
wmsncs.exe worm rudely will not leave


17 replies to this topic

#1 toddly

  • Members
  • 14 posts
  • Gender:Male
  • Location:Seattle, WA USA

Posted 10 December 2008 - 12:49 PM

Hi,
My computer ate something that gave it a bad case of the worm wmsncs. I don't know which processes to delete and which ones I need to quarantine or keep. My various logs are posted below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:13 PM, on 12/9/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\Fonts\wmsncs.exe
C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe "C:\WINNT\Fonts\wmsncs.exe"
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINNT\system32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINNT\system32\wins\wmsncs.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spool Driver Service] C:\WINNT\system32\spool\drivers\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Wins Service] C:\WINNT\system32\wins\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: wmsncs.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133604207849
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 5347 bytes
--------------------------------------------

info.txt logfile of random's system information tool 1.04 2008-12-10 09:33:24

======Uninstall list======

-->C:\WINNT\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0\Uninst.dll"
Adobe Flash Player 10 Plugin-->C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player-->C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Advanced SystemCare 3-->"C:\Program Files\IObit\Advanced SystemCare 3\unins000.exe"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
DirectX 8.1 Hotfix - KB839643-->C:\WINNT\$NtUninstallKB839643-DirectX81$\spuninst\spuninst.exe
EasyCleaner-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
Eusing Free Registry Cleaner-->C:\PROGRA~1\Eusing Free Registry Cleaner\UNWISE.EXE C:\PROGRA~1\Eusing Free Registry Cleaner\INSTALL.LOG
Glary Registry Repair 3.0-->"C:\Program Files\Glary Registry Repair\unins000.exe"
GrabPro - Toolbar-->regsvr32 /u /s "C:\Program Files\Orbitdownloader\GrabPro.dll"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for MDAC 2.53 (KB911562)-->"C:\WINNT\$SQLUninstallMDAC25SP3-KB911562-x86-ENU$\spuninst\spuninst.exe"
Hotfix for MDAC 2.53 (KB927779)-->"C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$\spuninst\spuninst.exe"
IEEE 802.11g Wireless Cardbus/PCI Adapter-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{29F15D3F-5B37-44DB-BB89-390B3AD1404E}
K-Lite Codec Pack 4.1.7 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Moyea FLV Player version 1.5.2.7-->"C:\Program Files\Moyea\FLV Player\unins000.exe"
Norton SystemWorks 2001-->C:\WINNT\NSUNINST.EXE
Orbit Downloader-->"C:\Program Files\Orbitdownloader\unins000.exe"
RamBooster-->C:\Program Files\RamBooster 2.0\Uninst.exe /pid:{ADE3CACC-EC31-480C-83A0-587EE60CE8DF} /asd
Security Update for DirectX 8 (KB941568)-->"C:\WINNT\$NtUninstallKB941568_DX8$\spuninst\spuninst.exe"
Security Update for DirectX 8 (KB951698)-->"C:\WINNT\$NtUninstallKB951698_DX8$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689)-->"C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569)-->"C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINNT\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINNT\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 7.1 (KB917734)-->"C:\WINNT\$NtUninstallKB917734_WMP7$\spuninst\spuninst.exe"
Security Update for Windows Media Player 7.1 (KB936782)-->"C:\WINNT\$NtUninstallKB936782_WMP7$\spuninst\spuninst.exe"
Update Rollup 1 for Windows 2000 SP4-->"C:\WINNT\$NtUpdateRollupPackUninstall$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB842773-->C:\WINNT\$NtUninstallKB842773$\spuninst\spuninst.exe
Windows 2000 Hotfix - KB890046-->"C:\WINNT\$NtUninstallKB890046$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB893756-->"C:\WINNT\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896358-->"C:\WINNT\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896422-->"C:\WINNT\$NtUninstallKB896422$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896423-->"C:\WINNT\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896424-->"C:\WINNT\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB901017-->"C:\WINNT\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB901214-->"C:\WINNT\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905749-->"C:\WINNT\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905915-->"C:\WINNT\$NtUninstallKB905915-IE501SP4-20051122.191609$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908519-->"C:\WINNT\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908523-->"C:\WINNT\$NtUninstallKB908523$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908531-->"C:\WINNT\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB910620-->"C:\WINNT\$NtUninstallKB910620-IE501SP4-20060112.143924$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB911280-->"C:\WINNT\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB911567-->"C:\WINNT\$NtUninstallKB911567-OE55SP2-20060317.162653$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB912812-->"C:\WINNT\$NtUninstallKB912812-IE501SP4-20060322.172831$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB912919-->"C:\WINNT\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB913580-->"C:\WINNT\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB914388-->"C:\WINNT\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB914389-->"C:\WINNT\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB916281-->"C:\WINNT\$NtUninstallKB916281-IE501SP4-20060519.173353$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917008-->"C:\WINNT\$NtUninstallKB917008$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917159-->"C:\WINNT\$NtUninstallKB917159$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917344-->"C:\WINNT\$NtUninstallKB917344$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917422-->"C:\WINNT\$NtUninstallKB917422$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917537-->"C:\WINNT\$NtUninstallKB917537$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917736-->"C:\WINNT\$NtUninstallKB917736$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917953-->"C:\WINNT\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB918118-->"C:\WINNT\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB918899-->"C:\WINNT\$NtUninstallKB918899-IE501SP4-20060725.072042$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920213-->"C:\WINNT\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920670-->"C:\WINNT\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920683-->"C:\WINNT\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920685-->"C:\WINNT\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920958-->"C:\WINNT\$NtUninstallKB920958$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB921398-->"C:\WINNT\$NtUninstallKB921398$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB921883-->"C:\WINNT\$NtUninstallKB921883$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB922582-->"C:\WINNT\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB922616-->"C:\WINNT\$NtUninstallKB922616$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB922760-->"C:\WINNT\$NtUninstallKB922760-IE501SP4-20060918.104713$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923191-->"C:\WINNT\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923414-->"C:\WINNT\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923694-->"C:\WINNT\$NtUninstallKB923694-OE55SP2-20061106.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923810-->"C:\WINNT\$NtUninstallKB923810$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923980-->"C:\WINNT\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB924191-->"C:\WINNT\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB924270-->"C:\WINNT\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB924667-->"C:\WINNT\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB925454-->"C:\WINNT\$NtUninstallKB925454-IE501SP4-20061116.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB925486-->"C:\WINNT\$NtUninstallKB925486-IE501SP4-20060918.174951$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB925902-->"C:\WINNT\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB926122-->"C:\WINNT\$NtUninstallKB926122$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB926436-->"C:\WINNT\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB927891-->"C:\WINNT\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB928090-->"C:\WINNT\$NtUninstallKB928090-IE501SP4-20070125.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB928843-->"C:\WINNT\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB929969-->"C:\WINNT\$NtUninstallKB929969-IE501SP4-20061220.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB930178-->"C:\WINNT\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB931784-->"C:\WINNT\$NtUninstallKB931784$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB932168-->"C:\WINNT\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB933729-->"C:\WINNT\$NtUninstallKB933729$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB935839-->"C:\WINNT\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB935840-->"C:\WINNT\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB936021-->"C:\WINNT\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB937894-->"C:\WINNT\$NtUninstallKB937894$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB938827-->"C:\WINNT\$NtUninstallKB938827$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB942831-->"C:\WINNT\$NtUninstallKB942831$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB943055-->"C:\WINNT\$NtUninstallKB943055$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB943485-->"C:\WINNT\$NtUninstallKB943485$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB944338-->"C:\WINNT\$NtUninstallKB944338$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB945553-->"C:\WINNT\$NtUninstallKB945553$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB948590-->"C:\WINNT\$NtUninstallKB948590$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB950749-->"C:\WINNT\$NtUninstallKB950749$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Player 7.1-->C:\Program Files\Windows Media Player\setup_wm.exe /Uninstall
Windows Media Player Hotfix [See Q828026 for more information]-->C:\WINNT\$NtUninstallQ828026$\spuninst\spuninst.exe
ZipCentral 4.01-->"C:\Program Files\ZipCentral\unins000.exe"
ZoneAlarm Spy Blocker-->rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Os2LibPath"=%SystemRoot%\system32\os2\dll;
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 6 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=060a
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
"tvdumpflags"=8

-----------------EOF-----------------
-----------------------------------------------

Logfile of random's system information tool 1.04 (written by random/random)
Run by Todd Putnam at 2008-12-10 09:32:27
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 2 GB (20%) free of 10 GB
Total RAM: 128 MB (3% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:33, on 2008-12-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\Fonts\wmsncs.exe
C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Documents and Settings\Todd Putnam\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Todd Putnam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe "C:\WINNT\Fonts\wmsncs.exe"
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINNT\system32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINNT\system32\wins\wmsncs.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spool Driver Service] C:\WINNT\system32\spool\drivers\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Wins Service] C:\WINNT\system32\wins\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: wmsncs.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133604207849
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 5485 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Program Files\Orbitdownloader\orbitcth.dll [2008-08-22 130248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-20 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - ZoneAlarm Spy Blocker - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-20 262144]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Program Files\Orbitdownloader\GrabPro.dll [2008-08-22 433272]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"Wmsncs Service"=C:\WINNT\Fonts\wmsncs.exe [2008-08-08 189990]
"NvidMediaCenter"=C:\Program Files\Common Files\System\wmsncs.exe [2008-08-08 189990]
"Spool Driver Service"=C:\WINNT\system32\spool\drivers\wmsncs.exe [2008-08-08 189990]
"Wins Service"=C:\WINNT\system32\wins\wmsncs.exe [2008-08-08 189990]
"Synchronization Manager"=mobsync.exe /logon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2008-11-15 2235920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
C:\PROGRA~1\ORBITD~1\orbitdm.exe [2008-08-22 1707208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^wmsncs.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmsncs.exe [2008-08-08 189990]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
wmsncs.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Program Files\Orbitdownloader\orbitnet.exe"="C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-12-10 09:32:27 ----D---- C:\rsit
2008-12-09 22:15:44 ----A---- C:\WINNT\zip.exe
2008-12-09 22:15:44 ----A---- C:\WINNT\SWREG.exe
2008-12-09 22:15:44 ----A---- C:\WINNT\NIRCMD.exe
2008-12-09 22:15:44 ----A---- C:\WINNT\grep.exe
2008-12-09 22:15:43 ----A---- C:\WINNT\VFIND.exe
2008-12-09 22:15:43 ----A---- C:\WINNT\sed.exe
2008-12-09 22:15:43 ----A---- C:\WINNT\fdsv.exe
2008-12-09 22:15:42 ----A---- C:\WINNT\SWXCACLS.exe
2008-12-09 22:15:42 ----A---- C:\WINNT\SWSC.exe
2008-12-09 22:15:07 ----D---- C:\WINNT\ERDNT
2008-12-09 22:15:07 ----D---- C:\Qoobox
2008-12-09 22:14:58 ----D---- C:\ComboFix
2008-12-09 22:14:52 ----A---- C:\WINNT\system32\CF5185.exe
2008-12-09 22:14:52 ----A---- C:\WINNT\system32\CF5179.exe
2008-12-09 22:13:55 ----D---- C:\32788R22FWJFW
2008-12-09 21:45:11 ----D---- C:\Documents and Settings\Todd Putnam\Application Data\Malwarebytes
2008-12-09 21:44:22 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-09 21:44:21 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-09 21:11:30 ----D---- C:\Program Files\Trend Micro
2008-12-09 19:52:50 ----A---- C:\WINNT\ntbtlog.txt
2008-12-09 10:06:48 ----A---- C:\WINNT\SchedLgU.Txt
2008-12-09 09:23:31 ----D---- C:\WINNT\pss
2008-11-28 19:35:37 ----ASHD---- C:\Config.Msi

======List of files/folders modified in the last 1 months======

2008-12-10 09:32:37 ----AD---- C:\WINNT\system32
2008-12-10 09:32:30 ----AD---- C:\WINNT\Internet Logs
2008-12-10 08:57:05 ----AD---- C:\WINNT\security
2008-12-10 08:57:03 ----D---- C:\Program Files\Mozilla Firefox
2008-12-10 08:54:00 ----D---- C:\WINNT\system32\inetsrv
2008-12-10 08:53:02 ----AD---- C:\WINNT\Temp
2008-12-10 08:50:29 ----D---- C:\WINNT\system32\NtmsData
2008-12-10 08:50:19 ----AD---- C:\WINNT\Debug
2008-12-09 22:30:44 ----D---- C:\Program Files\QuickTime
2008-12-09 22:30:41 ----D---- C:\Program Files\Orbitdownloader
2008-12-09 22:30:35 ----D---- C:\Program Files\Notepad++
2008-12-09 22:30:24 ----D---- C:\Program Files\Norton SystemWorks
2008-12-09 22:29:59 ----D---- C:\Program Files\Moyea
2008-12-09 22:29:34 ----D---- C:\Program Files\Microsoft Office
2008-12-09 22:29:30 ----D---- C:\Program Files\Memory
2008-12-09 22:29:27 ----D---- C:\Program Files\Java
2008-12-09 22:29:26 ----D---- C:\Program Files\Japanese
2008-12-09 22:29:25 ----D---- C:\Program Files\IObit
2008-12-09 22:29:19 ----D---- C:\Program Files\internet
2008-12-09 22:29:18 ----D---- C:\Program Files\IE55
2008-12-09 22:29:17 ----D---- C:\Program Files\Grisoft
2008-12-09 22:29:14 ----D---- C:\Program Files\Greatis
2008-12-09 22:29:12 ----D---- C:\Program Files\Google
2008-12-09 22:29:10 ----D---- C:\Program Files\Glary Registry Repair
2008-12-09 22:29:08 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2008-12-09 22:29:04 ----D---- C:\Program Files\Eltima Software
2008-12-09 22:29:00 ----D---- C:\Program Files\DivX
2008-12-09 22:28:57 ----D---- C:\Program Files\directx
2008-12-09 22:28:56 ----RAD---- C:\Program Files
2008-12-09 22:28:55 ----D---- C:\Program Files\DAP
2008-12-09 22:28:54 ----D---- C:\Program Files\CCleaner
2008-12-09 22:28:32 ----D---- C:\Program Files\Adobe
2008-12-09 22:28:16 ----D---- C:\Program Files\Adaptec
2008-12-09 22:28:14 ----D---- C:\Program Files\Accessories
2008-12-09 22:28:13 ----D---- C:\Program Files\802.11 Wireless LAN
2008-12-09 22:27:56 ----D---- C:\Program Files\2nd Story Software
2008-12-09 22:27:55 ----D---- C:\KPCMS
2008-12-09 22:26:33 ----D---- C:\icr
2008-12-09 22:26:32 ----D---- C:\Downloads
2008-12-09 22:26:30 ----D---- C:\Download
2008-12-09 22:26:29 ----D---- C:\backreg
2008-12-09 22:26:25 ----D---- C:\ALDUS
2008-12-09 22:24:31 ----AD---- C:\WINNT\system32\drivers
2008-12-09 22:24:30 ----AD---- C:\WINNT
2008-12-09 22:24:29 ----AD---- C:\WINNT\AppPatch
2008-12-09 22:24:29 ----AD---- C:\Program Files\Common Files
2008-12-09 22:24:23 ----SHD---- C:\RECYCLER
2008-12-09 22:20:28 ----SD---- C:\WINNT\Web
2008-12-09 20:08:05 ----AD---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-09 14:05:54 ----A---- C:\WINNT\ModemLog_Standard PCMCIA Card Modem.txt
2008-12-09 13:01:16 ----HD---- C:\WINNT\inf
2008-12-09 09:49:09 ----SD---- C:\Documents and Settings\Todd Putnam\Application Data\Microsoft
2008-12-09 08:54:33 ----D---- C:\Documents and Settings\Todd Putnam\Application Data\Orbit
2008-12-08 13:45:38 ----AD---- C:\WINNT\system32\wins
2008-12-08 13:45:37 ----RSHD---- C:\Program Files\Common Files\System
2008-12-08 13:45:00 ----RASD---- C:\WINNT\Fonts
2008-12-05 20:31:28 ----D---- C:\Program Files\ZipCentral
2008-11-30 21:04:22 ----D---- C:\Documents and Settings\Todd Putnam\Application Data\IObit
2008-11-28 19:36:31 ----SHD---- C:\WINNT\Installer
2008-11-28 19:26:15 ----AD---- C:\Program Files\Common Files\Microsoft Shared
2008-11-28 19:26:14 ----D---- C:\WINNT\winsxs
2008-11-18 10:08:03 ----AD---- C:\WINNT\Help
2008-11-18 10:07:23 ----RASHDC---- C:\WINNT\system32\dllcache
2008-11-14 18:44:36 ----SHD---- C:\WINNT\CSC
2008-11-14 18:02:46 ----D---- C:\Program Files\ToniArts
2008-11-14 18:01:56 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-14 11:35:50 ----AD---- C:\WINNT\system32\ZoneLabs
2008-11-14 10:03:25 ----AD---- C:\WINNT\system32\mui
2008-11-14 10:03:21 ----D---- C:\Program Files\Internet Explorer
2008-11-14 10:02:08 ----RSD---- C:\WINNT\assembly
2008-11-14 09:55:47 ----D---- C:\WINNT\Registration
2008-11-11 21:29:02 ----D---- C:\Todd

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2001-03-02 52720]
R1 vsdatant;vsdatant; C:\WINNT\System32\vsdatant.sys [2008-07-09 394952]
R2 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2001-03-02 22585]
R2 HidUsb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [1999-10-04 13904]
R2 irda;IrDA Protocol; C:\WINNT\System32\DRIVERS\irda.sys [2003-06-19 57296]
R3 atirage3;atirage3; C:\WINNT\System32\DRIVERS\atimpab.sys [1999-11-10 71632]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINNT\System32\DRIVERS\CmBatt.sys [2003-06-19 9904]
R3 ess;ESS Audio Driver (WDM); C:\WINNT\system32\drivers\ess.sys [1999-09-30 64144]
R3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2003-06-19 11632]
R3 NPDriver;Norton Unerase Protection Driver; \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS []
R3 Rasirda;WAN Miniport (IrDA Modem); C:\WINNT\System32\DRIVERS\rasirda.sys [2003-06-19 19920]
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINNT\System32\DRIVERS\smcirda.sys [1999-09-24 36112]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-19 40176]
R3 W8335PCI;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51; C:\WINNT\system32\DRIVERS\Mrv8000c.sys [2004-09-17 253568]
S1 kbdhid;Keyboard HID Driver; C:\WINNT\System32\DRIVERS\kbdhid.sys [1999-10-04 13744]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2001-10-08 15264]
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2001-10-16 13952]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2001-10-30 4896]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\system32\DRIVERS\NABTSFEC.sys [2001-10-08 86016]
S3 Partizan;Partizan; C:\WINNT\system32\drivers\Partizan.sys [2008-09-02 30946]
S3 RegGuard;RegGuard; \??\C:\WINNT\system32\Drivers\regguard.sys []
S3 SDdriver;SDdriver; \??\C:\WINNT\system32\Drivers\sddriver.sys []
S3 sermouse;Serial Mouse Driver; C:\WINNT\System32\DRIVERS\sermouse.sys [1999-09-25 17136]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2001-10-16 10368]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2001-10-16 14400]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2003-06-19 21872]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2001-10-08 18208]
S4 dmload;dmload; C:\WINNT\System32\drivers\dmload.sys [2003-06-19 7312]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 HidServ;HID Input Service; C:\WINNT\system32\hidserv.exe [2003-06-19 19728]
R2 IISADMIN;IIS Admin Service; C:\WINNT\system32\inetsrv\inetinfo.exe [2003-06-19 14608]
R2 Irmon;Infrared Monitor; C:\WINNT\System32\svchost.exe [1999-12-06 7952]
R2 MSFTPSVC;FTP Publishing Service; C:\WINNT\system32\inetsrv\inetinfo.exe [2003-06-19 14608]
R2 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86; C:\WINNT\Fonts\wmsncs.exe [2008-08-08 189990]
R2 Norton Program Scheduler;Norton Program Scheduler; C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe [2000-08-25 36864]
R2 NProtectService;Norton Unerase Protection; C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2000-08-27 126976]
R2 Speed Disk service;Speed Disk service; C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe [2000-08-17 172065]
R2 vsmon;TrueVector Internet Monitor; C:\WINNT\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
R2 W3SVC;World Wide Web Publishing Service; C:\WINNT\system32\inetsrv\inetinfo.exe [2003-06-19 14608]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINNT\system32\mspmspsv.exe [2001-05-01 53248]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 NAV Alert;NAV Alert; C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe [2000-08-25 81920]
S3 NAV Auto-Protect;NAV Auto-Protect; C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe [2000-08-25 90112]

-----------------EOF-----------------


Thanks for your help!!
Todd



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:01 PM

Posted 17 December 2008 - 07:45 AM

Hello toddly

Welcome to BleepingComputer :thumbsup:
========================
If you are still in need of assistance please post a new Rsit log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 toddly

toddly
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Seattle, WA USA
  • Local time:11:01 AM

Posted 18 December 2008 - 01:48 AM

Thank you, Kahdah,
and yes, I am still in need of help. I would be happy to repost an Rsit log. Could you please tell me what it is; I am not familiar with it.
Thanks again. I will try to get it posted soon.

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:01 PM

Posted 18 December 2008 - 08:18 AM

Hi, it is the first log that you posted. If you no longer have the RSIT icon on your desktop, then do the following:
=========
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#5 toddly

toddly
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Seattle, WA USA
  • Local time:11:01 AM

Posted 19 December 2008 - 12:55 AM

Kahdah,
Thanks. Okay, here's the log; I hope it has what is needed:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Todd Putnam at 2008-12-18 21:53:44
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 2 GB (16%) free of 10 GB
Total RAM: 128 MB (5% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:54, on 2008-12-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\Fonts\wmsncs.exe
C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Documents and Settings\Todd Putnam\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Todd Putnam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe "C:\WINNT\Fonts\wmsncs.exe"
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINNT\system32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINNT\system32\wins\wmsncs.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spool Driver Service] C:\WINNT\system32\spool\drivers\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Wins Service] C:\WINNT\system32\wins\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: wmsncs.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133604207849
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 5369 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Program Files\Orbitdownloader\orbitcth.dll [2008-08-22 130248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-20 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - ZoneAlarm Spy Blocker - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-20 262144]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Program Files\Orbitdownloader\GrabPro.dll [2008-08-22 433272]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"Wmsncs Service"=C:\WINNT\Fonts\wmsncs.exe [2008-08-08 189990]
"NvidMediaCenter"=C:\Program Files\Common Files\System\wmsncs.exe [2008-08-08 189990]
"Spool Driver Service"=C:\WINNT\system32\spool\drivers\wmsncs.exe [2008-08-08 189990]
"Wins Service"=C:\WINNT\system32\wins\wmsncs.exe [2008-08-08 189990]
"Synchronization Manager"=mobsync.exe /logon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2008-11-15 2235920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
C:\PROGRA~1\ORBITD~1\orbitdm.exe [2008-08-22 1707208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^wmsncs.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmsncs.exe [2008-08-08 189990]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
wmsncs.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Program Files\Orbitdownloader\orbitnet.exe"="C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-12-10 09:32:27 ----D---- C:\rsit
2008-12-09 22:15:44 ----A---- C:\WINNT\zip.exe
2008-12-09 22:15:44 ----A---- C:\WINNT\SWREG.exe
2008-12-09 22:15:44 ----A---- C:\WINNT\NIRCMD.exe
2008-12-09 22:15:44 ----A---- C:\WINNT\grep.exe
2008-12-09 22:15:43 ----A---- C:\WINNT\VFIND.exe
2008-12-09 22:15:43 ----A---- C:\WINNT\sed.exe
2008-12-09 22:15:43 ----A---- C:\WINNT\fdsv.exe
2008-12-09 22:15:42 ----A---- C:\WINNT\SWXCACLS.exe
2008-12-09 22:15:42 ----A---- C:\WINNT\SWSC.exe
2008-12-09 22:15:07 ----D---- C:\WINNT\ERDNT
2008-12-09 22:15:07 ----D---- C:\Qoobox
2008-12-09 22:14:58 ----D---- C:\ComboFix
2008-12-09 22:14:52 ----A---- C:\WINNT\system32\CF5185.exe
2008-12-09 22:14:52 ----A---- C:\WINNT\system32\CF5179.exe
2008-12-09 22:13:55 ----D---- C:\32788R22FWJFW
2008-12-09 21:45:11 ----D---- C:\Documents and Settings\Todd Putnam\Application Data\Malwarebytes
2008-12-09 21:44:22 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-09 21:44:21 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-09 21:11:30 ----D---- C:\Program Files\Trend Micro
2008-12-09 19:52:50 ----A---- C:\WINNT\ntbtlog.txt
2008-12-09 10:06:48 ----A---- C:\WINNT\SchedLgU.Txt
2008-12-09 09:23:31 ----D---- C:\WINNT\pss
2008-11-28 19:35:37 ----ASHD---- C:\Config.Msi

======List of files/folders modified in the last 1 months======

2008-12-18 21:53:51 ----AD---- C:\WINNT\system32
2008-12-18 21:51:52 ----AD---- C:\WINNT\Internet Logs
2008-12-18 21:36:18 ----D---- C:\Program Files\Mozilla Firefox
2008-12-18 21:34:02 ----D---- C:\WINNT\system32\inetsrv
2008-12-18 21:32:50 ----AD---- C:\WINNT\Temp
2008-12-18 21:30:30 ----D---- C:\WINNT\system32\NtmsData
2008-12-18 21:30:22 ----AD---- C:\WINNT\security
2008-12-18 21:30:17 ----AD---- C:\WINNT\Debug
2008-12-16 16:12:59 ----A---- C:\WINNT\ModemLog_Standard PCMCIA Card Modem.txt
2008-12-09 22:30:44 ----D---- C:\Program Files\QuickTime
2008-12-09 22:30:41 ----D---- C:\Program Files\Orbitdownloader
2008-12-09 22:30:35 ----D---- C:\Program Files\Notepad++
2008-12-09 22:30:24 ----D---- C:\Program Files\Norton SystemWorks
2008-12-09 22:29:59 ----D---- C:\Program Files\Moyea
2008-12-09 22:29:34 ----D---- C:\Program Files\Microsoft Office
2008-12-09 22:29:30 ----D---- C:\Program Files\Memory
2008-12-09 22:29:27 ----D---- C:\Program Files\Java
2008-12-09 22:29:26 ----D---- C:\Program Files\Japanese
2008-12-09 22:29:25 ----D---- C:\Program Files\IObit
2008-12-09 22:29:19 ----D---- C:\Program Files\internet
2008-12-09 22:29:18 ----D---- C:\Program Files\IE55
2008-12-09 22:29:17 ----D---- C:\Program Files\Grisoft
2008-12-09 22:29:14 ----D---- C:\Program Files\Greatis
2008-12-09 22:29:12 ----D---- C:\Program Files\Google
2008-12-09 22:29:10 ----D---- C:\Program Files\Glary Registry Repair
2008-12-09 22:29:08 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2008-12-09 22:29:04 ----D---- C:\Program Files\Eltima Software
2008-12-09 22:29:00 ----D---- C:\Program Files\DivX
2008-12-09 22:28:57 ----D---- C:\Program Files\directx
2008-12-09 22:28:56 ----RAD---- C:\Program Files
2008-12-09 22:28:55 ----D---- C:\Program Files\DAP
2008-12-09 22:28:54 ----D---- C:\Program Files\CCleaner
2008-12-09 22:28:32 ----D---- C:\Program Files\Adobe
2008-12-09 22:28:16 ----D---- C:\Program Files\Adaptec
2008-12-09 22:28:14 ----D---- C:\Program Files\Accessories
2008-12-09 22:28:13 ----D---- C:\Program Files\802.11 Wireless LAN
2008-12-09 22:27:56 ----D---- C:\Program Files\2nd Story Software
2008-12-09 22:27:55 ----D---- C:\KPCMS
2008-12-09 22:26:33 ----D---- C:\icr
2008-12-09 22:26:32 ----D---- C:\Downloads
2008-12-09 22:26:30 ----D---- C:\Download
2008-12-09 22:26:29 ----D---- C:\backreg
2008-12-09 22:26:25 ----D---- C:\ALDUS
2008-12-09 22:24:31 ----AD---- C:\WINNT\system32\drivers
2008-12-09 22:24:30 ----AD---- C:\WINNT
2008-12-09 22:24:29 ----AD---- C:\WINNT\AppPatch
2008-12-09 22:24:29 ----AD---- C:\Program Files\Common Files
2008-12-09 22:24:23 ----SHD---- C:\RECYCLER
2008-12-09 22:20:28 ----SD---- C:\WINNT\Web
2008-12-09 20:08:05 ----AD---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-09 13:01:16 ----HD---- C:\WINNT\inf
2008-12-09 09:49:09 ----SD---- C:\Documents and Settings\Todd Putnam\Application Data\Microsoft
2008-12-09 08:54:33 ----D---- C:\Documents and Settings\Todd Putnam\Application Data\Orbit
2008-12-08 13:45:38 ----AD---- C:\WINNT\system32\wins
2008-12-08 13:45:37 ----RSHD---- C:\Program Files\Common Files\System
2008-12-08 13:45:00 ----RASD---- C:\WINNT\Fonts
2008-12-05 20:31:28 ----D---- C:\Program Files\ZipCentral
2008-11-30 21:04:22 ----D---- C:\Documents and Settings\Todd Putnam\Application Data\IObit
2008-11-28 19:36:31 ----SHD---- C:\WINNT\Installer
2008-11-28 19:26:15 ----AD---- C:\Program Files\Common Files\Microsoft Shared
2008-11-28 19:26:14 ----D---- C:\WINNT\winsxs

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2001-03-02 52720]
R1 vsdatant;vsdatant; C:\WINNT\System32\vsdatant.sys [2008-07-09 394952]
R2 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2001-03-02 22585]
R2 HidUsb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [1999-10-04 13904]
R2 irda;IrDA Protocol; C:\WINNT\System32\DRIVERS\irda.sys [2003-06-19 57296]
R3 atirage3;atirage3; C:\WINNT\System32\DRIVERS\atimpab.sys [1999-11-10 71632]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINNT\System32\DRIVERS\CmBatt.sys [2003-06-19 9904]
R3 ess;ESS Audio Driver (WDM); C:\WINNT\system32\drivers\ess.sys [1999-09-30 64144]
R3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2003-06-19 11632]
R3 NPDriver;Norton Unerase Protection Driver; \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS []
R3 Rasirda;WAN Miniport (IrDA Modem); C:\WINNT\System32\DRIVERS\rasirda.sys [2003-06-19 19920]
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINNT\System32\DRIVERS\smcirda.sys [1999-09-24 36112]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-19 40176]
R3 W8335PCI;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51; C:\WINNT\system32\DRIVERS\Mrv8000c.sys [2004-09-17 253568]
S1 kbdhid;Keyboard HID Driver; C:\WINNT\System32\DRIVERS\kbdhid.sys [1999-10-04 13744]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2001-10-08 15264]
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2001-10-16 13952]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2001-10-30 4896]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\system32\DRIVERS\NABTSFEC.sys [2001-10-08 86016]
S3 Partizan;Partizan; C:\WINNT\system32\drivers\Partizan.sys [2008-09-02 30946]
S3 RegGuard;RegGuard; \??\C:\WINNT\system32\Drivers\regguard.sys []
S3 SDdriver;SDdriver; \??\C:\WINNT\system32\Drivers\sddriver.sys []
S3 sermouse;Serial Mouse Driver; C:\WINNT\System32\DRIVERS\sermouse.sys [1999-09-25 17136]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2001-10-16 10368]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2001-10-16 14400]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2003-06-19 21872]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2001-10-08 18208]
S4 dmload;dmload; C:\WINNT\System32\drivers\dmload.sys [2003-06-19 7312]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 HidServ;HID Input Service; C:\WINNT\system32\hidserv.exe [2003-06-19 19728]
R2 IISADMIN;IIS Admin Service; C:\WINNT\system32\inetsrv\inetinfo.exe [2003-06-19 14608]
R2 Irmon;Infrared Monitor; C:\WINNT\System32\svchost.exe [1999-12-06 7952]
R2 MSFTPSVC;FTP Publishing Service; C:\WINNT\system32\inetsrv\inetinfo.exe [2003-06-19 14608]
R2 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86; C:\WINNT\Fonts\wmsncs.exe [2008-08-08 189990]
R2 Norton Program Scheduler;Norton Program Scheduler; C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe [2000-08-25 36864]
R2 NProtectService;Norton Unerase Protection; C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2000-08-27 126976]
R2 Speed Disk service;Speed Disk service; C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe [2000-08-17 172065]
R2 vsmon;TrueVector Internet Monitor; C:\WINNT\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
R2 W3SVC;World Wide Web Publishing Service; C:\WINNT\system32\inetsrv\inetinfo.exe [2003-06-19 14608]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINNT\system32\mspmspsv.exe [2001-05-01 53248]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 NAV Alert;NAV Alert; C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe [2000-08-25 81920]
S3 NAV Auto-Protect;NAV Auto-Protect; C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe [2000-08-25 90112]

-----------------EOF-----------------
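The log above shows the pattern that makes this infection hard to remove by hand: the same wmsncs.exe is registered under several Run keys, appended to the system.ini Shell= value, dropped into the all-users Startup folder and run as a service, each copy living in a folder where programs do not normally execute. The following script is an added example, not part of the thread or of RSIT/HijackThis; it parses those HijackThis line types and reports any executable showing that pattern. The sample lines are copied from the log posted above; the list of unusual folders and the location threshold are my own assumptions.

```python
"""Triage HijackThis autostart lines for a binary registered in many places."""
import re
from collections import defaultdict

# Folders a normal installer never writes an executable into (assumption:
# taken from the paths in the log above; extend for your own environment).
SUSPICIOUS_DIRS = (
    "\\fonts\\", "\\spool\\drivers\\", "\\system32\\wins\\", "\\common files\\system\\",
)

# HijackThis line types that represent autostart locations. Each regex must
# capture the launch command as `cmd`; `loc` (if present) names the location.
_PATTERNS = (
    (re.compile(r"^O4 - (?P<loc>[^:]+): \[[^\]]*\] (?P<cmd>.*)$"), "O4 {loc}"),
    (re.compile(r"^O4 - Global Startup: (?P<cmd>.*)$"), "O4 Global Startup"),
    (re.compile(r"^F2 - REG:system\.ini: Shell=(?P<cmd>.*)$"), "F2 system.ini Shell"),
    (re.compile(r"^O23 - Service: (?P<loc>.+?) - .+? - (?P<cmd>.*)$"), "O23 Service {loc}"),
)

# A quoted path, an unquoted drive-letter path (spaces allowed, up to the
# first .exe) or a bare program name such as mobsync.exe.
_EXE = re.compile(r'"([^"]*?\.exe)"|([A-Za-z]:\\.*?\.exe|\S+\.exe)', re.IGNORECASE)


def executables(cmd: str) -> list[str]:
    """Return every executable path mentioned in a launch command."""
    return [m.group(1) or m.group(2) for m in _EXE.finditer(cmd)]


def parse_autostarts(lines):
    """Yield (location, executable_path) for each autostart entry in the log."""
    for line in lines:
        line = line.strip()
        for pattern, label in _PATTERNS:
            m = pattern.match(line)
            if m:
                location = label.format(**m.groupdict())
                for path in executables(m.group("cmd")):
                    yield location, path
                break


def triage(lines, min_locations: int = 2) -> dict:
    """Group autostart entries by executable name and return the suspicious ones.

    A binary is reported when it is registered in `min_locations` or more
    places, is appended to the Shell= value next to explorer.exe, or runs
    from one of SUSPICIOUS_DIRS.
    """
    seen = defaultdict(lambda: {"locations": [], "paths": set(), "reasons": set()})
    for location, path in parse_autostarts(lines):
        base = path.rsplit("\\", 1)[-1].lower()
        entry = seen[base]
        entry["locations"].append(location)
        entry["paths"].add(path)
        if location.startswith("F2") and base != "explorer.exe":
            entry["reasons"].add("appended to the system.ini Shell= value")
        for folder in SUSPICIOUS_DIRS:
            if folder in path.lower():
                entry["reasons"].add("runs from unusual folder " + folder)
    report = {}
    for base, entry in seen.items():
        if len(entry["locations"]) >= min_locations:
            entry["reasons"].add(f"registered in {len(entry['locations'])} autostart locations")
        if entry["reasons"]:
            report[base] = {
                "locations": entry["locations"],
                "paths": sorted(entry["paths"]),
                "reasons": sorted(entry["reasons"]),
            }
    return report


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\WINNT\Fonts\wmsncs.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINNT\system32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINNT\system32\wins\wmsncs.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe (User 'Default user')
O4 - Global Startup: wmsncs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG.splitlines()).items():
        print(name)
        for reason in info["reasons"]:
            print("  -", reason)
        for location in info["locations"]:
            print("  at", location)
```

Running it on the sample reports only wmsncs.exe, with seven autostart locations, the Shell= hijack and four unusual folders, while zlclient.exe, mobsync.exe, vsmon.exe and explorer.exe are left alone.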

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:01 PM

Posted 19 December 2008 - 08:02 AM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the C: drive. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


#7 toddly

toddly
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Seattle, WA USA
  • Local time:11:01 AM

Posted 22 December 2008 - 04:14 PM

Kahdah,
Thank you!! Below I have posted the SDFix Report.txt, and the new HijackThis log. I also have a question. I notice that at the end of the Report, it says that I have files with hidden attributes. What does that mean? Can I open these files? Also, I notice that there are two files in my root directory that might be implicated in my infection: wmsoft08735.exe, and wmsoft86147.exe. Both begin with the same first three letters as the wmsncs.exe which seems to have been at the heart of the problem. What are these programs? Can I delete them? I did a search for other files that were created on the same date (5/26/2008) and it seems that I had downloaded a new version of Adobe on that date, and a pdf file. Are these likely to be a problem in the future? Should I delete them?

Thanks again for all your help!! Below are the Report.txt and HijackThis log:

SDFix: Version 1.240
Run by Todd Putnam on Sun 2008-12-21 at 21:52

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\sdfix

Checking Services :

Name :
NET Runtime Optimization Service v2.1.41329_X86

Path :
"C:\WINNT\Fonts\wmsncs.exe"

NET Runtime Optimization Service v2.1.41329_X86 - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\system32\eraseme_88883.exe - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmsncs.exe - Deleted
C:\Program Files\Common Files\System\wmsncs.exe - Deleted
C:\WINNT\Fonts\wmsncs.exe - Deleted
C:\WINNT\System32\spool\drivers\wmsncs.exe - Deleted
C:\WINNT\system32\wins\wmsncs.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 22:07:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"NoPopUpsOnBoot"=dword:00000001
"LoadAppInit_DLLs"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\sdfix\backups\backups.zip

Files with Hidden Attributes :

Mon 26 May 2008 161,792 A.SHR --- "C:\WINNT\wmsoft08735.exe"
Mon 6 Dec 1999 60,688 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Thu 19 Jun 2003 42,768 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 19 Jun 2003 4,639 ..SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Tue 12 Feb 2008 144,384 ...H. --- "C:\Todd\cons\~WRL0004.tmp"
Wed 29 Oct 2008 311,296 ...H. --- "C:\Todd\cons\~WRL0445.tmp"
Mon 8 Dec 2008 43,008 ...H. --- "C:\Todd\cons\~WRL1133.tmp"
Thu 30 Oct 2008 461,824 ...H. --- "C:\Todd\cons\~WRL1747.tmp"
Mon 21 Apr 2008 138,240 ...H. --- "C:\Todd\cons\~WRL2743.tmp"
Tue 22 Aug 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 14 Feb 2008 63,488 ...H. --- "C:\Todd\Camp Long\Camp Long\~WRL3352.tmp"

Finished!

-------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58, on 2008-12-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133604207849
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4506 bytes

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:02:01 PM

Posted 22 December 2008 - 09:56 PM

Kahdah,
Thank you!! Below I have posted the sdfix Report.txt, and the new HijackThis.log. I also have a question. I notice that at the end of the Report, it says that I have files with hidden attributes. What does that mean? Can I open these files? Also, I notice that there are two files in my root directory that might be implicated in my infection: wmsofto8735.exe, and wmsoft86147.exe. Both begin with the same first three letters as the wmsncs.exe which seems to have been at the heart of the problem. What are these programs? Can I delete them? I did a search for other files that were created on the same date --5/26/2008-- and it seems that I had downloaded a new version of Adobe on that date, and a pdf file. Are these likely to be a problem in the future? Should I delete them?

You are welcome.

Files with hidden attributes simply means they are hidden files.
Meaning you cannot see them unless you uncheck show hidden files\folders.
Adobe is legit; it would be very hard to say where it came from.
==========================
Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.

C:\WINNT\wmsoft08735.exe
C:\WINNT\wmsoft86147.exe



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to samples.

Click Here to upload the files please.
===============
After that, delete these files:
C:\WINNT\wmsoft08735.exe
C:\WINNT\wmsoft86147.exe
==========================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
============
After that, post these logs in your next reply:

Malwarebytes log
New RSIT log
(it was the first thing I had you download)
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#9 toddly

toddly
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle, WA USA
  • Local time:11:01 AM

Posted 23 December 2008 - 05:14 PM

Thanks yet again, Kahdah. You are a life saver!
Alright, here's my new logs:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Todd Putnam at 2008-12-23 14:08:37
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 1 GB (14%) free of 10 GB
Total RAM: 128 MB (11% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09, on 2008-12-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\CMMON32.EXE
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Todd Putnam\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Todd Putnam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133604207849
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F35FE857-B882-45B7-B031-AFB5E51BF381}: NameServer = 64.40.40.51 209.102.96.10
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4729 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Program Files\Orbitdownloader\orbitcth.dll [2008-08-22 130248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-20 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - ZoneAlarm Spy Blocker - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-20 262144]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Program Files\Orbitdownloader\GrabPro.dll [2008-08-22 433272]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"Synchronization Manager"=mobsync.exe /logon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2008-11-15 2235920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
C:\PROGRA~1\ORBITD~1\orbitdm.exe [2008-08-22 1707208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^wmsncs.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmsncs.exe []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Program Files\Orbitdownloader\orbitnet.exe"="C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-12-23 11:10:57 ----D---- C:\Submit Files Packer
2008-12-21 21:47:22 ----D---- C:\WINNT\ERUNT
2008-12-21 21:33:38 ----D---- C:\New Folder
2008-12-21 21:33:14 ----D---- C:\sdfix
2008-12-10 09:32:27 ----D---- C:\rsit
2008-12-09 22:15:44 ----A---- C:\WINNT\zip.exe
2008-12-09 22:15:44 ----A---- C:\WINNT\SWREG.exe
2008-12-09 22:15:44 ----A---- C:\WINNT\NIRCMD.exe
2008-12-09 22:15:44 ----A---- C:\WINNT\grep.exe
2008-12-09 22:15:43 ----A---- C:\WINNT\VFIND.exe
2008-12-09 22:15:43 ----A---- C:\WINNT\sed.exe
2008-12-09 22:15:43 ----A---- C:\WINNT\fdsv.exe
2008-12-09 22:15:42 ----A---- C:\WINNT\SWXCACLS.exe
2008-12-09 22:15:42 ----A---- C:\WINNT\SWSC.exe
2008-12-09 22:15:07 ----D---- C:\WINNT\ERDNT
2008-12-09 22:15:07 ----D---- C:\Qoobox
2008-12-09 22:14:58 ----D---- C:\ComboFix
2008-12-09 22:14:52 ----A---- C:\WINNT\system32\CF5185.exe
2008-12-09 22:14:52 ----A---- C:\WINNT\system32\CF5179.exe
2008-12-09 22:13:55 ----D---- C:\32788R22FWJFW
2008-12-09 21:45:11 ----D---- C:\Documents and Settings\Todd Putnam\Application Data\Malwarebytes
2008-12-09 21:44:22 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-09 21:44:21 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-09 21:11:30 ----D---- C:\Program Files\Trend Micro
2008-12-09 19:52:50 ----A---- C:\WINNT\ntbtlog.txt
2008-12-09 10:06:48 ----A---- C:\WINNT\SchedLgU.Txt
2008-12-09 09:23:31 ----D---- C:\WINNT\pss
2008-11-28 19:35:37 ----ASHD---- C:\Config.Msi

======List of files/folders modified in the last 1 months======

2008-12-23 14:08:44 ----AD---- C:\WINNT\system32
2008-12-23 14:08:00 ----AD---- C:\WINNT\Internet Logs
2008-12-23 13:54:07 ----A---- C:\WINNT\ModemLog_Standard PCMCIA Card Modem.txt
2008-12-23 12:59:40 ----D---- C:\Program Files\Mozilla Firefox
2008-12-23 12:46:35 ----D---- C:\WINNT\system32\inetsrv
2008-12-23 12:45:08 ----AD---- C:\WINNT\Temp
2008-12-23 12:42:52 ----D---- C:\WINNT\system32\NtmsData
2008-12-23 12:42:46 ----AD---- C:\WINNT\Debug
2008-12-23 12:40:30 ----AD---- C:\WINNT\security
2008-12-23 11:12:04 ----D---- C:\Program Files\ZipCentral
2008-12-21 21:57:35 ----AD---- C:\WINNT\system32\wins
2008-12-21 21:57:34 ----RSHD---- C:\Program Files\Common Files\System
2008-12-21 21:57:34 ----RASD---- C:\WINNT\Fonts
2008-12-21 21:47:22 ----AD---- C:\WINNT
2008-12-09 22:30:44 ----D---- C:\Program Files\QuickTime
2008-12-09 22:30:41 ----D---- C:\Program Files\Orbitdownloader
2008-12-09 22:30:35 ----D---- C:\Program Files\Notepad++
2008-12-09 22:30:24 ----D---- C:\Program Files\Norton SystemWorks
2008-12-09 22:29:59 ----D---- C:\Program Files\Moyea
2008-12-09 22:29:34 ----D---- C:\Program Files\Microsoft Office
2008-12-09 22:29:30 ----D---- C:\Program Files\Memory
2008-12-09 22:29:27 ----D---- C:\Program Files\Java
2008-12-09 22:29:26 ----D---- C:\Program Files\Japanese
2008-12-09 22:29:25 ----D---- C:\Program Files\IObit
2008-12-09 22:29:19 ----D---- C:\Program Files\internet
2008-12-09 22:29:18 ----D---- C:\Program Files\IE55
2008-12-09 22:29:17 ----D---- C:\Program Files\Grisoft
2008-12-09 22:29:14 ----D---- C:\Program Files\Greatis
2008-12-09 22:29:12 ----D---- C:\Program Files\Google
2008-12-09 22:29:10 ----D---- C:\Program Files\Glary Registry Repair
2008-12-09 22:29:08 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2008-12-09 22:29:04 ----D---- C:\Program Files\Eltima Software
2008-12-09 22:29:00 ----D---- C:\Program Files\DivX
2008-12-09 22:28:57 ----D---- C:\Program Files\directx
2008-12-09 22:28:56 ----RAD---- C:\Program Files
2008-12-09 22:28:55 ----D---- C:\Program Files\DAP
2008-12-09 22:28:54 ----D---- C:\Program Files\CCleaner
2008-12-09 22:28:32 ----D---- C:\Program Files\Adobe
2008-12-09 22:28:16 ----D---- C:\Program Files\Adaptec
2008-12-09 22:28:14 ----D---- C:\Program Files\Accessories
2008-12-09 22:28:13 ----D---- C:\Program Files\802.11 Wireless LAN
2008-12-09 22:27:56 ----D---- C:\Program Files\2nd Story Software
2008-12-09 22:27:55 ----D---- C:\KPCMS
2008-12-09 22:26:33 ----D---- C:\icr
2008-12-09 22:26:32 ----D---- C:\Downloads
2008-12-09 22:26:30 ----D---- C:\Download
2008-12-09 22:26:29 ----D---- C:\backreg
2008-12-09 22:26:25 ----D---- C:\ALDUS
2008-12-09 22:24:31 ----AD---- C:\WINNT\system32\drivers
2008-12-09 22:24:29 ----AD---- C:\WINNT\AppPatch
2008-12-09 22:24:29 ----AD---- C:\Program Files\Common Files
2008-12-09 22:24:23 ----SHD---- C:\RECYCLER
2008-12-09 22:20:28 ----SD---- C:\WINNT\Web
2008-12-09 20:08:05 ----AD---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-09 13:01:16 ----HD---- C:\WINNT\inf
2008-12-09 09:49:09 ----SD---- C:\Documents and Settings\Todd Putnam\Application Data\Microsoft
2008-12-09 08:54:33 ----D---- C:\Documents and Settings\Todd Putnam\Application Data\Orbit
2008-11-30 21:04:22 ----D---- C:\Documents and Settings\Todd Putnam\Application Data\IObit
2008-11-28 19:36:31 ----SHD---- C:\WINNT\Installer
2008-11-28 19:26:15 ----AD---- C:\Program Files\Common Files\Microsoft Shared
2008-11-28 19:26:14 ----D---- C:\WINNT\winsxs

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2001-03-02 52720]
R1 vsdatant;vsdatant; C:\WINNT\System32\vsdatant.sys [2008-07-09 394952]
R2 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2001-03-02 22585]
R2 HidUsb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [1999-10-04 13904]
R2 irda;IrDA Protocol; C:\WINNT\System32\DRIVERS\irda.sys [2003-06-19 57296]
R3 atirage3;atirage3; C:\WINNT\System32\DRIVERS\atimpab.sys [1999-11-10 71632]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINNT\System32\DRIVERS\CmBatt.sys [2003-06-19 9904]
R3 ess;ESS Audio Driver (WDM); C:\WINNT\system32\drivers\ess.sys [1999-09-30 64144]
R3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2003-06-19 11632]
R3 NPDriver;Norton Unerase Protection Driver; \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS []
R3 Rasirda;WAN Miniport (IrDA Modem); C:\WINNT\System32\DRIVERS\rasirda.sys [2003-06-19 19920]
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINNT\System32\DRIVERS\smcirda.sys [1999-09-24 36112]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-19 40176]
R3 W8335PCI;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51; C:\WINNT\system32\DRIVERS\Mrv8000c.sys [2004-09-17 253568]
S1 kbdhid;Keyboard HID Driver; C:\WINNT\System32\DRIVERS\kbdhid.sys [1999-10-04 13744]
S3 catchme;catchme; \??\C:\DOCUME~1\TODDPU~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2001-10-08 15264]
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2001-10-16 13952]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2001-10-30 4896]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\system32\DRIVERS\NABTSFEC.sys [2001-10-08 86016]
S3 Partizan;Partizan; C:\WINNT\system32\drivers\Partizan.sys [2008-09-02 30946]
S3 RegGuard;RegGuard; \??\C:\WINNT\system32\Drivers\regguard.sys []
S3 SDdriver;SDdriver; \??\C:\WINNT\system32\Drivers\sddriver.sys []
S3 sermouse;Serial Mouse Driver; C:\WINNT\System32\DRIVERS\sermouse.sys [1999-09-25 17136]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2001-10-16 10368]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2001-10-16 14400]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2003-06-19 21872]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2001-10-08 18208]
S4 dmload;dmload; C:\WINNT\System32\drivers\dmload.sys [2003-06-19 7312]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 HidServ;HID Input Service; C:\WINNT\system32\hidserv.exe [2003-06-19 19728]
R2 IISADMIN;IIS Admin Service; C:\WINNT\system32\inetsrv\inetinfo.exe [2003-06-19 14608]
R2 Irmon;Infrared Monitor; C:\WINNT\System32\svchost.exe [1999-12-06 7952]
R2 MSFTPSVC;FTP Publishing Service; C:\WINNT\system32\inetsrv\inetinfo.exe [2003-06-19 14608]
R2 Norton Program Scheduler;Norton Program Scheduler; C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe [2000-08-25 36864]
R2 NProtectService;Norton Unerase Protection; C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2000-08-27 126976]
R2 Speed Disk service;Speed Disk service; C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe [2000-08-17 172065]
R2 vsmon;TrueVector Internet Monitor; C:\WINNT\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
R2 W3SVC;World Wide Web Publishing Service; C:\WINNT\system32\inetsrv\inetinfo.exe [2003-06-19 14608]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINNT\system32\mspmspsv.exe [2001-05-01 53248]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 NAV Alert;NAV Alert; C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe [2000-08-25 81920]
S3 NAV Auto-Protect;NAV Auto-Protect; C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe [2000-08-25 90112]

-----------------EOF-----------------


Malwarebytes' Anti-Malware 1.31
Database version: 1537
Windows 5.0.2195 Service Pack 4

2008-12-23 12:38:28
mbam-log-2008-12-23 (12-38-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 54911
Time elapsed: 30 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
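As an added triage helper (not part of the thread and not anything kahdah or the RSIT author wrote), the script below parses registry-dump sections in the format RSIT prints above and flags the two patterns that stand out in that dump: a Windows Firewall AuthorizedApplications entry whose program is a bare file name rather than a full path (the "wmsncs.exe:*:Enabled:SYSTEM" line), and autostart entries for which RSIT recorded no date/size (the trailing "[]"). The sample input is constructed from the posted dump; flagged entries need manual review, since legitimate Windows components such as mobsync.exe will also show up.

```python
"""Triage helper for RSIT-style "======Registry dump======" sections.

Added example, not from the thread. It reads [KEY] section headers and the
entry lines beneath them, then applies two review rules that match what the
posted dump shows for wmsncs.exe. Output is for a human to review, nothing
is modified.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied in shape from the RSIT dump posted above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"Synchronization Manager"=mobsync.exe /logon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^wmsncs.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmsncs.exe []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"
"""

REASON_BARE_FW = "firewall exception for a bare program name (no full path)"
REASON_NO_STAT = "autostart entry with no date/size recorded ([])"

KEY_RE = re.compile(r"^\[(.+)\]$")
# Firewall list entries look like "name"="value"; the value is path:scope:state:label.
FW_ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"$')
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Key fragments RSIT uses for the autostart locations shown in the dump.
AUTOSTART_MARKERS = (
    "\\currentversion\\run",
    "\\msconfig\\startupreg\\",
    "\\msconfig\\startupfolder\\",
)


@dataclass(frozen=True)
class Finding:
    key: str
    entry: str
    reason: str


def parse_dump(text):
    """Yield (key, entry) pairs: a [KEY] line opens a section, other non-blank lines belong to it."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is not None:
            yield key, line


def triage(text):
    """Return the entries a reviewer should look at, with the rule that matched."""
    findings = []
    for key, entry in parse_dump(text):
        k = key.lower()
        if k.endswith("\\authorizedapplications\\list"):
            m = FW_ENTRY_RE.match(entry)
            # A firewall exception keyed on a bare file name applies wherever that
            # name runs from; the posted dump shows exactly this for wmsncs.exe.
            if m and not FULL_PATH_RE.match(m.group("value")):
                findings.append(Finding(key, entry, REASON_BARE_FW))
        elif any(marker in k for marker in AUTOSTART_MARKERS) and entry.endswith("[]"):
            # RSIT prints [date size] when it could stat the file; "[]" means it could not.
            findings.append(Finding(key, entry, REASON_NO_STAT))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"{f.reason}\n    {f.key}\n    {f.entry}")
```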

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:02:01 PM

Posted 23 December 2008 - 06:51 PM

Looks better please do the following.
====================
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#11 toddly

toddly
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle, WA USA
  • Local time:11:01 AM

Posted 27 December 2008 - 07:28 PM

Kahdah,
Okay, I ran Kaspersky, and apparently have many infected files. What is next? Let me know if you want me to attach the Kaspersky report as a file attachment. Thank you so much!!

-Todd

Kaspersky Scan Report:
Saturday, December 27, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 03:56:04
Records in database: 1519612
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
A:\
C:\
D:\
Scan statistics
Files scanned: 21686
Threat name: 3
Infected objects: 177
Suspicious objects: 0
Duration of the scan: 03:10:35

File name Threat name Threats count
C:\icr\rainforest\Roundtable on Sustainable Palmoil.htm Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\a0home.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\a1home.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\a2home.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\a3home.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\colortest.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\dollarvoting.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\home.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\images\Unused menus\MenuPageSaved\menusample67.php.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\images\Unused menus\MenuPageSaved\menusample67.php_files\menu_data.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\images\Unused menus\MenuPageSaved\menutesty1.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\images\Unused menus\MenuPageSaved\menutesty2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\images\Unused menus\menutest1.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\images\Unused menus\menutest2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\index2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\isshumanrts.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\isshumanrtsX.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\issues.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\issues1.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\issues2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\issues3.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\issues4.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\issues5.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\celltest.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\Good Menu\demo.htm Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\Good Menu\demo1.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\Good Menu\demo2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\Good Menu\goodmenutest1.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\Good Menu\goodmenutest2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\Good Menu\goodmenutest3.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\other menus\This one\goodmenu1.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\other menus\This one\goodmenu2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\other menus\This one\goodmenu3.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files\cascading-menus.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files\dhtml-cascading-menus2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files\menus2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\menutest4.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\terrorism.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\2007\Times.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\aboutus.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\altmark.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\boycotts.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\business.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\calendar.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\choices.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\community.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\consumer.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\corporate.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\corporateprofiles.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\culture.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\directaction.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\enviro-category.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\government.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\hr-categorybrown.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\httpsdocs\index.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\httpsdocs\index2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\httpsdocs\index5.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\images\corporate.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\index.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\index2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\index3.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\index9.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\industries.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\institutions.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\issuelist.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\issues.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\lifestyle.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\media.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\movement.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\movement2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\movement3.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\movement4.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\movement5.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\movement6.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\movement7.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\organizations.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\real_index.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\victories.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\volform.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\volform2.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\volform_test.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\volform_test1.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\volunteer.htm Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\volunteerform.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\volunteerq.html Infected: Worm.Win32.Fujack.ap 1
C:\icr\website\whatycdo.html Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Mozilla Firefox\defaults\profile\bookmarks.html Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Mozilla Firefox\res\hiddenWindow.html Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Norton SystemWorks\Norton Utilities\README.HTM Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\QuickTime\QuickTime Read Me.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\auto.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\autoopt.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\basic.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\bhopt.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\blank.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\changemtu.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\changerwin.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\crash.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\edit.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\help.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\help1.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\help2.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\help3.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\help4.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\help5.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\helpmenu.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\htmlhelp.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\internet.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\ipaddress.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\keynum.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\keyselect.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mdm-combo.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mdm-edit.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mdm-reread.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mdm-write.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mss.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mtu.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mtubox.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mtuhelp.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mtuopt.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mtupopup.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\mult.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\ndiopt.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\nummodem.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\opt.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\pingbox.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\question.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\readme.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\register.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\remove.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\reread.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\reward.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\rwin.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\rwinbox.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\rwinopt.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\rwrd-txt.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\slider.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\tellme.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\testgood1.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\testgood2.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\testgood3.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\testgood4.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\testing.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\testpoor1.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\ttl2opt.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\ttlopt.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\update.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\help\whatsnew.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\_private\page1.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\_private\page2.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\_private\page3.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\_private\page4.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Registry\MTUSpeed\_private\page5.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Security\Zone Labs\ZoneAlarm\readme.html Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Security\Zone Labs\ZoneAlarm\zl_priv.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\freeregcode.html Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\howtoorder.html Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\localaboutfree.html Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\register.html Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\welcome.html Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\WinRAR\Order.htm Infected: Worm.Win32.Fujack.ap 1
C:\Program Files\ZoneAlarmSB\bar\Settings\prevcfg2.htm Infected: Worm.Win32.Fujack.ap 1
C:\Qoobox\Quarantine\C\WINNT\system32\i.vir Infected: Trojan-Downloader.BAT.Ftp.ab 1
C:\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000\Dc4.htm Infected: Worm.Win32.Fujack.ap 1
C:\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000\Dc5.htm Infected: Worm.Win32.Fujack.ap 1
C:\sdfix\backups\backups.zip Infected: Net-Worm.Win32.Kolabc.bkf 1
C:\Todd\bush\Bush Administration Fact Sheet.htm Infected: Worm.Win32.Fujack.ap 1
C:\Todd\conspiracy\research companion\flight93.html Infected: Worm.Win32.Fujack.ap 1
C:\Todd\conspiracy\research companion\introduction.html Infected: Worm.Win32.Fujack.ap 1
C:\Todd\conspiracy\research companion\oddities.html Infected: Worm.Win32.Fujack.ap 1
C:\Todd\conspiracy\research companion\pentagon.html Infected: Worm.Win32.Fujack.ap 1
C:\Todd\conspiracy\research companion\wtc.html Infected: Worm.Win32.Fujack.ap 1
C:\Todd\folks\Steve\empty\Interactive Media Awards _ Web Design Awards for Excellence.html Infected: Worm.Win32.Fujack.ap 1
C:\Todd\stuff\default.asp Infected: Worm.Win32.Fujack.ap 1
C:\WINNT\pss\wmsncs.exeCommon Startup Infected: Net-Worm.Win32.Kolabc.bkf 1
The selected area was scanned.

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:02:01 PM

Posted 27 December 2008 - 07:51 PM

Please download OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\icr\rainforest\Roundtable on Sustainable Palmoil.htm   
    C:\icr\website\2007\a0home.html	
    C:\icr\website\2007\a1home.html	
    C:\icr\website\2007\a2home.html	
    C:\icr\website\2007\a3home.html  
    C:\icr\website\2007\colortest.html  
    C:\icr\website\2007\dollarvoting.html   
    C:\icr\website\2007\home.html   
    C:\icr\website\2007\images\Unused menus\MenuPageSaved\menusample67.php.html	
    C:\icr\website\2007\images\Unused menus\MenuPageSaved\menusample67.php_files\menu_data.html  
    C:\icr\website\2007\images\Unused menus\MenuPageSaved\menutesty1.html	  
    C:\icr\website\2007\images\Unused menus\MenuPageSaved\menutesty2.html	 
    C:\icr\website\2007\images\Unused menus\menutest1.html  
    C:\icr\website\2007\images\Unused menus\menutest2.html	
    C:\icr\website\2007\index2.html   
    C:\icr\website\2007\isshumanrts.html	  
    C:\icr\website\2007\isshumanrtsX.html	 
    C:\icr\website\2007\issues.html   
    C:\icr\website\2007\issues1.html	  
    C:\icr\website\2007\issues2.html	   
    C:\icr\website\2007\issues3.html	  
    C:\icr\website\2007\issues4.html	   
    C:\icr\website\2007\issues5.html	  
    C:\icr\website\2007\menutest\celltest.html   
    C:\icr\website\2007\menutest\Good Menu\demo.htm	
    C:\icr\website\2007\menutest\Good Menu\demo1.html	 
    C:\icr\website\2007\menutest\Good Menu\demo2.html	 
    C:\icr\website\2007\menutest\Good Menu\goodmenutest1.html   
    C:\icr\website\2007\menutest\Good Menu\goodmenutest2.html	
    C:\icr\website\2007\menutest\Good Menu\goodmenutest3.html	
    C:\icr\website\2007\menutest\other menus\This one\goodmenu1.html	   
    C:\icr\website\2007\menutest\other menus\This one\goodmenu2.html	   
    C:\icr\website\2007\menutest\other menus\This one\goodmenu3.html	 
    C:\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files\cascading-menus.html   
    C:\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files\dhtml-cascading-menus2.html	  
    C:\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files\menus2.html  
    C:\icr\website\2007\menutest.html   
    C:\icr\website\2007\menutest2.html	 
    C:\icr\website\2007\menutest4.html	
    C:\icr\website\2007\terrorism.html	
    C:\icr\website\2007\Times.html
    C:\icr\website\aboutus.html	
    C:\icr\website\altmark.html  
    C:\icr\website\boycotts.html	 
    C:\icr\website\business.html	  
    C:\icr\website\calendar.html	  
    C:\icr\website\choices.html	
    C:\icr\website\community.html	  
    C:\icr\website\consumer.html	   
    C:\icr\website\corporate.html	 
    C:\icr\website\corporateprofiles.html	 
    C:\icr\website\culture.html	
    C:\icr\website\directaction.html	  
    C:\icr\website\enviro-category.html 
    C:\icr\website\government.html	
    C:\icr\website\hr-categorybrown.html	  
    C:\icr\website\httpsdocs\index.html	
    C:\icr\website\httpsdocs\index2.html	  
    C:\icr\website\httpsdocs\index5.html	 
    C:\icr\website\images\corporate.html	 
    C:\icr\website\index.html	  
    C:\icr\website\index2.html	
    C:\icr\website\index3.html   
    C:\icr\website\index9.html	 
    C:\icr\website\industries.html	
    C:\icr\website\institutions.html	 
    C:\icr\website\issuelist.html	
    C:\icr\website\issues.html   
    C:\icr\website\lifestyle.html   
    C:\icr\website\media.html	  
    C:\icr\website\movement.html	
    C:\icr\website\movement2.html   
    C:\icr\website\movement3.html	
    C:\icr\website\movement4.html	 
    C:\icr\website\movement5.html	
    C:\icr\website\movement6.html	
    C:\icr\website\movement7.html	 
    C:\icr\website\organizations.html	
    C:\icr\website\real_index.html	 
    C:\icr\website\victories.html	 
    C:\icr\website\volform.html  
    C:\icr\website\volform2.html	 
    C:\icr\website\volform_test.html	  
    C:\icr\website\volform_test1.html	
    C:\icr\website\volunteer.htm	   
    C:\icr\website\volunteerform.html   
    C:\icr\website\volunteerq.html	 
    C:\icr\website\whatycdo.html   
    C:\Program Files\Mozilla Firefox\defaults\profile\bookmarks.html	
    C:\Program Files\Mozilla Firefox\res\hiddenWindow.html	
    C:\Program Files\Norton SystemWorks\Norton Utilities\README.HTM   
    C:\Program Files\QuickTime\QuickTime Read Me.htm	  
    C:\Program Files\Registry\MTUSpeed\help\auto.htm	 
    C:\Program Files\Registry\MTUSpeed\help\autoopt.htm	
    C:\Program Files\Registry\MTUSpeed\help\basic.htm	  
    C:\Program Files\Registry\MTUSpeed\help\bhopt.htm	  
    C:\Program Files\Registry\MTUSpeed\help\blank.htm	 
    C:\Program Files\Registry\MTUSpeed\help\changemtu.htm	 
    C:\Program Files\Registry\MTUSpeed\help\changerwin.htm  
    C:\Program Files\Registry\MTUSpeed\help\crash.htm	 
    C:\Program Files\Registry\MTUSpeed\help\edit.htm	 
    C:\Program Files\Registry\MTUSpeed\help\help.htm	 
    C:\Program Files\Registry\MTUSpeed\help\help1.htm	 
    C:\Program Files\Registry\MTUSpeed\help\help2.htm	 
    C:\Program Files\Registry\MTUSpeed\help\help3.htm	  
    C:\Program Files\Registry\MTUSpeed\help\help4.htm	 
    C:\Program Files\Registry\MTUSpeed\help\help5.htm	 
    C:\Program Files\Registry\MTUSpeed\help\helpmenu.htm	  
    C:\Program Files\Registry\MTUSpeed\help\htmlhelp.htm	   
    C:\Program Files\Registry\MTUSpeed\help\internet.htm	   
    C:\Program Files\Registry\MTUSpeed\help\ipaddress.htm	 
    C:\Program Files\Registry\MTUSpeed\help\keynum.htm   
    C:\Program Files\Registry\MTUSpeed\help\keyselect.htm	
    C:\Program Files\Registry\MTUSpeed\help\mdm-combo.htm	 
    C:\Program Files\Registry\MTUSpeed\help\mdm-edit.htm	   
    C:\Program Files\Registry\MTUSpeed\help\mdm-reread.htm	
    C:\Program Files\Registry\MTUSpeed\help\mdm-write.htm	
    C:\Program Files\Registry\MTUSpeed\help\mss.htm   
    C:\Program Files\Registry\MTUSpeed\help\mtu.htm	
    C:\Program Files\Registry\MTUSpeed\help\mtubox.htm  
    C:\Program Files\Registry\MTUSpeed\help\mtuhelp.htm   
    C:\Program Files\Registry\MTUSpeed\help\mtuopt.htm   
    C:\Program Files\Registry\MTUSpeed\help\mtupopup.htm	 
    C:\Program Files\Registry\MTUSpeed\help\mult.htm	  
    C:\Program Files\Registry\MTUSpeed\help\ndiopt.htm	
    C:\Program Files\Registry\MTUSpeed\help\nummodem.htm	   
    C:\Program Files\Registry\MTUSpeed\help\opt.htm   
    C:\Program Files\Registry\MTUSpeed\help\pingbox.htm   
    C:\Program Files\Registry\MTUSpeed\help\question.htm	  
    C:\Program Files\Registry\MTUSpeed\help\readme.htm   
    C:\Program Files\Registry\MTUSpeed\help\register.htm	  
    C:\Program Files\Registry\MTUSpeed\help\remove.htm	
    C:\Program Files\Registry\MTUSpeed\help\reread.htm	
    C:\Program Files\Registry\MTUSpeed\help\reward.htm	 
    C:\Program Files\Registry\MTUSpeed\help\rwin.htm	   
    C:\Program Files\Registry\MTUSpeed\help\rwinbox.htm	
    C:\Program Files\Registry\MTUSpeed\help\rwinopt.htm	
    C:\Program Files\Registry\MTUSpeed\help\rwrd-txt.htm	   
    C:\Program Files\Registry\MTUSpeed\help\slider.htm	 
    C:\Program Files\Registry\MTUSpeed\help\tellme.htm	
    C:\Program Files\Registry\MTUSpeed\help\testgood1.htm  
    C:\Program Files\Registry\MTUSpeed\help\testgood2.htm	 
    C:\Program Files\Registry\MTUSpeed\help\testgood3.htm	  
    C:\Program Files\Registry\MTUSpeed\help\testgood4.htm	
    C:\Program Files\Registry\MTUSpeed\help\testing.htm  
    C:\Program Files\Registry\MTUSpeed\help\testpoor1.htm	
    C:\Program Files\Registry\MTUSpeed\help\ttl2opt.htm   
    C:\Program Files\Registry\MTUSpeed\help\ttlopt.htm	
    C:\Program Files\Registry\MTUSpeed\help\update.htm   
    C:\Program Files\Registry\MTUSpeed\help\whatsnew.htm	  
    C:\Program Files\Registry\MTUSpeed\_private\page1.htm	 
    C:\Program Files\Registry\MTUSpeed\_private\page2.htm	
    C:\Program Files\Registry\MTUSpeed\_private\page3.htm   
    C:\Program Files\Registry\MTUSpeed\_private\page4.htm	 
    C:\Program Files\Registry\MTUSpeed\_private\page5.htm	 
    C:\Program Files\Security\Zone Labs\ZoneAlarm\readme.html   
    C:\Program Files\Security\Zone Labs\ZoneAlarm\zl_priv.htm  
    C:\Program Files\Visicom Media\AceFTP 3 freeware\help\freeregcode.html	 
    C:\Program Files\Visicom Media\AceFTP 3 freeware\help\howtoorder.html	 
    C:\Program Files\Visicom Media\AceFTP 3 freeware\help\localaboutfree.html	 
    C:\Program Files\Visicom Media\AceFTP 3 freeware\help\register.html	
    C:\Program Files\Visicom Media\AceFTP 3 freeware\help\welcome.html   
    C:\Program Files\WinRAR\Order.htm   
    C:\Program Files\ZoneAlarmSB\bar\Settings\prevcfg2.htm  
    C:\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000\Dc4.htm  
    C:\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000\Dc5.htm	   
    C:\Todd\bush\Bush Administration Fact Sheet.htm   
    C:\Todd\conspiracy\research companion\flight93.html	
    C:\Todd\conspiracy\research companion\introduction.html
    C:\Todd\conspiracy\research companion\oddities.html   
    C:\Todd\conspiracy\research companion\pentagon.html   
    C:\Todd\conspiracy\research companion\wtc.html   
    C:\Todd\folks\Steve\empty\Interactive Media Awards _ Web Design Awards for Excellence.html 
    C:\Todd\stuff\default.asp	
    C:\WINNT\pss\wmsncs.exe
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
After that, let me know how it is running.

Also do another Kaspersky scan and see if anything is left.
Post that log and the OT move it log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#13 toddly

toddly
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle, WA USA
  • Local time:11:01 AM

Posted 29 December 2008 - 02:29 PM

Kahdah,
Thank you again. The wmsncs worm does not seem to be running anymore, so my computer is again puttering along at its usual speed. I tried seven times to run a new Kaspersky scan, but it always stalls before it reaches 20% complete, sometimes after 15 minutes, sometimes after an hour. Apparently it needs 4.5 hours to complete. I'm wondering if it is stalling because I do not have sufficient available RAM, only about 60 MB.

Also, a question about the MoveIt files: I presume they have been quarantined to some other file. Does this mean they are inaccessible? Some of those files held information that I would like to retrieve. Is there any way to do that?

I will continue to try the Kaspersky scan. In the meantime, here is the log from the MoveIt program:

========== FILES ==========
C:\icr\rainforest\Roundtable on Sustainable Palmoil.htm moved successfully.
C:\icr\website\2007\a0home.html moved successfully.
C:\icr\website\2007\a1home.html moved successfully.
C:\icr\website\2007\a2home.html moved successfully.
C:\icr\website\2007\a3home.html moved successfully.
C:\icr\website\2007\colortest.html moved successfully.
C:\icr\website\2007\dollarvoting.html moved successfully.
C:\icr\website\2007\home.html moved successfully.
C:\icr\website\2007\images\Unused menus\MenuPageSaved\menusample67.php.html moved successfully.
File/Folder C:\icr\website\2007\images\Unused menus\MenuPageSaved\menusample67.php_files\menu_data.html not found.
C:\icr\website\2007\images\Unused menus\MenuPageSaved\menutesty1.html moved successfully.
C:\icr\website\2007\images\Unused menus\MenuPageSaved\menutesty2.html moved successfully.
C:\icr\website\2007\images\Unused menus\menutest1.html moved successfully.
C:\icr\website\2007\images\Unused menus\menutest2.html moved successfully.
C:\icr\website\2007\index2.html moved successfully.
C:\icr\website\2007\isshumanrts.html moved successfully.
C:\icr\website\2007\isshumanrtsX.html moved successfully.
C:\icr\website\2007\issues.html moved successfully.
C:\icr\website\2007\issues1.html moved successfully.
C:\icr\website\2007\issues2.html moved successfully.
C:\icr\website\2007\issues3.html moved successfully.
C:\icr\website\2007\issues4.html moved successfully.
C:\icr\website\2007\issues5.html moved successfully.
C:\icr\website\2007\menutest\celltest.html moved successfully.
C:\icr\website\2007\menutest\Good Menu\demo.htm moved successfully.
C:\icr\website\2007\menutest\Good Menu\demo1.html moved successfully.
C:\icr\website\2007\menutest\Good Menu\demo2.html moved successfully.
C:\icr\website\2007\menutest\Good Menu\goodmenutest1.html moved successfully.
C:\icr\website\2007\menutest\Good Menu\goodmenutest2.html moved successfully.
C:\icr\website\2007\menutest\Good Menu\goodmenutest3.html moved successfully.
C:\icr\website\2007\menutest\other menus\This one\goodmenu1.html moved successfully.
C:\icr\website\2007\menutest\other menus\This one\goodmenu2.html moved successfully.
C:\icr\website\2007\menutest\other menus\This one\goodmenu3.html moved successfully.
C:\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files\cascading-menus.html moved successfully.
C:\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files\dhtml-cascading-menus2.html moved successfully.
C:\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files\menus2.html moved successfully.
C:\icr\website\2007\menutest.html moved successfully.
C:\icr\website\2007\menutest2.html moved successfully.
C:\icr\website\2007\menutest4.html moved successfully.
C:\icr\website\2007\terrorism.html moved successfully.
C:\icr\website\2007\Times.html moved successfully.
C:\icr\website\aboutus.html moved successfully.
C:\icr\website\altmark.html moved successfully.
C:\icr\website\boycotts.html moved successfully.
C:\icr\website\business.html moved successfully.
C:\icr\website\calendar.html moved successfully.
C:\icr\website\choices.html moved successfully.
C:\icr\website\community.html moved successfully.
C:\icr\website\consumer.html moved successfully.
C:\icr\website\corporate.html moved successfully.
C:\icr\website\corporateprofiles.html moved successfully.
C:\icr\website\culture.html moved successfully.
C:\icr\website\directaction.html moved successfully.
C:\icr\website\enviro-category.html moved successfully.
C:\icr\website\government.html moved successfully.
C:\icr\website\hr-categorybrown.html moved successfully.
C:\icr\website\httpsdocs\index.html moved successfully.
C:\icr\website\httpsdocs\index2.html moved successfully.
C:\icr\website\httpsdocs\index5.html moved successfully.
C:\icr\website\images\corporate.html moved successfully.
C:\icr\website\index.html moved successfully.
C:\icr\website\index2.html moved successfully.
C:\icr\website\index3.html moved successfully.
C:\icr\website\index9.html moved successfully.
C:\icr\website\industries.html moved successfully.
C:\icr\website\institutions.html moved successfully.
C:\icr\website\issuelist.html moved successfully.
C:\icr\website\issues.html moved successfully.
C:\icr\website\lifestyle.html moved successfully.
C:\icr\website\media.html moved successfully.
C:\icr\website\movement.html moved successfully.
C:\icr\website\movement2.html moved successfully.
C:\icr\website\movement3.html moved successfully.
C:\icr\website\movement4.html moved successfully.
C:\icr\website\movement5.html moved successfully.
C:\icr\website\movement6.html moved successfully.
C:\icr\website\movement7.html moved successfully.
C:\icr\website\organizations.html moved successfully.
C:\icr\website\real_index.html moved successfully.
C:\icr\website\victories.html moved successfully.
C:\icr\website\volform.html moved successfully.
C:\icr\website\volform2.html moved successfully.
C:\icr\website\volform_test.html moved successfully.
C:\icr\website\volform_test1.html moved successfully.
C:\icr\website\volunteer.htm moved successfully.
C:\icr\website\volunteerform.html moved successfully.
C:\icr\website\volunteerq.html moved successfully.
C:\icr\website\whatycdo.html moved successfully.
C:\Program Files\Mozilla Firefox\defaults\profile\bookmarks.html moved successfully.
C:\Program Files\Mozilla Firefox\res\hiddenWindow.html moved successfully.
C:\Program Files\Norton SystemWorks\Norton Utilities\README.HTM moved successfully.
C:\Program Files\QuickTime\QuickTime Read Me.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\auto.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\autoopt.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\basic.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\bhopt.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\blank.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\changemtu.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\changerwin.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\crash.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\edit.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\help.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\help1.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\help2.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\help3.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\help4.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\help5.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\helpmenu.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\htmlhelp.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\internet.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\ipaddress.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\keynum.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\keyselect.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mdm-combo.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mdm-edit.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mdm-reread.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mdm-write.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mss.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mtu.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mtubox.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mtuhelp.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mtuopt.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mtupopup.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\mult.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\ndiopt.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\nummodem.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\opt.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\pingbox.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\question.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\readme.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\register.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\remove.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\reread.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\reward.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\rwin.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\rwinbox.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\rwinopt.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\rwrd-txt.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\slider.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\tellme.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\testgood1.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\testgood2.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\testgood3.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\testgood4.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\testing.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\testpoor1.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\ttl2opt.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\ttlopt.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\update.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\help\whatsnew.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\_private\page1.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\_private\page2.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\_private\page3.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\_private\page4.htm moved successfully.
C:\Program Files\Registry\MTUSpeed\_private\page5.htm moved successfully.
C:\Program Files\Security\Zone Labs\ZoneAlarm\readme.html moved successfully.
C:\Program Files\Security\Zone Labs\ZoneAlarm\zl_priv.htm moved successfully.
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\freeregcode.html moved successfully.
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\howtoorder.html moved successfully.
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\localaboutfree.html moved successfully.
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\register.html moved successfully.
C:\Program Files\Visicom Media\AceFTP 3 freeware\help\welcome.html moved successfully.
C:\Program Files\WinRAR\Order.htm moved successfully.
C:\Program Files\ZoneAlarmSB\bar\Settings\prevcfg2.htm moved successfully.
C:\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000\Dc4.htm moved successfully.
C:\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000\Dc5.htm moved successfully.
C:\Todd\bush\Bush Administration Fact Sheet.htm moved successfully.
C:\Todd\conspiracy\research companion\flight93.html moved successfully.
C:\Todd\conspiracy\research companion\introduction.html moved successfully.
C:\Todd\conspiracy\research companion\oddities.html moved successfully.
C:\Todd\conspiracy\research companion\pentagon.html moved successfully.
C:\Todd\conspiracy\research companion\wtc.html moved successfully.
C:\Todd\folks\Steve\empty\Interactive Media Awards _ Web Design Awards for Excellence.html moved successfully.
C:\Todd\stuff\default.asp moved successfully.
File/Folder C:\WINNT\pss\wmsncs.exe not found.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12272008_184935

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:01 PM

Posted 29 December 2008 - 09:10 PM

Yes, the files are in the C:\_OTMoveIt folder on your computer.
They are infected with a worm, so I do not recommend trying to retrieve any info from those, but yes, they have not been deleted.
I would like to see if maybe we could disinfect the files so maybe you could retrieve some data back (if the cleaning is successful).
To clean the files you will need to do the following instead of Kaspersky:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post that log in your next reply.
(Note: if you cannot open the log it produces, then right-click on it and choose Rename.
Rename it to .txt and you will be able to open it.)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#15 toddly

toddly
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle, WA USA
  • Local time:11:01 AM

Posted 09 January 2009 - 02:50 PM

Kahdah,
Thank you, yet again. Sorry about my delay in getting back to you, but after running DrWeb.CureIt twice unsuccessfully, I finally found the hours needed for me to watch it run and give it the proper responses.
It seems that I am infected with a bug that CureIt cannot cure: Win32.HLLP.Whboy. Although in the report it claims that the infected file has been cured, the infected file immediately becomes reinfected and then CureIt cures it again. The first time I ran the program, the same file was cured over 8000 times, and CureIt was still curing the same file. I am wondering if this is happening because the bug is already running somewhere in memory, but where CureIt didn't find it.

So, my question is: Should I try running CureIt in safe mode to see whether these files can be cured? I'd really prefer not to delete them as they represent over a year's work and I suspect my back-ups have the same infection. What happens when one of the infected files is opened? Also, what are the implications if I open them and attempt to find the virus, or if I allow it to remain?

In any case, thanks again. I was not sure the best way to paste the contents of the DrWeb.csv file, but below is my attempt:

DrWeb.CSV
Note to Kahdah: where a file is labeled as Cured and then the same file is immediately listed again with nothing (not cured), I told the program not to cure the file and essentially skipped it as being incurable.

psexec.cfexe;C:\ComboFix;Program.PsExec.171;;
Process.exe;C:\Documents and Settings\Todd Putnam\Desktop\SmitfraudFix;Tool.Prockill;;
Process.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.Prockill;;
Accelerator.dll;C:\Program Files\SpeedBit Video Accelerator;Probably DLOADER.Trojan;;
Dc71.html;C:\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000;Win32.HLLP.Whboy;Cured.;
Dc71.html;C:\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000;Win32.HLLP.Whboy;Cured.;
Dc71.html;C:\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000;Win32.HLLP.Whboy;;
Process.exe;C:\sdfix\apps;Tool.Prockill;;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;; <<I stopped the "cure">>
boycotts.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;Cured.;
boycotts.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;<<I stopped the "cure">>
business.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;<<ditto, on most below>>
calendar.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
choices.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
community.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
consumer.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
corporate.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
corporateprofiles.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
culture.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
directaction.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
enviro-category.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
government.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
hr-categorybrown.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
index.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
index2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
index3.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
index9.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
industries.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
institutions.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
issuelist.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
issues.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
lifestyle.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
media.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
movement.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
movement2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
movement3.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
movement4.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
movement5.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
movement6.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
movement7.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
organizations.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
real_index.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
victories.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
volform.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
volform2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
volform_test.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
volform_test1.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
volunteer.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
volunteerform.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
volunteerq.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
whatycdo.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website;Win32.HLLP.Whboy;;
a0home.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
a1home.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
a2home.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
a3home.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
colortest.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
dollarvoting.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
home.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
index2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
isshumanrts.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
isshumanrtsX.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
issues.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
issues1.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
issues2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
issues3.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
issues4.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
issues5.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
menutest.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
menutest2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
menutest4.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
terrorism.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
Times.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007;Win32.HLLP.Whboy;;
menutest1.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\images\Unused menus;Win32.HLLP.Whboy;;
menutest2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\images\Unused menus;Win32.HLLP.Whboy;;
menusample67.php.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\images\Unused menus\MenuPageSaved;Win32.HLLP.Whboy;Cured.;
menusample67.php.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\images\Unused menus\MenuPageSaved;Win32.HLLP.Whboy;Cured.;
menusample67.php.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\images\Unused menus\MenuPageSaved;Win32.HLLP.Whboy;;
menutesty1.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\images\Unused menus\MenuPageSaved;Win32.HLLP.Whboy;;
menutesty2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\images\Unused menus\MenuPageSaved;Win32.HLLP.Whboy;;
menu_data.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\images\Unused menus\MenuPageSaved\menusample67.php_files;Win32.HLLP.Whboy;;
celltest.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest;Win32.HLLP.Whboy;;
demo.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\Good Menu;Win32.HLLP.Whboy;;
demo1.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\Good Menu;Win32.HLLP.Whboy;;
demo2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\Good Menu;Win32.HLLP.Whboy;;
goodmenutest1.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\Good Menu;Win32.HLLP.Whboy;;
goodmenutest2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\Good Menu;Win32.HLLP.Whboy;;
goodmenutest3.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\Good Menu;Win32.HLLP.Whboy;;
goodmenu1.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\other menus\This one;Win32.HLLP.Whboy;;
goodmenu2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\other menus\This one;Win32.HLLP.Whboy;;
goodmenu3.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\other menus\This one;Win32.HLLP.Whboy;;
cascading-menus.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files;Win32.HLLP.Whboy;;
dhtml-cascading-menus2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files;Win32.HLLP.Whboy;;
menus2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\2007\menutest\other menus\This one\newMenusaved\cascading-menus_files;Win32.HLLP.Whboy;;
index.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\httpsdocs;Win32.HLLP.Whboy;;
index2.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\httpsdocs;Win32.HLLP.Whboy;;
index5.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\httpsdocs;Win32.HLLP.Whboy;;
corporate.html;C:\_OTMoveIt\MovedFiles\12272008_184935\icr\website\images;Win32.HLLP.Whboy;;
bookmarks.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Mozilla Firefox\defaults\profile;Win32.HLLP.Whboy;;
hiddenWindow.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Mozilla Firefox\res;Win32.HLLP.Whboy;;
README.HTM;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Norton SystemWorks\Norton Utilities;Win32.HLLP.Whboy;Cured.;
README.HTM;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Norton SystemWorks\Norton Utilities;Win32.HLLP.Whboy;Cured.;
README.HTM;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Norton SystemWorks\Norton Utilities;Win32.HLLP.Whboy;Cured.;
README.HTM;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Norton SystemWorks\Norton Utilities;Win32.HLLP.Whboy;;
QuickTime Read Me.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\QuickTime;Win32.HLLP.Whboy;;
auto.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
autoopt.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
basic.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
bhopt.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
blank.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
changemtu.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
changerwin.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
crash.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
edit.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
help.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
help1.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
help2.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
help3.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
help4.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
help5.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
helpmenu.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
htmlhelp.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
internet.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
ipaddress.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
keynum.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
keyselect.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mdm-combo.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mdm-edit.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mdm-reread.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mdm-write.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mss.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mtu.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mtubox.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mtuhelp.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mtuopt.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mtupopup.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
mult.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
ndiopt.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
nummodem.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
opt.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
pingbox.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
question.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
readme.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
register.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
remove.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
reread.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
reward.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
rwin.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
rwinbox.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
rwinopt.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
rwrd-txt.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
slider.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
tellme.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
testgood1.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
testgood2.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
testgood3.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
testgood4.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
testing.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
testpoor1.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
ttl2opt.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
ttlopt.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
update.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
whatsnew.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\help;Win32.HLLP.Whboy;;
page1.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\_private;Win32.HLLP.Whboy;;
page2.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\_private;Win32.HLLP.Whboy;;
page3.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\_private;Win32.HLLP.Whboy;;
page4.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\_private;Win32.HLLP.Whboy;;
page5.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Registry\MTUSpeed\_private;Win32.HLLP.Whboy;;
readme.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Security\Zone Labs\ZoneAlarm;Win32.HLLP.Whboy;;
zl_priv.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Security\Zone Labs\ZoneAlarm;Win32.HLLP.Whboy;;
freeregcode.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Visicom Media\AceFTP 3 freeware\help;Win32.HLLP.Whboy;;
howtoorder.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Visicom Media\AceFTP 3 freeware\help;Win32.HLLP.Whboy;;
localaboutfree.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Visicom Media\AceFTP 3 freeware\help;Win32.HLLP.Whboy;;
register.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Visicom Media\AceFTP 3 freeware\help;Win32.HLLP.Whboy;;
welcome.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\Visicom Media\AceFTP 3 freeware\help;Win32.HLLP.Whboy;;
Order.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\WinRAR;Win32.HLLP.Whboy;;
prevcfg2.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Program Files\ZoneAlarmSB\bar\Settings;Win32.HLLP.Whboy;;
Dc4.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000;Win32.HLLP.Whboy;;
Dc5.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\RECYCLER\S-1-5-21-1390067357-764733703-1060284298-1000;Win32.HLLP.Whboy;;
Bush Administration Fact Sheet.htm;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\bush;Win32.HLLP.Whboy;;
flight93.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion;Win32.HLLP.Whboy;;
introduction.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion;Win32.HLLP.Whboy;;
oddities.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion;Win32.HLLP.Whboy;;
pentagon.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion;Win32.HLLP.Whboy;;
wtc.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion;Win32.HLLP.Whboy;;
Desktop_.ini;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion\flight93_files;Win32.HLLW.Gavir.ini;;
Desktop_.ini;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion\introduction_files;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion\oddities_files;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion\pentagon_files;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\conspiracy\research companion\wtc_files;Win32.HLLW.Gavir.ini;Deleted.;
Interactive Media Awards _ Web Design Awards for Excellence.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\folks\Steve\empty;Win32.HLLP.Whboy;Cured.;
Interactive Media Awards _ Web Design Awards for Excellence.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\folks\Steve\empty;Win32.HLLP.Whboy;Cured.;
Interactive Media Awards _ Web Design Awards for Excellence.html;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\folks\Steve\empty;Win32.HLLP.Whboy;;
Desktop_.ini;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\folks\Steve\empty\Interactive Media Awards _ Web Design Awards for Excellence_file;Win32.HLLW.Gavir.ini;Deleted.;
default.asp;C:\_OTMoveIt\MovedFiles\12272008_184935\Todd\stuff;Win32.HLLP.Whboy;;
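The report above has one line per scanner action, so a file that keeps getting re-infected shows up as a run of identical "Cured." lines followed by one with no action. As an added example (not part of this thread, and not Dr.Web's own code), the Python script below parses that layout and tallies, per path, how many times the scanner had to act, whether the cure had to be repeated, and whether the final report was left unresolved. The column layout (name;directory;detection;action;) is an assumption taken from the excerpt posted above, and the sample lines are constructed in that same shape.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv) and flag files that were
"cured" repeatedly or left unresolved.

Added example for this thread; it is not part of Dr.Web.  The column layout
is an assumption taken from the excerpt posted above:
name;directory;detection;action;  with a trailing empty field and, on some
lines, a free-text note the poster typed after it.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass
class Entry:
    path: str        # directory + file name
    detection: str   # scanner's detection name, e.g. Win32.HLLP.Whboy
    action: str      # "Cured.", "Deleted." or "" when no action was taken


@dataclass
class FileStatus:
    detection: str
    reports: int = 0        # how many times the scanner listed this path
    cured: int = 0          # how many of those ended in "Cured."
    deleted: int = 0
    last_action: str = ""   # action on the final report for this path


# Constructed sample in the shape of the DrWeb.csv excerpt posted in the thread
# (a handful of lines, not the poster's full report).
SAMPLE_REPORT = """\
psexec.cfexe;C:\\ComboFix;Program.PsExec.171;;
altmark.html;C:\\_OTMoveIt\\MovedFiles\\12272008_184935\\icr\\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\\_OTMoveIt\\MovedFiles\\12272008_184935\\icr\\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\\_OTMoveIt\\MovedFiles\\12272008_184935\\icr\\website;Win32.HLLP.Whboy;Cured.;
altmark.html;C:\\_OTMoveIt\\MovedFiles\\12272008_184935\\icr\\website;Win32.HLLP.Whboy;; <<I stopped the "cure">>
business.html;C:\\_OTMoveIt\\MovedFiles\\12272008_184935\\icr\\website;Win32.HLLP.Whboy;;
Desktop_.ini;C:\\_OTMoveIt\\MovedFiles\\12272008_184935\\Todd\\bush;Win32.HLLW.Gavir.ini;Deleted.;
"""


def parse_drweb_report(text: str) -> list[Entry]:
    """Parse the semicolon-separated report into Entry records.

    Only the first four fields are used, so a note appended after the
    trailing ';' (as in the posted excerpt) does not break parsing.
    """
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            continue        # not a report row (e.g. a heading the user typed)
        name, directory, detection, action = (f.strip() for f in fields[:4])
        if action.startswith("<<"):
            action = ""     # a user note in the action column, not a scanner action
        entries.append(Entry(path=f"{directory}\\{name}", detection=detection, action=action))
    return entries


def summarize(entries: list[Entry]) -> dict[str, FileStatus]:
    """Fold the per-line entries into one status record per path."""
    status: dict[str, FileStatus] = {}
    for e in entries:
        s = status.setdefault(e.path, FileStatus(detection=e.detection))
        s.reports += 1
        if e.action == "Cured.":
            s.cured += 1
        elif e.action == "Deleted.":
            s.deleted += 1
        s.last_action = e.action
    return status


def persistent_files(status: dict[str, FileStatus], min_reports: int = 2) -> list[str]:
    """Paths the scanner had to handle more than once in a single run.

    A file that is cured and then listed again was re-infected between the
    two passes: something still active, or an on-disk copy the scanner did
    not repair, keeps writing the infection back.  That is the symptom
    described in the post above and is the reason to look beyond the
    reported files for the component doing the re-infecting.
    """
    return sorted(p for p, s in status.items() if s.reports >= min_reports)


def unresolved_files(status: dict[str, FileStatus]) -> list[str]:
    """Paths whose final report ended with no action at all."""
    return sorted(p for p, s in status.items() if s.last_action == "")


def count_by_detection(status: dict[str, FileStatus]) -> Counter:
    """Number of distinct paths per detection name."""
    return Counter(s.detection for s in status.values())


if __name__ == "__main__":
    st = summarize(parse_drweb_report(SAMPLE_REPORT))
    print("detections:", dict(count_by_detection(st)))
    for p in persistent_files(st):
        print(f"repeatedly cured ({st[p].cured}x, final action {st[p].last_action!r}): {p}")
    for p in unresolved_files(st):
        print("unresolved:", p)
```

Run it against a saved DrWeb.csv by reading the file into `parse_drweb_report` instead of `SAMPLE_REPORT`; the `persistent_files` list is the set of paths whose cure did not stick, which is the list worth handing to whoever is helping, rather than the full report with thousands of repeated lines.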