Laptop lagging; CPU Usage near 100%

Thanks a bunch for those valuable advice Kevin...

I'd hope to work on my laptop asap with those help of yours (flying to HK tonight n not done with packing yet..keke)..so pardon if I can't reply within the next week or so...this just has to happen just as I wanna go on a vacation happily...

Good day dude~

No problem. Have a safe trip. We can continue working on this when you get back.

Enjoy

Oh gosh...I did it ~~ I actually managed to get the first scan done...but like 8 hours...haha..Thanks Kevin~I'll enjoy myself more if I fxi this today~

Malwarebytes' Anti-Malware 1.11
Database version: 683

Scan type: Full Scan (C:\|)
Objects scanned: 123412
Time elapsed: 8 hour(s), 43 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 36
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 83

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{40722371-e24c-4b36-8e76-010bb6c7185b} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{825c19d3-35ce-428f-876b-88e080466689} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0409743c-e5e3-4bdd-9ec7-eff622530282} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6f553c18-15e6-4e5e-8f44-add50de754ed} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nowstarter.nowstarterctrl.1 (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a86d7dc-d241-4136-af64-c5d241a07651} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7a3dc573-7005-4a24-bb29-8aa47294391e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qiawpbjj.msdn_hlp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\zango (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Administrator\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\acespy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.
C:\WINDOWS\DownUpdater.exe (Adware.CWS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\acespy\systune.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\acespy\__acelog.ndx (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\7search.dll (Adware.7Search) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stfv.bin (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ESHOPEE.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wml.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vxddsk.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\users_rating.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\secuity_center_logo.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\logo_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\icon_warning.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\features.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\download_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\close_icon.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\buy_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\arrow.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\alert_icon.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\5_stars.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\4_stars.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gtv_sd.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\din.ip (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwuwin32.drv (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prrbpgbr.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jofstvyt.sbin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\detect.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\pt.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\s_detect.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\v.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\x.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\764.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\absolute key logger.lnk (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aconti.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aconti.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aconti.log (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aconti.sdb (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\acontidialer.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\adbar.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cbinst$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\daxtime.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dp0.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\eventlowg.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\fhfmm-Uninstaller.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\fhfmm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\flt.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\hcwprn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\hotporn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ie_32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplorr23.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\jd2002.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\kkcomp$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\kkcomp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\kvnab$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqad$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqad.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqui-Uninstaller.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqui.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ngd.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\pbar.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\settn.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\spredirect.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\wbeInst$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xadbrk.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xadbrk_.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xxxvideo.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\wml.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\vxddsk.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsass.log (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Did not manage to do the Combofix scan as it would run till certain stage # and my laptop would go into the blue screen (the one with the physical dumping stuff)..Then after it restarts, Windows would give a prompt saying it has recovered from a serious error...I did this thrice to make sure I followed your instructions correctly but it still happened...

It's giving you a bluescreen with a Windows system error I assume? Not the one where it's still showing the stage #s right?

Try renaming combofix.exe to something like CFfemaki84.exe instead. Then run it again and see if you can get it working successfully.

Hi Kevin! I'm back from HK!!

Thanks alot for ya advice...I redid the CF scan and managed to do it this time~~Here's the log for your further advice:

ComboFix 08-04-22.5 - Administrator 2008-05-02 3:45:53.4 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\CFfemaki84.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\SKBGM5.che
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\SKBGM6.che
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\SKBGM7.che
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\SKBGM8.che
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\SKBGM9.che
.
---- Previous Run -------
.
C:\WINDOWS\dat.txt
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-26 22:04 . 2008-04-26 22:08 <DIR> d-------- C:\ComboFix
2008-04-26 12:37 . 2008-04-26 12:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 12:37 . 2008-04-26 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 12:37 . 2008-04-26 12:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-20 12:46 . 2008-04-20 12:46 29,696 --a------ C:\My Favourites.doc
2008-04-14 01:30 . 2008-04-14 01:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 01:30 . 2008-04-14 01:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-07 03:23 . 2008-04-12 16:14 3,204 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-04-07 03:19 . 2008-04-07 03:19 <DIR> d-------- C:\Program Files\Dynacom Technologies, Inc
2008-04-07 02:57 . 1997-09-14 03:00 37,136 --a------ C:\WINDOWS\VIREG32.EXE
2008-04-07 02:57 . 2007-07-02 20:36 681 --a------ C:\WINDOWS\VIXUNIN.EXE.manifest

