6 replies to this topic

[Ron.M]

Mr. Tomk:....


Here are the logs & info you requested from the other thread:.....

1st,..DDS Log;...

DDS (Ver_09-06-26.01) - NTFSx86
Run by Ron.M at 11:24:51.31 on Tue 11/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.614 [GMT -8:00]

AV: avast! antivirus 4.8.1356 [VPS 091110-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Ron.M\Desktop\New Folder\NetZero\exec.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Greenshot\Greenshot.exe
C:\Documents and Settings\Ron.M\Desktop\New Folder\NetZero\exec.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Documents and Settings\Ron.M\Desktop\New Folder\NetZero\qsacc\x1exec.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ron.M\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uSearch Bar = hxxp://my.netzero.net/s/search?r=minisearch
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&ClientVersion=8.4.0&mem=ron.m&login=3a0ba2a1607571fd0cce61dbca618e1b/ron.m:netzero.net/1239416131/30/sss.8.48463/&ts=49dffd43&A=739741990000009&B=1212476400000&C=1212476400000&D=1222153200000&I=8.NH4&N=PLHSNAVUSERSSUSER&O=I&UT=
uInternet Settings,ProxyServer = http=127.0.0.1:7900
uInternet Settings,ProxyOverride = searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.
windows.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkass
ociates.com;cf.netzero.net;qs.netzero.net;*.quicken.com;*.pogo.com;<local>
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
mSearchAssistant = hxxp://my.netzero.net/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\documents and settings\ron.m\desktop\new folder\netzero\SearchEnh1.dll
BHO: GetGo URLCatch: {0315aa2c-10c7-4504-a1c4-f552aba8a095} - c:\program files\getgo software\getgo download manager\URLCatch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\documents and settings\ron.m\desktop\new folder\netzero\qsacc\X1IEBHO.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: TBSB00982 Class: {da3d342f-ff20-4e31-9e82-22334155730c} - c:\program files\antbar\ant.com toolbar\tbcore3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\documents and settings\ron.m\desktop\new folder\netzero\Toolbar.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: GetGo Toolbar: {075bbe29-fec0-404a-a459-ff58713616fa} - c:\program files\getgo software\getgo download manager\GGToolBand.dll
TB: Ant.com Toolbar: {6cd56c02-cb4d-41b5-a0fe-b479061ccb41} - c:\program files\antbar\ant.com toolbar\tbcore3.dll
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [NetZero_uoltray] c:\documents and settings\ron.m\desktop\new folder\netzero\exec.exe regrun
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PC Pitstop Optimize Reminder] c:\program files\pcpitstop\optimize3\Reminder-Optimize3.exe
StartupFolder: c:\docume~1\ron~1\startm~1\programs\startup\cnette~1.lnk - c:\documents and settings\ron.m\application data\cbs interactive\cnet techtracker\TechTracker.exe
StartupFolder: c:\docume~1\ronald~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\ronald~1\startm~1\programs\startup\greens~1.lnk - c:\program files\greenshot\Greenshot.exe
IE: &Down&load &Link& Us&ing Ge&tGo - c:\program files\getgo software\getgo download manager\GGCatch.htm
IE: &Down&load All &Links& Us&ing Ge&tGo - c:\program files\getgo software\getgo download manager\GGCatchAll.htm
IE: &GetGo Toolbar Search - c:\program files\getgo software\getgo download manager\GGToolBand.dll/MENUSEARCH.HTM
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Display All Images with Full Quality - c:\documents and settings\ron.m\desktop\new folder\netzero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\documents and settings\ron.m\desktop\new folder\netzero\qsacc\appres.dll/227
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {01A13E40-2F55-4397-B39B-7851BCFB8008} - c:\program files\getgo software\getgo download manager\GetGoDM.exe
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\progra~1\speedb~1\sblsp.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/pcpitstop.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240693214421
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
TCP: {F4D53855-1F88-4FE7-873A-E5693E89EF5E} = 64.136.52.73 64.136.44.73
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-11 138680]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-11 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-11 352920]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-5-18 12672]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-11-9 90352]

=============== Created Last 30 ================

2009-11-09 09:54 82 a------- c:\windows\wininit.ini
2009-11-07 17:25 <DIR> --d----- c:\windows\pss
2009-10-31 15:49 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-10-31 15:48 <DIR> --d----- c:\program files\WindoFix
2009-10-31 15:48 <DIR> --d----- c:\program files\Antbar
2009-10-31 15:46 <DIR> --d----- c:\program files\JPEG to PDF
2009-10-31 15:46 <DIR> --d----- c:\windows\CD95F661A5C444F5A6AAECDD91C240B8.TMP
2009-10-31 15:46 <DIR> --d----- c:\docume~1\ron~1\applic~1\GetGo Software
2009-10-31 15:46 <DIR> --d----- C:\DownloaderData
2009-10-31 15:46 <DIR> --d----- c:\docume~1\ron~1\applic~1\GrabPro
2009-10-31 15:46 <DIR> --d----- c:\windows\system32\drivers\SLDRV
2009-10-31 15:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Canneverbe Limited
2009-10-31 15:45 <DIR> --d----- c:\program files\Perfect Uninstaller
2009-10-31 15:14 <DIR> --d----- c:\windows\LastGood(2)
2009-10-17 17:04 1,679,952 a------- C:\JPEG Power.PDF
2009-10-17 17:02 1,679,949 a------- C:\JPEG Power t.PDF
2009-10-17 16:57 25,029 a------- C:\JPEG_Output.PDF
2009-10-17 16:32 <DIR> --d----- c:\program files\AZ PNG to PDF Converter
2009-10-13 15:58 0 ac------ c:\windows\system32\FOXIT_PDF
2009-10-12 18:57 <DIR> --d----- c:\program files\IrfanView

