Antimalware Doctor

Hi,

Computer infected with "antimalwaredoctor". Recently was infected with Bankerfox too, but got rid of that- not sure if it's connected?

Don't know how to get rid of this one though,

help much appreciated

Welcome to GeekPolice Forums! I'm Crush but, you can call me Chris too and I will be helping you with your Malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries

3. This may turn into a long ordeal but, rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.

---

IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly .

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this click , then click Preferences. Make sure Always notify me of replies is set to Yes

---

With that out of the way:

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

Commyexe - put it on computer (in safe mode?) and it said it's preparing to run, access denied.
and it's now "attempting to create a new System Restore point"

?

now it says deleting files. access denied.

C:\Windows\system32\autorun.inf

and says completerd stage-1, up to stage 5?

Ok please let it run. It may take a while

I tried to open my computer to see the log file but its frozen :/

had to restart and try and find it.
think I found it :


ComboFix 10-07-15.01 - Lucia 15/07/2010 20:26:10.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1013.601 [GMT 1:00]
Running from: C:\Users\Lucia\Desktop\commy.exe
Command switches used :: /stepdel
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Lucia\AppData\Roaming\48771D8FCAF5EA9A40AB489FE89C9562
C:\Users\Lucia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
C:\Users\Lucia\AppData\Roaming\48771D8FCAF5EA9A40AB489FE89C9562\070700Setup.exe
C:\Users\Lucia\AppData\Roaming\48771D8FCAF5EA9A40AB489FE89C9562\enemies-names.txt
C:\Users\Lucia\AppData\Roaming\48771D8FCAF5EA9A40AB489FE89C9562\local.ini
C:\Users\Lucia\AppData\Roaming\48771D8FCAF5EA9A40AB489FE89C9562\lsrslt.ini
C:\Users\Lucia\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk
C:\Users\Lucia\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk
C:\Users\Lucia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
C:\Users\Lucia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
C:\Users\Lucia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk
C:\Users\Lucia\Desktop\Antimalware Doctor.lnk
C:\Windows\system32\AutoRun.inf

.

that's not the full logfile. I will need the full logfile located at C:\combofix.txt

I couldnt find a combofix.txt in C:\ so I started again.
I let it run through just as before and when it was done the window dissapeared.
I never saw the windows in the screenshots you have posted above.
At this point last time I tried to find the combofix.txt, but the computer froze and had to reboot.
This time I thought I should just wait to see if anything happens, but it dosent seem to be doing anything.
I dont want to do anything just yet incase it freezes again.
Is this supposed to happen? what do I do now?

