Ipwins.exe, b104.exe and a few more problems.

Rankz

New member
Hello all. First of all, I don't use this computer much, as I commute from my mom's to my dad's, so this was probably the work of my excessive-downloading little brother.

I'd just gotten over here and jumped into my seat, opened up process explorer, as usual, and I noticed that a weird process named "ipwins.exe" was using up 50% of my cpu. I knew that this wasn't normal, so I immediately killed it and waited for something to happen, as I've experienced follow-up processes that reopen it.

Nothing happened for a while, so I googled that process and stumbled upon this forum and read a topic about it. Just as I was verifying my registration moments ago, my cpu jumped up to 97%. I immediately opened process explorer and saw an "update.exe" and "b104.exe" under it, and a "command.exe" (that I've yet to be able to kill, so I just suspended it) with two or three other processes under it.

Well, you're probably tired of this essay, so here's my HJT log.


~~~~~~~~~~~~~~~~~~~~~~~


Logfile of HijackThis v1.99.1
Scan saved at 8:24:36 AM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\svchosts.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\WINDOWS\system32\HPZipm12.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\alg.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\CursorXP\CursorXP.exe
E:\Documents and Settings\STEPHEN ROBERTS\Desktop\procexp.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\TUFJTiBVU0VS\command.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Documents and Settings\STEPHEN ROBERTS\Desktop\HijackThis.exe
E:\WINDOWS\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...Q2uhTigLX4caoluaTKYOU3M9F4eRrJok5822kpofbIA==
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.xanga.com/megugrl18
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C2E1197D9DAB75760EA83FA5EF80752B94E2DE79557D402037C6 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - E:\PROGRA~1\COMMON~1\{3444D~1\Bar888.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - E:\PROGRA~1\COMMON~1\{3444D~1\Bar888.dll
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{6444D3E1-012B-1033-0918-979708050001}] "E:\Program Files\Common Files\{6444D3E1-012B-1033-0918-979708050001}\Update.exe" mc-110-12-0001032
O4 - HKLM\..\Run: [IpWins] E:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [CursorXP] E:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Aim6] "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\TUFJTiBVU0VS\command.exe
O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001032 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - E:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


~~~~~~~~~~~~

I'm looking forward to your help, and if this goes through okay, I'll be coming back again on my computer back at home! :)
 
Hi Rankz

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Send:

- a fresh HijackThis log
- combofix report
 
Wow, from the looks of things, that combofix thing helped a lot.

Here it is...

~~~~~~~~~~

"STEPHEN ROBERTS" - 07-02-11 18:37:22 Service Pack 2
ComboFix 07-02-11 - Running from: "E:\Documents and Settings\STEPHEN ROBERTS\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\WINDOWS\system32\atmtd.dll
E:\WINDOWS\system32\atmtd.dll._
E:\WINDOWS\uninstall_nmon.vbs
E:\Program Files\Ipwindows\ipwins.dll
E:\Program Files\Ipwindows\ipwins.exe
E:\WINDOWS\system32\unsvchosts.lzma
E:\DOCUME~1\LOCALS~1\Application Data\NetMon
E:\Program Files\Common Files\{3444D~1
E:\Program Files\InetGet2
E:\Program Files\Ipwindows
E:\WINDOWS\TUFJTiBVU0VS
E:\Program Files\Network Monitor


((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-11 18:48 <DIR> d-------- E:\DOCUME~1\LOCALS~1\Application Data\NetMon
2007-02-11 18:46 <DIR> d-------- E:\WINDOWS\ERDNT
2007-02-11 04:00 <DIR> d-------- E:\DOCUME~1\ANTHON~1\Contacts
2007-02-10 11:54 <DIR> d-------- E:\Program Files\One Piece Grand Line-BETA
2007-02-10 09:13 24 --a------ E:\WINDOWS\system32\pavdr_actions.sys
2007-02-10 09:01 <DIR> d-------- E:\WINDOWS\system32\ActiveScan
2007-02-10 08:52 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-02-05 22:20 <DIR> d-------- E:\WINDOWS\pss
2007-02-05 19:13 <DIR> d-------- E:\Program Files\Gpotato
2007-01-27 22:04 <DIR> d-------- E:\DOCUME~1\ANTHON~1\Application Data\Winamp
2007-01-27 17:32 2,560 --------- E:\WINDOWS\system32\drivers\cdralw2k.sys
2007-01-27 17:32 2,432 --------- E:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-01-27 17:32 129,784 --------- E:\WINDOWS\system32\pxafs.dll
2007-01-27 17:31 <DIR> d-------- E:\Program Files\Winamp
2007-01-27 17:31 <DIR> d-------- E:\DOCUME~1\STEPHE~1\Application Data\Winamp
2007-01-27 17:30 <DIR> d-------- E:\Program Files\DFX
2007-01-27 17:29 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-01-27 17:20 <DIR> d-------- E:\Program Files\File Scavenger 3.1
2007-01-27 17:16 <DIR> d-------- E:\Program Files\zabkat
2007-01-27 14:00 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\Winamp
2007-01-27 13:38 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\acccore
2007-01-27 12:28 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\Adobe
2007-01-25 20:19 524,288 --a------ E:\WINDOWS\system32\DivXsm.exe
2007-01-25 20:19 3,596,288 --a------ E:\WINDOWS\system32\qt-dx331.dll
2007-01-25 20:18 200,704 --a------ E:\WINDOWS\system32\ssldivx.dll
2007-01-25 20:18 1,044,480 --a------ E:\WINDOWS\system32\libdivx.dll
2007-01-25 20:13 823,296 --a------ E:\WINDOWS\system32\divx_xx0c.dll
2007-01-25 20:13 823,296 --a------ E:\WINDOWS\system32\divx_xx07.dll
2007-01-25 20:13 802,816 --a------ E:\WINDOWS\system32\divx_xx11.dll
2007-01-25 20:13 738,906 --a------ E:\WINDOWS\system32\DivX.dll
2007-01-25 20:13 73,728 --a------ E:\WINDOWS\system32\dpl100.dll
2007-01-25 20:13 593,920 --a------ E:\WINDOWS\system32\dpuGUI11.dll
2007-01-25 20:13 57,344 --a------ E:\WINDOWS\system32\dpv11.dll
2007-01-25 20:13 53,248 --a------ E:\WINDOWS\system32\dpuGUI10.dll
2007-01-25 20:13 344,064 --a------ E:\WINDOWS\system32\dpus11.dll
2007-01-25 20:13 294,912 --a------ E:\WINDOWS\system32\dpu11.dll
2007-01-25 20:13 294,912 --a------ E:\WINDOWS\system32\dpu10.dll
2007-01-25 20:13 196,608 --a------ E:\WINDOWS\system32\dtu100.dll
2007-01-21 10:37 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\Talkback
2007-01-21 10:35 <DIR> d-------- E:\DOCUME~1\Guest\Application Data\Real
2007-01-21 10:34 786,432 --ah----- E:\DOCUME~1\Guest\NTUSER.DAT
2007-01-17 21:16 144,812 --a------ E:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-01-15 23:08 <DIR> d-------- E:\Program Files\WishRealm


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-11 18:32 -------- d-------- E:\Program Files\mozilla firefox
2007-02-11 18:19 -------- d-------- E:\Program Files\Common Files\symantec shared
2007-02-10 09:11 -------- d-------- E:\Program Files\norton antivirus
2007-02-10 09:11 -------- d-------- E:\Program Files\cursorxp
2007-02-10 09:09 -------- d-------- E:\Program Files\messenger
2007-02-10 07:57 1636 --a------ E:\WINDOWS\system32\d3d9caps.dat
2007-02-05 18:46 -------- d-------- E:\Program Files\dofus
2007-02-05 18:43 -------- d-------- E:\Program Files\eudemons online
2007-01-28 19:00 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\winamp
2007-01-27 22:14 -------- d-------- E:\Program Files\divx
2007-01-27 20:31 218624 --a------ E:\WINDOWS\system32\uxtheme.dll
2007-01-27 17:30 -------- d---s---- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\microsoft
2007-01-21 17:37 83160 --a------ E:\WINDOWS\system32\drivers\scskusbs.sys
2007-01-21 17:37 6784 --a------ E:\WINDOWS\system32\drivers\scsk4.sys
2007-01-21 17:37 19504 --a------ E:\WINDOWS\system32\drivers\scskusbf.sys
2007-01-20 13:10 -------- d-------- E:\Program Files\illutia
2006-12-31 16:57 -------- d-------- E:\Program Files\windows media connect 2
2006-12-31 12:54 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\talkback
2006-12-30 23:41 -------- d-------- E:\Program Files\bittorrent
2006-12-30 23:41 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\bittorrent
2006-12-30 05:12 -------- d-------- E:\Program Files\dofus-arena
2006-12-30 04:19 -------- d-------- E:\Program Files\kru
2006-12-29 17:48 -------- d-------- E:\Program Files\historysweep
2006-12-28 00:59 -------- d-------- E:\Program Files\symantec
2006-12-24 19:30 -------- d-------- E:\Program Files\yountel_ums_driver
2006-12-24 17:40 -------- d-------- E:\Program Files\viewpoint
2006-12-24 17:05 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\byond
2006-12-22 10:21 -------- d-------- E:\Program Files\aim gadgets
2006-12-22 08:21 -------- d-------- E:\Program Files\seekmo programs
2006-12-22 08:19 -------- d-------- E:\Program Files\conquer 2.0
2006-12-22 08:12 -------- d-------- E:\Program Files\aim
2006-12-22 08:11 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\aim
2006-12-20 19:35 1524 --a------ E:\WINDOWS\system32\d3d8caps.dat
2006-12-19 15:15 -------- d-------- E:\Program Files\Common Files\aol
2006-12-17 19:36 -------- d-------- E:\Program Files\byond
2006-12-17 09:36 -------- d-------- E:\Program Files\msn messenger
2006-12-17 08:38 -------- d-------- E:\Documents and Settings\STEPHEN ROBERTS\Application Data\jams
2006-12-16 16:39 -------- d-------- E:\Program Files\aim6
2006-12-16 11:56 -------- d-------- E:\Program Files\java
2006-12-12 11:24 12288 --a------ E:\WINDOWS\system32\divxwmpexttype.dll
2006-12-12 11:24 118784 --a------ E:\WINDOWS\system32\divxcodecupdatechecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CursorXP"="E:\\Program Files\\CursorXP\\CursorXP.exe"
"Aim6"="\"E:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp /HIDEBL"
"SpybotSD TeaTimer"="E:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="E:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="E:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"Advanced Tools Check"="E:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"Symantec NetDriver Monitor"="E:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="\"E:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TkBellExe"="\"E:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"E:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"iTunesHelper"="\"E:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="E:\\Program Files\\Winamp\\winampa.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="E:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"MSMSGS"="\"E:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="E:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"MSMSGS"="\"E:\\Program Files\\Messenger\\msmsgs.exe\" /background"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
"Debugger"="\"E:\\DOCUMENTS AND SETTINGS\\STEPHEN ROBERTS\\DESKTOP\\PROCEXP.EXE\""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
E:\WINDOWS\tasks\AppleSoftwareUpdate.job
E:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
E:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-11 18:57:28

~~~~~

And here's the HJT log...

~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:06:13 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\WINDOWS\system32\HPZipm12.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\CursorXP\CursorXP.exe
E:\Program Files\AIM6\aim6.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Documents and Settings\STEPHEN ROBERTS\Desktop\procexp.exe
E:\Program Files\AIM6\aolsoftware.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Documents and Settings\STEPHEN ROBERTS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.xanga.com/megugrl18
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C2E1197D9DAB75760EA83FA5EF80752B94E2DE79557D402037C6 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CursorXP] E:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Aim6] "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Hi

Yes, it did :)

Open HijackThis, click do a system scan only and checkmark this:

O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C2E1197D9DAB75760EA83FA5EF80752B94E2DE79557D402037C6 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - (no file)
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)


Close all windows including browser and press fix checked.

Delete this folder:

E:\Program Files\seekmo programs

Empty Recycle Bin

Reboot.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Send:

- a fresh HijackThis log
- kaspersky report
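The helper's triage above boils down to a few checks a reader can apply to any HijackThis log: entries whose target is "(no file)" or "(file missing)" are orphaned and safe to fix, O23 services with "Unknown owner" have no publisher string, a directory name like TUFJTiBVU0VS is base64 (it decodes to "MAIN USER"), and svchosts.exe is a one-letter imitation of svchost.exe. The script below is an added example, not part of the thread or of HijackThis itself; it encodes those heuristics and runs them over lines copied from the logs posted above. The list of system binary names, the regular expressions and the function names are assumptions chosen for the example.

```python
import base64
import re

# Sample HijackThis lines, copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Seekmo Search Assistant Helper - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O4 - HKLM\..\Run: [IpWins] E:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\TUFJTiBVU0VS\command.exe
O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001032 (file missing)
O23 - Service: Network Monitor - Unknown owner - E:\Program Files\Network Monitor\netmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
""".strip()

# Core Windows binaries whose names malware likes to imitate. This is a
# short, hypothetical list for the example; a real tool would use a fuller one.
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "smss", "services",
                   "winlogon", "explorer", "spoolsv"}

_B64_COMPONENT = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
_FILE_TOKEN = re.compile(r'[^\\/"\s]+\.(?:exe|dll|sys)\b', re.IGNORECASE)


def target_of(line):
    """Return the file path / target portion of a HijackThis line."""
    if line.startswith("O4 "):
        return line.split("] ", 1)[-1]          # text after "[name] "
    return line.rsplit(" - ", 1)[-1]            # last " - " separated field


def base64_component(path):
    """If a directory component is valid base64 that decodes to printable
    ASCII (as the TUFJTiBVU0VS directory in the thread does), return the
    decoded text; otherwise None."""
    for comp in re.split(r"[\\/]", path):
        if len(comp) % 4 or not _B64_COMPONENT.fullmatch(comp):
            continue
        decoded = base64.b64decode(comp)
        if len(decoded) >= 4 and all(0x20 <= b < 0x7F for b in decoded):
            return decoded.decode("ascii")
    return None


def lookalike_name(path):
    """Return the system binary a filename imitates (svchosts -> svchost),
    or None when the name is either exact or unrelated."""
    m = _FILE_TOKEN.search(path)
    if not m:
        return None
    base = m.group(0).rsplit(".", 1)[0].lower()
    for known in SYSTEM_BINARIES:
        if base != known and (known in base or base in known) \
                and abs(len(base) - len(known)) <= 2:
            return known
    return None


def triage_line(line):
    """Return the list of reasons this HijackThis line deserves a closer look."""
    reasons = []
    target = target_of(line)
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphaned entry: target file is absent")
    if "Unknown owner" in line:
        reasons.append("service has no publisher string")
    decoded = base64_component(target)
    if decoded:
        reasons.append(f"directory name is base64 for {decoded!r}")
    known = lookalike_name(target)
    if known:
        reasons.append(f"filename imitates system binary {known}.exe")
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons; lines with no finding are omitted."""
    result = {}
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                result[line] = reasons
    return result


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, five of the nine lines are flagged: the two orphaned Seekmo entries, and the three "Unknown owner" services (cmdService additionally for its base64 directory, COM+ Messages additionally for the missing file and the svchosts.exe name). The IpWins O4 entry passes every heuristic even though ComboFix deleted it; a plain-looking path under Program Files carries no signal by itself, which is why the poster's step of looking the process name up was still necessary.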
 
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 