Antimalware Doctor

Good morning,
A friend's computer was infected with Antimalware Doctor and I'm trying to help him from my computer. It has taken over his completely not allowing anything to be done except in Safe Mode. It is eMachine with Windows 7, Norton AV which has expired, no other AV or anything that I can find.

First off, I tried to end the process in Task Manager...in Normal Mode it wouldn't let me even open TM, in SafeMode it wasn't there. So I copied over RKill and Malwarebytes Anti-Malware and ran both from safe mode. RKill found nothing and MbAM fixed 126 problems but when restarted, it was still infected. I ran MbAM again, fixed another 3 problems, it is even worse.

I read the "read-me first" thread and d/l the latest updates of Java JRE, JavaRA, Adobe Reader but they won't run in Safe Mode or Normal Mode. I did uninstall Ask.com toolbar and LimeWire in Safe Mode but they are still appearing in Normal Mode and are being blocked from uninstalling. Windows Updates are failing to install.

I am stuck. Can you help? Please and thank you in advance.
saforaRM

Hi Safora,

Welcome to GeekPolice!

Does your friend want to pay for another license for Norton or shall I put forth some free recommendations for an anti-virus?

Please post the Malwarebyes logs for review and we will go from there

Good morning Crush,
Thank you for getting back to me so quickly.
I have already smacked him for having Norton to begin with and suggested either Avast (which I use) or AVG (which I have used in the past). But by all means, please suggest alternatives. I'm always open to learning new stuff too.
Following are the 2 MbAM logs:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5214

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

05/12/2010 9:08:46 PM
mbam-log-2010-12-05 (21-08-46).txt

Scan type: Full scan (C:\|)
Objects scanned: 248227
Time elapsed: 23 minute(s), 48 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 103
Registry Values Infected: 13
Registry Data Items Infected: 0
Folders Infected: 20
Files Infected: 60

