Cyber Tech Help Support Forums > Software > Malware Removal

#1
August 21st, 2010, 12:55 PM
peter762033 (Member; Join Date: May 2006; Posts: 69)
Trying to remove Antimalware doctor

Hi, basically I have got Antimalware Doctor on my laptop; I've heard this is some kind of malware? I have already tried looking up some ways of removing it but have been unsuccessful. This is the guide I followed:

http://www.bleepingcomputer.com/viru...malware-doctor

I followed the guide until it came to the point where you have to install RKill; the virus won't let the program install, as it says RKill is infected. It does the same if I try to install Malwarebytes.

Is this a common problem, and an easy fix?
Would really appreciate some ideas on how to remove this,

cheers,
Pete

#2
August 22nd, 2010, 08:14 AM
touch (Malware Removal Team; Join Date: Jan 2007; O/S: Windows XP Pro; Posts: 3,595)
Hello Pete


"There is unfortunately no easy fix, when it comes to malware removal. Sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous."

However, let's start and do some repairs ->

Please run the SUPERAntiSpyware online scan.
Follow the instructions on the site. When downloaded, click on the Check for updates button.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Ignore System Restore/Volume Information on ME and XP


Please leave the others unchecked.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click
NO.

When the scan has finished ->
Click Preferences. Click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
It will open in your default text editor (such as Notepad/Wordpad).
· Save the logfile to the desktop.
· Click Close and Close again to exit the program.
Reboot, if needed.
Post the SUPERAntiSpyware log and tell me how things are running.

#3
August 22nd, 2010, 03:36 PM
peter762033 (Member; Join Date: May 2006; Posts: 69)
Hi touch, thanks for the reply.
OK, I thought it wouldn't be easy. I tried what you said but I can't access the internet; whenever I try to open Google Chrome it says, "Application cannot be executed. The file chrome.exe is infected". It's the same if I try to open anything or install any programs. Maybe I should try booting in safe mode? Or would the malware still be active? Also, maybe I could just rescue my files with Ubuntu Live and reformat the laptop, but that's a last resort, I think. Any more ideas?

Appreciate the help,

thanks

#4
August 22nd, 2010, 05:45 PM
touch (Malware Removal Team; Join Date: Jan 2007; O/S: Windows XP Pro; Posts: 3,595)
I have some suspicions that this could be pretty bad, but let's run a scan to see what we're dealing with.

Download CureIt to the desktop: here

Click on CureIt Download - button.

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Move dot to Complete scan
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

Please post the Dr.Web report in your next reply.

NB. You'll probably have to download it on a working computer and transfer it using an external drive.

Last edited by touch; August 22nd, 2010 at 05:47 PM.

#5
August 22nd, 2010, 05:59 PM
Darrell09thomas (New Member; Join Date: Aug 2010; O/S: Windows 7 32-bit; Location: Uk / Bristol; Age: 50; Posts: 3)
Howdy: Please refrain from posting in this forum. Only those that are qualified to provide malware removal advice are allowed to post such.

I would suggest you read the first post in THIS THREAD.

Thank you and welcome to CTH.

Murray

Last edited by Murray S.; August 22nd, 2010 at 06:28 PM. Reason: Removed malware advice. Same as soft deleted post.

#6
August 22nd, 2010, 08:51 PM
peter762033 (Member; Join Date: May 2006; Posts: 69)
OK, I downloaded and ran the two scans with Dr.Web and these were the results:

Express scan:

lqrog.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.DownLoader1.16230;Deleted.;
mwaecxnros.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.DownLoader1.18140;Incurable.Moved.;
nps4EBD.tmp\data006;C:\Users\SCUBAS~1\AppData\Local\Temp\nps4EBD.tmp;Exploit.PDF.978;;
nps4EBD.tmp;C:\Users\SCUBAS~1\AppData\Local\Temp;Container contains infected objects;Moved.;
ooflgt.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;BackDoor.Tdss;Incurable.Moved.;
ubwdklcx.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.MulDrop1.42557;Incurable.Moved.;
wtpvaae.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.MulDrop1.42548;Incurable.Moved.;
winhelp.exe;c:\users\scubasteve555\appdata\local\windows;Trojan.Hottrend.25;Deleted.;
cmcoaxishdw.exe;c:\users\scubasteve555\appdata\roaming\stoqkwkdw;Trojan.MulDrop1.42548;Incurable.Moved.;
keaxy.exe;c:\users\scubasteve555\appdata\roaming\ykop;Trojan.PWS.Panda.383;Incurable.Moved.;

Complete scan:

lqrog.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.DownLoader1.16230;Deleted.;
mwaecxnros.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.DownLoader1.18140;Incurable.Moved.;
nps4EBD.tmp\data006;C:\Users\SCUBAS~1\AppData\Local\Temp\nps4EBD.tmp;Exploit.PDF.978;;
nps4EBD.tmp;C:\Users\SCUBAS~1\AppData\Local\Temp;Container contains infected objects;Moved.;
ooflgt.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;BackDoor.Tdss;Incurable.Moved.;
ubwdklcx.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.MulDrop1.42557;Incurable.Moved.;
wtpvaae.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.MulDrop1.42548;Incurable.Moved.;
winhelp.exe;c:\users\scubasteve555\appdata\local\windows;Trojan.Hottrend.25;Deleted.;
cmcoaxishdw.exe;c:\users\scubasteve555\appdata\roaming\stoqkwkdw;Trojan.MulDrop1.42548;Incurable.Moved.;
keaxy.exe;c:\users\scubasteve555\appdata\roaming\ykop;Trojan.PWS.Panda.383;Incurable.Moved.;
lctnltb[1].htm;C:\Documents and Settings\scubasteve555\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\L;Trojan.MulDrop1.42557;Incurable.Moved.;
mqupjickr[1].htm;C:\Documents and Settings\scubasteve555\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\X;Trojan.MulDrop1.42548;Incurable.Moved.;
newsecureapp70700[2].exe;C:\Documents and Settings\scubasteve555\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\X;Trojan.DownLoader1.18211;Incurable.Moved.;
pgaiqxwq[1].htm;C:\Documents and Settings\scubasteve555\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\X;BackDoor.Tdss;Incurable.Moved.;
qhysq[1].htm;C:\Documents and Settings\scubasteve555\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\X;Trojan.DownLoader1.16230;Deleted.;
vzgbidyje[2].htm;C:\Documents and Settings\scubasteve555\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\X;Trojan.PWS.Panda.383;Incurable.Moved.;

It seems to have removed the virus, as I'm not getting all of the pop-ups like before, but I now cannot connect to the internet and the laptop is running slower. I'm guessing these problems are still linked with the virus? What can I try next?

thanks
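Added example (not part of the thread, and not Dr.Web's code): a small Python triage of a Dr.Web CureIt report in the "name;path;verdict;action;" layout Pete pasted. The sample lines are copied from his express scan. Two things are worth pulling out of such a report before going further: which items were "Incurable.Moved." rather than "Deleted." (they are quarantined, not gone, so the quarantine folder must not be restored), and whether any verdict is a rootkit (BackDoor.Tdss) or a password stealer (Trojan.PWS.*). The prefix list, and the reading of those names as high-impact, are this example's own assumptions rather than something stated in the thread.

```python
"""Triage of a Dr.Web CureIt report (DrWeb.csv).

Added example for this thread, not Dr.Web's or the forum's code. Each line is
'name;path;verdict;action;' as in Pete's post; the sample below is copied from
his express-scan output. HIGH_IMPACT_PREFIXES is this example's own assumption
about which verdict names mean the host should be treated as fully compromised.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    name: str
    path: str
    verdict: str
    action: str  # empty when the item sits inside a container handled as a whole


def parse_report(text: str) -> list[Detection]:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(";")
        # the trailing ';' produces an extra empty field, so 4 fields is the minimum
        if len(parts) < 4:
            raise ValueError(f"unexpected report line: {line!r}")
        rows.append(Detection(parts[0], parts[1], parts[2], parts[3]))
    return rows


# Verdict prefixes that on their own justify treating the host as fully
# compromised: a kernel-mode rootkit family and a credential stealer.
HIGH_IMPACT_PREFIXES = ("BackDoor.Tdss", "Trojan.PWS.")


def summarize(rows: list[Detection]) -> dict:
    """Count actions, list high-impact verdicts and items that got no action."""
    return {
        "actions": Counter(r.action or "(none)" for r in rows),
        "high_impact": sorted({r.verdict for r in rows
                               if r.verdict.startswith(HIGH_IMPACT_PREFIXES)}),
        # no action usually means "member of a container that was moved whole";
        # verify the container is gone rather than assume the item was cleaned
        "no_action": [r.name for r in rows if not r.action],
    }


# Constructed sample: Pete's express-scan lines from the post above.
SAMPLE_REPORT = r"""
lqrog.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.DownLoader1.16230;Deleted.;
mwaecxnros.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.DownLoader1.18140;Incurable.Moved.;
nps4EBD.tmp\data006;C:\Users\SCUBAS~1\AppData\Local\Temp\nps4EBD.tmp;Exploit.PDF.978;;
nps4EBD.tmp;C:\Users\SCUBAS~1\AppData\Local\Temp;Container contains infected objects;Moved.;
ooflgt.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;BackDoor.Tdss;Incurable.Moved.;
ubwdklcx.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.MulDrop1.42557;Incurable.Moved.;
wtpvaae.exe;C:\Users\SCUBAS~1\AppData\Local\Temp;Trojan.MulDrop1.42548;Incurable.Moved.;
winhelp.exe;c:\users\scubasteve555\appdata\local\windows;Trojan.Hottrend.25;Deleted.;
cmcoaxishdw.exe;c:\users\scubasteve555\appdata\roaming\stoqkwkdw;Trojan.MulDrop1.42548;Incurable.Moved.;
keaxy.exe;c:\users\scubasteve555\appdata\roaming\ykop;Trojan.PWS.Panda.383;Incurable.Moved.;
"""

if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for action, count in summary["actions"].most_common():
        print(f"{count:2d}  {action}")
    print("high impact:", ", ".join(summary["high_impact"]) or "none")
    print("no action taken:", ", ".join(summary["no_action"]) or "none")
```

On Pete's report the high-impact list comes back non-empty (a TDSS rootkit and a Panda password stealer), and the practical consequence is the one a removal helper would normally spell out: once the machine is clean, change every password that was typed on it, and do that from a different computer. The one entry with an empty action (data006 inside nps4EBD.tmp) was handled by moving its container, which is why the summary lists it separately instead of counting it as missed.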

#7
August 23rd, 2010, 08:20 AM
touch (Malware Removal Team; Join Date: Jan 2007; O/S: Windows XP Pro; Posts: 3,595)
Quote:
but i now cannot connect to the internet

See if you can connect from Safe Mode with Networking?

Otherwise, check this ->

Go to Start > Settings > Control Panel > Internet Options > Connections tab > LAN Settings, and uncheck all boxes (proxy and auto detect).

Reboot.

If you connect now, please follow my instructions here:
07:14 AM

#8
August 23rd, 2010, 04:33 PM
peter762033 (Member; Join Date: May 2006; Posts: 69)
OK, I unchecked all of the boxes and I'm now back on the internet. Thank you so much, I appreciate the help! I have just updated Malwarebytes and I am running another full scan just to be sure the malware is gone.

I'm now looking into a free firewall and have heard that Comodo Free is pretty good; do you have any experience with the program?

http://download.cnet.com/Comodo-Inte...-10460704.html

Are there better free firewalls out there?

Also, I heard CCleaner is a good program for cleaning computers; is this worth downloading and running?

Basically I would like to thoroughly clean the computer and get it well protected so I don't have this problem again. What else can I do?

Thanks again for all of your help!

Pete

#9
August 24th, 2010, 05:33 AM
touch (Malware Removal Team; Join Date: Jan 2007; O/S: Windows XP Pro; Posts: 3,595)
Quote:
Basically I would like to thoroughly clean the computer and get it well protected so I don't have this problem again. What else can I do?

OK. Then I need to see a ComboFix log. When your computer is clean, I'll tell/suggest (IMO) which security and other programs you should install to prevent reinfection.

Please download Combofix from: Here
And save to the desktop.

Close all other browser windows.

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.


Post the contents of that log in your next reply

The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.



NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed, as this can cause reinfection during your cleaning.

#10
August 24th, 2010, 06:01 PM
peter762033 (Member; Join Date: May 2006; Posts: 69)
I followed your instructions and here are the log reports:


ComboFix 10-08-23.06 - scubasteve555 24/08/2010 17:38:27.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3034.1960 [GMT 1:00]
Running from: c:\users\scubasteve555\Downloads\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\scubasteve555\AppData\Local\Windows Server
c:\users\scubasteve555\AppData\Local\Windows Server\hlp.dat
c:\users\scubasteve555\AppData\Local\Windows Server\server.dat
c:\users\scubasteve555\AppData\Roaming\inst.exe
c:\users\scubasteve555\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
c:\users\scubasteve555\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\users\scubasteve555\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

.
((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))
.

2010-08-23 18:30 . 2010-08-23 18:30 -------- d-----w- c:\program files\CCleaner
2010-08-22 17:25 . 2010-08-22 17:51 -------- d-----w- c:\users\scubasteve555\DoctorWeb
2010-08-22 17:14 . 2010-08-22 17:14 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\A16F93C65AFE3DB87BB431D111D89D9A
2010-08-22 16:19 . 2010-08-22 16:19 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\SUPERAntiSpyware.com
2010-08-22 16:19 . 2010-08-22 16:19 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-22 14:51 . 2010-08-22 14:51 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\Malwarebytes
2010-08-22 14:51 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-22 14:51 . 2010-08-22 14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-22 14:51 . 2010-08-22 14:51 -------- d-----w- c:\programdata\Malwarebytes
2010-08-22 14:51 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-22 14:24 . 2010-08-22 14:24 2838 ----a-w- c:\users\scubasteve555\AppData\Local\idofunaner.dll
2010-08-21 12:57 . 2010-08-21 12:57 2838 ----a-w- c:\users\scubasteve555\AppData\Local\iduwisucejal.dll
2010-08-21 11:33 . 2010-08-21 11:33 2838 ----a-w- c:\users\scubasteve555\AppData\Local\ecukeyoj.dll
2010-08-20 17:33 . 2010-08-20 17:33 2838 ----a-w- c:\users\scubasteve555\AppData\Local\enaroluqotiwu.dll
2010-08-20 17:00 . 2010-08-20 17:00 2838 ----a-w- c:\users\scubasteve555\AppData\Local\etojelehe.dll
2010-08-20 16:47 . 2010-08-20 16:47 2838 ----a-w- c:\users\scubasteve555\AppData\Local\efaqadunujanecat.dll
2010-08-20 16:39 . 2010-08-20 16:39 2838 ----a-w- c:\users\scubasteve555\AppData\Local\ivukawepa.dll
2010-08-20 16:36 . 2010-08-23 17:27 -------- d-----w- c:\users\scubasteve555\AppData\Local\stoqkwkdw
2010-08-20 16:36 . 2010-08-22 18:04 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\stoqkwkdw
2010-08-20 16:35 . 2010-08-22 18:04 -------- d-----w- c:\users\scubasteve555\AppData\Local\Windows
2010-08-15 21:36 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-15 21:36 . 2010-06-29 15:47 834048 ----a-w- c:\windows\system32\wininet.dll
2010-08-15 21:36 . 2010-06-28 16:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-08-15 21:36 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-15 21:36 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-08-15 21:36 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-15 21:35 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-15 21:35 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-15 21:35 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-15 21:35 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-15 21:35 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-15 21:28 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 16:46 . 2009-03-15 15:24 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\DNA
2010-08-23 22:44 . 2010-03-11 20:58 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\vlc
2010-08-22 18:04 . 2010-07-20 07:56 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\Ykop
2010-08-20 17:00 . 2009-03-08 19:58 -------- d-----w- c:\program files\Norton Security Scan
2010-08-20 16:38 . 2009-04-05 12:07 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\Uper
2010-08-16 15:05 . 2008-11-27 07:50 -------- d-----w- c:\program files\Microsoft Works
2010-08-16 14:49 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-15 19:37 . 2009-03-25 11:52 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\dvdcss
2010-07-13 18:36 . 2008-12-31 16:29 6648 ----a-w- c:\users\scubasteve555\AppData\Local\d3d9caps.dat
2010-07-02 07:37 . 2010-07-02 07:37 -------- d-----w- c:\users\scubasteve555\AppData\Roaming\GARMIN
2010-07-02 07:37 . 2010-07-02 07:37 -------- d-----w- c:\program files\Garmin GPS Plugin
2010-07-02 07:37 . 2010-07-02 07:37 -------- d-----w- c:\program files\DIFX
2010-07-02 07:36 . 2010-07-02 07:36 -------- d-----w- c:\program files\Garmin
2010-07-01 17:15 . 2010-07-01 17:15 -------- d-----w- c:\program files\Delta
2010-06-26 10:29 . 2010-01-18 12:54 -------- d-----w- c:\program files\Microsoft.NET
2010-06-20 15:46 . 2010-06-20 15:46 8854 ----a-r- c:\users\scubasteve555\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-06-20 15:46 . 2010-06-20 15:46 40960 ----a-r- c:\users\scubasteve555\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-06-20 15:46 . 2010-06-20 15:46 40960 ----a-r- c:\users\scubasteve555\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-06-15 21:13 . 2009-02-14 20:42 47360 ----a-w- c:\users\scubasteve555\AppData\Roaming\pcouffin.sys
2010-06-15 21:13 . 2009-02-14 20:42 47360 ----a-w- c:\users\scubasteve555\AppData\Roaming\pcouffin.sys
2010-05-26 17:06 . 2010-06-11 10:03 34304 ----a-w- c:\windows\system32\atmlib.dll
2008-11-27 09:08 . 2008-11-27 09:07 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-27 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"BitTorrent DNA"="c:\users\scubasteve555\Program Files\DNA\btdna.exe" [2009-11-13 323392]
"Google Update"="c:\users\scubasteve555\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-08-16 133104]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-09-04 200704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-17 145944]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-08-05 3563520]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-11 180269]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-17 442460]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-27 07:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):4d,e4,f6,a0,b6,66,ca,01

R1 SASDIFSV;SASDIFSV;c:\users\SCUBAS~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\SCUBAS~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 135664]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 PCAMp50;PCAMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50.sys [2006-11-28 28224]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20091217.001\IDSvix86.sys [2009-11-20 286768]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\aestsrv.exe [2008-09-17 73728]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-10-19 102448]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]

#11
August 24th, 2010, 06:02 PM
peter762033 (Member; Join Date: May 2006; Posts: 69)
--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 20:29]

2010-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 20:29]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2398985377-1469646343-1411235317-1000Core.job
- c:\users\scubasteve555\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-16 20:34]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2398985377-1469646343-1411235317-1000UA.job
- c:\users\scubasteve555\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-16 20:34]

2010-08-20 c:\windows\Tasks\Norton Security Scan for scubasteve555.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-fsm - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-24 17:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-24 17:55:29
ComboFix-quarantined-files.txt 2010-08-24 16:55

Pre-Run: 18,325,331,968 bytes free
Post-Run: 18,217,926,656 bytes free

- - End Of File - - 52C771FED52B52BD875234EA1AE80841

What does this mean?

thanks again, Pete
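Added example (not ComboFix's code, and not anything posted in the thread): two checks a removal helper makes by eye on a ComboFix log, written out in Python so they can be run over the log text. The first finds the per-user proxy that explains why Pete lost internet access once the Dr.Web clean-up killed the rogue (the same setting he cleared in reply #7 through Internet Options > LAN Settings); the second finds the cluster of equally sized, randomly named DLLs dropped straight into AppData\Local, which are the files the CFScript in the next reply collects. The line layouts are taken from the log above; SAMPLE_LOG is a constructed subset of it, and the "three or more files of one size" threshold is this example's own heuristic.

```python
"""Two checks on a ComboFix log, added as an example for this thread.

Not ComboFix's own code. It assumes the line layouts visible in Pete's log:
  Files Created:       '<created> . <modified> <size> <attrs> <path>'
                       (directories carry '--------' in the size column)
  Supplementary Scan:  'uInternet Settings,ProxyServer = http=127.0.0.1:6522'
SAMPLE_LOG is constructed from lines in the thread.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
# a file directly under <user>\AppData\Local or \Roaming, not in a subfolder
USER_DROP_DIR = re.compile(r"\\users\\[^\\]+\\appdata\\(local|roaming)\\[^\\]+$", re.IGNORECASE)


def parse_files(log: str):
    """Yield (size, attrs, path) for regular files in the 'Files Created' list."""
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m["size"] != "--------":
            yield int(m["size"]), m["attrs"], m["path"]


def loopback_proxies(log: str) -> list[str]:
    """Proxy entries pointing at this machine.

    Rogues like Antimalware Doctor set a per-user proxy on 127.0.0.1 so every
    browser request passes through their own process. Once that process is
    killed nothing listens on the port and the browser fails for every site,
    which is the symptom Pete reported after the Dr.Web clean-up.
    """
    found = []
    for line in log.splitlines():
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        # value forms: 'host:port', 'http=host:port', 'http=a:1;https=b:2'
        for entry in m["value"].split(";"):
            host = entry.split("=", 1)[-1].rsplit(":", 1)[0]
            try:
                if ipaddress.ip_address(host).is_loopback:
                    found.append(entry)
            except ValueError:
                if host.lower() == "localhost":
                    found.append(entry)
    return found


def same_size_drops(log: str, min_group: int = 3) -> dict[int, list[str]]:
    """Files dropped straight into a user's AppData, grouped by identical size.

    Seven DLLs of exactly 2838 bytes with random names, created minutes apart,
    are one dropper writing copies of itself; software installs do not look
    like that. Returns {size: [paths]} for groups of at least min_group.
    """
    groups: dict[int, list[str]] = defaultdict(list)
    for size, _attrs, path in parse_files(log):
        if USER_DROP_DIR.search(path):
            groups[size].append(path)
    return {s: p for s, p in groups.items() if len(p) >= min_group}


def triage(log: str) -> list[str]:
    findings = [f"loopback proxy configured: {e}" for e in loopback_proxies(log)]
    for size, paths in same_size_drops(log).items():
        findings.append(f"{len(paths)} files of {size} bytes dropped under AppData, e.g. {paths[0]}")
    return findings


# Constructed sample: a subset of the ComboFix lines Pete posted above.
SAMPLE_LOG = r"""
2010-08-23 18:30 . 2010-08-23 18:30 -------- d-----w- c:\program files\CCleaner
2010-08-22 14:51 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-22 14:24 . 2010-08-22 14:24 2838 ----a-w- c:\users\scubasteve555\AppData\Local\idofunaner.dll
2010-08-21 12:57 . 2010-08-21 12:57 2838 ----a-w- c:\users\scubasteve555\AppData\Local\iduwisucejal.dll
2010-08-21 11:33 . 2010-08-21 11:33 2838 ----a-w- c:\users\scubasteve555\AppData\Local\ecukeyoj.dll
2010-08-20 17:33 . 2010-08-20 17:33 2838 ----a-w- c:\users\scubasteve555\AppData\Local\enaroluqotiwu.dll
2010-08-20 16:36 . 2010-08-23 17:27 -------- d-----w- c:\users\scubasteve555\AppData\Local\stoqkwkdw
2010-06-15 21:13 . 2009-02-14 20:42 47360 ----a-w- c:\users\scubasteve555\AppData\Roaming\pcouffin.sys
2010-07-13 18:36 . 2008-12-31 16:29 6648 ----a-w- c:\users\scubasteve555\AppData\Local\d3d9caps.dat
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the live machine the proxy value lives in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyServer, with ProxyEnable set to 1), which is exactly what the LAN Settings dialog writes; a `reg query` of that key from Safe Mode with Networking confirms whether the hijack is still in place without trusting the GUI. Neither check proves the machine is clean: a loopback proxy is only a symptom, and the 2838-byte DLLs are what the dropper left behind, not the dropper itself, which is why the thread goes on to a CFScript rather than stopping here.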

#12
August 25th, 2010, 06:41 AM
touch (Malware Removal Team; Join Date: Jan 2007; O/S: Windows XP Pro; Posts: 3,595)
It means/shows you have a large number of infections.


Open Notepad and copy/paste the text in the codebox below into it.
Name the file CFScript
and save it on the desktop.
Code:
Killall::
Snapshot::
Collect::
c:\users\scubasteve555\AppData\Local\idofunaner.dll
c:\users\scubasteve555\AppData\Local\iduwisucejal.dll
c:\users\scubasteve555\AppData\Local\ecukeyoj.dll
c:\users\scubasteve555\AppData\Local\enaroluqotiwu.dll
c:\users\scubasteve555\AppData\Local\etojelehe.dll
c:\users\scubasteve555\AppData\Local\efaqadunujanecat.dll
c:\users\scubasteve555\AppData\Local\ivukawepa.dll
Folder::
c:\users\scubasteve555\AppData\Local\stoqkwkdw
c:\users\scubasteve555\AppData\Roaming\stoqkwkdw
c:\users\scubasteve555\AppData\Roaming\DNA
c:\users\scubasteve555\Program Files\DNA
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>


Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

When ComboFix has finished its scan/cleaning, it opens a ComboFix log along with a small message box. Now click OK in the message box to upload the compiled files for further analysis (you must have an Internet connection to upload files).

Combofix will create a logfile and display it after your computer has rebooted.

It is usually located at c:\combofix.txt; please post it in your next reply.