WiredWX Christian Hobby Weather Tools

Re: Need Help to remove Antimalware Doctor

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Need Help to remove Antimalware Doctor

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=25da58727e6ebb42b15da5020dff6015
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-31 09:54:08
# local_time=2010-07-31 04:54:08 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 9202855 9202855 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=122855
# found=10
# cleaned=10
# scan_time=8051
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\31\475ee9f-4f061400 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\42\3c071b2a-54b6c946 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Application Data\Sun\Java\Deployment\cache\6.0\6\13b98886-414ec045 a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\92.tmp a variant of Win32/Olmarik.UL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\jar_cache3974793204991448007.tmp a variant of Java/TrojanDownloader.Agent.NBA trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\jar_cache6146789445735889649.tmp a variant of Java/Exploit.Agent.NAC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\soenxrwcma.tmp a variant of Win32/Injector.BCP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\xwcaonmres.tmp a variant of Win32/VB.PAM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\Local Settings\temp\plugtmp-45\plugin-Notes2.pdf JS/Exploit.Pdfka.OAH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\nikki\My Documents\Downloads\exeHelper.com probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=25da58727e6ebb42b15da5020dff6015
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-11 03:58:16
# local_time=2010-08-11 10:58:16 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 10135816 10135816 0 0
# compatibility_mode=8192 67108863 100 0 846733 846733 0 0
# scanned=95988
# found=7
# cleaned=7
# scan_time=4141
C:\System Volume Information\_restore{4A0D1951-71BC-4D67-9DE1-F4CF525A2DED}\RP352\A0137845.dll Win32/Adware.Lifze.N application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4A0D1951-71BC-4D67-9DE1-F4CF525A2DED}\RP354\A0137954.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\sxlsex80.dll a variant of Win32/Cimag.DC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\kxigp.dll Win32/Adware.Lifze.N application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\srenum.sys Win32/Rootkit.Agent.NTI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\temp\gilnnw.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\temp\rmukuo.exe a variant of Win32/Cimag.DC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: Need Help to remove Antimalware Doctor

I'd like to see this a bit closer...

Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe.
  • Click Settings > Options. Drag the slider to High Level. Then, click the Red X.
  • Go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Re: Need Help to remove Antimalware Doctor

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/08/11 16:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7477000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\alfexj.sys
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89c035e0 Size: 2593

Hidden Services
-------------------
Service Name: alfexj
Image Path: C:\WINDOWS\system32\drivers\alfexj.sys

==EOF==
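
Why alfexj.sys stands out in the report above, as an added example (not part of the original posts and not RootRepeal's own code): it parses the report's sections and checks whether a hidden service's driver file also appears in the hidden/locked file list. The function names are illustrative, and the section layout is assumed from this one report.

```python
import re

# Abridged copy of the RootRepeal report posted above (banner and Drivers omitted).
REPORT = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\alfexj.sys
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89c035e0 Size: 2593

Hidden Services
-------------------
Service Name: alfexj
Image Path: C:\WINDOWS\system32\drivers\alfexj.sys

==EOF==
"""

def parse_sections(text):
    """Return {section title: [record, ...]} for a RootRepeal text report."""
    lines = text.splitlines()
    sections, current = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and re.fullmatch(r"-{5,}", nxt.strip()):
            current = sections.setdefault(line.strip(), [])  # title sits above a dash rule
            continue
        key, sep, value = line.strip().partition(": ")
        if current is None or not sep:
            continue  # banner, rules, blank lines, ==EOF==
        if not current or key in current[-1]:
            current.append({})  # first or repeated key starts a new record
        current[-1][key] = value.strip()
    return sections

def correlate(sections):
    """Match each hidden service's driver against the hidden/locked file list."""
    locked = {r["Path"].lower(): r.get("Status", "")
              for r in sections.get("Hidden/Locked Files", []) if "Path" in r}
    findings = [{"service": s.get("Service Name", ""),
                 "image": s.get("Image Path", ""),
                 # Windows paths are case-insensitive; None means the file is visible
                 "file_status": locked.get(s.get("Image Path", "").lower())}
                for s in sections.get("Hidden Services", [])]
    hooks = [r["Object"] for r in sections.get("Stealth Objects", []) if "Object" in r]
    return findings, hooks

if __name__ == "__main__":
    print(correlate(parse_sections(REPORT)))
```

A service that is hidden and whose driver file is also locked to the Windows API, alongside hidden code on an Ntfs IRP handler, is the combination that makes this one file worth a closer look.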

Re: Need Help to remove Antimalware Doctor

I wonder what this is: C:\WINDOWS\system32\drivers\alfexj.sys

  • Please go to VirSCAN.org FREE on-line scan service
  • Browse for the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\system32\drivers\alfexj.sys

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Re: Need Help to remove Antimalware Doctor

It won't let me upload it. It says "ERROR: Can't Upload file!"

Re: Need Help to remove Antimalware Doctor

Your computer gets reinfected, I noticed, which is why I had you run an online scan so much.

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[Image: Query_RC]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Image: RC_successful]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Need Help to remove Antimalware Doctor

Still with us? Please let me know how things are going!
