
Ipwins.exe, b104.exe and a few more problems.



Rankz
2007-02-10, 14:26
Hello all. First of all, I don't use this computer much, as I commute from my mom's to my dad's, so this was probably the work of my excessive-downloading little brother.

I'd just gotten over here and jumped into my seat, opened up process explorer, as usual, and I noticed that a weird process named "ipwins.exe" was using up 50% of my cpu. I knew that this wasn't normal, so I immediately killed it and waited for something to happen, as I've experienced follow-up processes that reopen it.

Nothing happened for a while, so I googled that process and stumbled upon this forum and read a topic about it. Just as I was verifying my registration moments ago, my cpu jumped up to 97%. I immediately opened process explorer and saw an "update.exe" and "b104.exe" under it, a "command.exe" (that I've yet to be able to kill, so I just suspended it) with two or three other processes under it.

Well, you're probably tired of this essay, so here's my HJT log.


~~~~~~~~~~~~~~~~~~~~~~~


Logfile of HijackThis v1.99.1
Scan saved at 8:24:36 AM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\svchosts.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\WINDOWS\system32\HPZipm12.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\alg.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\CursorXP\CursorXP.exe
E:\Documents and Settings\STEPHEN ROBERTS\Desktop\procexp.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\TUFJTiBVU0VS\command.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Documents and Settings\STEPHEN ROBERTS\Desktop\HijackThis.exe
E:\WINDOWS\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDzJ8gIalwXoxfe5b35lWKKN6OpmPvWheK+JhcgbqEKGrtOaNysTKCvGxmrAwJy54DfUCyc6gxgf++oL+XtI5qyY5Z9JmiAxVnaHqSQVmO59oiQXIP+/+/tXSe7igyxmF2fwKlv+uP2U7OREGTRIMAkQZYsWz2Dn1VIxmgoY2n/eSVjAvxYMXZMxnASIZlOFliWLh8BZZ7rmuMZztxy7uzTe0JfPFX0JjlOrtsBJoPIBSrzCmQDT5XWTffYA/a30vJrIbVAL+tCbnHoL4YENhbtWXjp3OQJzSclK2pArPCRRwRWLUDYTK+lkPF+0/hmMkTeRAZlQczRBIUtCdAds2zSKN+4kIjqiWHhFKy6yJHxCKQ2uhTigLX4caoluaTKYOU3M9F4eRrJok5822kpofbIA==
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.xanga.com/megugrl18
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C2E1197D9DAB75760EA83FA5EF80752B94E2DE79557D402037C6 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - E:\PROGRA~1\COMMON~1\{3444D~1\Bar888.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - E:\PROGRA~1\COMMON~1\{3444D~1\Bar888.dll
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{6444D3E1-012B-1033-0918-979708050001}] "E:\Program Files\Common Files\{6444D3E1-012B-1033-0918-979708050001}\Update.exe" mc-110-12-0001032
O4 - HKLM\..\Run: [IpWins] E:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [CursorXP] E:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Aim6] "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\TUFJTiBVU0VS\command.exe
O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001032 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - E:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


~~~~~~~~~~~~

I'm looking forward to your help, and if this goes through okay, I'll be coming back again on my computer back at home! :)

Shaba
2007-02-11, 11:24
Hi Rankz

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Send:

- a fresh HijackThis log
- combofix report

Rankz
2007-02-12, 01:06
Wow, from the looks of things, that combofix thing helped a lot.

Here it is...

~~~~~~~~~~

"STEPHEN ROBERTS" - 07-02-11 18:37:22 Service Pack 2
ComboFix 07-02-11 - Running from: "E:\Documents and Settings\STEPHEN ROBERTS\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\WINDOWS\system32\atmtd.dll
E:\WINDOWS\system32\atmtd.dll._
E:\WINDOWS\uninstall_nmon.vbs
E:\Program Files\Ipwindows\ipwins.dll
E:\Program Files\Ipwindows\ipwins.exe
E:\WINDOWS\system32\unsvchosts.lzma
E:\DOCUME~1\LOCALS~1\Application Data\NetMon
E:\Program Files\Common Files\{3444D~1
E:\Program Files\InetGet2
E:\Program Files\Ipwindows
E:\WINDOWS\TUFJTiBVU0VS
E:\Program Files\Network Monitor


((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-11 18:48 <DIR> d-------- E:\DOCUME~1\LOCALS~1\Application Data\NetMon
2007-02-11 18:46 <DIR> d-------- E:\WINDOWS\ERDNT
2007-02-11 04:00 <DIR> d-------- E:\DOCUME~1\ANTHON~1\Contacts
2007-02-10 11:54 <DIR> d-------- E:\Program Files\One Piece Grand Line-BETA
2007-02-10 09:13 24 --a------ E:\WINDOWS\system32\pavdr_actions.sys
2007-02-10 09:01 <DIR> d-------- E:\WINDOWS\system32\ActiveScan
2007-02-10 08:52 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-02-05 22:20 <DIR> d-------- E:\WINDOWS\pss
2007-02-05 19:13 <DIR> d-------- E:\Program Files\Gpotato
2007-01-27 22:04 <DIR> d-------- E:\DOCUME~1\ANTHON~1\Application Data\Winamp
2007-01-27 17:32 2,560 --------- E:\WINDOWS\system32\drivers\cdralw2k.sys
2007-01-27 17:32 2,432 --------- E:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-01-27 17:32 129,784 --------- E:\WINDOWS\system32\pxafs.dll
2007-01-27 17:31 <DIR> d-------- E:\Program Files\Winamp
2007-01-27 17:31 <DIR> d-------- E:\DOCUME~1\STEPHE~1\Application Data\Winamp
2007-01-27 17:30 <DIR> d-------- E:\Program Files\DFX
2007-01-27 17:29 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-01-27 17:20 <DIR> d-------- E:\Program Files\File Scavenger 3.1
2007-01-27 17:16 <DIR> d-------- E:\Program Files\zabkat
2007-01-27 14:00 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\Winamp
2007-01-27 13:38 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\acccore
2007-01-27 12:28 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\Adobe
2007-01-25 20:19 524,288 --a------ E:\WINDOWS\system32\DivXsm.exe
2007-01-25 20:19 3,596,288 --a------ E:\WINDOWS\system32\qt-dx331.dll
2007-01-25 20:18 200,704 --a------ E:\WINDOWS\system32\ssldivx.dll
2007-01-25 20:18 1,044,480 --a------ E:\WINDOWS\system32\libdivx.dll
2007-01-25 20:13 823,296 --a------ E:\WINDOWS\system32\divx_xx0c.dll
2007-01-25 20:13 823,296 --a------ E:\WINDOWS\system32\divx_xx07.dll
2007-01-25 20:13 802,816 --a------ E:\WINDOWS\system32\divx_xx11.dll
2007-01-25 20:13 738,906 --a------ E:\WINDOWS\system32\DivX.dll
2007-01-25 20:13 73,728 --a------ E:\WINDOWS\system32\dpl100.dll
2007-01-25 20:13 593,920 --a------ E:\WINDOWS\system32\dpuGUI11.dll
2007-01-25 20:13 57,344 --a------ E:\WINDOWS\system32\dpv11.dll
2007-01-25 20:13 53,248 --a------ E:\WINDOWS\system32\dpuGUI10.dll
2007-01-25 20:13 344,064 --a------ E:\WINDOWS\system32\dpus11.dll
2007-01-25 20:13 294,912 --a------ E:\WINDOWS\system32\dpu11.dll
2007-01-25 20:13 294,912 --a------ E:\WINDOWS\system32\dpu10.dll
2007-01-25 20:13 196,608 --a------ E:\WINDOWS\system32\dtu100.dll
2007-01-21 10:37 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\Talkback
2007-01-21 10:35 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\Real
2007-01-21 10:34 786,432 --ah----- E:\DOCUME~1\Guest\NTUSER.DAT
2007-01-17 21:16 144,812 --a------ E:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-01-15 23:08 <DIR> d-------- E:\Program Files\WishRealm


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-11 18:32 -------- d-------- E:\Program Files\mozilla firefox
2007-02-11 18:19 -------- d-------- E:\Program Files\Common Files\symantec shared
2007-02-10 09:11 -------- d-------- E:\Program Files\norton antivirus
2007-02-10 09:11 -------- d-------- E:\Program Files\cursorxp
2007-02-10 09:09 -------- d-------- E:\Program Files\messenger
2007-02-10 07:57 1636 --a------ E:\WINDOWS\system32\d3d9caps.dat
2007-02-05 18:46 -------- d-------- E:\Program Files\dofus
2007-02-05 18:43 -------- d-------- E:\Program Files\eudemons online
2007-01-28 19:00 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\winamp
2007-01-27 22:14 -------- d-------- E:\Program Files\divx
2007-01-27 20:31 218624 --a------ E:\WINDOWS\system32\uxtheme.dll
2007-01-27 17:30 -------- d---s---- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\microsoft
2007-01-21 17:37 83160 --a------ E:\WINDOWS\system32\drivers\scskusbs.sys
2007-01-21 17:37 6784 --a------ E:\WINDOWS\system32\drivers\scsk4.sys
2007-01-21 17:37 19504 --a------ E:\WINDOWS\system32\drivers\scskusbf.sys
2007-01-20 13:10 -------- d-------- E:\Program Files\illutia
2006-12-31 16:57 -------- d-------- E:\Program Files\windows media connect 2
2006-12-31 12:54 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\talkback
2006-12-30 23:41 -------- d-------- E:\Program Files\bittorrent
2006-12-30 23:41 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\bittorrent
2006-12-30 05:12 -------- d-------- E:\Program Files\dofus-arena
2006-12-30 04:19 -------- d-------- E:\Program Files\kru
2006-12-29 17:48 -------- d-------- E:\Program Files\historysweep
2006-12-28 00:59 -------- d-------- E:\Program Files\symantec
2006-12-24 19:30 -------- d-------- E:\Program Files\yountel_ums_driver
2006-12-24 17:40 -------- d-------- E:\Program Files\viewpoint
2006-12-24 17:05 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\byond
2006-12-22 10:21 -------- d-------- E:\Program Files\aim gadgets
2006-12-22 08:21 -------- d-------- E:\Program Files\seekmo programs
2006-12-22 08:19 -------- d-------- E:\Program Files\conquer 2.0
2006-12-22 08:12 -------- d-------- E:\Program Files\aim
2006-12-22 08:11 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\aim
2006-12-20 19:35 1524 --a------ E:\WINDOWS\system32\d3d8caps.dat
2006-12-19 15:15 -------- d-------- E:\Program Files\Common Files\aol
2006-12-17 19:36 -------- d-------- E:\Program Files\byond
2006-12-17 09:36 -------- d-------- E:\Program Files\msn messenger
2006-12-17 08:38 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\jams
2006-12-16 16:39 -------- d-------- E:\Program Files\aim6
2006-12-16 11:56 -------- d-------- E:\Program Files\java
2006-12-12 11:24 12288 --a------ E:\WINDOWS\system32\divxwmpexttype.dll
2006-12-12 11:24 118784 --a------ E:\WINDOWS\system32\divxcodecupdatechecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CursorXP"="E:\\Program Files\\CursorXP\\CursorXP.exe"
"Aim6"="\"E:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp /HIDEBL"
"SpybotSD TeaTimer"="E:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="E:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="E:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"Advanced Tools Check"="E:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"Symantec NetDriver Monitor"="E:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="\"E:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TkBellExe"="\"E:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"E:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"iTunesHelper"="\"E:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="E:\\Program Files\\Winamp\\winampa.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="E:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"MSMSGS"="\"E:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="E:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"MSMSGS"="\"E:\\Program Files\\Messenger\\msmsgs.exe\" /background"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
"Debugger"="\"E:\\DOCUMENTS AND SETTINGS\\STEPHEN ROBERTS\\DESKTOP\\PROCEXP.EXE\""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
E:\WINDOWS\tasks\AppleSoftwareUpdate.job
E:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
E:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-11 18:57:28

~~~~~

And here's the HJT log...

~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:06:13 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\WINDOWS\system32\HPZipm12.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\CursorXP\CursorXP.exe
E:\Program Files\AIM6\aim6.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Documents and Settings\STEPHEN ROBERTS\Desktop\procexp.exe
E:\Program Files\AIM6\aolsoftware.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Documents and Settings\STEPHEN ROBERTS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.xanga.com/megugrl18
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C2E1197D9DAB75760EA83FA5EF80752B94E2DE79557D402037C6 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CursorXP] E:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Aim6] "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Shaba
2007-02-12, 08:34
Hi

Yes, it did :)

Open HijackThis, click do a system scan only and checkmark this:

O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C2E1197D9DAB75760EA83FA5EF80752B94E2DE79557D402037C6 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - (no file)
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)

Close all windows including browser and press fix checked.

Delete this folder:

E:\Program Files\seekmo programs

Empty Recycle Bin

Reboot.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Send:

- a fresh HijackThis log
- kaspersky report
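
As an added example (not part of this thread and not code from HijackThis or its author), the Python script below parses O2/O3/O4/O23 lines of the kind shown in the logs above and flags the same indicators the helper acted on: entries ending in "(no file)" or "(file missing)", O23 services listed with "Unknown owner", binaries living in a GUID-named folder, and folder names that are valid base64 text (the TUFJTiBVU0VS directory from the first log decodes to "MAIN USER"). The sample lines are copied from this thread's logs; the heuristics, function names and reason strings are the example's own assumptions.

```python
import base64
import re

# Sample input: lines copied from the HijackThis logs posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C2E1197D9DAB75760EA83FA5EF80752B94E2DE79557D402037C6 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - (no file)
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [{6444D3E1-012B-1033-0918-979708050001}] "E:\Program Files\Common Files\{6444D3E1-012B-1033-0918-979708050001}\Update.exe" mc-110-12-0001032
O4 - HKLM\..\Run: [IpWins] E:\Program Files\Ipwindows\ipwins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\TUFJTiBVU0VS\command.exe
O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001032 (file missing)
O23 - Service: Network Monitor - Unknown owner - E:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
"""

# First drive-letter path ending in a binary extension; stops at the first match.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)
# {8-4-4-4-12} style identifier used as a directory name.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# Directory name made only of base64 alphabet characters (hypothetical heuristic).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def extract_path(line):
    """Return the first binary path in a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def base64_dirname(path):
    """If a directory component is base64 for printable ASCII, return the decoded text."""
    for comp in path.split("\\")[1:-1]:  # skip the drive letter and the file name
        if not B64_RE.match(comp) or len(comp) % 4 != 0:
            continue
        try:
            text = base64.b64decode(comp, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            return text
    return None


def triage(log_text):
    """Return (section, line, reasons) for every log line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        reasons = []
        if line.endswith("(no file)"):
            reasons.append("orphaned entry: registered component has no file on disk")
        if line.endswith("(file missing)"):
            reasons.append("service binary missing on disk")
        if section == "O23" and "- Unknown owner -" in line:
            reasons.append("service with unknown vendor")
        path = extract_path(line)
        if path:
            if any(GUID_RE.match(c) for c in path.split("\\")[:-1]):
                reasons.append("binary lives in a GUID-named folder")
            decoded = base64_dirname(path)
            if decoded is not None:
                reasons.append(f"folder name is base64 for {decoded!r}")
        if reasons:
            findings.append((section, line, reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {line[:70]}...")
        for reason in reasons:
            print(f"      - {reason}")
```

Run as-is, it flags seven of the eleven sample lines. The `[IpWins]` Run entry passes every heuristic here: a plain executable in its own folder under Program Files looks like any other autostart, which is why log triage still depends on checking names against known-bad lists and on a human reviewer, as it did in this thread.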

Shaba
2007-02-19, 10:47
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.