ComboFix 10-07-15.01 - Lucia 16/07/2010 0:35.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1013.205 [GMT 1:00]
Running from: c:\users\Lucia\Desktop\commy.exe
Command switches used :: /stepdel
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-15 23:50 . 2010-07-15 23:50 -------- d-----w- c:\users\Lucia\AppData\Local\temp
2010-07-15 23:50 . 2010-07-15 23:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-15 22:00 . 2010-07-15 22:10 -------- d-----w- C:\commy7678c
2010-07-15 19:22 . 2010-07-15 19:32 -------- d-----w- C:\commy
2010-07-01 22:42 . 2010-07-01 22:42 -------- d-----w- c:\users\Lucia\AppData\Roaming\Floodlight Games
2010-07-01 22:42 . 2010-07-01 22:42 -------- d-----w- c:\programdata\Floodlight Games
2010-07-01 22:38 . 2010-07-01 22:38 -------- d-----w- c:\program files\Agatha Christie - 450 from Paddington
2010-06-24 23:14 . 2009-11-08 09:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 23:13 . 2009-11-08 09:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 23:13 . 2009-11-08 09:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 23:13 . 2009-11-08 09:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 23:13 . 2009-11-08 09:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 08:31 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 08:31 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 23:52 . 2008-11-06 21:03 -------- d-----w- c:\programdata\Kontiki
2010-07-14 12:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-14 12:17 . 2008-10-19 17:31 -------- d-----w- c:\programdata\Microsoft Help
2010-06-27 23:13 . 2008-09-14 07:56 -------- d-----w- c:\program files\Google
2010-06-25 08:05 . 2010-03-16 21:30 -------- d-----w- c:\users\Lucia\AppData\Roaming\Skype
2010-06-25 02:02 . 2008-10-19 17:34 -------- d-----w- c:\program files\Microsoft.NET
2010-06-06 11:42 . 2009-05-05 20:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 23:05 . 2010-03-16 21:33 -------- d-----w- c:\users\Lucia\AppData\Roaming\skypePM
2010-05-29 10:57 . 2010-05-29 10:57 -------- d-----w- c:\program files\Windows Portable Devices
2010-05-29 10:57 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-29 10:56 . 2010-05-29 10:56 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-26 20:22 . 2009-05-05 20:33 -------- d-----w- c:\program files\Microsoft
2010-05-26 20:15 . 2008-12-25 21:18 -------- d-----w- c:\users\Lucia\AppData\Roaming\Apple Computer
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-26 17:06 . 2010-06-12 11:39 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-12 11:39 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 13:14 . 2010-05-08 09:22 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-08 07:54 . 2008-11-21 20:11 5972 ----a-w- c:\users\Lucia\AppData\Local\d3d9caps.dat
2010-05-06 20:59 . 2010-05-08 08:51 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2010-05-08 08:51 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2010-05-08 08:53 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2010-05-08 08:53 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2010-05-08 08:53 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:34 . 2010-05-08 08:53 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-06 20:33 . 2010-05-08 08:53 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-04 05:59 . 2010-06-12 11:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-12 11:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-12 11:38 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-12 11:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-12 11:38 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 14:45 . 2010-04-28 14:45 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-23 14:13 . 2010-05-25 21:59 2048 ----a-w- c:\windows\system32\tzres.dll
2008-09-14 16:25 . 2008-09-14 16:24 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"kdx"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-12-16 3528440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-16 3444736]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"4oD"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960]
"HostManager"="c:\program files\Common Files\AOL\1233090106\ee\AOLSoftware.exe" [2006-11-14 50736]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]

c:\users\Lucia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-9-14 50688]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-14 08:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7c,d6,66,62,0f,fd,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9d1ad15e5f527;Google Update Service (gupdate1c9d1ad15e5f527);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 133104]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-03-06 111616]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 20:22]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-gvwkmunq - c:\users\Lucia\AppData\Local\kbjtfrskj\lcpworttssd.exe
HKCU-Run-070700Setup.exe - c:\users\Lucia\AppData\Roaming\48771D8FCAF5EA9A40AB489FE89C9562\070700Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 00:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Lucia\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-16 00:55:49
ComboFix-quarantined-files.txt 2010-07-15 23:55

Pre-Run: 69,106,737,152 bytes free
Post-Run: 69,049,831,424 bytes free

- - End Of File - - EEF451E9EA2FE4A6B501D2645FB671CE

Hi torton,

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   Rootkit::
   c:\users\Lucia\AppData\Local\Temp\catchme.dll
   
   DDS::
   uInternet Settings,ProxyOverride =
   uInternet Settings,ProxyServer = http=127.0.0.1:5555
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

ComboFix 10-07-15.01 - Lucia 16/07/2010 11:20:15.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1013.119 [GMT 1:00]
Running from: c:\users\Lucia\Desktop\commy.exe
Command switches used :: C:\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))
.