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 14:32 --------- d-----w C:\Program Files\CleanUp!
2008-04-20 03:17 --------- d-----w C:\Program Files\FileAmigo 7
2008-04-19 11:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-04-19 02:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-19 01:53 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-29 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-03-23 17:35 --------- d-----w C:\Program Files\iMusicSoft
2008-03-23 14:48 --------- d-----w C:\Program Files\Naver
2008-03-14 14:54 --------- d-----w C:\Program Files\Java
2008-03-08 07:06 --------- d-----w C:\Program Files\Uniblue
2008-03-01 09:24 --------- d-----w C:\Program Files\Avant Browser
2008-01-13 12:31 25,480 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-10 13:05 344064]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-04-09 03:08 73728]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 17:01 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 19:50 729178]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-10-25 06:23 499712]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-08 02:56 409600]
"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-23 02:12 17920]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-06-30 05:48 233534]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 16:47 184320]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-10-08 11:03 155648]
"imekrmig"="C:\IME\IMKR\imekrmig.exe" [2001-01-09 12:01 44544]
"AME_CSA"="amecsa.cpl" []
"TalkAndWrite"="C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [2007-05-25 03:58 2664448]
"SkypeRec"="C:\Documents and Settings\Administrator\Application Data\MXSkypeRec\MXSkypeRecorder.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"combofix"="C:\WINDOWS\system32\CF28613.exe" [2004-08-04 16:00 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-05-31 14:29:16 577597]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-03-13 02:32:36 184320]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
TK8 EasyNote 1.1.lnk - C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe [2006-09-08 21:46:32 439808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll 2005-07-26 02:41 40960 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\fscagent.exe"=
"C:\\WINDOWS\\system32\\clubbox.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\grdmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\MSNShell\\Bin\\engie.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\WINDOWS\\system32\\skcbgm.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\mstsc.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 02:31]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 16:00]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 02:35]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-04-18 09:00]
R3 msvad_simple;SoliCall;C:\WINDOWS\system32\drivers\solicall.sys [2006-06-10 16:19]
S3 AmeAtmPc;AmeAtmPc;C:\WINDOWS\system32\DRIVERS\AmeAtmPc.sys [2002-12-17 09:29]
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 16:00]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 16:00]
S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 18:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051bd34e-008a-11dc-8694-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051bd34f-008a-11dc-8694-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051bd350-008a-11dc-8694-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f96f54-c977-11db-860d-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f96f55-c977-11db-860d-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 04:04:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?4?6?9??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 3336

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HPQ\IAM\Bin\asghost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\Alwil Software\Avast4\Setup\avast.setup
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-02 4:17:48 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-01 20:17:09

Pre-Run: 38,752,821,248 bytes free
Post-Run: 38,893,514,752 bytes free

165 --- E O F --- 2008-04-12 08:15:27

Do you know what C:\My Favourites.doc is for? If not, delete it.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Quote:

File:: C:\WINDOWS\VIREG32.EXE C:\WINDOWS\VIXUNIN.EXE.manifest

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?

Hi Kevin

Thanks for ya advice again...I'd do it when I'm home...accessing this in office now..reason being that I'm suddenly blocked from this portal since 1 week ago.saying I'm attempting some attack on the forum or something... never happened to me before...something conflicting between my IP/com and the forum? i don't know..

Anywayz..prior to this latest fix..my lappie is still the same as when I first sought ya advice...

Hi Kevin...Im done with the scan again...Really appreciate that you're helping us here...

-----------------------------------------------------------------------------------

