
Solved AVG is finding Trojan but won't remove file pdcapdc.dll.bak

Discussion in 'Malware and Virus Removal Archive' started by juliek247, 2007/08/10.

  1. 2007/08/10
    juliek247

    juliek247 Inactive Thread Starter

    Joined:
    2007/08/09
    Messages:
    5
    Likes Received:
    0
    [Resolved] AVG is finding Trojan but won't remove file pdcapdc.dll.bak

    Hello,
    This is my first time posting here and I hope I give you everything you need to help me. I'm fixing a friend's computer and I have installed and run AVG Free, and every time it detects the following Trojan BHO.BQ in the file pdcapdc.dll.bak. It says it has to restart to finish the repair but never completes the repair. I've turned everything off from the msconfig startup, and it still takes 8-10 min to boot up. The speakers sound like poop every time they play the startup music. I don't know if the sound can be fixed when the bugs are gone. She didn't have any anti-virus, anti-spyware or firewall on when I got the computer. I have installed and run the following: AVG Free Anti-virus and spyware, Sygate as a firewall, A-squared. All help is greatly appreciated!

    She has a Toshiba Satellite with 512 RAM, XP with SP2.

    Thanks, in advance, for your help!
    Julie


    Here is the HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:45:44 AM, on 8/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sygate.com/swat/support/spf50_reg.htm
    O2 - BHO: (no name) - {0083FFFA-535A-4583-8F5F-648A475B44B5} - C:\WINDOWS\system32\wiyddakd.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {14D1A72D-8705-11D8-B120-000000000000} - (no file)
    O2 - BHO: (no name) - {14D1A72D-8705-11D8-B120-0040F46CB696} - (no file)
    O2 - BHO: (no name) - {25DCE1C1-8ED5-4F03-B51F-54DBED07B57c} - C:\WINDOWS\system32\wiyddakd.dll
    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - (no file)
    O2 - BHO: (no name) - {40902913-93A6-4AAA-97C2-1C0CE5B7CCA2} - c:\windows\system32\pdcapdc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Explorer Helper - {626482AF-17D0-5DFC-C12D-32A58E631863} - (no file)
    O2 - BHO: (no name) - {78C696ED-ECD9-4059-8039-067DCB5903C1} - c:\windows\system32\ywtjhzof.dll
    O2 - BHO: (no name) - {8505045B-2F9A-4869-A039-7BADAA4A479b} - C:\WINDOWS\system32\wiyddakd.dll
    O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - (no file)
    O2 - BHO: (no name) - {A2E4AF4D-AC7E-4BB4-B952-FAA0FBA684A2} - C:\WINDOWS\system32\wiyddakd.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {B3998C99-4349-44A4-92E7-D175B9369E5c} - C:\WINDOWS\system32\wiyddakd.dll
    O2 - BHO: (no name) - {D2663995-7F24-4BCC-8398-7EAE0E2424Dd} - C:\WINDOWS\system32\wiyddakd.dll
    O2 - BHO: (no name) - {F3727275-224F-4AB0-8642-7D461EFB82D8} - (no file)
    O2 - BHO: (no name) - {FB8D7041-F1DF-4D57-9DCE-E73F015E4F93} - C:\WINDOWS\system32\wiyddakd.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-21-4262110071-3640697663-1518942255-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O20 - Winlogon Notify: chraianz - C:\WINDOWS\SYSTEM32\pdcapdc.dll
    O20 - Winlogon Notify: cmkje - cmkje.dll (file missing)
    O20 - Winlogon Notify: fhdge - fhdge.dll (file missing)
    O20 - Winlogon Notify: kcage - kcage.dll (file missing)
    O20 - Winlogon Notify: locvd - locvd.dll (file missing)
    O20 - Winlogon Notify: mstsc - mstsc.dll (file missing)
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 8781 bytes
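    The log above is read by eye in this thread (unnamed BHOs in system32, a Winlogon Notify package pointing at the same pdcapdc.dll, orphaned entries marked "(no file)" or "(file missing)"). As an added example, not code from this thread or from Trend Micro, here is a small Python triage script that applies that same reading to HijackThis O2 and O20 lines: orphaned entries are classed as cleanup, an unnamed BHO loaded from system32 is classed as suspect, and DLLs are cross-referenced so that one file behind several CLSIDs, or a BHO DLL that doubles as a Winlogon Notify package, is reported. The sample lines are copied from the log above (plus the legitimate Adobe BHO for contrast); the rules are my own heuristics, not HijackThis's.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines.

Added example; heuristics are my own, not HijackThis's.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus the legitimate Adobe BHO from the same log for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0083FFFA-535A-4583-8F5F-648A475B44B5} - C:\WINDOWS\system32\wiyddakd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14D1A72D-8705-11D8-B120-000000000000} - (no file)
O2 - BHO: (no name) - {25DCE1C1-8ED5-4F03-B51F-54DBED07B57c} - C:\WINDOWS\system32\wiyddakd.dll
O2 - BHO: (no name) - {40902913-93A6-4AAA-97C2-1C0CE5B7CCA2} - c:\windows\system32\pdcapdc.dll
O2 - BHO: (no name) - {78C696ED-ECD9-4059-8039-067DCB5903C1} - c:\windows\system32\ywtjhzof.dll
O20 - Winlogon Notify: chraianz - C:\WINDOWS\SYSTEM32\pdcapdc.dll
O20 - Winlogon Notify: cmkje - cmkje.dll (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # "O2", "O20" or "XREF"
    subject: str   # CLSID, notify key name or DLL basename
    severity: str  # "cleanup" (dead registry entry) or "suspect" (live loader)
    reason: str


def is_orphan(path: str) -> bool:
    """HJT marks entries whose target no longer exists as (no file) / (file missing)."""
    return path == "(no file)" or path.endswith("(file missing)")


def triage(log_text: str) -> list:
    findings = []
    bho_dlls = defaultdict(list)   # dll basename -> CLSIDs that load it
    notify_dlls = {}               # dll basename -> Winlogon Notify key name

    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O2_RE.match(line):
            name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
            if is_orphan(path):
                findings.append(Finding("O2", clsid, "cleanup", "BHO registered but its DLL is gone"))
                continue
            base = ntpath.basename(path).lower()   # ntpath splits Windows paths on any host
            bho_dlls[base].append(clsid)
            # A BHO with no registered name, living in system32, is not how legitimate add-ons ship.
            if name == "(no name)" and SYSTEM32_RE.search(path):
                findings.append(Finding("O2", clsid, "suspect", f"unnamed BHO loaded from system32: {base}"))
        elif m := O20_RE.match(line):
            key, path = m.group("key"), m.group("path")
            if is_orphan(path):
                findings.append(Finding("O20", key, "cleanup", "Winlogon Notify package with missing DLL"))
            else:
                base = ntpath.basename(path).lower()
                notify_dlls[base] = key
                # HJT only lists non-default Notify packages; each one runs inside winlogon at logon.
                findings.append(Finding("O20", key, "suspect", f"Winlogon Notify package loads {base} at logon"))

    # Cross-reference: one DLL behind several CLSIDs, or a BHO DLL that is also a Notify package.
    for base, clsids in bho_dlls.items():
        if len(clsids) > 1:
            findings.append(Finding("XREF", base, "suspect", f"same DLL behind {len(clsids)} BHO CLSIDs"))
        if base in notify_dlls:
            findings.append(Finding("XREF", base, "suspect",
                                    f"BHO DLL also registered as Winlogon Notify '{notify_dlls[base]}'"))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity so a reader sees cleanup vs. live-loader items at a glance."""
    counts = {"cleanup": 0, "suspect": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:7}] {f.section:4} {f.subject}: {f.reason}")
    print(summarize(results))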
     
  2. 2007/08/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS juliek247 :)

    Download VundoFix by Atribune, saving it to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Then;

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log, the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    I'll check back in this evening.
     


  4. 2007/08/11
    juliek247

    juliek247 Inactive Thread Starter

    Joined:
    2007/08/09
    Messages:
    5
    Likes Received:
    0
    Vundo Did not work on reboot...tried 3 times...

    Hello,
    Thank you for your suggestions! Here are my findings. I ran VundoFix and it found 11 issues and fixed 10, then said it had to reboot; the PC rebooted and tried to fix the issue but then once again said it could not delete some files and a reboot was necessary. I did this 2 more times with no success.

    I canceled VundoFix on the third try and did the ComboFix. It was hard to understand what ComboFix did. I'm posting the ComboFix log here in hopes that you can explain it! I've thought about manually deleting the file with a Shift+Delete, but I'm afraid the Trojan has embedded itself in other areas and I may cause more harm when trying to delete the file. Do you have any other suggestions? Thanks again! Julie

    ComboFix Log File:

    ComboFix 07-08-09.3 - "kristi" 2007-08-11 6:58:11.1 - NTFSx86


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\144.exe
    C:\WINDOWS\1800.exe
    C:\WINDOWS\1809.exe
    C:\WINDOWS\update7.exe


    ((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


    2007-08-11 06:55 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-10 16:05 <DIR> d-------- C:\VundoFix Backups
    2007-08-10 08:13 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-08-10 07:46 <DIR> d-------- C:\DOCUME~1\NETWOR~1\.housecall6.6
    2007-08-10 06:36 <DIR> d---s---- C:\DOCUME~1\kristi\UserData
    2007-08-10 06:06 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-10 05:59 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
    2007-08-10 05:59 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
    2007-08-10 05:59 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
    2007-08-10 05:58 <DIR> d-------- C:\Program Files\Sygate
    2007-08-10 05:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-09 08:44 1,835,008 --ah----- C:\DOCUME~1\kristi\NTUSER.DAT
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\WINDOWS
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\You've Got Pictures Screensaver
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\toshiba
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\Intuit
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\ATI
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\AOL
    2007-08-09 08:22 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-08-09 06:33 <DIR> d-------- C:\Program Files\a-squared Free
    2007-08-09 01:25 <DIR> d-------- C:\WINDOWS\pss
    2007-08-08 23:17 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
    2007-08-08 23:03 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-08-08 18:31 <DIR> d-------- C:\Program Files\CCleaner
    2007-08-02 14:11 94,208 --a------ C:\WINDOWS\system32\cwtrihoi.dll
    2007-08-02 14:11 751,616 --a------ C:\WINDOWS\system32\pvhxjidp.dll
    2007-07-26 19:58 <DIR> d-------- C:\Downloads
    2007-07-19 09:45 <DIR> d-------- C:\Temp


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-11 06:56 77312 --a------ C:\WINDOWS\system32\pdcapdc.dll
    2007-08-11 06:56 41984 --a------ C:\WINDOWS\system32\ptxnvcoh.dll
    2007-08-10 06:52 122368 --a------ C:\WINDOWS\system32\foucjjoc.dll
    2007-08-10 06:44 --------- d-------- C:\Program Files\Google
    2007-08-08 06:36 64000 --a------ C:\WINDOWS\system32\ywtjhzof.dll
    2007-07-26 20:11 88018 --ahs---- C:\WINDOWS\system32\ospcont.dat
    2007-07-25 19:26 412160 --a------ C:\WINDOWS\installer.exe
    2007-07-15 09:17 359808 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-07-15 09:17 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
    2007-07-14 08:11 --------- d-------- C:\Program Files\LimeWire
    2007-06-30 12:04 42496 --a------ C:\WINDOWS\system32\rhwedplk.dll
    2007-06-20 20:29 --------- d-------- C:\Program Files\Common Files\SupportSoft
    2007-06-20 20:29 --------- d-------- C:\Program Files\CHARTER
    2007-06-20 20:14 1515 --a--c--- C:\WINDOWS\checkip.dat
    2007-05-27 07:12 684567 --a------ C:\WINDOWS\system32\libeay32.dll
    2007-05-27 07:12 147729 --a------ C:\WINDOWS\system32\libssl32.dll
    2007-05-16 10:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 10:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 10:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 10:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 10:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
    C:\WINDOWS\system32\drivers\niqdxuzn.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0083FFFA-535A-4583-8F5F-648A475B44B5}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14D1A72D-8705-11D8-B120-000000000000}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25DCE1C1-8ED5-4F03-B51F-54DBED07B57c}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36645342-9475-2663-166A-466739207346}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40902913-93A6-4AAA-97C2-1C0CE5B7CCA2}]
    2007-08-11 06:56 77312 --a------ c:\windows\system32\pdcapdc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{626482AF-17D0-5DFC-C12D-32A58E631863}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78C696ED-ECD9-4059-8039-067DCB5903C1}]
    2007-08-08 06:36 64000 --a------ c:\windows\system32\ywtjhzof.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8505045B-2F9A-4869-A039-7BADAA4A479b}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98B822AD-6BE7-49BC-B773-97240B774080}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2E4AF4D-AC7E-4BB4-B952-FAA0FBA684A2}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3998C99-4349-44A4-92E7-D175B9369E5c}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2663995-7F24-4BCC-8398-7EAE0E2424Dd}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB8D7041-F1DF-4D57-9DCE-E73F015E4F93}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 00:05]
    "NDSTray.exe "= "NDSTray.exe" []
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2006-10-12 06:19]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
    "SmcService "= "C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-07-15 09:20:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\chraianz]
    pdcapdc.dll 2007-08-11 06:56 77312 C:\WINDOWS\system32\pdcapdc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmkje]
    cmkje.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fhdge]
    fhdge.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kcage]
    kcage.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\locvd]
    locvd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mstsc]
    mstsc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
    backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
    TFncKy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
    TPSMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
    C:\Program Files\Toshiba\Tvs\TvsTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    %systemroot%\system32\dumprep 0 -u


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    wdywabzl


    Contents of the 'Scheduled Tasks' folder
    2006-04-12 21:57:51 C:\WINDOWS\Tasks\Registration reminder 2.job - C:\WINDOWS\system32\OOBE\oobebaln.exe
    2006-04-12 21:57:51 C:\WINDOWS\Tasks\Registration reminder 3.job - C:\WINDOWS\system32\OOBE\oobebaln.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-11 07:12:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\xe1\21]
    "DisplayName "= "\x3688\x34c\x3688\x34c\1 "
    "DeviceDesc "= "\x3688\x34c\x3688\x34c\1 "
    "ProviderName "= "\xfed4\21\xee18\x7c90\xff44\21\b "
    "MFG "= "\x574 "
    "DeviceInstanceIds "=str(7): "c:\chipset and display.temp\sbdrv\smbus\smbusati.inf "

    scanning hidden files ...

    **************************************************************************

    Completion time: 2007-08-11 7:14:51
    C:\ComboFix-quarantined-files.txt ... 2007-08-11 07:13

    --- E O F ---


    :) :) :) Thanks again for your help! Julie

    Here's a new HJT log from a few min ago....

    :) :) :)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:27:46 AM, on 8/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sygate.com/swat/support/spf50_reg.htm
    O2 - BHO: (no name) - {0083FFFA-535A-4583-8F5F-648A475B44B5} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {14D1A72D-8705-11D8-B120-000000000000} - (no file)
    O2 - BHO: (no name) - {25DCE1C1-8ED5-4F03-B51F-54DBED07B57c} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - (no file)
    O2 - BHO: (no name) - {40902913-93A6-4AAA-97C2-1C0CE5B7CCA2} - c:\windows\system32\pdcapdc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Explorer Helper - {626482AF-17D0-5DFC-C12D-32A58E631863} - (no file)
    O2 - BHO: (no name) - {78C696ED-ECD9-4059-8039-067DCB5903C1} - c:\windows\system32\ywtjhzof.dll
    O2 - BHO: (no name) - {8505045B-2F9A-4869-A039-7BADAA4A479b} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - (no file)
    O2 - BHO: (no name) - {A2E4AF4D-AC7E-4BB4-B952-FAA0FBA684A2} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {B3998C99-4349-44A4-92E7-D175B9369E5c} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: (no name) - {D2663995-7F24-4BCC-8398-7EAE0E2424Dd} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: (no name) - {FB8D7041-F1DF-4D57-9DCE-E73F015E4F93} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-21-4262110071-3640697663-1518942255-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O20 - Winlogon Notify: chraianz - C:\WINDOWS\SYSTEM32\pdcapdc.dll
    O20 - Winlogon Notify: cmkje - cmkje.dll (file missing)
    O20 - Winlogon Notify: fhdge - fhdge.dll (file missing)
    O20 - Winlogon Notify: kcage - kcage.dll (file missing)
    O20 - Winlogon Notify: locvd - locvd.dll (file missing)
    O20 - Winlogon Notify: mstsc - mstsc.dll (file missing)
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 8275 bytes
     
    Last edited: 2007/08/11
  5. 2007/08/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Julie,

    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\cwtrihoi.dll
    C:\WINDOWS\system32\pvhxjidp.dll
    C:\WINDOWS\system32\pdcapdc.dll
    C:\WINDOWS\system32\ptxnvcoh.dll
    C:\WINDOWS\system32\foucjjoc.dll
    C:\WINDOWS\system32\ywtjhzof.dll
    C:\WINDOWS\system32\ospcont.dat
    C:\WINDOWS\system32\rhwedplk.dll
    C:\WINDOWS\checkip.dat
    C:\WINDOWS\system32\drivers\niqdxuzn.sys
    C:\WINDOWS\Tasks\Registration reminder 2.job
    C:\WINDOWS\Tasks\Registration reminder 3.job
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0083FFFA-535A-4583-8F5F-648A475B44B5}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14D1A72D-8705-11D8-B120-000000000000}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25DCE1C1-8ED5-4F03-B51F-54DBED07B57c}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36645342-9475-2663-166A-466739207346}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40902913-93A6-4AAA-97C2-1C0CE5B7CCA2}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{626482AF-17D0-5DFC-C12D-32A58E631863}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78C696ED-ECD9-4059-8039-067DCB5903C1}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8505045B-2F9A-4869-A039-7BADAA4A479b}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98B822AD-6BE7-49BC-B773-97240B774080}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2E4AF4D-AC7E-4BB4-B952-FAA0FBA684A2}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3998C99-4349-44A4-92E7-D175B9369E5c}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2663995-7F24-4BCC-8398-7EAE0E2424Dd}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB8D7041-F1DF-4D57-9DCE-E73F015E4F93}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\chraianz] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmkje] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fhdge] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kcage] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\locvd] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mstsc] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    
    NetSvc::
    wdywabzl
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log along with a fresh HijackThis log.
    Also, post the contents of C:\ComboFix-quarantined-files.txt when done.
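Added example, not code from this thread, HijackThis or ComboFix: a Python triage pass over O2 (BHO) and O20 (Winlogon Notify) lines copied from the logs above, applying the indicators the script in this post acts on (missing file, nameless BHO, machine-generated DLL name). The allowlist contents and the name-randomness thresholds are assumptions.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) entries.
Added example; not HijackThis, ComboFix or the helper's own tooling. It encodes the
indicators acted on in the thread: a missing file, a BHO with no name, and DLLs with
machine-generated names such as pdcapdc.dll. The result is a list of reasons to
verify, not a verdict."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {0083FFFA-535A-4583-8F5F-648A475B44B5} - C:\WINDOWS\system32\wiyddakd.dll (file missing)",
    r"O2 - BHO: (no name) - {78C696ED-ECD9-4059-8039-067DCB5903C1} - c:\windows\system32\ywtjhzof.dll",
    r"O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - (no file)",
    r"O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll",
    r"O20 - Winlogon Notify: chraianz - C:\WINDOWS\SYSTEM32\pdcapdc.dll",
    r"O20 - Winlogon Notify: cmkje - cmkje.dll (file missing)",
    r"O20 - Winlogon Notify: kcage - kcage.dll (file missing)",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
VOWELS = set("aeiouy")
# Names verified legitimate on the machine being cleaned. Starter list (assumption):
# XP's own Winlogon Notify handlers such as cscdll, termsrv and sclgntfy would
# otherwise trip the name heuristic, so extend it per machine.
ALLOWLIST = {"cscdll", "termsrv", "sclgntfy"}

@dataclass
class Finding:
    kind: str     # "BHO" or "WinlogonNotify"
    name: str     # BHO display name or Notify key name
    path: str     # file the entry points at; "" when HJT shows "(no file)"
    reasons: list = field(default_factory=list)

def looks_random(stem: str) -> bool:
    """Heuristic for Vundo-style generated names: five or more lowercase letters
    with fewer than two vowels (y counts as a vowel) or a run of four or more
    consonants. A prompt to verify the file, not proof that it is malicious."""
    if stem in ALLOWLIST or not re.fullmatch(r"[a-z]{5,}", stem):
        return False
    vowels = sum(c in VOWELS for c in stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", stem)), default=0)
    return vowels < 2 or longest_run >= 4

def split_target(target: str):
    """Split the tail of an HJT line into (path, missing)."""
    target = target.strip()
    if target == "(no file)":
        return "", True
    if target.endswith("(file missing)"):
        return target[: -len("(file missing)")].strip(), True
    return target, False

def file_stem(path: str) -> str:
    """Lower-cased file name without directory or extension."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower() if base else ""

def parse_entry(line: str):
    """Return (kind, name, target) for O2/O20 lines, None for any other line."""
    m = O2_RE.match(line.strip())
    if m:
        return "BHO", m["name"], m["target"]
    m = O20_RE.match(line.strip())
    if m:
        return "WinlogonNotify", m["name"], m["target"]
    return None

def triage(lines):
    """Return a Finding for every O2/O20 entry that shows at least one indicator."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        kind, name, target = parsed
        path, missing = split_target(target)
        reasons = []
        if missing:
            reasons.append("file missing")
        if kind == "BHO" and name == "(no name)":
            reasons.append("no-name BHO")
        if kind == "WinlogonNotify" and looks_random(name.lower()):
            reasons.append("random-looking key name")
        if looks_random(file_stem(path)):
            reasons.append("random-looking file name")
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:15} {f.name:10} {f.path or '(no file)':45} {', '.join(f.reasons)}")
```

On the sample it flags six of the eight entries and leaves the Adobe and Google Toolbar BHOs alone; every flagged entry matches one the script in this post removes.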
     
  6. 2007/08/11
    juliek247

    juliek247 Inactive Thread Starter

    Joined:
    2007/08/09
    Messages:
    5
    Likes Received:
    0
    I think it deleted it.... Have to restart to confirm.

    I think this worked. I have to restart to confirm, but I see the file was deleted in the ComboFix file. Here are the new files as you requested. Thanks for your help!
    Julie

    ComboFix Log: :) :) :) :)


    ComboFix 07-08-09.3 - "kristi" 2007-08-11 11:42:34.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.76 [GMT -5:00]


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\drivers\niqdxuzn.sys
    C:\WINDOWS\system32\pdcapdc.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_WDYWABZL
    -------\wdywabzl


    ((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


    2007-08-11 11:58 751,616 --a------ C:\WINDOWS\system32\pvhxjidp.dll
    2007-08-11 11:58 64,000 --a------ C:\WINDOWS\system32\ywtjhzof.dll
    2007-08-11 11:57 94,208 --a------ C:\WINDOWS\system32\cwtrihoi.dll
    2007-08-11 06:55 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-10 16:05 <DIR> d-------- C:\VundoFix Backups
    2007-08-10 08:13 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-08-10 07:46 <DIR> d-------- C:\DOCUME~1\NETWOR~1\.housecall6.6
    2007-08-10 06:36 <DIR> d---s---- C:\DOCUME~1\kristi\UserData
    2007-08-10 06:06 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-10 05:59 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
    2007-08-10 05:59 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
    2007-08-10 05:59 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
    2007-08-10 05:58 <DIR> d-------- C:\Program Files\Sygate
    2007-08-10 05:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-09 08:44 1,835,008 --ah----- C:\DOCUME~1\kristi\NTUSER.DAT
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\WINDOWS
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\You've Got Pictures Screensaver
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\toshiba
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\Intuit
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\ATI
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\AOL
    2007-08-09 08:22 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-08-09 06:33 <DIR> d-------- C:\Program Files\a-squared Free
    2007-08-09 01:25 <DIR> d-------- C:\WINDOWS\pss
    2007-08-08 23:17 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
    2007-08-08 23:03 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-08-08 18:31 <DIR> d-------- C:\Program Files\CCleaner
    2007-07-26 19:58 <DIR> d-------- C:\Downloads
    2007-07-19 09:45 <DIR> d-------- C:\Temp


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-11 06:56 41984 --a------ C:\WINDOWS\system32\ptxnvcoh.dll
    2007-08-10 06:52 122368 --a------ C:\WINDOWS\system32\foucjjoc.dll
    2007-08-10 06:44 --------- d-------- C:\Program Files\Google
    2007-07-26 20:11 88018 --ahs---- C:\WINDOWS\system32\ospcont.dat
    2007-07-25 19:26 412160 --a------ C:\WINDOWS\installer.exe
    2007-07-15 09:17 359808 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-07-15 09:17 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
    2007-07-14 08:11 --------- d-------- C:\Program Files\LimeWire
    2007-06-30 12:04 42496 --a------ C:\WINDOWS\system32\rhwedplk.dll
    2007-06-20 20:29 --------- d-------- C:\Program Files\Common Files\SupportSoft
    2007-06-20 20:29 --------- d-------- C:\Program Files\CHARTER
    2007-06-20 20:14 1515 --a--c--- C:\WINDOWS\checkip.dat
    2007-05-27 07:12 684567 --a------ C:\WINDOWS\system32\libeay32.dll
    2007-05-27 07:12 147729 --a------ C:\WINDOWS\system32\libssl32.dll
    2007-05-16 10:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 10:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 10:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 10:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 10:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0083FFFA-535A-4583-8F5F-648A475B44B5}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14D1A72D-8705-11D8-B120-000000000000}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25DCE1C1-8ED5-4F03-B51F-54DBED07B57c}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36645342-9475-2663-166A-466739207346}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{626482AF-17D0-5DFC-C12D-32A58E631863}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78C696ED-ECD9-4059-8039-067DCB5903C1}]
    2007-08-11 11:58 64000 --a------ c:\windows\system32\ywtjhzof.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8505045B-2F9A-4869-A039-7BADAA4A479b}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98B822AD-6BE7-49BC-B773-97240B774080}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2E4AF4D-AC7E-4BB4-B952-FAA0FBA684A2}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3998C99-4349-44A4-92E7-D175B9369E5c}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2663995-7F24-4BCC-8398-7EAE0E2424Dd}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB8D7041-F1DF-4D57-9DCE-E73F015E4F93}]
    C:\WINDOWS\system32\wiyddakd.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 00:05]
    "NDSTray.exe "= "NDSTray.exe" []
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2006-10-12 06:19]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
    "SmcService "= "C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-07-15 09:20:23]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmkje]
    cmkje.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fhdge]
    fhdge.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kcage]
    kcage.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\locvd]
    locvd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mstsc]
    mstsc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
    backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
    TFncKy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
    TPSMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
    C:\Program Files\Toshiba\Tvs\TvsTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    %systemroot%\system32\dumprep 0 -u

    R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys
    R0 Teefer;Teefer for NT;C:\WINDOWS\system32\Drivers\Teefer.sys
    R1 wpsdrvnt;wpsdrvnt;\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    R2 wg3n;SyGate for NT, wg3n;C:\WINDOWS\system32\Drivers\wg3n.sys
    R2 wg4n;SyGate for NT, wg4n;C:\WINDOWS\system32\Drivers\wg4n.sys
    R2 wg5n;SyGate for NT, wg5n;C:\WINDOWS\system32\Drivers\wg5n.sys
    R2 wg6n;SyGate for NT, wg6n;C:\WINDOWS\system32\Drivers\wg6n.sys
    R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
    R3 ElbyCDFL;ElbyCDFL;C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
    R3 Iviaspi;IVI ASPI Shell;C:\WINDOWS\system32\drivers\iviaspi.sys
    R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
    R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
    R3 TVALD;Toshiba Mobile PC Service;C:\WINDOWS\system32\DRIVERS\NBSMI.sys
    R3 Tvs;TOSHIBA Virtual Sound with SRS technologies;C:\WINDOWS\system32\DRIVERS\Tvs.sys
    S2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    S3 BCM42RLY;BCM42RLY;\??\C:\WINDOWS\System32\BCM42RLY.SYS


    Contents of the 'Scheduled Tasks' folder
    2006-04-12 21:57:51 C:\WINDOWS\Tasks\Registration reminder 2.job - C:\WINDOWS\system32\OOBE\oobebaln.exe
    2006-04-12 21:57:51 C:\WINDOWS\Tasks\Registration reminder 3.job - C:\WINDOWS\system32\OOBE\oobebaln.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-11 12:17:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\xe1\21]
    "DisplayName "= "\x3688\x34c\x3688\x34c\1 "
    "DeviceDesc "= "\x3688\x34c\x3688\x34c\1 "
    "ProviderName "= "\xfed4\21\xee18\x7c90\xff44\21\b "
    "MFG "= "\x574 "
    "DeviceInstanceIds "=str(7): "c:\chipset and display.temp\sbdrv\smbus\smbusati.inf "

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-11 12:28:39 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-11 12:27
    C:\ComboFix2.txt ... 2007-08-11 07:14

    --- E O F ---


    :) :) :)


    Here is the HJT File Log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:23:04 PM, on 8/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sygate.com/swat/support/spf50_reg.htm
    O2 - BHO: (no name) - {0083FFFA-535A-4583-8F5F-648A475B44B5} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {14D1A72D-8705-11D8-B120-000000000000} - (no file)
    O2 - BHO: (no name) - {25DCE1C1-8ED5-4F03-B51F-54DBED07B57c} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Explorer Helper - {626482AF-17D0-5DFC-C12D-32A58E631863} - (no file)
    O2 - BHO: (no name) - {78C696ED-ECD9-4059-8039-067DCB5903C1} - c:\windows\system32\ywtjhzof.dll
    O2 - BHO: (no name) - {8505045B-2F9A-4869-A039-7BADAA4A479b} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - (no file)
    O2 - BHO: (no name) - {A2E4AF4D-AC7E-4BB4-B952-FAA0FBA684A2} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {B3998C99-4349-44A4-92E7-D175B9369E5c} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: (no name) - {D2663995-7F24-4BCC-8398-7EAE0E2424Dd} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O2 - BHO: (no name) - {FB8D7041-F1DF-4D57-9DCE-E73F015E4F93} - C:\WINDOWS\system32\wiyddakd.dll (file missing)
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O20 - Winlogon Notify: cmkje - cmkje.dll (file missing)
    O20 - Winlogon Notify: fhdge - fhdge.dll (file missing)
    O20 - Winlogon Notify: kcage - kcage.dll (file missing)
    O20 - Winlogon Notify: locvd - locvd.dll (file missing)
    O20 - Winlogon Notify: mstsc - mstsc.dll (file missing)
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 7772 bytes



    Cross your fingers........ Rebooting now!
    Julie

    OOPS... Here is the ComboFix quarantined file you asked for too!!!

    Code:
    2007-05-23 20:34      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\update7.exe.vir
    2007-06-20 17:33      218    --a------    C:\Qoobox\Quarantine\C\WINDOWS\1809.exe.vir
    2007-06-20 20:42      76232    --a------    C:\Qoobox\Quarantine\C\WINDOWS\1800.exe.vir
    2007-07-20 06:13      14208    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\niqdxuzn.sys.vir
    2007-07-25 07:44      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\144.exe.vir
    2007-08-11 06:56      77312    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pdcapdc.dll.vir
    2007-08-11 11:56      1078    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_WDYWABZL.reg.cf
    2007-08-11 11:56      2118    --a------    C:\Qoobox\Quarantine\Registry_backups\services_wdywabzl.reg.cf
    2007-08-11 11:57      388    --a------    C:\Qoobox\Quarantine\catchme.log
    2007-08-11 11:57      83002    --a------    C:\Qoobox\Quarantine\catchme2007-08-11_121419.07.zip
    
    
    Folder PATH listing for volume SQ003982P01
    Volume serial number is 606A-9EA4
    C:\QOOBOX
    \---Quarantine
        |   catchme.log
        |   catchme2007-08-11_121419.07.zip
        |   
        +---C
        |   \---WINDOWS
        |       |   144.exe.vir
        |       |   1800.exe.vir
        |       |   1809.exe.vir
        |       |   update7.exe.vir
        |       |   
        |       \---system32
        |           |   pdcapdc.dll.vir
        |           |   
        |           \---drivers
        |                   niqdxuzn.sys.vir
        |                   
        \---Registry_backups
                LEGACY_WDYWABZL.reg.cf
                services_wdywabzl.reg.cf
                
    
     
  7. 2007/08/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, there was some progress made. Let's give it another shot in the arm though. Open CFScript.txt and delete everything in it, then copy the contents of the code box below and paste it into CFScript.txt, close and save the changes.

    Code:
    File::
    C:\WINDOWS\system32\pvhxjidp.dll
    C:\WINDOWS\system32\ywtjhzof.dll
    C:\WINDOWS\system32\cwtrihoi.dll
    C:\WINDOWS\system32\ptxnvcoh.dll
    C:\WINDOWS\system32\foucjjoc.dll
    C:\WINDOWS\system32\rhwedplk.dll
    C:\WINDOWS\Tasks\Registration reminder 2.job
    C:\WINDOWS\Tasks\Registration reminder 3.job
    
    Rootkit::
    C:\WINDOWS\system32\ospcont.dat
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0083FFFA-535A-4583-8F5F-648A475B44B5}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14D1A72D-8705-11D8-B120-000000000000}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25DCE1C1-8ED5-4F03-B51F-54DBED07B57c}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36645342-9475-2663-166A-466739207346}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{626482AF-17D0-5DFC-C12D-32A58E631863}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78C696ED-ECD9-4059-8039-067DCB5903C1}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8505045B-2F9A-4869-A039-7BADAA4A479b}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98B822AD-6BE7-49BC-B773-97240B774080}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2E4AF4D-AC7E-4BB4-B952-FAA0FBA684A2}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3998C99-4349-44A4-92E7-D175B9369E5c}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2663995-7F24-4BCC-8398-7EAE0E2424Dd}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB8D7041-F1DF-4D57-9DCE-E73F015E4F93}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmkje] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fhdge] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kcage] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\locvd] 
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mstsc] 
    
    Now close all open programs and windows, then drag CFScript.txt onto ComboFix.exe and drop it. Wait for ComboFix to complete and reboot if it wants, then post the log that opens, along with yet another new HijackThis log.
     
  8. 2007/08/12
    juliek247

    juliek247 Inactive Thread Starter

    Joined:
    2007/08/09
    Messages:
    5
    Likes Received:
    0
    New Info....

    Hello Again,

    Here is the new ComboFix Log:

    ComboFix 07-08-09.3 - "kristi" 2007-08-12 7:43:50.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.119 [GMT -5:00]


    ((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


    2007-08-11 06:55 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-10 16:05 <DIR> d-------- C:\VundoFix Backups
    2007-08-10 08:13 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-08-10 07:46 <DIR> d-------- C:\DOCUME~1\NETWOR~1\.housecall6.6
    2007-08-10 06:36 <DIR> d---s---- C:\DOCUME~1\kristi\UserData
    2007-08-10 06:06 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-10 05:59 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
    2007-08-10 05:59 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
    2007-08-10 05:59 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
    2007-08-10 05:59 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
    2007-08-10 05:58 <DIR> d-------- C:\Program Files\Sygate
    2007-08-10 05:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-09 08:44 1,835,008 --ah----- C:\DOCUME~1\kristi\NTUSER.DAT
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\WINDOWS
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\You've Got Pictures Screensaver
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\toshiba
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\Intuit
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\ATI
    2007-08-09 08:44 <DIR> d-------- C:\DOCUME~1\kristi\APPLIC~1\AOL
    2007-08-09 08:22 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-08-09 06:33 <DIR> d-------- C:\Program Files\a-squared Free
    2007-08-09 01:25 <DIR> d-------- C:\WINDOWS\pss
    2007-08-08 23:17 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
    2007-08-08 23:03 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-08-08 18:31 <DIR> d-------- C:\Program Files\CCleaner
    2007-07-26 19:58 <DIR> d-------- C:\Downloads
    2007-07-19 09:45 <DIR> d-------- C:\Temp


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-10 06:44 --------- d-------- C:\Program Files\Google
    2007-07-25 19:26 412160 --a------ C:\WINDOWS\installer.exe
    2007-07-15 09:17 359808 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-07-15 09:17 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
    2007-07-14 08:11 --------- d-------- C:\Program Files\LimeWire
    2007-06-20 20:29 --------- d-------- C:\Program Files\Common Files\SupportSoft
    2007-06-20 20:29 --------- d-------- C:\Program Files\CHARTER
    2007-06-20 20:14 1515 --a--c--- C:\WINDOWS\checkip.dat
    2007-05-27 07:12 684567 --a------ C:\WINDOWS\system32\libeay32.dll
    2007-05-27 07:12 147729 --a------ C:\WINDOWS\system32\libssl32.dll
    2007-05-16 10:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 10:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 10:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 10:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 10:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 00:05]
    "NDSTray.exe "= "NDSTray.exe" []
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2006-10-12 06:19]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
    "SmcService "= "C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "TOSCDSPD "= "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-07-15 09:20:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
    backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
    TFncKy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
    TPSMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
    C:\Program Files\Toshiba\Tvs\TvsTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    %systemroot%\system32\dumprep 0 -u

    R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys
    R0 Teefer;Teefer for NT;C:\WINDOWS\system32\Drivers\Teefer.sys
    R1 wpsdrvnt;wpsdrvnt;\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    R2 wg3n;SyGate for NT, wg3n;C:\WINDOWS\system32\Drivers\wg3n.sys
    R2 wg4n;SyGate for NT, wg4n;C:\WINDOWS\system32\Drivers\wg4n.sys
    R2 wg5n;SyGate for NT, wg5n;C:\WINDOWS\system32\Drivers\wg5n.sys
    R2 wg6n;SyGate for NT, wg6n;C:\WINDOWS\system32\Drivers\wg6n.sys
    R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
    R3 ElbyCDFL;ElbyCDFL;C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
    R3 Iviaspi;IVI ASPI Shell;C:\WINDOWS\system32\drivers\iviaspi.sys
    R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
    R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
    R3 TVALD;Toshiba Mobile PC Service;C:\WINDOWS\system32\DRIVERS\NBSMI.sys
    R3 Tvs;TOSHIBA Virtual Sound with SRS technologies;C:\WINDOWS\system32\DRIVERS\Tvs.sys
    S3 BCM42RLY;BCM42RLY;\??\C:\WINDOWS\System32\BCM42RLY.SYS


    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-12 07:57:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\xe1\21]
    "DisplayName "= "\x3688\x34c\x3688\x34c\1 "
    "DeviceDesc "= "\x3688\x34c\x3688\x34c\1 "
    "ProviderName "= "\xfed4\21\xee18\x7c90\xff44\21\b "
    "MFG "= "\x574 "
    "DeviceInstanceIds "=str(7): "c:\chipset and display.temp\sbdrv\smbus\smbusati.inf "

    scanning hidden files ...

    **************************************************************************

    Completion time: 2007-08-12 8:01:14
    C:\ComboFix-quarantined-files-8-11-07.1.37pm.txt ... 2007-08-11 13:37
    C:\ComboFix-quarantined-files.txt ... 2007-08-12 07:59
    C:\ComboFix2.txt ... 2007-08-11 12:28
    C:\ComboFix3.txt ... 2007-08-11 07:14

    --- E O F ---


    :) :) :)

    Here is the new HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:07:19 AM, on 8/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/showthread.php?t=66722&highlight=bho.bq
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sygate.com/swat/support/spf50_reg.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 6538 bytes


    Thanks again for your help!

    Julie
     
  9. 2007/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looking good!

    Let's do a bit of cleanup, then 1 more scan just to make sure we haven't missed something.

    You can delete all of the following tools we have used, and the files/folders they created.

    C:\WINDOWS\nircmd.exe
    C:\QOOBOX
    C:\VundoFix Backups
    vundofix.exe
    combofix.exe
    all combofix and vundofix logs and scripts


    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report along with a fresh HJT log.
     
  10. 2007/08/13
    juliek247

    juliek247 Inactive Thread Starter

    Joined:
    2007/08/09
    Messages:
    5
    Likes Received:
    0
    Panda Scan Clean

    Hello,
    I ran the scan and it came back clean. But I clicked out of the pop up window and it closed. I don't have a report but I took a screen shot of the final page. I hope this will work, as that scan took forever!!! I don't see how I can post a pic... If you don't need it, great. If you do, please give instructions.

    The computer runs good once it is open now, but is still very slow upon start up. Any thoughts on this?

    Thanks again!
    Julie



    Here's the HJT Log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:43:04 AM, on 8/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/showthread.php?t=66722&highlight=bho.bq
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sygate.com/swat/support/spf50_reg.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    --
    End of file - 6798 bytes
     
  11. 2007/08/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No need to see the Panda report if it came up clean. :)

    First, a few recommendations to complete the cleanup.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.

    Download Spybot from the link in my signature and install. Allow it to load SD Helper upon installation and install all available updates. When installation completes, run Spybot. Click Mode on the menu and select Advanced. Click Yes to the prompt. In the left pane, click Immunize. If prompted that 0 (zero) products are blocked, click OK, then click the green plus sign labeled immunize in the upper left corner. Check the box below labeled Enable permanent blocking of bad addresses in Internet Explorer. Then click tools button, then IE tweaks and at least lock the HOSTS file.

    Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Check for updates occasionally and install them when applicable.

    Download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry. Check occasionally for updates.

    That will give you some added layers of protection against unwanted parasites.

    As for slow startup, I would first take a look in device manager and make sure there are no errors reported (yellow exclamation point next to a device). I would then proceed to msconfig, or use Mike Lin's Startup Control Panel, disabling startup items and rebooting to see if one item in particular is the cause. I would do those in the following order.

    [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    [NDSTray.exe] NDSTray.exe
    [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP << can be started from the Start>Run line without the /startup switch, after logon, using only the path in bold
    [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui << can be started from the Start>Run line after logon, using only the path in bold

    I would also recommend opening AVG Anti-Spyware and disabling the guard. If you have the free version, the guard service only works for 30 days anyway.

    There are also some non-essential services that could be disabled to see if they're adding to the lag.

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

    Other services that are basically non-essential, but shouldn't be disabled unless they are causing a problem, in which case I would recommend investigating a fix.

    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

    More services that could be disabled long enough to see if they're having a serious impact on bootup, then find a resolution to the problem if one does.

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    You can find information about all of the above processes and services through Google, using the name of the executable as the search term.

    You might also find defragmenting the disk helpful. Running a free trial of TuneUp Utilities to clean and defrag the registry, check the disk, etc. might help as well.

    Post back if you have questions or need further assistance with anything. Your log is otherwise clean and appears to be free of infections. :)
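    As an added example (not from the thread, and not part of HijackThis or any tool used above): a small Python script that parses the O4 (autostart) and O23 (service) lines of an HJT log like the ones posted here and builds the kind of startup/services checklist worked through by hand in the reply above. The sample lines are copied from the logs in this thread; the two flagging rules (service with "Unknown owner", and a program that appears both as a Run entry and as a service) are this example's own heuristics.

```python
"""Triage of HijackThis (HJT) O4 and O23 log lines.

Added example, not from the thread. It turns the raw log lines into the lists
a reviewer walks through: autostart programs to disable one at a time, the
bare program path that can be typed at Start>Run instead of letting it
autostart, services HJT could not attribute to a publisher, and programs
that are started twice (once from a Run key and once as a service).
"""
import re

# O4 - HKLM\..\Run: [NAME] command line
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O4 - Global Startup: shortcut.lnk = target
O4_GLOBAL_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# O23 - Service: display name - publisher - path
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Everything up to and including the first ".exe", with an optional leading quote.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)

# Constructed sample: a subset of the O4/O23 lines from the HJT logs in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


def executable_of(cmd: str) -> str:
    """Return only the program path from a Run value: quotes, switches such as
    /STARTUP or -startgui, and the trailing (User '...') note are dropped.
    This is what can be typed at Start>Run to launch the program after logon."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (8.3 names left as they are)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Parse HJT log lines and return the review lists as a dict."""
    autostart, services = [], []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line) or O4_GLOBAL_RE.match(line)
        if m:
            d = m.groupdict()
            autostart.append({
                "name": d["name"],
                "hive": d.get("hive", "Global Startup"),
                "exe": executable_of(d["cmd"]),
            })
            continue
        m = O23_RE.match(line)
        if m:
            services.append(m.groupdict())
    # Heuristic 1: HJT prints "Unknown owner" when the service binary carries
    # no publisher information; those are the first ones to look up by name.
    unknown_owner = [s for s in services if s["owner"] == "Unknown owner"]
    # Heuristic 2: a program listed both under a Run key and as a service is
    # started twice at boot; the Run entry is a candidate for removal.
    service_bins = {basename(s["path"]) for s in services}
    also_service = [a["name"] for a in autostart if basename(a["exe"]) in service_bins]
    return {
        "autostart": autostart,
        "services": services,
        "unknown_owner": unknown_owner,
        "also_service": also_service,
    }


def summary(result) -> str:
    """Human-readable checklist in the order the lists were built."""
    out = ["Autostart entries (disable one at a time, reboot, compare):"]
    out += [f"  [{a['name']}] {a['hive']} -> {a['exe']}" for a in result["autostart"]]
    out.append("Services with no publisher recorded (look these up first):")
    out += [f"  {s['name']} -> {s['path']}" for s in result["unknown_owner"]]
    out.append("Run entries whose program also runs as a service:")
    out += [f"  {name}" for name in result["also_service"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(summary(triage(SAMPLE_LOG.splitlines())))
```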
     
