Viewpoint Media Player

Then go here to download the latest version of java.

http://www.java.com/en/download/index.jsp

I also see that you have ccleaner installed, have you run it lately?  If not, I would suggest that you do.  Set the options to what is checked in the attached image and then click on run cleaner.

Also click on registry on the left and then click on scan for issues and then click on fix selected issues after it's done scanning.  Keep doing this until there are no more issues.  This should fix the bad comodo entries in your hijackthis log.


I'm glad everything is working right finally.


----------



## Yon o shon

done done and done
anything else?


----------



## johnb35

Not that I can think of.  Except you can now start enjoying your computer again.


----------



## Yon o shon

awesome.
thank you so much
people like u make the world go round


----------