ComboFix 08-05-09.1 - Administrator 2008-05-11 22:02:25.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.496 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Combofix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 21:53 . 2008-05-11 21:53 <DIR> d-------- C:\CFfemaki84
2008-04-26 12:37 . 2008-04-26 12:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 12:37 . 2008-04-26 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 12:37 . 2008-04-26 12:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-14 01:30 . 2008-04-14 01:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 01:30 . 2008-04-14 01:30 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 09:46 --------- d-----w C:\Program Files\FileAmigo 7
2008-04-26 14:32 --------- d-----w C:\Program Files\CleanUp!
2008-04-19 11:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-04-19 02:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-19 01:53 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-12 08:14 3,204 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2008-04-06 19:19 --------- d-----w C:\Program Files\Dynacom Technologies, Inc
2008-03-29 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-03-23 17:35 --------- d-----w C:\Program Files\iMusicSoft
2008-03-23 14:48 --------- d-----w C:\Program Files\Naver
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-14 14:54 --------- d-----w C:\Program Files\Java
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-01-13 12:31 25,480 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-05-02_ 4.16.23.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 19:59:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-11 13:14:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-11 13:16:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-10 13:05 344064]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-04-09 03:08 73728]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 17:01 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 19:50 729178]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-10-25 06:23 499712]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-08 02:56 409600]
"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-23 02:12 17920]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-06-30 05:48 233534]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 16:47 184320]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-10-08 11:03 155648]
"imekrmig"="C:\IME\IMKR\imekrmig.exe" [2001-01-09 12:01 44544]
"AME_CSA"="amecsa.cpl" []
"TalkAndWrite"="C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [2007-05-25 03:58 2664448]
"SkypeRec"="C:\Documents and Settings\Administrator\Application Data\MXSkypeRec\MXSkypeRecorder.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-05-31 14:29:16 577597]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-03-13 02:32:36 184320]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
TK8 EasyNote 1.1.lnk - C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe [2006-09-08 21:46:32 439808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll 2005-07-26 02:41 40960 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\fscagent.exe"=
"C:\\WINDOWS\\system32\\clubbox.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\grdmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\MSNShell\\Bin\\engie.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\WINDOWS\\system32\\skcbgm.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\mstsc.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 02:31]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 16:00]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 02:35]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-04-18 09:00]
R3 msvad_simple;SoliCall;C:\WINDOWS\system32\drivers\solicall.sys [2006-06-10 16:19]
S3 AmeAtmPc;AmeAtmPc;C:\WINDOWS\system32\DRIVERS\AmeAtmPc.sys [2002-12-17 09:29]
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 16:00]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 16:00]
S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 18:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051bd34e-008a-11dc-8694-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051bd34f-008a-11dc-8694-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051bd350-008a-11dc-8694-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f96f54-c977-11db-860d-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f96f55-c977-11db-860d-0010c6fc62db}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 22:07:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?4?6?9??`???? ???B?????????????hLC? ??????

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-11 22:12:30
ComboFix-quarantined-files.txt 2008-05-11 14:11:23
ComboFix2.txt 2008-05-01 20:17:49

Pre-Run: 39,020,957,696 bytes free
Post-Run: 39,250,161,664 bytes free

140 --- E O F --- 2008-04-12 08:15:27

Is the laptop still running slow after all the fixes? If so, run the below scan:

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply along with a new HijackThis log.

Hello there

Yes the laptop's still running slow..But it's better than when I initially brought the problem here~~cheers..

I;ve tried to do the panda scan but the activex cannot be installed and loaded... it says "Sorry, loading is incomplete due to an error. Please try again"...It'll load till 95% when files are copied to my hard disk..then it halts and the error msg is displayed..I need some advice here...really not a techy person to analyze even this small stumbling stone...

Download SDFix at http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computerAfter hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum.

Download SmitfraudFix at http://siri.urz.free.fr/Fix/SmitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so!

NOTE: process.exe is detected by some antivirus programs as a Risk Tool. It is not a virus. If you get this detected, ignore it.

