gerbil 216 Industrious Poster

Use LKGC [last known good config], you get that option by using F8 at startup, AFTER the IDE/drive detection window comes up in BIOS.
The problem appears to be a password/logon hash corruption originating from I don't know what, but poss connected with the last M$ updates. The malicious sware rem tool? I don't know.

gerbil 216 Industrious Poster

"just pulled the plug and wiped the hard drive"
Drastic, but it would work. But first you fight, esp if there is data, a configuration hard built worth saving.

gerbil 216 Industrious Poster

Well, you could help, because the final arbiter on this matter is M$, and they will make their authority known when validation is sought. M$ do allow upgrading, parts replacement, and if a machine is more than a year old it can be major surgery. Don't they track the MAC.addy? Which is very likely tied to the e-machine by a block of codes, and so M$ would know a different NIC was in place, not an emachine, and so express their judgement on that? I dunno, I'm just wondering.. and I don't know the finer points of the software licences.
All I know about those two files is that they should be in i386 for the OEM Setup's purposes. But I don't know how to help.

gerbil 216 Industrious Poster

Do you have another hard drive, or space for a new partition on the old drive? Temporarily install a new copy of windows into it, no need to activate it.... and see if that can access those files. This is safer than slaving the drive in case it is infected.
You could also use the Recovery Console from your XP installation disk to see if you can copy them, but if the files are in My Documents or on another drive [ie, not the OS or bootdrive] then you need to do a couple of things to allow the RC to access them [it has limitations which need to be bypassed]:
Save this as a .reg file on your desktop and run it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SetCommand"=dword:00000001

Start RC from your disk, then make these commands at the prompt:
set allowallpaths = true
set AllowRemovableMedia = true
set AllowWildCards = true
[set NoCopyPrompt = true]
And see what you can do.


gerbil 216 Industrious Poster

To uninstall McAfee you should get the uninstaller from their website. Run it twice, rebooting each time.
Try renaming the MBAM installer to mambo-installer.exe, and see if that will install MBAM [uncheck the update now and auto start boxes before you press finish].
If it does install, rename mbam.exe to mambo.exe, and run that. Do not forget to update it.
Then try to dl and run hijackthis.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

MBAM can still be installed and updated without a connection. Using a flashdrive on another system, download & save the installer file from http://www.majorgeeks.com/Malwarebyt...are_d5756.html, then dl the latest updates file: http://www.gt500.org/malwarebytes/mbam-rules.exe , both to a thumbdrive.
Run the installer, when it completes uncheck the Launch and Update boxes to finish. Next, dclick the mbam-rules.exe file, it will install into MBAM.
Start MBAM via the icon and ...

gerbil 216 Industrious Poster

Why did you pick that service, Jim? And isn't it a vista service, anyway?
Have you tried making a new account on the puter to see if the svchost error occurs inside it? I note that error listed in SDFix...

DaniWeb4Jim commented: Very helpful +1
gerbil 216 Industrious Poster

Aww... he's given up on us. That cuts deep... really hurts.
Sorry we're useless some of the time, Bob

gerbil 216 Industrious Poster

So it would appear that if using LKGC sorted their problem then it would be some corruption of password/logon hashes? And if it did, then possibly that is all it was, and there is not an infection at the foot of this? I wonder if another user could log on?

gerbil 216 Industrious Poster

Just wondering if the M$ Malicious Software Removal tool which comes each month in auto updates [It is supposed to find the Sasser worm which attacks LSASS.EXE, amongst others] didn't turn malicious? I don't ever dl that particular update.

gerbil 216 Industrious Poster

Fine, pg. When you have used that Symantec removal tool could you post a final hijackthis log, please?

gerbil 216 Industrious Poster

I would be stunned if SR in one OS restored the registry in another OS....
If you are still able to start the OS in C:, and there are restore points available [ie. made at times] then I don't see why you don't just copy them into current registry.. ie, config.

gerbil 216 Industrious Poster

Well, there ya go... I often rework ppl's monikers, caper, mostly for simplicity, mostly keep them in my head..... mine for Bob was Twisted Bob, but I didn't dare address him as that.
Absolutely no offence in that, Bob, it's just easier to think than your proper room name.
And Bob, if you are not using your own machine in those pc lounges then it must be an effect of an aura about there, yours or the earth's.

gerbil 216 Industrious Poster

I was just making sure that those files are gone, pg. If you could not find them, that is fine.
Some antivirus software, for example Symantec's [and McAfee's too] cannot be simply removed without special software. Your McAfee is fine, no need to touch it, but there are still parts of Symantec remaining on your machine. If you visit the Symantec website you will be able to find and download the correct removal tool which you then run.
Would you do this for me please:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat to your desktop; dclick it to run, then post the file showkey.txt

reg query "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce" /s >showkey.txt
reg query "HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce"  /s >>showkey.txt
reg query "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce" /s >>showkey.txt
reg query "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce" /s >>showkey.txt
start showkey.txt
pause

Post the notepad that pops onto your desktop, please.

gerbil 216 Industrious Poster

Hello, pg, yes, that is what I wanted.
Please start hijackthis again, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [bone thunk axis copy] C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe
O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
O4 - HKCU\..\Run: [Sect Real] C:\DOCUME~1\PERFEC~1\APPLIC~1\IDLE01~1\Gplantitype.exe
O4 - HKCU\..\Run: [swg] C:\WINDOWS\system32\regsvr32.exe

Good, now find and delete these files:
C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe
C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
C:\Documents and Settings\PERFECT_GIRL\Application Data\IDLE01~1\Gplantitype.exe
-IDLE01~1 is an abbreviation of some folder name, I do not know what, but it commences with IDLE01, and is the only one that starts like that.

Please visit the Symantec website and download and run the appropriate removal tool for the version of their antivirus that you once used.
Make and post a fresh hijackthis log, please.

gerbil 216 Industrious Poster

Are you hoping to use Windows as an accurate clock [absolute time] or as a stopwatch [relative time]?

gerbil 216 Industrious Poster

Ah.. I find comfort in that, caper. The world is safe.. some people are not obsessed by computers, to them they are mere tools. Ripper.

gerbil 216 Industrious Poster

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - {da21bd13-ca22-42e3-a071-98f08f1ca1e7} - (no file)
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

Good. [nothing wrong with those RunOnce entries, it is just that they have done their job, and should have been removed by the installer].
Now :
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"

And that should be all.

gerbil 216 Industrious Poster

:), so he did.... should have worn all the rough bits off it, then.
GEAR is what I was hoping you would find in that file, spyder. It is a set of drivers that interface iTunes with your cd burner.
That all looks good. Go Start, Run and type or paste in :
combofix /u
-this will remove combofix and its quarantine.
Orright, get out there and play again, but in a less muddy spot, okay? That was quite a collection of rootkit gear.

gerbil 216 Industrious Poster

Poaching happens. I don't hold a torch for any browser... I switched from IE early on to Opera [it just made sense to have tabs on one browser process]. After a bit I experimented with FF and while I was doing that it became my main. But several months ago it started to fault on long pages and so I switched back to Opera.
Not going to say I love it, it doesn't "excite" me , I just prefer it. Atm. I have all 3 on quicklaunch.
Opera has just a few % of the market, I don't know why. I do know it takes a crowbar to get ppl weaned off IE. I have heard that some ppl use Netscape. Or did.
And still we have nothing to offer poor Bob.

gerbil 216 Industrious Poster

Ah. See? It was worth running Combofix also, wasn't it?
I take it that you ran random's sys info tool?
Is this associated with your iPod? c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
Right...
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
c:\windows\system32\cont_adsoftinc-remove.exe
C:\srelqu.exe
c:\windows\system32\ibtuaivlrurj.exe
C:\-723922735
c:\windows\system32\nsf57.dll
c:\windows\system32\dllcache\s3legacy.dll
c:\windows\DUMP61b7.tmp

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Then get rid of the Symantec stuff.

gerbil 216 Industrious Poster

Irish, the message "error loading operating system" is actually written into the MBR on your hard drive, so your BIOS was actually reading from the hard drive to get hold of that message; the next step which is locating the OS [via C drive being marked as Active] was done also, but the files which are used to load the OS itself were not loaded or found.
You need to borrow an installation cd and use that to get into the Recovery Console. Try to get one which matches your service pack number ..eg SP2. Your first hd is probably physically ok, it just has some file damage.
I find it strange that another hd would not work... what msg did you get with that? Did it have an OS on it?

gerbil 216 Industrious Poster

"I say that FF3 is fine, because from my standpoint it is." That is fine then, hot; if it works for you, well, that is all that is required of it [FF]. I have no strong point to make on this issue... it is just that for some it works, some of the time [check caper's posts...], and for some it does not, most of the time [me ..]. Perhaps it works for some, all of the time. I do not know networking, or much about browsers.. I don't think I know NKOTB either...

gerbil 216 Industrious Poster

This is a pretty common action taken by some malwares to decrease the chance of their being detected.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Then:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

You are welcome, George.
Please go Start, Run, and type or paste in:
combofix /u
-this will remove combofix and its quarantine folder with malware contents.

gerbil 216 Industrious Poster

Those two tools have done a superb job. You had a pretty comprehensive infection there. MBAM took out the ADS file attached to svchost.exe, so no action by you is required there.
May I see the Combofix log, please? This is important.
Your hijack this log shows as clean, but you should go to the Symantec website and identify and download the tool to remove the specific Symantec AV protection you once had. There are parts of it still running. A simple Remove instruction in Add/Remove Pgms does not suffice.

gerbil 216 Industrious Poster

This arises because Windows remembers all removable storage devices connected to it, the reason being that it tries to keep track of the file structure that it used when it accessed that device last. Windows cares nought for the drive letter or the drive name you give because you can change them at will and confuse Windows, so it associates the persistent volume name with unique volume identifiers and disk signatures..
This is the key you need: HKLM\SYSTEM\MountedDevices
Identify your device at \DosDevices\"its drive letter": and delete it [delete that name]
It will also occur up the page as one of the \??\Volume{....} entries. To find which one you will have to rclick on each, select Modify and read the upper part of the ASCII interpretation to identify the drive [the remainder of that ASCII is the unique identifier]. Until you find the correct one... then delete that name also.
Restart your machine, the drive will/should be re-associated, perhaps correctly.
This is why if you plug in a drive to your firm's computer and do something really naughty then you had better get rid of that drive afterward. Its unique identifier is stored, plus what was on it.
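The "read the ASCII interpretation of each value" step above can be scripted. The PowerShell below is an added example, not gerbil's code: it lists every value under HKLM\SYSTEM\MountedDevices, decodes the REG_BINARY data (a 12-byte MBR disk signature plus partition offset, a 24-byte "DMIO:ID:" GPT partition GUID, or a UTF-16 device instance path such as the USBSTOR paths removable drives leave behind), and finds every name that shares the same data as a given \DosDevices\X: entry, which is exactly the \??\Volume{...} twin the post says to locate. It assumes Windows PowerShell 3.0 or later run as Administrator; the function names are my own.

```powershell
# Added example (not from the original post). Decode HKLM\SYSTEM\MountedDevices so that a
# drive letter can be matched to its \??\Volume{...} twin and to the physical device behind it.
# Assumes Windows PowerShell 3.0+ run as Administrator; function names are this example's own.

function ConvertFrom-MountedDeviceValue {
    param([Parameter(Mandatory)][byte[]]$Data)

    if ($Data.Length -eq 12) {
        # MBR-partitioned disk: 4-byte disk signature, then 8-byte partition start offset (little-endian)
        $signature = [BitConverter]::ToUInt32($Data, 0)
        $offset    = [BitConverter]::ToUInt64($Data, 4)
        return [pscustomobject]@{
            Kind   = 'MBR partition'
            Detail = ('DiskSignature=0x{0:X8} Offset={1} bytes' -f $signature, $offset)
        }
    }
    if ($Data.Length -eq 24 -and [Text.Encoding]::ASCII.GetString($Data, 0, 8) -eq 'DMIO:ID:') {
        # GPT-partitioned disk: "DMIO:ID:" prefix followed by the 16-byte partition GUID
        $guidBytes = [byte[]]$Data[8..23]
        $guid = New-Object -TypeName Guid -ArgumentList (,$guidBytes)
        return [pscustomobject]@{ Kind = 'GPT partition'; Detail = "PartitionGuid=$guid" }
    }
    # Anything else is a UTF-16LE string: a device instance path such as
    # \??\USBSTOR#Disk&Ven_...#<serial>&0#{...} or the _??_USBSTOR#... form used for volumes
    $text = [Text.Encoding]::Unicode.GetString($Data).TrimEnd([char]0)
    return [pscustomobject]@{ Kind = 'Device path'; Detail = $text }
}

function Get-MountedDeviceTable {
    # One row per value: the registry value name, what kind of data it holds, and the decoded data
    $key = Get-Item -Path 'HKLM:\SYSTEM\MountedDevices'
    foreach ($name in $key.GetValueNames()) {
        $decoded = ConvertFrom-MountedDeviceValue -Data ([byte[]]$key.GetValue($name))
        [pscustomobject]@{ Name = $name; Kind = $decoded.Kind; Detail = $decoded.Detail }
    }
}

function Find-MountedDeviceNames {
    # Return every value name whose data is identical to the data stored for \DosDevices\<letter>:
    # (the drive letter entry and its \??\Volume{...} entry point at the same device).
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter)
    $key    = Get-Item -Path 'HKLM:\SYSTEM\MountedDevices'
    $target = [byte[]]$key.GetValue("\DosDevices\$($DriveLetter.ToUpper()):")
    if (-not $target) { return @() }
    $wanted = [BitConverter]::ToString($target)
    foreach ($name in $key.GetValueNames()) {
        $data = [byte[]]$key.GetValue($name)
        if ($data -and [BitConverter]::ToString($data) -eq $wanted) { $name }
    }
}

# Usage:
#   Get-MountedDeviceTable | Sort-Object Detail | Format-Table -AutoSize -Wrap
#   Find-MountedDeviceNames -DriveLetter E
# Rows that share one Detail are the same volume under different names; those are the two
# names the post tells you to remove (Remove-ItemProperty on the key) before restarting.
```

Sorting the table by Detail puts each drive letter next to its volume GUID entry, so the pairing is visible without opening values one at a time in regedit. The Device path rows are also the reason the post warns that a plugged-in USB drive leaves a record behind: the instance path includes the device's vendor, product and serial, and it stays in the key until something removes it.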

gerbil 216 Industrious Poster

:)... I jus dunno, caper.... an Bob, I was afraid you would say that. "as I get the problem from the download of the cover page where I need to log on from."

gerbil 216 Industrious Poster

Caper, I have FF3.04 [latest] and it will not pull in that page I put up. Opera does. Anyway... poor ole Bob...
Bob, try creating another account...

gerbil 216 Industrious Poster

Spyder, this will remove the ADS ext.exe from C:\WINDOWS\system32\svchost.exe:ext.exe
ext.exe is an ADS [alternate data stream] attached to C:\WINDOWS\system32\svchost.exe, and you need a special tool to remove it.
Get this tool, ADS Spy from http://www.bleepingcomputer.com/files/adsspy.php - you will need to dl the file , extract ADSSpy.exe and then copy that into your sys [via that flashdrive].
Simply dclick it to start it,
-select Scan only this Folder,
-type into the box C:\Windows [or browse to it via the .. box]
-press Scan the sys...
If it appears, check C:\windows\svchost.exe... and then Remove Selected Items.
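ADS Spy does the job described above on an XP box; on any system with Windows PowerShell 3.0 or later the same check needs no extra tool, because the filesystem provider exposes streams directly. The function below is an added example, not part of the original post or of ADS Spy: it walks a folder, lists every alternate data stream other than the main :$DATA stream, and reports the file, stream name and size, so an entry like svchost.exe:ext.exe stands out. Zone.Identifier (the mark-of-the-web stream browsers attach to downloads) is filtered out as expected noise; the function name is my own.

```powershell
# Added example (not from the original post). List alternate data streams under a folder and
# report every stream that is not the file's main data stream. Assumes Windows PowerShell 3.0+
# (which added -Stream) and Administrator rights to read everything under C:\Windows.

function Get-AlternateStreamReport {
    param(
        [string]$Path = 'C:\Windows',
        [switch]$Recurse,
        # Zone.Identifier is the mark-of-the-web stream on downloaded files; normally expected
        [string[]]$IgnoreStreams = @('Zone.Identifier')
    )
    Get-ChildItem -Path $Path -File -Recurse:$Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one record per stream, including the main ':$DATA' stream
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Usage:
#   Get-AlternateStreamReport -Path C:\Windows\System32 | Format-Table -AutoSize
# A hit on a system binary reads e.g. File=C:\Windows\System32\svchost.exe Stream=ext.exe.
# Removing that stream leaves the host file intact:
#   Remove-Item -LiteralPath C:\Windows\System32\svchost.exe -Stream ext.exe
```

Two points worth keeping in mind when reading the output: an executable stored in a stream can be registered as a service or Run entry under the host:stream path (the thread's O23 entry for svchost.exe:ext.exe is exactly that), so the registration has to go as well as the stream; and an unexpected stream on a file in System32 is far more interesting than one under a user's Downloads folder, where Zone.Identifier and the odd thumbnail stream are routine.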

gerbil 216 Industrious Poster

At work and online? Then grab a flashdrive and dl Combofix into it from http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or : http://subs.geekstogo.com/ComboFix.exe
Change the filename combofix.exe to mycfix.exe, and copy it to your DESKTOP..... It does not need to update, and does not want the web connected...:
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Ah, thank you, pg. Could you post a fresh hijack this log, please?

gerbil 216 Industrious Poster

Hello, irish. Something has damaged your boot sector on the systemdrive. You will need the Recovery Console from your installation cd, and the commands you should run are:
chkdsk /r -see if the sys will start after this completes; if not, then:
fixboot

gerbil 216 Industrious Poster

FF, the latest update, 3.04? without checking [came in last week?] Zero plugins.
Opera has no ads, it is just good, clean, fast. Crash? Never. FF is a copy of it.
I'll point you at a long post so you can see what I mean about FF... http://www.daniweb.com/forums/thread155796-4.html
Does it render the whole page? Perfectly? No omissions, blank spaces, black areas?

gerbil 216 Industrious Poster

Firefox does NOT like DW. I don't know why, but one particular symptom is that it cannot render pages containing a long post.
Opera copes admirably.. no problems at all.

gerbil 216 Industrious Poster

Browse the sr.inf installer to your C:\WINDOWS\Driver Cache\i386\sp3.cab or C:\WINDOWS\ServicePackFiles\i386\sp3.cab so that it can use the most recent files.

gerbil 216 Industrious Poster

Okay, sham, you are at the sharp end, experience what I cannot see. Sorry I could not help further.

gerbil 216 Industrious Poster

I would be satisfied, george, with where you are at now. The hidden files thing is just a presentation option for explorer... it does not actually set attributes on a file that are not already there. Other pgms can see them. Do a quick scan in safe mode if you wish, but any keys present would be found in normal mode; you would be hoping to spot a rootkit only that had not started up.

gerbil 216 Industrious Poster

Hello, spyder, your sys has been knocked silly by some malwares. Being midnight in Aust Cohen has likely wandered off to bed.
I see these things in running processes:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\HP_Administrator\Desktop\mbam-setup.exe
So, delete the folder C:\Program Files\Malwarebytes' Anti-Malware
Rename this file C:\Documents and Settings\HP_Administrator\Desktop\mbam-setup.exe to mambo-sup.exe
Before you try starting the installer again though, let's do this [some of it may stick...].
At this point you may wish to dl this program:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Right. Set? Rename hijackthis.exe to imabunny.exe, then start it, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: C:\WINDOWS\system32\jsdf8j3dgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O4 - HKLM\..\Run: [txitbnqzugza] C:\WINDOWS\System32\regsvr32.exe /s "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\xngaotwnxcst.dll"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: gsgehtaw - C:\WINDOWS\SYSTEM32\gsgehtaw.dll
O22 - SharedTaskScheduler: lke3iemrl490kgfgdsfd - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\hsd63geff.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe

Good, now delete these files:
C:\WINDOWS\system32\jsdf8j3dgf.dll
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\xngaotwnxcst.dll
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\TEMP\csrssc.exe
C:\WINDOWS\SYSTEM32\gsgehtaw.dll
C:\WINDOWS\system32\hsd63geff.dll
C:\WINDOWS\system32\svchost.exe:ext.exe

Be aware that C:\WINDOWS\system32\svchost.exe is a valid system file …

gerbil 216 Industrious Poster

Delete this file, mobius:
C:\DOCUME~1\Ryan\LOCALS~1\Temp\stf8D.tmp
I do not see what was used to start it running.

gerbil 216 Industrious Poster

:), you're welcome, Kiran.

gerbil 216 Industrious Poster

Hi, George... I don't know how pauseDEL got into that last batch command... :) .. it should have had just pause as the second command. But no matter. And I did not see where stu2.exe got deleted in our procedure...
Any further occurrences of the two trojans?

gerbil 216 Industrious Poster

"No possibility to Run System Restore either, not even in Save Mode."
Ah, but have you had SR enabled? Cos if you have restore points available we can fish those out and plug them into your registry.
Try to get SR running by navigating to C:\windows\inf, and dclicking sr.inf; choose Install.
If it works after that, then fine. If not, then because you are still able to start in your C: drive OS there is a workaround to get at those restore points. Say if you want it.

gerbil 216 Industrious Poster

Ok, Geoss.. SP2 userinit.exe filesize is 24576 bytes. But your SP3 userinit.exe filesize should be 26112 bytes. Check that the same file exists in your system32\dllcache directory [you will need to go to Tools > Folder options > View, and uncheck Hide Protected Operating System files..].
Yes, when you ran that batch file all you would have seen is a small black cmd.exe window flash briefly. It copied stu2.exe into userinit.exe. So all is good.
This will give you a chance to see the cmd window as stu2.exe is deleted:
Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixui.bat to your desktop; dclick it to run.

DEL c:\windows\system32\stu2.exe
pause

Say how things are, and post a fresh hijackthis scan log, please.

gerbil 216 Industrious Poster

There is a very good chance that you have been hit by a malicious software that, as part of its actions to protect itself, disables Safe Mode. What version of XP are you running? SP number?

gerbil 216 Industrious Poster

Go to C:\windows\inf, rclick sr.inf, choose Install. I don't know whether you have a cd or not, or have updated to SP3 over the web.. but you need to point the installer at the installation files. They could be on the cd [i386 folder] or in Windows\ServicePackFiles. I do not know your service pack position or Dells so cannot be exact.

gerbil 216 Industrious Poster

Hi, jb... I am wondering what the exact situation is with stu2.exe and userinit.exe. If userinit.exe is corrupted Combofix should have said so.
An XP cd with SP3 would make things so simple. But atm I hesitate to just use COPY to replace userinit.exe with stu2.exe. Geoss could still start into safe mode, though, if it failed.

Geoss, please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixui.bat to your desktop; dclick it to run.

COPY /Y c:\windows\system32\stu2.exe c:\windows\system32\userinit.exe

Restart your sys, and say how things are.

gerbil 216 Industrious Poster

Geoss, yes, that version number 5.1.2600.5512 (xpsp.080413-2113) is for SP3. If you go back to system32\stu2.exe, in its properties > Version tab, you would also see its Original filename. It should be USERINIT.EXE - what is its filesize, to the exact byte?
Is the same information in system32\userinit.exe? What is its filesize, to the byte?
Now, we have to be careful here because the genuine file is protected by Windows File Protection System, and a counterfeit copy should have been automatically replaced. But the malware may have caused its own reworked version of userinit.exe to be placed into the cache also. It can do that by simply deleting the genuine copy in the cache. So:
-do you have this file: C:\Windows\Driver Cache\i386\SP3.cab
Let me know.

gerbil 216 Industrious Poster

Sham... sorry.. this c:\documents and settings\sam08\.tfo3 is actually a folder .tfo3. Delete that folder.
So how is web access now?

gerbil 216 Industrious Poster

Hi, geoss. Recovery Console takes up about 350Mb on your C: drive. It is a very worthwhile thing to have, especially if you do not have an installation cd.
Combofix warns about its absence and offers the facility of installing it cos sometimes combofix [or the user] goes haywire. 1/100 the odds....
Right. What is inside this folder, nothing? c:\windows\system32\unknown
This file is your ORIGINAL userinit.exe: c:\windows\system32\stu2.exe
-it was renamed to this by the malware. First, check that it is the MS file from its properties... vsn5.1.2600.2180, size 24,576 bytes, in Version tab, original filename should be USERINIT.EXE
-if this is all correct, rename it to userinit.exe
Right, you have a worm and a net traffic interceptor which was hidden by a rootkit.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
c:\windows\system32\iiffEvWP.dll.vir
C:\jfidoj.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc7unj0erbg]

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

Your Java is way out of date. Keep it updated for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms …
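The checks gerbil asks for in the two userinit.exe posts above (size to the byte, version, Original filename in the Version tab, and whether the dllcache copy matches) can be gathered in one go. The PowerShell below is an added example, not code from the thread: it reports size, file version, OriginalFilename and SHA-256 for system32\userinit.exe, the Windows File Protection copy in system32\dllcache, and the renamed stu2.exe, and then says whether every copy found is the same file. The 24576/26112 byte figures are the thread's own; the script does not hard-code them. Hashing goes through .NET so it also works on Windows PowerShell 2.0; the function names and the candidate list are my own.

```powershell
# Added example (not from the original post). Compare system32\userinit.exe with the WFP copy
# in system32\dllcache and with the renamed stu2.exe the thread talks about. Assumes an XP-era
# layout under $env:SystemRoot; works on Windows PowerShell 2.0+ (no Get-FileHash needed).

function Get-FileSha256 {
    param([Parameter(Mandatory)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [IO.File]::ReadAllBytes($Path)
    return ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

function Get-UserinitReport {
    param(
        [string[]]$Candidates = @(
            "$env:SystemRoot\system32\userinit.exe",
            "$env:SystemRoot\system32\dllcache\userinit.exe",   # Windows File Protection cache copy
            "$env:SystemRoot\system32\stu2.exe"                 # renamed original reported in the thread
        )
    )
    foreach ($p in $Candidates) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; Size = $null; Version = $null; OriginalName = $null; SHA256 = $null }
            continue
        }
        $item = Get-Item -LiteralPath $p -Force
        [pscustomobject]@{
            Path         = $p
            Exists       = $true
            Size         = $item.Length                          # exact byte count, as the post asks
            Version      = $item.VersionInfo.FileVersion         # e.g. 5.1.2600.5512 (xpsp.080413-2113)
            OriginalName = $item.VersionInfo.OriginalFilename    # should read USERINIT.EXE
            SHA256       = Get-FileSha256 -Path $p
        }
    }
}

function Test-UserinitConsistent {
    # True only when every copy that exists has one and the same hash and claims to be USERINIT.EXE.
    # A mismatch between system32 and dllcache is the case the post warns about: the cache copy
    # may itself have been replaced, so agreement between the two is necessary, not sufficient.
    $rows = @(Get-UserinitReport | Where-Object { $_.Exists })
    if ($rows.Count -eq 0) { return $false }
    $hashes = @($rows | Select-Object -ExpandProperty SHA256 -Unique)
    $badNames = @($rows | Where-Object { $_.OriginalName -ne 'USERINIT.EXE' })
    return ($hashes.Count -eq 1 -and $badNames.Count -eq 0)
}

# Usage:
#   Get-UserinitReport | Format-Table -AutoSize
#   Test-UserinitConsistent
#   Test-Path "$env:SystemRoot\Driver Cache\i386\sp3.cab"   # the service-pack cab the post asks about
```

Read the table before acting on the boolean: the post's point is that three files can all agree and still be wrong if the cache was poisoned, so when the hashes differ, or the Original filename is missing, the copy to trust is the one extracted from the service-pack cab or the installation cd, not whichever of the three happens to be in the majority.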

gerbil 216 Industrious Poster

Sham, please delete these files:

c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\winhlp.exe
c:\documents and settings\sam08\.tfo3

This is a good delete tool if you require it:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
But they should delete in Safe Mode, if not normal mode. Tell me if you cannot find any of them.
Now try to follow the MBAM instructions. Do a quick scan, then follow with a hijackthis log, please.