Memory Processes Infected:
c:\Users\green\AppData\Roaming\ead2eb63ec1f09d002539143670f9be3\upd_debug.exe (Trojan.FakeAlert) -> 324 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7025E484-D4B0-441a-9F0B-69063BD679CE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8258B35C-05B8-4c0e-9525-9BCCC70F8F2D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{A89256AD-EC17-4a83-BEF5-4B8BC4F39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{09325003-167C-483d-A4BA-8B3122ABB432} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{F1A1892C-2A6C-4817-98B4-FF81443CBA20} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{E25DA6D6-C365-46CF-ABAF-DC5893135D7A} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.HbGuru.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.HbGuru (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1602F07D-8BF3-4c08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{C55CA95C-324B-451C-B2D2-6E895AA75FEC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.Info.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.Info (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2721A8E5-BFDB-4562-9912-9E0531CA616C} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{5FE0CEAE-CB69-40AF-A323-40F94257DACB} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{65A16874-2ED0-460E-A547-5FE2EC3A13A7} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.MozillaPSExecuter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.MozillaPSExecuter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{396CFC12-932D-496b-A0A8-5D7201E105E1} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{573F4ABB-A1A2-44ED-9BA9-A8DAD40AAC46} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{71E02280-5212-45C3-B174-4D5A35DA254F} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.MozillaNvgtnTrpr.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.MozillaNvgtnTrpr (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{60DA826C-B1C6-4358-BDEC-4837CED45470} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.KOPFF.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.KOPFF (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6DD76B7B-6423-4df0-9A07-84A6CAD973A0} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Dwnldr.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Dwnldr (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{74C22317-5B90-471f-9AD2-FEC049870A16} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Scopes.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Scopes (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7F6CFB6A-9227-4bb8-B941-F2B067E76F51} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.TriggerImmidiateOrRandomTS.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.TriggerImmidiateOrRandomTS (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{AB0EE208-DF60-4fa7-A617-C4269760033E} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Reporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Reporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{C1089F63-7AFC-4538-B0EB-BEA0F4225A57} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Stock.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Stock (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{CC7BD6F1-565C-47ce-A5BB-9C935E77B59D} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{02AED140-2B62-4B49-8B3B-179020CC39B9} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17BF1E05-C0E8-413C-BD1F-A481EEA3B8E9} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.CntntDic.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.CntntDic (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{CFC16189-8A92-4a29-A940-60248385F426} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.CntntDisp.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.CntntDisp (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{DEE758B4-C3FB-4a5b-9939-848B9C77A2FB} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{E12AEAB6-7D12-4c07-8E36-5892EFB4DAFB} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.TriggerImmidiate.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.TriggerImmidiate (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{E2F2C137-A782-4fb5-81AF-086156F5EB0A} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.AsyncReporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.AsyncReporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{F1D06C9F-51F0-4476-BEDE-5DDF91BE304E} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.ReportData.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.ReportData (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{F3A32DF2-7413-4fb1-B575-1AC920A17B76} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.TriggerOnceInDay.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.TriggerOnceInDay (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ACC62306-9A63-4864-BD2F-C8825D2D7EA6} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{21BA420E-161C-413A-B21E-4E42AE1F4226} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100EB1FD-D03E-47FD-81F3-EE91287F9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7CDDCDC-BEEB-4685-A062-978F5E07CEEE} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{89F88394-3828-4d03-A0CF-8203604C3DA6} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D4233F04-1789-483c-A137-731E8F113DD5} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperReportsSA (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.HbAx (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.HbAx.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.HbInfoBand (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.HbInfoBand.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.IEButton (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.IEButton.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.IEButtonA (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.IEButtonA.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.RprtCtrl (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.RprtCtrl.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BRNstIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CmndFF.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\mozillaps.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Pltfrm.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShopperReports3 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShopperReports3 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClickPotatoLiteSA (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*upd_debug.exe (Trojan.FakeAlert) -> Value: *upd_debug.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wmibeweri (Trojan.Hiloti) -> Value: Wmibeweri -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boxtechsetup700.exe (Trojan.FakeAlert) -> Value: boxtechsetup700.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetLog2 (Trojan.Sisproc.Gen) -> Value: NetLog2 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvmchfngpta (Password.Stealer) -> Value: Lvmchfngpta -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqva (Trojan.Agent) -> Value: Mqva -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Value: WINID -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uPc+nqlZkfgsfbCxl (Trojan.Downloader.Gen) -> Value: uPc+nqlZkfgsfbCxl -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqqZ (Trojan.Downloader) -> Value: MqqZ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\ShopperReports 3.0.470.0 (Adware.HotBar) -> Value: ShopperReports 3.0.470.0 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\SRS_IT_E8790272B2765D5233A995 (Malware.Trace) -> Value: SRS_IT_E8790272B2765D5233A995 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ShopperReports@ShopperReports.com (ShopperReports) -> Value: ShopperReports@ShopperReports.com -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Value: ClickPotatoLite@ClickPotatoLite.com -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Roaming\clickpotatolite (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Roaming\shopperreports3 (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.511.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.511.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.511.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.511.0\firefox\extensions\plugins (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3 (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0 (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox\firefoxtoolbar (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox\firefoxtoolbar\extensions (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox\firefoxtoolbar\extensions\chrome (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox\firefoxtoolbar\extensions\components (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Roaming\microsoft\Windows\start menu\Programs\antimalware doctor (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\clickpotato (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\shopperreports (Adware.ShopperReports) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\green\AppData\Roaming\ead2eb63ec1f09d002539143670f9be3\upd_debug.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\mftynec.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Roaming\ead2eb63ec1f09d002539143670f9be3\boxtechsetup700.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\svc2.exe (Trojan.Sisproc.Gen) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\Pltfrm.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.511.0\clickpotatolitesaax.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\mozillaps.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\CmndFF.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\cntntcntr.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\BRNstIE.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.511.0\firefox\extensions\plugins\npclntax_clickpotatolitesa.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\shopperreports.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\shopperreportsuninstaller.exe (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\H79HW4G8\inst[1].exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\2sbqz9w8.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\ar2xm9bp.exe (Trojan.Sisproc.Gen) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\axwsncreom.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\elev.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\iexplorer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\jl5n037.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\ukn5xvr3.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\wxoeamrcsn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\yrusxbfc.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\nsfCC87.tmp\Install.dll (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\nsfCC87.tmp\Setup.dll (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\nslC8E1.tmp\Install.dll (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\nslC8E1.tmp\Setup.dll (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\nsxBB91.tmp\Install.dll (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\nsxBB91.tmp\Setup.dll (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Roaming\microsoft\internet explorer\quick launch\antimalware doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Roaming\microsoft\Windows\start menu\antimalware doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
c:\Users\Public\documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Public\documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Local\Temp\wcsq7n.dll (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\cmd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesa.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesaabout.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesaau.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesaeula.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesa_hpk.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesa_kyf.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.511.0\firefox\extensions\chrome.manifest (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.511.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\link.ico (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox\firefoxtoolbar\extensions\chrome.manifest (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox\firefoxtoolbar\extensions\install.rdf (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox\firefoxtoolbar\extensions\chrome\firefoxtoolbar.jar (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files (x86)\shopperreports3\bin\3.0.470.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.xpt (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Roaming\microsoft\Windows\start menu\Programs\antimalware doctor\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\Users\green\AppData\Roaming\microsoft\Windows\start menu\Programs\antimalware doctor\uninstall.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\About Us.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\clickpotato customer support.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\clickpotato uninstall instructions.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\shopperreports\About Us.lnk (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\shopperreports\customer support.lnk (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\shopperreports\shopperreports uninstall instructions.lnk (Adware.ShopperReports) -> Quarantined and deleted successfully.