SDFix: Version 1.183
Run by Administrator on Sun 05/18/2008 at 12:38 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 12:57:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications]
"øÂtÇÔÆÜ\xb4 ?\xa4ÂSÒ\24µ$Æ"="C:\Program Files\Cyworld Studio\CyStudio.exe /StiDevice:%1 /StiEvent:%2\0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\hü]
"Í\x2039í\x2039T\x20acó`"=dword:00000001
"Í\x2039í\x2039\x201c\x008feQ"=dword:00000001
"\20\x90\20nÐc:y"=dword:00000001
"\26Y\1xÐc:y"=dword:00000001
"Òczz<h"=dword:00000000
"IQ\ahß\x8d\x8f\x2013"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\fscagent.exe"="C:\\WINDOWS\\system32\\fscagent.exe:*:Enabled:fscagent"
"C:\\WINDOWS\\system32\\clubbox.exe"="C:\\WINDOWS\\system32\\clubbox.exe:*:Enabled:clubbox"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\grdmgr.exe"="C:\\WINDOWS\\system32\\grdmgr.exe:*:Enabled:CDN ???? ??"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\MSNShell\\Bin\\engie.exe"="C:\\Program Files\\MSNShell\\Bin\\engie.exe:*:Enabled:MSNShell"
"C:\\Program Files\\Avant Browser\\avant.exe"="C:\\Program Files\\Avant Browser\\avant.exe:*:Enabled:Avant Browser"
"C:\\WINDOWS\\system32\\skcbgm.exe"="C:\\WINDOWS\\system32\\skcbgm.exe:*:Enabled:SK Communications Cyworld BGM Player"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS\\system32\\mstsc.exe"="C:\\WINDOWS\\system32\\mstsc.exe:*:Enabled:Remote Desktop Connection"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 22 Mar 2008 1,823,744 ...H. --- "C:\Feli's Stuff\~WRL3959.tmp"
Thu 14 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sat 13 May 2006 395,264 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2063.tmp"
Fri 24 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 19 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 17 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0089cd1ec7c03d0a52caa6b6ea801507\BIT8.tmp"
Thu 10 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT12.tmp"
Sat 7 Apr 2007 189,440 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0327.tmp"
Mon 19 Mar 2007 587,776 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1611.tmp"
Sat 7 Apr 2007 304,128 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2105.tmp"
Fri 18 Jan 2008 0 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3481.tmp"
Sat 7 Apr 2007 308,224 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3976.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe"
Fri 24 Mar 2006 4,348 ...H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1key.bak"
Fri 24 Mar 2006 20 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 24 Mar 2006 400 A.SH. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2key.bak"
Wed 15 Feb 2006 40,448 A..H. --- "C:\Feli's Stuff\School\BBBA 2005-2007\Sem 4- SO, OTD, WIL, P&M\(OTD) Organisation Theory & Design [Credit]\~WRL0531.tmp"
Fri 17 Feb 2006 229,376 A..H. --- "C:\Feli's Stuff\School\BBBA 2005-2007\Sem 4- SO, OTD, WIL, P&M\(OTD) Organisation Theory & Design [Credit]\~WRL0645.tmp"
Fri 17 Feb 2006 94,720 A..H. --- "C:\Feli's Stuff\School\BBBA 2005-2007\Sem 4- SO, OTD, WIL, P&M\(OTD) Organisation Theory & Design [Credit]\~WRL1228.tmp"
Sat 13 May 2006 98,816 A..H. --- "C:\Feli's Stuff\School\BBBA 2005-2007\Sem 4- SO, OTD, WIL, P&M\Work Integrated Learning 1 [Distinction]\~WRL1245.tmp"
Thu 11 May 2006 111,616 A..H. --- "C:\Feli's Stuff\School\BBBA 2005-2007\Sem 4- SO, OTD, WIL, P&M\Work Integrated Learning 1 [Distinction]\~WRL1930.tmp"
Wed 19 Apr 2006 30,208 A..H. --- "C:\Feli's Stuff\School\BBBA 2005-2007\Sem 4- SO, OTD, WIL, P&M\Work Integrated Learning 1 [Distinction]\~WRL2998.tmp"
Mon 19 Mar 2007 1,681,920 A..H. --- "C:\Feli's Stuff\School\BBBA 2005-2007\Sem 6-WIL2, SM, WER, MC\Strategic Mgt [Cr]\~WRL3894.tmp"
Sat 7 Apr 2007 456,192 A..H. --- "C:\Feli's Stuff\School\BBBA 2005-2007\Sem 6-WIL2, SM, WER, MC\WIL 2 [Di]\~WRL2133.tmp"
Sat 7 Apr 2007 492,032 A..H. --- "C:\Feli's Stuff\School\BBBA 2005-2007\Sem 6-WIL2, SM, WER, MC\WIL 2 [Di]\~WRL2628.tmp"

Finished!


----------------------------------------------------------------------------------

SmitFraudFix v2.242

Scan done at 13:52:14.59, Sun 05/18/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{66BE9090-E4DA-402D-8CA7-5BB3B1D463A8}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{66BE9090-E4DA-402D-8CA7-5BB3B1D463A8}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{66BE9090-E4DA-402D-8CA7-5BB3B1D463A8}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

----------
tHANkS KevIn!