2010-07-16 10:33 . 2010-07-16 10:38 -------- d-----w- c:\users\Lucia\AppData\Local\temp
2010-07-16 10:33 . 2010-07-16 10:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-16 10:33 . 2010-07-16 10:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-15 23:32 . 2010-07-15 23:55 -------- d-----w- C:\commy24075c
2010-07-15 22:00 . 2010-07-15 22:10 -------- d-----w- C:\commy7678c
2010-07-15 19:22 . 2010-07-15 19:32 -------- d-----w- C:\commy
2010-07-01 22:42 . 2010-07-01 22:42 -------- d-----w- c:\users\Lucia\AppData\Roaming\Floodlight Games
2010-07-01 22:42 . 2010-07-01 22:42 -------- d-----w- c:\programdata\Floodlight Games
2010-07-01 22:38 . 2010-07-01 22:38 -------- d-----w- c:\program files\Agatha Christie - 450 from Paddington
2010-06-24 23:14 . 2009-11-08 09:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 23:13 . 2009-11-08 09:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 23:13 . 2009-11-08 09:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 23:13 . 2009-11-08 09:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 23:13 . 2009-11-08 09:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 08:31 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 08:31 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-16 10:41 . 2008-11-06 21:03 -------- d-----w- c:\programdata\Kontiki
2010-07-14 12:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-14 12:17 . 2008-10-19 17:31 -------- d-----w- c:\programdata\Microsoft Help
2010-06-27 23:13 . 2008-09-14 07:56 -------- d-----w- c:\program files\Google
2010-06-25 08:05 . 2010-03-16 21:30 -------- d-----w- c:\users\Lucia\AppData\Roaming\Skype
2010-06-25 02:02 . 2008-10-19 17:34 -------- d-----w- c:\program files\Microsoft.NET
2010-06-06 11:42 . 2009-05-05 20:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 23:05 . 2010-03-16 21:33 -------- d-----w- c:\users\Lucia\AppData\Roaming\skypePM
2010-05-29 10:57 . 2010-05-29 10:57 -------- d-----w- c:\program files\Windows Portable Devices
2010-05-29 10:56 . 2010-05-29 10:56 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-26 20:22 . 2009-05-05 20:33 -------- d-----w- c:\program files\Microsoft
2010-05-26 20:15 . 2008-12-25 21:18 -------- d-----w- c:\users\Lucia\AppData\Roaming\Apple Computer
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-26 20:01 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-26 17:06 . 2010-06-12 11:39 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-12 11:39 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 13:14 . 2010-05-08 09:22 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-08 07:54 . 2008-11-21 20:11 5972 ----a-w- c:\users\Lucia\AppData\Local\d3d9caps.dat
2010-05-06 20:59 . 2010-05-08 08:51 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2010-05-08 08:51 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2010-05-08 08:53 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2010-05-08 08:53 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2010-05-08 08:53 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:34 . 2010-05-08 08:53 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-06 20:33 . 2010-05-08 08:53 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-04 05:59 . 2010-06-12 11:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-12 11:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-12 11:38 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-12 11:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-12 11:38 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 14:45 . 2010-04-28 14:45 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-23 14:13 . 2010-05-25 21:59 2048 ----a-w- c:\windows\system32\tzres.dll
2008-09-14 16:25 . 2008-09-14 16:24 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"kdx"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-12-16 3528440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-16 3444736]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"4oD"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960]
"HostManager"="c:\program files\Common Files\AOL\1233090106\ee\AOLSoftware.exe" [2006-11-14 50736]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]

c:\users\Lucia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-9-14 50688]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-14 08:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7c,d6,66,62,0f,fd,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9d1ad15e5f527;Google Update Service (gupdate1c9d1ad15e5f527);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 133104]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-03-06 111616]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 20:22]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\DellTPad\HidFind.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-07-16 11:49:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-16 10:49
ComboFix2.txt 2010-07-15 23:55

Pre-Run: 68,962,127,872 bytes free
Post-Run: 68,855,173,120 bytes free

- - End Of File - - 5819A4F7DA4FC8B1143188DD86AE0968

How are things running now?

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log

thank you. It seems to be okay but I'm just concerned because I've had other viruses recently and unlike them I'm not sure where this one came from.

here is the scan-



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4322

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

17/07/2010 23:06:46
mbam-log-2010-07-17 (23-06-46).txt

Scan type: Quick scan
Objects scanned: 130346
Time elapsed: 17 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

You are strongly advised to do the following:

• Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  
• Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  
• Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  
• From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups