Tech Support Forum - Resolved HJT Threads
#1
Registered User
Join Date: Mar 2005
Location: Southern Tier, NY
Posts: 7
OS: XP PRO
HJT LOG KRC Analyzed
Had the problems yesterday. Tried everything I could think of, and even went as far as to do a system restore back to January 4th! Seems to be working fine now, but I am still seeing some garbage when running Ad-Aware, and SpyBot.
Can someone look at this and tell me if I am alright? Or what I need to do. THANKS!! Colin

Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:34:57 AM, on 3/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zrbpf.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winbook.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gateway:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nt10;172.16.90.10;172.0.0.0;5.5.3.224;5.6.0.0;<local>
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.winbook.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097683936030
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O17 - HKLM\Software\..\Telephony: DomainName = ch1.corninghospital.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

End of KRC HijackThis Analyzer Log.
#3
Analyst, Security Team
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro
Hi stupidmaid and welcome to TSF. In order for our Analysts to help you better, please follow these directions:

Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Please post the entire LOG file in this forum and someone will assist you ASAP.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Also, a quick question: are you familiar with or do you work with corninghospital.com? This will be pertinent information for your fix.

Last edited by kworley517; 03-15-2005 at 01:29 PM.
#4
Registered User
Join Date: Mar 2005
Location: Southern Tier, NY
Posts: 7
OS: XP PRO
Corning Hosp!
YES, I do work at Corning Hospital!! I am currently logged onto their system through a laptop which I use at two sites. Yesterday I didn't have all these problems like I am today, but was logged in through a different location - Hornell, NY Roadrunner.

I am the Physicist at the Cancer Center on Columbia Street! Damn. Thanks for the help here. Here is the complete file!

Logfile of HijackThis v1.99.1
Scan saved at 12:29:01 PM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zrbpf.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winbook.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gateway:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nt10;172.16.90.10;172.0.0.0;5.5.3.224;5.6.0.0;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.winbook.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097683936030
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O17 - HKLM\Software\..\Telephony: DomainName = ch1.corninghospital.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
#5
Analyst, Security Team
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro
Sounds good... Working on your fix...
Hi Stupidmaid and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time.
#6
Analyst, Security Team
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro
Here we go...
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Download AboutBuster and unzip it to a folder on your Desktop. Do not run it yet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Do not run it yet.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Viewpoint or Viewpoint Manager

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zrbpf.dll/sp.html#10001
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINDOWS\system32\zrbpf.dll
C:\Program Files\Viewpoint\

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and post the contents of the LOG file in the forum.
#7
Registered User
Join Date: Mar 2005
Location: Southern Tier, NY
Posts: 7
OS: XP PRO
Done
Aboutbuster was clean.
Here's my HiJackThis Log File. Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 1:57:20 PM, on 3/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrbpf.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winbook.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gateway:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nt10;172.16.90.10;172.0.0.0;5.5.3.224;5.6.0.0;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.winbook.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097683936030
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O17 - HKLM\Software\..\Telephony: DomainName = ch1.corninghospital.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
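Comparing this log with the one in post #4 is what the analyst does by hand: the R0 SearchAssistant entry is gone, but the same zrbpf.dll is now referenced from a different key (R1 Main,Search Page). The script below is an added example, not part of the thread or of HijackThis itself: it parses the R/F/O entries of two HijackThis-style logs, flags IE search/start-page entries that point into a local DLL via res://, and reports DLL targets that survive a fix under a new key. The two log excerpts are constructed from entries quoted in this thread and are not the complete logs.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpts modelled on the entries quoted in posts #4 and #7 of this
# thread; only the lines relevant to the example are included.
LOG_POST4 = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zrbpf.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winbook.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
"""

LOG_POST7 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrbpf.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winbook.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
"""

# A HijackThis entry line: section tag (R0, R1, F1, O2, O4, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# An IE start/search page value that resolves into a local DLL resource, the pattern
# behind the zrbpf.dll entries the analyst asked to have fixed.
RES_DLL_RE = re.compile(r"=\s*res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str
    raw: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/O entries of a HijackThis log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["section"], m["body"], line))
    return entries


def res_dll_target(entry: Entry) -> str | None:
    """For an R0/R1 entry whose value is a res:// URL into a DLL, return that DLL path (lower-cased)."""
    if entry.section not in ("R0", "R1"):
        return None
    m = RES_DLL_RE.search(entry.body)
    return m["dll"].lower() if m else None


def flag_res_hijacks(entries: list[Entry]) -> list[str]:
    """Raw lines of IE search/start-page entries that point at a local DLL resource."""
    return [e.raw for e in entries if res_dll_target(e)]


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(removed, added) entry lines between two logs, ignoring the header and process list."""
    old = {e.raw for e in parse_hjt(before)}
    new = {e.raw for e in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)


def persisting_res_targets(before: str, after: str) -> list[str]:
    """DLLs still referenced by IE page entries after a fix, whichever registry key now holds them."""
    old = {t for e in parse_hjt(before) if (t := res_dll_target(e))}
    new = {t for e in parse_hjt(after) if (t := res_dll_target(e))}
    return sorted(old & new)


if __name__ == "__main__":
    removed, added = diff_logs(LOG_POST4, LOG_POST7)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("flagged now:", *flag_res_hijacks(parse_hjt(LOG_POST7)), sep="\n  ")
    print("same DLL under a new key:", persisting_res_targets(LOG_POST4, LOG_POST7))
```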
#8
Analyst, Security Team
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro
Looking at the newest log...
Hi again Stupidmaid...
I am currently reviewing your newest log. Please realize that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time.
#9
Analyst, Security Team
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro
Next fix...
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download AboutBuster and unzip it to a folder on your Desktop. Do not run it yet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrbpf.dll/sp.html#10001

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINDOWS\system32\zrbpf.dll

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and post the contents of the LOG file in the forum.
#10
Registered User
Join Date: Mar 2005
Location: Southern Tier, NY
Posts: 7
OS: XP PRO
TDS-3
Log file:

08:28:31 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
08:28:31 [Init] Started 22-03-05 08:28:31 Eastern Standard Time (UTC: 5), Internet Time @603.14
08:28:31 [Init] Loading TDS-3 Systems ...
08:28:31 [Init] Token successfully adjusted.
08:28:31 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
08:28:32 [Init] • Plugins : OK. Loaded 13
08:28:32 [Init] • Exec Protection : Not Installed
08:28:32 [Init] WARNING: Your Radius.TD3 database needs to be updated!
08:28:32 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
08:28:32 [Init] Licensed users can use the Update facility from the TDS menu
08:28:32 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
08:28:39 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
08:28:40 [Init] • Systems Initialised [50108 references - 25153 primaries/12759 traces/12196 variants/other]
08:28:40 [Init] Radius Systems loaded. <Databases updated 22-03-2005>
08:28:40 [Init] TDS-3 Ready. <Bailey_c@127.0.0.1, 150.1.65.152 - United States>
08:28:40 [Tip Of The Day] Do you think TDS-3 is missing something that you'd like to see built in? If so, email tech@diamondcs.com.au - TDS-3 was built on customer requests and feedback, and we'd love to hear from you.
08:28:40 [TDS] Good morning Bailey_c.
08:28:44 [Mutex Memory Scan] Started...
08:28:46 [Mutex Memory Scan] Finished (no trojan mutexes found).
08:28:46 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
08:28:53 [CRC32] Started - verifying 29 files ...
08:28:58 [CRC32] Test finished.
08:29:58 [Memory Scan] Memory scan started, please wait a moment ...
08:30:01 [Memory Scan] Memory scan complete.
08:30:01 [Mutex Memory Scan] Started...
08:30:03 [Mutex Memory Scan] Finished (no trojan mutexes found).
08:30:03 [Trace Scan] Started...
08:30:08 [Trace Scan] Finished.
08:30:08 [ServiceScan] Scanning for services and drivers ...
08:30:12 [ServiceScan] Scanned 323 services and drivers.
08:30:12 [File Scan] Scanning in C:\ ...
09:08:17 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\accwiz.exe for read access, file is locked
09:08:17 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\hh.exe for read access, file is locked
09:08:17 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\locator.exe for read access, file is locked
09:08:17 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\magnify.exe for read access, file is locked
09:08:17 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\migwiz.exe for read access, file is locked
09:08:17 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\narrator.exe for read access, file is locked
09:08:17 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntkrnlpa.exe for read access, file is locked
09:08:17 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntoskrnl.exe for read access, file is locked
09:08:17 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\osk.exe for read access, file is locked
09:08:18 [Locked File] Couldn't open c:\windows\$ntuninstallkb828741$\comrepl.exe for read access, file is locked
09:08:18 [Locked File] Couldn't open c:\windows\$ntuninstallkb828741$\migregdb.exe for read access, file is locked
09:08:20 [Locked File] Couldn't open c:\windows\$ntuninstallkb835732$\helpctr.exe for read access, file is locked
09:21:37 [File Scan] Scanned 62751 files: 5 alarms in 3085.428 seconds (Avg 21.34 files/sec)
09:21:37 [File Scan] Scanning in D:\ ...
09:21:37 [File Scan] Scanned 0 files: 5 alarms in 8.203125E-02 seconds (Avg 1. files/sec)
09:21:37 [File Scan] Scanning in G:\ ...
09:21:42 [File Scan] Scanned 0 files: 5 alarms in 4.816406 seconds (Avg 1. files/sec)
09:21:42 [Scan] Finished.

Alarm File:
Scan Control Dumped @ 09:28:43 22-03-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\bailey_c\desktop\morgan hill physics\agreement for provision of physics services.wpd.doc
Suspicious Filename: Dual extensions
File: c:\documents and settings\morgan hill physics\desktop\backup 4-7-04\physics\agreement for provision of physics services.wpd.doc
Positive identification (DLL): Adware.MiniBug (dll)
File: c:\program files\aws\weatherbug\minibugtransporter.dll
Suspicious Filename: Dual extensions
File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe
Suspicious Filename: Dual extensions
File: c:\program files\hewlett-packard\hp instant support di\temp\install.wse.exe

Rebooting in Safe mode now to complete instructions..
#12
Registered User
Join Date: Mar 2005
Location: Southern Tier, NY
Posts: 7
OS: XP PRO
HJT Log
I ran HJT in safe mode, checked the zrbpf entry, and checked to see if it was in C:\WINDOWS\system32\zrbpf.dll, and that wasn't there, so I restarted. When I re-ran HJT in normal mode, the zrbpf file showed up again, so I checked it for deletion in normal mode, fixed it, rebooted and ran another HJT, and this is the log I got:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:00 AM, on 3/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winbook.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gateway:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nt10;172.16.90.10;172.0.0.0;5.5.3.224;5.6.0.0;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.winbook.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097683936030
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O17 - HKLM\Software\..\Telephony: DomainName = ch1.corninghospital.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ch1.corninghospital.com
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
#13
Analyst, Security Team
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro
Good job so far...
I am currently reviewing your latest log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.
Please be patient with me during this time.
#14
Analyst, Security Team
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro
Good to go...
Good job Stupidmaid…
Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go.