isuspm .exe?

I recently had the tratBHO problem, but thanks to looking around here, I think it's fixed. Now, though, whenever I start up the computer it starts up isuspm .exe and starts an installer (for Paint Shop Pro X, which is already installed). As soon as I force quit isuspm .exe, the installer stops. Avast doesn't seem to pick up on this as a virus, but it is one, right? How do I find where it's coming from and get rid of it?

(also, I have a short in my AC adapter cord, so my laptop tends to lose power before I can finish any long scans, and so can’t run a full antivirus scan.)

Did you copy and paste the name isuspm .exe or did you type it? I ask because of the space before the .

I typed it. I’m on a different computer, but there is a space there, or something that manages to look a lot like it.

If there is a space, you are still infected. Or at least that file is. Do you still have the copy of combofix you used? If you do, then post the log.

Don’t delete anything, the file(s) may still be salvaged.

I ran it again…

ComboFix 08-01-15.4 - Saerenna 2008-01-15 5:16:59.2 - NTFSx86
Running from: C:\Documents and Settings\Saerenna\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 04:09 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-15 04:09 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-15 04:09 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-15 04:09 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-15 04:09 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-15 04:08 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-15 00:02 . 2008-01-15 00:08 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 23:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 21:19 . 2008-01-14 21:19 d-------- C:\Program Files\CCleaner
2008-01-14 20:50 . 2008-01-15 05:07 2,148 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-14 13:32 . 2008-01-14 15:04 d-------- C:\VundoFix Backups
2008-01-14 02:54 . 2008-01-15 02:32 d-------- C:\Documents and Settings\Saerenna\Application Data\AVG7
2008-01-14 02:53 . 2008-01-14 02:53 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-14 02:53 . 2008-01-15 05:14 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-13 22:39 . 2007-07-16 15:53 48 --a------ C:\Documents and Settings\Saerenna\readme.bat
2007-12-28 21:53 . 2007-12-29 10:11 d-------- C:\Program Files\GridService
2007-12-28 21:53 . 2007-12-28 21:53 d-------- C:\Documents and Settings\All Users\Application Data\Grid

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 12:04 --------- d-----w C:\Program Files\MegauploadToolbar
2008-01-15 12:04 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-01-15 10:20 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-15 10:19 --------- d-----w C:\Program Files\Acoustica Mixcraft 3
2008-01-15 04:30 --------- d-----w C:\Program Files\Lexmark 1400 Series
2008-01-15 03:19 --------- d-----w C:\Program Files\DellSupport
2008-01-15 03:10 --------- d-----w C:\Program Files\QuickTime
2008-01-14 06:50 --------- d-----w C:\Documents and Settings\Saerenna\Application Data\MegauploadToolbar
2008-01-14 04:16 --------- d-----w C:\Program Files\VideoLAN
2008-01-14 01:23 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-28 23:52 --------- d-----w C:\Documents and Settings\Saerenna\Application Data\BitTorrent
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-11-30 03:22 8,612 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-26 07:56 --------- d-----w C:\Documents and Settings\Saerenna\Application Data\AdobeUM
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2006-05-20 08:08 0 ---ha-w C:\Documents and Settings\All Users\Application Data\gwseh.dat
2007-07-19 17:29 88 --sh--r C:\WINDOWS\system32\E7D1A1E3A5.sys
.

----a-w            81,920 2008-01-15 03:49:53  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w           249,856 2008-01-14 11:45:57  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm  .exe
----a-w            53,248 2008-01-15 03:49:49  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w         1,032,192 2008-01-15 03:49:52  C:\Program Files\Dell\QuickSet\quickset .exe
----a-w           157,696 2008-01-14 22:58:31  C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w           579,072 2008-01-15 03:50:36  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w            69,632 2008-01-15 03:50:25  C:\Program Files\HP\HP Share-to-Web\hpgs2wnd .exe
----a-w            20,480 2008-01-15 03:50:17  C:\Program Files\Lexmark 1400 Series\lxdjamon .exe
----a-w         1,121,792 2008-01-15 03:50:01  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w           761,947 2008-01-15 03:49:43  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w         4,670,968 2008-01-15 03:51:13  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w           208,952 2008-01-14 11:46:25  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w            59,392 2008-01-14 11:46:30  C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
----a-w           455,168 2008-01-14 11:46:34  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE

((((((((((((((((((((((((((((( snapshot@2008-01-14_23.49.51.14 )))))))))))))))))))))))))))))))))))))))))
.

  • 2008-01-15 13:05:40 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_55c.dat
    .

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mschkdsk.exe"="C:\WINDOWS\system32\mschkdsk.exe"
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe"
"Aim6"=""
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 20:19 393216 C:\WINDOWS\stsystra.exe]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [2008-01-14 03:45 249856]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 02:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 02:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 02:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 02:00 455168]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe"
"ClubBox"=""
"lxdjmon.exe"="C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
"LXDJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll" [2007-02-09 15:21 102400]
"Winupdate Engine"="C:\WINDOWS\system32\wupeng.exe"
"avp"="C:\WINDOWS\avp .exe"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-19 23:57:39]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei2a.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei5.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Saerenna\My Documents\My Pictures\yagyuu.png
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\Saerenna\Desktop\Shounen_Onmyouji_-_Egao_no_Wake.mp3
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
Source= C:\Documents and Settings\Saerenna\My Documents\Hyotei_Gakuen.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2004-11-24 13:34]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 17:48:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 05:27:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDJCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16???

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-15 5:31:35
ComboFix2.txt 2008-01-15 07:50:27
.
2008-01-09 11:04:44 --- E O F ---

Ok, let's see what we can do. Without the first log it's hard to see what you had originally. One question, though: the desktop images, are they yours or something that magically appeared?

I’ll need a new hjt log to go with the new combofix log. Run HJT after you do the combofix fix.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) "CFscript.txt" as the filename. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

RENV::
----a-w            81,920 2008-01-15 03:49:53  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w           249,856 2008-01-14 11:45:57  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm  .exe
----a-w            53,248 2008-01-15 03:49:49  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w         1,032,192 2008-01-15 03:49:52  C:\Program Files\Dell\QuickSet\quickset .exe
----a-w           157,696 2008-01-14 22:58:31  C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w           579,072 2008-01-15 03:50:36  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w            69,632 2008-01-15 03:50:25  C:\Program Files\HP\HP Share-to-Web\hpgs2wnd .exe
----a-w            20,480 2008-01-15 03:50:17  C:\Program Files\Lexmark 1400 Series\lxdjamon .exe
----a-w         1,121,792 2008-01-15 03:50:01  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w           761,947 2008-01-15 03:49:43  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w         4,670,968 2008-01-15 03:51:13  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w           208,952 2008-01-14 11:46:25  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w            59,392 2008-01-14 11:46:30  C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
----a-w           455,168 2008-01-14 11:46:34  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

The pictures are mine.

ComboFix 08-01-15.4 - Saerenna 2008-01-15 22:09:12.4 - NTFSx86
Running from: C:\Documents and Settings\Saerenna\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Saerenna\Desktop\CFscript.txt

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 14:35 . 2008-01-15 14:35 98,816 --a------ C:\Documents and Settings\Saerenna\sed.exe
2008-01-15 14:35 . 2008-01-15 14:35 27,136 --a------ C:\Documents and Settings\Saerenna\nircmd.exe
2008-01-15 06:16 . 2008-01-15 06:23 d-------- C:\WINDOWS\BDOSCAN8
2008-01-15 04:09 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-15 04:09 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-15 04:09 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-15 04:09 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-15 04:09 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-15 04:08 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-15 02:18 . 2008-01-15 02:18 d-------- C:\Documents and Settings\Administrator\Application Data\Acoustica
2008-01-15 02:14 . 2006-05-20 00:12 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-01-15 02:14 . 2006-05-20 00:16 d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-01-15 00:02 . 2008-01-15 17:44 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 23:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 21:19 . 2008-01-14 21:19 d-------- C:\Program Files\CCleaner
2008-01-14 20:50 . 2008-01-15 20:58 2,148 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-14 13:32 . 2008-01-15 06:06 d-------- C:\VundoFix Backups
2008-01-14 02:54 . 2008-01-15 02:32 d-------- C:\Documents and Settings\Saerenna\Application Data\AVG7
2008-01-14 02:53 . 2008-01-14 02:53 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-14 02:53 . 2008-01-15 05:14 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-13 22:39 . 2007-07-16 15:53 48 --a------ C:\Documents and Settings\Saerenna\readme.bat
2007-12-28 21:53 . 2007-12-29 10:11 d-------- C:\Program Files\GridService
2007-12-28 21:53 . 2007-12-28 21:53 d-------- C:\Documents and Settings\All Users\Application Data\Grid

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 22:35 --------- d-----w C:\Program Files\Lexmark 1400 Series
2008-01-15 12:04 --------- d-----w C:\Program Files\MegauploadToolbar
2008-01-15 12:04 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-01-15 10:20 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-15 10:19 --------- d-----w C:\Program Files\Acoustica Mixcraft 3
2008-01-15 03:19 --------- d-----w C:\Program Files\DellSupport
2008-01-15 03:10 --------- d-----w C:\Program Files\QuickTime
2008-01-14 11:46 59,392 ----a-w C:\WINDOWS\system32\dllcache\imscinst.exe
2008-01-14 11:46 455,168 ----a-w C:\WINDOWS\system32\dllcache\tintsetp.exe
2008-01-14 11:46 208,952 ----a-w C:\WINDOWS\system32\dllcache\imjpmig.exe
2008-01-14 06:50 --------- d-----w C:\Documents and Settings\Saerenna\Application Data\MegauploadToolbar
2008-01-14 04:16 --------- d-----w C:\Program Files\VideoLAN
2008-01-14 01:23 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-28 23:52 --------- d-----w C:\Documents and Settings\Saerenna\Application Data\BitTorrent
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-11-30 03:22 8,612 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-26 07:56 --------- d-----w C:\Documents and Settings\Saerenna\Application Data\AdobeUM
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 18:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2006-05-20 08:08 0 ---ha-w C:\Documents and Settings\All Users\Application Data\gwseh.dat
2007-07-19 17:29 88 --sh--r C:\WINDOWS\system32\E7D1A1E3A5.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-14_23.49.51.14 )))))))))))))))))))))))))))))))))))))))))
.

  • 2008-01-15 14:16:57 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
  • 2008-01-15 14:16:58 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
  • 2008-01-15 14:16:58 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
  • 2008-01-15 14:17:08 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
  • 2007-10-25 18:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
  • 2007-10-25 18:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
  • 2008-01-15 14:17:10 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
  • 2008-01-15 14:16:59 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
  • 2007-10-25 18:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
  • 2007-10-25 18:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
  • 2008-01-15 07:32:45 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
  • 2008-01-16 06:08:58 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
  • 2008-01-15 07:32:45 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
  • 2008-01-16 06:08:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
  • 2008-01-15 07:32:45 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
  • 2008-01-16 06:08:58 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
  • 2008-01-15 07:32:45 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
  • 2008-01-16 06:08:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
  • 2008-01-15 07:32:46 9,191,424 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
  • 2008-01-16 06:08:59 10,104,832 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
  • 2008-01-15 07:32:46 110,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
  • 2008-01-16 06:08:59 110,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
  • 2004-08-04 10:00:00 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\imjpmig.exe
  • 2008-01-14 11:46:25 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
  • 2004-08-04 10:00:00 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe
  • 2008-01-14 11:46:30 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
  • 2004-08-04 10:00:00 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
  • 2008-01-14 11:46:34 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
  • 2008-01-16 04:57:44 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_568.dat
    .

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe"
"Aim6"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 20:19 393216 C:\WINDOWS\stsystra.exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2008-01-14 03:46 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2008-01-14 03:46 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-14 03:46 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-14 03:46 455168]
"ClubBox"=""
"lxdjmon.exe"="C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
"LXDJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll" [2007-02-09 15:21 102400]
"Winupdate Engine"="C:\WINDOWS\system32\wupeng.exe"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-19 23:57:39]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei2a.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei5.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Saerenna\My Documents\My Pictures\yagyuu.png
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\Saerenna\Desktop\Shounen_Onmyouji_-_Egao_no_Wake.mp3
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
Source= C:\Documents and Settings\Saerenna\My Documents\Hyotei_Gakuen.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2004-11-24 13:34]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 17:48:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 22:18:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDJCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16???

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-15 22:22:19
ComboFix2.txt 2008-01-16 02:08:25
ComboFix3.txt 2008-01-15 13:31:36
ComboFix4.txt 2008-01-15 07:50:27
.
2008-01-09 11:04:44 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:25:12, on 2008/01/15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Saerenna\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
O4 - HKLM\..\Run: [LXDJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,RunDLLEntry@16
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {D8F2DC62-F4A1-4A10-AE19-61DF6EC9BF50} (xc_loader_activex.cntMain) - http://157.201.248.49/ac/tools/xc_loader_activex.CAB
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei2a.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei5.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Saerenna\My Documents\My Pictures\yagyuu.png
O24 - Desktop Component 4: The Rogue Beat - http://roguebeat.crosswithyou.net/musici/index.php?dir=Vocals/&file=Egao%20no%20Wake.mp3
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Saerenna\Desktop\Shounen_Onmyouji_-_Egao_no_Wake.mp3
O24 - Desktop Component 6: (no name) - http://www.youtube.com/watch?v=GV-l_EtK-iY
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\Saerenna\My Documents\Hyotei_Gakuen.htm


End of file - 6419 bytes

What do you know about these? Each one is a desktop component, which could be an image etc. I don't want to remove them if you put them there yourself. :wink:

O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei2a.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei5.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Saerenna\My Documents\My Pictures\yagyuu.png
O24 - Desktop Component 4: The Rogue Beat - http://roguebeat.crosswithyou.net/musici/index.php?dir=Vocals/&file=Egao%20no%20Wake.mp3
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Saerenna\Desktop\Shounen_Onmyouji_-_Egao_no_Wake.mp3
O24 - Desktop Component 6: (no name) - http://www.youtube.com/watch?v=GV-l_EtK-iY
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\Saerenna\My Documents\Hyotei_Gakuen.htm

It will take a while to go through this and see what was able to be fixed and what wasn’t.

I’m sneaking this in from work, so soon as I get home. I’ll go over these and try to sort it out for you. ;D

Let me know what is going on at your end.

Actually, go to this folder and post the contents of the quarantined files .txt:

C:\QooBox, ComboFix-quarantined-files.txt

Thanks

Thank you so much for all your help so far.

Yes, all of those were put there by me, but I wouldn’t be too upset if anything happened to them.

I can’t seem to find any files like that… There are no files under C:\Qoobox\Quarantine just empty folders.

I played around with hijackthis a bit, but everything I fixed is still in the backups. Should I restore them and run it again?

isuspm .exe is most probably the dropper of Virtumonde/BHO/Trat*... we're working on detection of all the droppers, because the included BHOs are detected (and deleted after restart), but the dropper repairs them until we kill it too...

Combofix didn’t report removing anything this time. I’m hoping that all the files where repaired. But we’ll see.

I'm guessing that this is a different copy of ComboFix than what you ran originally, since there is no log of removed items.

That will make it a bit tougher, but we’ll get through. :smiley:

No, don’t restore the HJT lines. There may be one pointing at an infected file that I can’t see in the log. We don’t want to start this all over again, do we? :wink:

What I’d like you to do is, in Windows Explorer, navigate to the HJT backup files, right click on them one at a time, open them with Notepad, and save them to your desktop. Please save them with the name they come up with. Then on the reply page, use the additional options button to attach them to your reply.

After you have done that, open HJT, run a system scan only and check mark this nasty line >:(

O4 - HKLM\..\Run: [WinupdateEngine] C:\WINDOWS\system32\wupeng.exe

Click fix and close HJT.

Do a search for this file and let me know if it is present. If it is, I’ll kill it from here.

C:\WINDOWS\system32\wupeng.exe

In Windows Explorer set the folder options like this:

At the top of Windows Explorer, click Tools, Folder Options, then click the View tab

check “Show hidden files and folders”
uncheck “Hide extensions for known file types” box
uncheck “Hide protected operating system files” box

Then check for the presence of these files. They are good guys, providing they don’t have a space in front of the “.”. Use the Windows search and, when reviewing the results, look for the name followed by exe. Let me know if you found them and if they had a space. Make a note of the ones with a space and where they were located.

issch
isuspm
DVDLauncher
quickset
GoogleDesktop
avgcc
hpgs2wnd
lxdjamon
MSKDetct
SynTPEnh
YahooMessenger

Now we should be able to determine what got fixed and which programs you will have to reinstall.
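An added check, not from the thread or from any of the tools mentioned in it, that automates the search the post above asks for: it walks a folder tree and reports every file whose name has a blank before its extension (the “isuspm .exe” pattern), noting whether the name imitates one of the listed good names. The sample folder it builds is constructed for the demonstration; on a real machine you would point scan_tree at C:\WINDOWS or the whole drive.

```python
import os
import re
import shutil
import tempfile

# Names the post above asks the user to look for (lower-cased for comparison).
KNOWN_GOOD_STEMS = {
    "issch", "isuspm", "dvdlauncher", "quickset", "googledesktop", "avgcc",
    "hpgs2wnd", "lxdjamon", "mskdetct", "syntpenh", "yahoomessenger",
}

# One or more blanks between the name and an executable-style extension, e.g. "isuspm .exe".
SPACE_BEFORE_EXT = re.compile(r"^(?P<stem>.+?)\s+\.(?:exe|dll|scr|cpl)$", re.IGNORECASE)

def classify(filename):
    """Return the lower-cased stem if the name has a space before its extension, else None."""
    match = SPACE_BEFORE_EXT.match(filename)
    return match.group("stem").strip().lower() if match else None

def scan_tree(root):
    """Walk root and collect every file whose name has a space before the extension.
    Each hit records whether the stem impersonates one of the known-good names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem = classify(name)
            if stem is not None:
                hits.append({"name": name, "path": os.path.join(dirpath, name),
                             "stem": stem, "impersonates": stem in KNOWN_GOOD_STEMS})
    return hits

def build_sample_tree():
    """Constructed sample (not from the thread): real names next to space-before-dot look-alikes."""
    root = tempfile.mkdtemp(prefix="spacecheck_")
    sub = os.path.join(root, "system32")
    os.makedirs(sub)
    for name in ("isuspm.exe", "isuspm .exe", "issch .exe", "notepad.exe",
                 "wupeng .exe", "readme .txt"):
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(b"MZ placeholder")  # dummy bytes, not a real executable
    return root

if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in sorted(scan_tree(sample_root), key=lambda h: h["name"]):
        label = "impersonates known-good name" if hit["impersonates"] else "unknown name"
        print(f"{hit['path']}: {label}")
    shutil.rmtree(sample_root)
```

Only names with a blank before .exe/.dll/.scr/.cpl are reported, so “readme .txt” and the genuine “isuspm.exe” are left alone.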

There are a lot of files in the backups folder, including a couple of .dll files. Here’s a screenshot, but do you still want me to attach all of the files?

I can’t find the wupeng.exe

I found all the others but avgcc (But I did uninstall avg recently) and none with the space.

I have a quick question about NicConfigSvc.exe that’s been running on startup. Are there supposed to be two NicConfigSvc.cpl? I have one in C:\i386 and another in C:\WINDOWS\system32

Also, one more thing, whenever I right click a file and choose to scan it, the Avast! screen will pop up and then disappear. Is it supposed to do that? :expressionless:

Thanks again.

The lines in HJT backup are only the reg keys, not the files themselves.

Finding none without a space is good, it means that all the files we tried to repair got repaired.

I’ll go through the lines by their numbers.

The O2 lines are browser helper objects, things that load with your browser, enabling you to access certain features. For example, the 1st one will give you access to some of your printer’s features from within the browser.

  1. lexmark printer - restore,
  2. spybot - restore
  3. megaupload - your choice; if you keep the toolbar, restore it
    http://www.castlecops.com/tk30914-Megaupload_Toolbar.html
  4. adobe - restore
  5. yahoo - restore
  6. empty key - leave it
  7. drive letter access - restore

The O3 lines are toolbars, different search/address boxes etc. You’ve seen them.

  1. megaupload same as above
  2. lexmark - restore if you like it
  3. yahoo - depending if you like it

The O4 lines autoload from the registry.

  1. macromedia updater - the backup is pointed at an infected file that was cleaned. I’m not sure how Windows will read it; you may get an error message “file not found” if you restore it, or the key will correct itself. Your computer will still start. You can try it and see what happens. I can give you a reg fix if the key doesn’t correct itself.
  2. quicktime - leave it, uninstall and reinstall quicktime
  3. avp, related to kaspersky - the file wasn’t on the list combofix was going to repair, so I’d say the file is gone, so leave it. BTW, what kaspersky product do you have?
  4. messenger, that key starts messenger running in the background - restore
  5. winupdate engine - leave it

The O20 lines are autorun applications’ .dll files.

  1. winlogon notify was a nasty file, gone now - leave
  2. same thing
  3. google - restore

The R3 line is the start/search page.

  1. yahoo - the file is missing so leave it

I can't find the wupeng.exe

Good, must have been a stray key.

I have a quick question about NicConfigSvc.exe that's been running on startup. Are there supposed to be two NicConfigSvc.cpl? I have one in C:\i386 and another in C:\WINDOWS\system32

I don’t know. It’s a dell file and could have been placed in the i386 folder as a backup.

http://www.castlecops.com/o23list-1028.html for the exe

http://www.internetsecurityzone.com/Entities/?_7%2C+0%2C+10%2C+0 for the .dll

Also, one more thing, whenever I right click a file and chose to scan it, the Avast! screen will pop up and then dissapear. Is it supposed to do that? :|

They don’t call it ashquick for nothing. :wink: ;D Yes, it’s normal. If you want to see what it scans, right click the “a” icon, select program settings and put a checkmark beside “show results of explorer extension”.

Now, are you still having problems, strange behavior of programs?