And the second:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5214

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

05/12/2010 9:50:34 PM
mbam-log-2010-12-05 (21-50-34).txt

Scan type: Full scan (C:\|)
Objects scanned: 248467
Time elapsed: 23 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*respackparse.exe (Trojan.FakeAlert) -> Value: *respackparse.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Value: WINID -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\green\AppData\Roaming\respackparse.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Hi,

I have already smacked him for having Norton to begin with and suggested either Avast (which I use) or AVG (which I have used in the past). But by all means, please suggest alternatives. I'm always open to learning new stuff too.

Avast is what I use as well. I too was a long time fan of AVG until recently

You have a pretty nasty infection that's been removed.

They allow outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:

• The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  
• The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a keylogger, the worst kind.
  

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

• Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  
• Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  
• If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
  Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  
• From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  
• DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  
• Take any other steps you think appropriate for an attempted identity theft.
  

While you are deciding whether to ReFormat and Re-Install, a useful link is here: When should I re-format? How should I reinstall? Security - dslreports.com

Please let me know what you decide.

Good morning Crush,
Thank you for all the information and your help on this. I explained the situation and he has decided to go ahead with the re-format. Actually, "I" will be doing it...lol.

He has no books, no key codes, nothing for his computer. And I have not done a re-format since there were recovery disks.
Is there a way I can get all this information from his computer?

Also, we are on Wifi in this house with 3 laptops on the same network, which is unsecured. The other 2 have Avast so that may help. Is there anything I can do to prevent the network from being infected until we can get this sorted out?

In the meantime, I will go in and back up his personal info: address books, documents and settings and stuff. His movies and music he will have to go and retrieve again because they were the likely source of this infection. I've also asked him to call his bank, etc, and let them know what's going on.

I'd like to get him back up and running, he's a good kid. Will you help me? GeekPolice is such an awesome site, I've lurked here for a long time before joining. Once this is done, I'm thinking of checking out your Academy.....

Thank you again.

post deleted cuz it was stupid

Last edited by saforaRM on 8th December 2010, 3:22 am; edited 2 times in total

Update:
Found his Recovery Management program and made recovery backup discs and driver/app disc.
Computer disconnected from Internet completely.
What is next to do a re-format/re-install?

Thank you again for all your help.

Bump.

Hi,

Sorry for the delay. Must have missed this notification.

What is next to do a re-format/re-install?

Pop in the OS disc you made and let the setup run. It's fairly automated from there. If you have any issues feel free to post back

S'ok, I know you guys are busy. Thanks for all your help.

I got it all figured out and it's working fine now. Thanks again.

Glad it all worked out for you