==================== Find3M ====================

2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-01 09:29 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-28 20:57 7,168 a------- c:\windows\system32\drivers\StarOpen.sys
2009-09-11 06:13 136,704 a------- c:\windows\system32\msv1_0.dll
2009-09-04 13:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-28 23:36 832,512 a------- c:\windows\system32\wininet.dll
2009-08-28 23:36 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-28 23:36 17,408 a------- c:\windows\system32\corpol.dll
2009-08-26 00:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-05-28 17:23 70,984 a------- c:\documents and settings\ron.m\g2mdlhlpx.exe

============= FINISH: 11:25:18.92 ===============



2nd;....Kaspersky Log;....

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, November 8, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 09, 2009 02:41:58
Records in database: 3179435
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 42438
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 00:58:38


File name / Threat / Threats count
C:\Documents and Settings\Ron.M\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{60B71BEA-9772-4445-BEE7-744AC19A8F28} Infected: Trojan.Win32.Qhost.mcf 1
C:\Documents and Settings\Ron.M\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{64B05E9B-9AA8-45B9-B737-9AACB66448D7} Infected: Trojan.Win32.Qhost.mcf 1
C:\Documents and Settings\Ron.M\My Documents\dolphin.exe Infected: Worm.Win32.AutoRun.azsz 1

Selected area has been scanned.

3rd;...Rootrepeal Log

 Attach_Rootrepeal.txt   11.87KB   625 downloads

I did not uninstall the "dolphin" file yet...
I don't know if you can get rid of the worm only or if the file has to go...


Can you also help me with this;....

Yesterday I ran SpyBot & Avast....
SpyBot found 45 problems that I went ahead & fixed....
1 nasty cookie , etc....
Avast found nothing before I fixed them with SpyBot....
But there are 2 infected files in the "chest"....(Avast)
I can delete those files , but I'm VERY concerned what would happen if I did....
I have some questions to ask about this stuff....
#1=...How safe is it to delete the 2 infected files found on Avast ???..ANY complications to worry about ???
#2=...If I did delete those 2 files , & had a problem develop , how would I correct it ???

Mr TomK, ..You have NO idea how much I appreciate your help...THANK YOU.... ....



Later...Ron.M.... ....

[Tomk]

Ron.M,

The windows defender files are part of windows defender so they're a non issue. I just can't tell about the dolphin file.

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\Documents and Settings\Ron.M\My Documents\dolphin.exe <===this file

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

[Ron.M]

Mr. TomK;...

Here's the results from virusscan.jotti:...

2009-11-10 Worm.Win32.Autorun.Atwp 2009-11-10 Found nothing
2009-11-10 Found nothing 2009-11-10 Found nothing
2009-11-10 Found nothing 2009-11-10 Worm.Win32.AutoRun.azsz
2009-11-10 Found nothing 2009-11-10 Found nothing
2009-11-10 Found nothing 2009-11-10 Found nothing
2009-11-10 Found nothing 2009-11-09 Found nothing
2009-11-10 Found nothing 2009-11-06 Worm.AutoRun.azsz
2009-11-10 Found nothing 2009-11-10 Found nothing
2009-11-10 Found nothing 2009-11-10 Worm.Win32.AutoRun.azsz
2009-11-10 Found nothing 2009-11-10 Found nothing
2009-11-10 Worm.Win32.AutoRun.azsz



5 of 21 scanners say,
Ta Da , it's a worm !!.....
I'm convinced , how about you ???


Later...Ron.M... .....

[Tomk]

Ron.M,

I'm convinced if you are. It's hard to tell from partial results but Prevx and Kaspersky appear to call any file called dolphin Worm.Win32.AutoRun.azsz . It doesn't matter if its the screen saver, the game emulator, or there is a few more out there.

However, it's not important so better to be safe than sorry. Go ahead and delete it.

Then, I'm not seeing anything in your log to mess with so I suggest you return to Doug and appleoddity in the Tech forum for continued help.

Oops. You had a couple questions I didn't answer.

Basically, the reason for the chest is a place to store the files where they can't hurt anything until such time as you can determine if anything detrimental happened with their removal. If something "funny" happens when they go into the chest, they can be restored. If those files have been in the chest for some period of time with no deleterious effect, then you should be fine to trash them.

If the files have been placed there recently (that would be a judgement call on your part) then leave them there awhile until you are comfortable that they were indeed bad and you won't be needing them. As long as they are in quarantine, they have been neutralized and cannot hurt you.

[Ron.M]

Mr. TomK;....

I deleted fully the "dolphin" file.....
Much to my chagrin , the problem is still there....
I was hoping that was the cause....
Anywhooo ,

THANK you VERY much for your fast & courteous help....

Have a GREAT week & beyond.....



Later...Ron.M... ...

Edited by Ron.M, 10 November 2009 - 07:08 PM.

[Tomk]

Good luck an be well.

[Tomk]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.