
PC Optimizer Pro - HELP!!

This is a discussion on PC Optimizer Pro - HELP!! within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.


Old 04-11-2012, 02:29 PM   #1
Registered Member
 
Join Date: Apr 2012
Location: Edinburgh, Scotland
Posts: 23
OS: XP



Hi


I posted yesterday about what appears to be an infection by a piece of malware called PC Optimizer Pro. It appeared out of nowhere in the form of a “pop up” in the bottom right of my screen. It stated that there were 3,000 or so factors slowing down my machine, but as it was an unsolicited pop-up I wondered whether it was malware, which one of your members, Amateur, confirmed. It has even installed a desktop logo, which needless to say I have not clicked!


Amateur suggested I undertook the “Pre-Posting” process. Although I am not hugely computer-literate, I think I have managed to complete this – with one proviso; BitDefender. I was unable to disable this because the process said to “On the left panel click >> Virus Shield”, but there is no such option so I can only hope this hasn't been a problem when I went on to do the scan. I had SuperAntiSpyware and MalwareBytes, which I have now disabled, and u-torrent which I uninstalled from the Control Panel.


I should also point out (I don't know whether it's related) that I have had intermittent interruptions to my broadband connection, and whenever I scan with one of the above utilities, scores of “tracking” malware, which the software assures me are not serious, are always detected.


As requested, I have pasted the text of DDS.txt below and attached the other two logs. The checklist asks whether I have access to a Windows Install disk or Boot CD - the answer, I'm afraid, is "No".


Many thanks in advance for any assistance. I am desperate to become more “PC-savvy” and would also appreciate any suggestions to “beginner tutorials” which would assist me in understanding basic security issues to avoid these kinds of issues recurring.


All the best,


Peter.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 22:37:54 on 2012-04-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1136 [GMT 3:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\BitDefender\BitDefender 2011\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\BitDefender\BitDefender 2011\bdagent.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\BitDefender\BitDefender 2011\pchooklaunch32.exe
C:\Program Files\Optimizer Pro\OptProReminder.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.google.co.uk/
mStart Page = about:blank
uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Bitdefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2011\IEToolbar.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Optimizer Pro] c:\program files\optimizer pro\OptProLauncher.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2011\ieshow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2011\bdagent.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Lexmark 3100 Series] "c:\program files\lexmark 3100 series\lxbrbmgr.exe"
mRun: [LXBRKsk] c:\progra~1\lexmar~1\LXBRKsk.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] ctfmon.exe
dRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{046D1E8B-33EF-45C7-B40D-439E58C7BA29} : DhcpNameServer = 194.168.4.100 194.168.8.100
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: schannel.dll, credssp.dll, digest.dll
.
============= SERVICES / DRIVERS ===============
.
R1 BdRawPr;BdRawPr;c:\windows\system32\drivers\bdrawpr.sys [2006-1-10 12960]
R1 Bdvedisk;BDVEDISK;c:\windows\system32\drivers\bdvedisk.sys [2010-1-19 85128]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2006-1-10 2253120]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2006-1-10 583640]
R2 Updatesrv;BitDefender Desktop Update Service;c:\program files\bitdefender\bitdefender 2011\updatesrv.exe [2011-3-24 43936]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2010-4-22 153440]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf.sys [2010-8-20 111696]
S3 Update Server;BitDefender Update Server v2;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2010-11-30 307544]
S4 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2010-11-29 535824]
S4 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2010-11-29 1066232]
.
=============== Created Last 30 ================
.
2012-04-10 18:31:43 178176 ------w- c:\windows\system32\dllcache\wintrust.dll
2012-04-10 18:31:43 148480 ------w- c:\windows\system32\dllcache\imagehlp.dll
2012-04-10 18:23:06 -------- d-----w- c:\documents and settings\administrator\application data\Optimizer Pro
2012-04-10 18:16:09 -------- d-----w- c:\documents and settings\all users\application data\Premium
2012-04-10 18:16:01 -------- d-----w- c:\program files\Optimizer Pro
2012-04-10 18:15:20 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2012-04-02 01:27:21 -------- d-----w- c:\windows\system32\C2MP
2012-04-02 01:17:14 -------- d-----w- C:\DECCHECK
2012-04-01 17:55:17 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Identities
2012-03-31 12:11:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-03-31 12:09:28 286720 ----a-w- c:\windows\system32\lxbrf2k.dll
2012-03-31 12:09:28 155648 ----a-w- c:\windows\system32\flashshl.dll
2012-03-31 12:09:27 4608 ----a-w- c:\windows\DelShell.exe
2012-03-31 12:09:27 21504 ----a-w- c:\windows\LXBRSET.EXE
2012-03-31 12:09:27 208896 ----a-w- c:\windows\system32\smshell.dll
2012-03-31 12:09:27 -------- d-----w- c:\program files\Lexmark 3100 Series
2012-03-31 12:09:25 306688 ----a-w- c:\windows\IsUninst.exe
2012-03-31 1234 299520 ----a-w- c:\windows\uninst.exe
2012-03-31 1233 -------- d-----w- c:\documents and settings\administrator\WINDOWS
2012-03-31 1221 -------- d-----w- C:\Lxk3100Series
2012-03-28 16:22:54 -------- d-----w- c:\program files\IrfanView
2012-03-18 11:12:47 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe
.
==================== Find3M ====================
.
2012-04-05 12:11:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-05 12:11:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-08 12:21:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 10:58:17 919552 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 10:58:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 10:58:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:08:49 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:08:49 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:30:16 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:26:17 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-15 20:47:20 3478016 ----a-w- c:\windows\system32\ffdshow.ax
2012-01-15 20:44:50 4354048 ----a-w- c:\windows\system32\ffmpeg.dll
2010-07-08 08:37:14 101544 ----a-w- c:\program files\common files\LinkInstaller.exe
.
============= FINISH: 22:39:26.76 ===============
Attached Files
File Type: zip ark.zip (782 Bytes, 12 views)
File Type: zip attach.zip (2.3 KB, 10 views)

peter.ward
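A DDS "Pseudo HJT Report" like the one above is a flat list of autostart hooks (Run keys, BHOs, toolbars, services) with the on-disk image each one points to. The quickest defensive triage is to parse those lines and ask which images live under a directory belonging to the program you are worried about. The parser below is an added example for this thread and is not part of DDS, ComboFix or the forum's own tools; its sample lines are copied from the DDS log posted above, and the suspect-directory list (here just the Optimizer Pro folder the thread is about) is an assumption chosen for illustration.

```python
"""Parse DDS autostart lines and flag entries whose image sits under a suspect directory.

Added example for this thread; not DDS or forum code. Sample lines are taken from
the posted log; SUSPECT_DIRS is an assumed, user-supplied list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the posted DDS report.
SAMPLE_DDS = r"""
uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Optimizer Pro] c:\program files\optimizer pro\OptProLauncher.exe
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2011\bdagent.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2006-1-10 583640]
"""

# Assumed list of directories to flag (the program this thread is about).
SUSPECT_DIRS = [r"c:\program files\optimizer pro"]


@dataclass
class Entry:
    kind: str                 # DDS prefix: uRun, mRun, dRunOnce, BHO, TB, R2, ...
    name: str                 # value name, display name or service name
    path: str                 # lower-cased image path, or the launcher token if no path
    clsid: Optional[str] = None


# uRun/mRun/dRun/dRunOnce: [ValueName] command line
_RUN = re.compile(r"^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# BHO/TB/uURLSearchHooks/SEH: Display Name: {CLSID} - path
_COM = re.compile(r"^(?P<kind>BHO|TB|uURLSearchHooks|SEH): (?P<name>.+?): "
                  r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# R0-R3/S0-S4 service;description;path [date size]
_SVC = re.compile(r"^(?P<kind>[RS][0-4]) (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[[^\]]*\]$")
# First drive-letter path ending in a binary extension inside a command line
_DRIVE_PATH = re.compile(r'(?i)[a-z]:\\[^"]+?\.(?:exe|dll|sys|cpl)')


def _image_path(cmd: str) -> str:
    """Extract the binary a Run value launches; fall back to its first token."""
    m = _DRIVE_PATH.search(cmd)
    if m:
        return m.group(0).lower()
    tokens = cmd.strip().strip('"').split()
    return tokens[0].lower() if tokens else ""


def parse_dds_autostarts(text: str) -> List[Entry]:
    """Turn recognised DDS lines into Entry records; unknown lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := _RUN.match(line)):
            entries.append(Entry(m["kind"], m["name"], _image_path(m["cmd"])))
        elif (m := _COM.match(line)):
            entries.append(Entry(m["kind"], m["name"], m["path"].lower(), m["clsid"].lower()))
        elif (m := _SVC.match(line)):
            entries.append(Entry(m["kind"], m["name"], m["path"].lower()))
    return entries


def flag_entries(entries: List[Entry], suspect_dirs: List[str]) -> List[Entry]:
    """Return the entries whose image path is inside one of the suspect directories."""
    prefixes = tuple(d.lower().rstrip("\\") + "\\" for d in suspect_dirs)
    return [e for e in entries if e.path.startswith(prefixes)]


if __name__ == "__main__":
    parsed = parse_dds_autostarts(SAMPLE_DDS)
    for e in flag_entries(parsed, SUSPECT_DIRS):
        print(f"{e.kind:<8} {e.name:<20} -> {e.path}")
```

Run against the full posted log, the same parser would also surface the `Optimizer Pro` directories in the "Created Last 30" section and the matching `HKEY_CURRENT_USER\...\Run` value that ComboFix later lists under "Reg Loading Points"; extending `SUSPECT_DIRS` is how you widen the net.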
Old 04-14-2012, 11:13 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Hello peter.ward,

Please download ComboFix from one of these locations:

Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how, please look in here:

    How to disable your security applications
    To disable Bitdefender real-time antivirus protection:
    • Open the Bitdefender window.
    • Click the Settings button in the upper toolbar.
    • Click Antivirus on the left-side menu and then the Shield tab.
    • Click the switch to turn off on-access scanning.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you get an 'Illegal operation attempted on a Registry key which has been marked for deletion' error message, please reboot your machine.


Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done that.

amateur
Old 04-15-2012, 07:56 AM   #3
Registered Member
 
Join Date: Apr 2012
Location: Edinburgh, Scotland
Posts: 23
OS: XP



Hi, thanks for the reply - unfortunately things aren't quite going to plan!

I have followed the instructions, and as you predicted was prompted to install the Recovery Console, which was done successfully.

However, after scanning for about 20 minutes, the ComboFix window simply disappears - it doesn't produce a log so I have no "ComboFix.txt" file to attach.

Help!!

Thanks, Peter
peter.ward
Old 04-15-2012, 08:12 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Did it complete all the stages? Make sure BitDefender real-time protection remains disabled for an appropriate amount of time for Combofix to finish its job. If there's an option to disable it permanently, please choose that. You can reset it after Combofix has produced its log.

Double click on Combofix and run it again please.
amateur
Old 04-16-2012, 07:18 AM   #5
Registered Member
 
Join Date: Apr 2012
Location: Edinburgh, Scotland
Posts: 23
OS: XP



Hi, thanks for the prompt reply. Frankly, because I don't know what all the stages are supposed to be, it's difficult for me to know whether it completed them all. So I'll outline in detail what happens.

As you suggested I disabled Bit Defender Real Time Protection permanently (I'd set it to one hour yesterday) and re-ran Combofix. Thiiiiiiiiiiiiiis what happens:

A black screen with green text appears for about a minute, then disappears. Nearly 10 minutes later a white on blue scren appears and seems to do nothing for 2-3 minutes. It then tells me it is prepaio run, then that it's attempting to create a new System Restore Point.

It then starts scanning, telling me it will take 10 minutes, more if there is a bad infection. This remains for 15-20 mmmmmmmmmmmmmiuttttttttttttttsafter which the PC reboots itself. At no point is any log produced that I can see - unless it's hidden somewhere that's not obvious?

By the way, since rebooting, the keyboard has started playing up - see the words "minutes", "this" and "preparing to" above, which were typed correctly. Could this be virus related? Is there any hope for this PC????
peter.ward
Old 04-16-2012, 07:44 AM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Please refer to my previous post and run Combofix again.
amateur
Old 04-16-2012, 01:25 PM   #7
Registered Member
 
Join Date: Apr 2012
Location: Edinburgh, Scotland
Posts: 23
OS: XP



OK, have done again.

This time I noted something I could have easily missed before because it just popped up for a couple of seconds in the bottom right of the screen. I paraphrase because I didn't have time to write it down but it was something like: "CF18004 was terminated because it was deemed a threat by anti virus software."

To reiterate though, Bit Defender is disabled and SuperAntiSpyware and MalwareBytes are free versions only which don't have real time updates. To my knowledge there is no other relevant software on the machine.

Have I missed something?
peter.ward
Old 04-16-2012, 01:43 PM   #8
Registered Member
 
Join Date: Apr 2012
Location: Edinburgh, Scotland
Posts: 23
OS: XP



Oh, and I was also asked whether I wanted to install a "newer version" of combofix. Given that I'd been given two specific links to choose from to download it, I clicked "No" - hope that was correct.
peter.ward
Old 04-16-2012, 10:28 PM   #9
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10



Hi,

Since it's a free version, I guess SuperAntiSpyware is just an antispyware, but needs to be disabled just the same. But if it also has the antivirus component, please uninstall it. Having two antivirus applications installed is never recommended.

If it's the BitDefender that's giving Combofix the problem, perhaps disabling it is not enough. Please uninstall it for now. You can install it again when we are done.

Meanwhile, please do not surf the net without the protection of antivirus. Use the machine to communicate with us only.

Delete the present copy of Combofix from your desktop. Download a fresh copy from the links in my post above, double click to run it and follow the prompts.

If you're still having problems running it, try it in Safe Mode, although Combofix performs best in Normal Mode.
Safe Mode:

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in to your usual account. Make sure to close any open browsers.
amateur
Old 04-18-2012, 02:23 PM   #10
Registered Member
 
Join Date: Apr 2012
Location: Edinburgh, Scotland
Posts: 23
OS: XP



Ok, we have takeoff! I completely removed BitDefender, Malwarebytes and Superantispyware and Combofix ran immediately. The log is below. In terms of ongoing protection, what do you recommend I install/reinstall?

ComboFix 12-04-15.01 - Administrator 19/04/2012 0:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1311 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS15D.tmp
c:\documents and settings\Administrator\Application Data\oembios.exe
c:\documents and settings\Administrator\Application Data\twex.exe
c:\documents and settings\Administrator\Application Data\twext.exe
c:\documents and settings\Administrator\Local Settings\Temp\SAS15D.tmp
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\Toolbar
c:\windows\dasetup.log
c:\windows\system\VB40032.DLL
.
.
((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
.
.
2012-04-18 21:04 . 2012-04-18 21:07 -------- d-----w- c:\windows\LastGood
2012-04-15 16:25 . 2011-03-03 06:53 149504 ------w- c:\windows\system32\dllcache\dnsapi.dll
2012-04-15 16:25 . 2009-04-20 17:06 45568 ------w- c:\windows\system32\dllcache\dnsrslvr.dll
2012-04-15 16:25 . 2008-06-20 17:43 245248 ------w- c:\windows\system32\dllcache\mswsock.dll
2012-04-15 16:25 . 2008-06-20 11:59 361600 ------w- c:\windows\system32\dllcache\tcpip.sys
2012-04-15 16:25 . 2008-06-20 11:16 225856 ------w- c:\windows\system32\dllcache\tcpip6.sys
2012-04-10 18:31 . 2012-02-29 14:08 178176 ------w- c:\windows\system32\dllcache\wintrust.dll
2012-04-10 18:31 . 2012-02-29 14:08 148480 ------w- c:\windows\system32\dllcache\imagehlp.dll
2012-04-10 18:23 . 2012-04-10 18:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Optimizer Pro
2012-04-10 18:16 . 2012-04-10 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Premium
2012-04-10 18:16 . 2012-04-10 18:16 -------- d-----w- c:\program files\Optimizer Pro
2012-04-10 18:15 . 2012-04-10 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-04-05 12:12 . 2012-04-05 12:12 -------- d-----w- c:\program files\Common Files\Java
2012-04-02 01:27 . 2012-04-03 19:58 -------- d-----w- c:\windows\system32\C2MP
2012-04-02 01:17 . 2012-04-02 01:21 -------- d-----w- C:\DECCHECK
2012-04-01 17:55 . 2012-04-01 17:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2012-03-31 12:11 . 2008-04-13 21:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-03-31 12:09 . 2003-06-14 09:12 286720 ----a-w- c:\windows\system32\lxbrf2k.dll
2012-03-31 12:09 . 2003-03-26 07:11 155648 ----a-w- c:\windows\system32\flashshl.dll
2012-03-31 12:09 . 2012-03-31 12:13 -------- d-----w- c:\program files\Lexmark 3100 Series
2012-03-31 12:09 . 2003-06-14 08:20 208896 ----a-w- c:\windows\system32\smshell.dll
2012-03-31 12:09 . 2002-10-30 12:20 21504 ----a-w- c:\windows\LXBRSET.EXE
2012-03-31 12:09 . 2001-03-15 05:06 4608 ----a-w- c:\windows\DelShell.exe
2012-03-31 12:09 . 1998-10-29 13:45 306688 ----a-w- c:\windows\IsUninst.exe
2012-03-31 12:06 . 1997-04-08 17:08 299520 ----a-w- c:\windows\uninst.exe
2012-03-31 12:06 . 2012-03-31 12:09 -------- d-----w- C:\Lxk3100Series
2012-03-28 16:22 . 2012-03-28 16:22 -------- d-----w- c:\program files\IrfanView
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-18 21:09 . 2006-01-10 13:12 451595 ----a-w- c:\documents and settings\All Users\Application Data\bdinstall.bin
2012-04-05 12:11 . 2006-01-09 00:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-05 12:11 . 2006-01-09 00:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-08 12:21 . 2012-03-08 12:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 10:58 . 2011-02-22 23:27 919552 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 10:58 . 2011-02-22 23:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 10:58 . 2006-01-09 00:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:08 . 2009-12-24 06:42 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:08 . 2008-04-14 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:30 . 2011-02-18 12:31 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:26 . 2011-03-03 13:27 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2012-03-03 19:50 237072 ------w- c:\windows\system32\MpSigStub.exe
2010-07-08 08:37 . 2010-07-08 08:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-04-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro"="c:\program files\Optimizer Pro\OptProLauncher.exe" [2012-01-02 81912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2006-03-21 296056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"LinkInstaller"="c:\program files\Common Files\LinkInstaller.exe" [2010-07-08 101544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [10/01/2006 15:19 2253120]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [10/01/2006 15:46 583640]
RUnknown SASKUTIL;SASKUTIL; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Bdvedisk
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-884357618-1606980848-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-08 10:05]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-884357618-1606980848-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-08 10:05]
.
2012-04-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-507921405-884357618-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 15:45]
.
2012-04-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-507921405-884357618-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 15:45]
.
2012-04-18 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2006-01-10 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.co.uk/
mStart Page = about:blank
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
HKU-Default-Run-IDMan - c:\program files\Internet Download Manager\IDMan.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-19 00:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\SetId\Internal]
@Denied: (A 2) (LocalSystem)
"DATA2"="<settings accountStatus=\"3\" oldDevice=\"\" timeDiff=\"19\" expireTime=\"1327315426\" productStatus=\"3\" obSize=\"2\" InstallTS=\"1289332796\" isSubsc=\"0\" authStat_ts=\"0\" version=\"14.1\" keyType=\"195\" prodId=\"1\" moduleId1=\"7\" moduleId2=\"10\" relType=\"0\" />\0a"
.
[HKEY_USERS\S-1-5-21-507921405-884357618-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,30,d9,0c,af,78,aa,46,8d,23,9f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c1,bb,35,ac,1f,a5,ce,45,a9,18,67,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,30,d9,0c,af,78,aa,46,8d,23,9f,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4151075a-d735-4f04-abf4-b36a2c42e914}]
@Denied: (Full) (Everyone)
"Model"=dword:00000058
"Therad"=dword:00000001
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ae,64,ee,2d,84,75,7d,59,85,5c,47,dd,c5,b3,9a,93,97,40,9b,cb,f8,
3e,59,92,f8,33,a1,5d,1a,10,4f,3a,43,d7,6a,a1,26,22,e3,15,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1056)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-04-19 00:19:01
ComboFix-quarantined-files.txt 2012-04-18 21:18
.
Pre-Run: 288,629,927,936 bytes free
Post-Run: 289,092,292,608 bytes free
.
- - End Of File - - 1DE165E8457461DBC26B190A011F5C27
-- peter.ward
Old 04-19-2012, 01:10 AM   #11
Security Team, Moderator, Analyst, Rangemaster, TSF Academy
Quote:
Ok, we have takeoff!


Good job. However, we still have more work to do. No permission to land yet. So, please stay with me until the end.

I'll reply to your queries shortly, but let's look for available copies of a missing file in the system first.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    wscntfy.ex*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
-- amateur
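What the :filefind directive above actually does, as an added example that is not SystemLook's code and not part of the original thread: walk the places where Windows XP keeps spare copies of a system binary, match the wildcard name case-insensitively, and hash every hit so that identical copies can be told apart from different builds before one is copied back into system32. The directory list, the helper names and the temporary sample tree are this example's own assumptions; the sample tree is constructed to mirror the situation in the thread (no live copy, cached copies present).

```python
"""Locate spare copies of a Windows system file the way SystemLook's
':filefind' directive does, and report each copy's size and MD5 so that
identical copies can be told apart from different builds.

Added example, not SystemLook's code. XP_CACHE_DIRS lists the places under
%SystemRoot% where Windows XP normally keeps a pristine copy of a system
binary; build_sample_tree() creates a constructed stand-in for that tree.
"""
import fnmatch
import hashlib
import os
import tempfile

# Relative to %SystemRoot%; forward slashes are accepted by Windows too.
# Assumption: a real run would pass r"C:\WINDOWS" to find_in_tree().
XP_CACHE_DIRS = (
    "system32",
    "system32/dllcache",
    "ServicePackFiles/i386",
    "$NtServicePackUninstall$",
    "SoftwareDistribution/Download",
)


def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def filefind(pattern, roots):
    """Return sorted [(path, size, md5)] for files under any root whose name
    matches the wildcard pattern (case-insensitive, like SystemLook).
    Nested roots (system32 and system32/dllcache) are both walked, so hits
    are de-duplicated by absolute path."""
    seen, hits = set(), []
    pat = pattern.lower()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not fnmatch.fnmatchcase(name.lower(), pat):
                    continue
                full = os.path.abspath(os.path.join(dirpath, name))
                if full in seen:
                    continue
                seen.add(full)
                hits.append((full, os.path.getsize(full), md5_of(full)))
    return sorted(hits)


def group_by_hash(hits):
    """Copies with the same MD5 are interchangeable; different hashes mean
    different builds (or a tampered copy) and must not be swapped blindly."""
    groups = {}
    for path, _size, digest in hits:
        groups.setdefault(digest, []).append(path)
    return groups


def build_sample_tree():
    """Constructed stand-in for C:\\WINDOWS: the live copy in system32 is
    missing (as on the machine in this thread) but two cached copies
    survive, plus a decoy that must not match 'wscntfy.ex*'."""
    root = tempfile.mkdtemp(prefix="xpdemo_")
    payload = b"MZ" + b"\x00" * 1022  # fake PE stub, constructed
    for rel in XP_CACHE_DIRS[:3]:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in ("system32/dllcache", "ServicePackFiles/i386"):
        with open(os.path.join(root, rel, "wscntfy.exe"), "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "system32", "wscntfy.dll"), "wb") as f:
        f.write(b"decoy")
    return root


def find_in_tree(systemroot, pattern="wscntfy.ex*"):
    """Search only the cache directories that exist under systemroot."""
    roots = [os.path.join(systemroot, rel) for rel in XP_CACHE_DIRS]
    return filefind(pattern, [r for r in roots if os.path.isdir(r)])


if __name__ == "__main__":
    found = find_in_tree(build_sample_tree())
    for path, size, digest in found:
        print(f"{digest}  {size:>8}  {path}")
    print(f"{len(group_by_hash(found))} distinct build(s)")
```

On the real machine the thread's result ("No files found") means none of these directories held a copy, which is why the analyst then asks for an installation disc; when copies are found, only a hash that matches across the cached locations is a safe candidate to restore.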
Old 04-19-2012, 11:51 AM   #12
Registered Member
Thanks. It's only now that I'm flying and you've refused me permission to land, that I've remembered I don't like heights....

Anyway, here's the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 21:50 on 19/04/2012 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "wscntfy.ex*"
No files found.
-= EOF =-
-- peter.ward
Old 04-19-2012, 01:24 PM   #13
Security Team, Moderator, Analyst, Rangemaster, TSF Academy
Hi again,

How is the system behaving now?

It appears that a copy of wscntfy.exe is not available on the disk. If you have your XP installation disk, we can copy from it. Let me know.

=================

Please uninstall the following via Add or Remove Programs in Control Panel:
  • Java(TM) 6 Update 22=======> This is an older version of Java which may have some vulnerabilities that can be exploited. Leave Java(TM) 6 Update 31 alone though, as it's the latest version.
  • uTorrentControl2 Toolbar
  • Registry Mechanic 10.0======> We do not recommend the use of registry cleaners/optimizers/tweakers. Our colleague miekiemoes has an excellent writeup here
    Two other excellent articles: One by Bill Castner is located here and the other by Ed Bott is here

==================
  • Open Notepad (Start > All Programs > Accessories > Notepad). It must be Notepad, not WordPad, or it won't work.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here

Code:
Folder::
c:\documents and settings\Administrator\Application Data\Optimizer Pro
c:\program files\Optimizer Pro

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro"=-
Save this as CFScript.txt on your Desktop.



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


====================

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Launch Malwarebyte's, and select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

======================

It's important to run an online scan to search for any remnants that may be hiding. Please go here to run the online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
-- amateur
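The CFScript format used above (and again in a later reply, with a Driver:: section) is small but unforgiving: a directive line such as Folder:: or Registry:: opens a section, and lines under Registry:: use REGEDIT4 syntax where a [key] line selects the key and "Name"=- deletes that value. As an added example that is not ComboFix's code and not part of the original thread, here is a dry-run parser that lists what each section asks for and warns about lines that would silently do nothing, such as registry lines that are not under a Registry:: header. The File:: directive, the action and warning names, and the second script in the block (a constructed variant that lost its header) are this example's assumptions.

```python
"""Dry-run a ComboFix CFScript: list the actions each section requests and
flag lines that ComboFix would ignore or that are malformed.

Added example, not ComboFix's code. The directive names come from the
scripts in this thread (Folder::, Registry::, Driver::) plus File::, which
ComboFix also accepts; any other directive is reported as unknown rather
than interpreted. Registry lines use REGEDIT4 syntax: a [key] line selects
the key and "Name"=- deletes the value Name from it. SCRIPT_POST13 is the
script from the post above; BROKEN_SCRIPT is a constructed variant that
lost its Registry:: header.
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
DEL_VALUE_RE = re.compile(r'^"([^"]+)"=-$')
KNOWN_SECTIONS = {"File", "Folder", "Registry", "Driver"}


def parse_cfscript(text):
    """Return (actions, warnings). actions: (kind, target) tuples in script
    order; warnings: (line_number, message) for lines that do nothing."""
    actions, warnings = [], []
    section = current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            if section not in KNOWN_SECTIONS:
                warnings.append((lineno, f"unknown directive {section}::"))
            continue
        if section is None:
            warnings.append((lineno, "precedes any directive; ignored"))
        elif section not in KNOWN_SECTIONS:
            warnings.append((lineno, f"inside unknown {section}::; ignored"))
        elif section in ("File", "Folder"):
            actions.append((f"delete_{section.lower()}", line))
        elif section == "Driver":
            actions.append(("remove_service", line))
        else:  # Registry
            km = KEY_RE.match(line)
            vm = DEL_VALUE_RE.match(line)
            if km:
                current_key = km.group(1)
            elif vm and current_key:
                actions.append(("delete_value", f"{current_key}\\{vm.group(1)}"))
            elif vm:
                warnings.append((lineno, "value line before any [key]; ignored"))
            else:
                warnings.append((lineno, 'not a [key] or "Name"=- line; not handled here'))
    return actions, warnings


SCRIPT_POST13 = r"""
Folder::
c:\documents and settings\Administrator\Application Data\Optimizer Pro
c:\program files\Optimizer Pro

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro"=-
"""

# Constructed: the same shape as a Driver:: script, but the registry lines
# were pasted without their Registry:: header, so they do nothing.
BROKEN_SCRIPT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"LinkInstaller"=-

Driver::
sptd
SASKUTIL
"""

if __name__ == "__main__":
    for label, script in (("post #13", SCRIPT_POST13), ("constructed", BROKEN_SCRIPT)):
        acts, warns = parse_cfscript(script)
        print(label, acts, warns)
```

Running a script through a check like this before dragging it onto ComboFix.exe catches the common copy-and-paste failure: a section whose header was lost produces no error in ComboFix, the entries simply survive the run.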
Old 04-19-2012, 04:26 PM   #14
Registered Member
Hiya,


Thanks for the update and the ongoing help.


As for how the system is running now, I rebooted after doing everything you asked and for the first time in days the dreaded malware windows did not appear! There were two small puzzles which I hope you'll tell me are of no significance! :-


1. A warning box when I started IE, saying I was “about to leave a secure internet connection....” and confirming I wanted to continue.

2. A “New Hardware Wizard” – I've not added any hardware!


No, I bought this machine from someone on eBay and have no installation disks I am afraid.


I have done everything you suggested except Remove the u-torrent toolbar, as this was not listed in the Add/Remove programs of the Control Panel. Anywhere else I can find it?


Below are the various logs you requested. MalwareBytes seems to have nothing but ESET did.


Looking forward to your next update!!


Cheers, Peter



ComboFix 12-04-15.01 - Administrator 20/04/2012 1:24.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1317 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Optimizer Pro
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\Optimizer Pro
c:\program files\Optimizer Pro\English.ini
c:\program files\Optimizer Pro\file_id.diz
c:\program files\Optimizer Pro\HomePage.url
c:\program files\Optimizer Pro\OptimizerPro.chm
c:\program files\Optimizer Pro\OptimizerPro.exe
c:\program files\Optimizer Pro\OptProGuard.exe
c:\program files\Optimizer Pro\OptProLauncher.exe
c:\program files\Optimizer Pro\OptProReminder.exe
c:\program files\Optimizer Pro\OptProSchedule.exe
c:\program files\Optimizer Pro\OptProSmartScan.exe
c:\program files\Optimizer Pro\OptProStart.exe
c:\program files\Optimizer Pro\OptProUninstaller.exe
c:\program files\Optimizer Pro\scan.gif
c:\program files\Optimizer Pro\sqlite3.dll
c:\program files\Optimizer Pro\unins000.dat
c:\program files\Optimizer Pro\unins000.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-19 to 2012-04-19 )))))))))))))))))))))))))))))))
.
.
2012-04-18 21:04 . 2012-04-18 21:07 -------- d-----w- c:\windows\LastGood
2012-04-15 16:25 . 2011-03-03 06:53 149504 ------w- c:\windows\system32\dllcache\dnsapi.dll
2012-04-15 16:25 . 2009-04-20 17:06 45568 ------w- c:\windows\system32\dllcache\dnsrslvr.dll
2012-04-15 16:25 . 2008-06-20 17:43 245248 ------w- c:\windows\system32\dllcache\mswsock.dll
2012-04-15 16:25 . 2008-06-20 11:59 361600 ------w- c:\windows\system32\dllcache\tcpip.sys
2012-04-15 16:25 . 2008-06-20 11:16 225856 ------w- c:\windows\system32\dllcache\tcpip6.sys
2012-04-10 18:31 . 2012-02-29 14:08 178176 ------w- c:\windows\system32\dllcache\wintrust.dll
2012-04-10 18:31 . 2012-02-29 14:08 148480 ------w- c:\windows\system32\dllcache\imagehlp.dll
2012-04-10 18:16 . 2012-04-10 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Premium
2012-04-10 18:15 . 2012-04-10 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-04-05 12:12 . 2012-04-05 12:12 -------- d-----w- c:\program files\Common Files\Java
2012-04-02 01:27 . 2012-04-03 19:58 -------- d-----w- c:\windows\system32\C2MP
2012-04-02 01:17 . 2012-04-02 01:21 -------- d-----w- C:\DECCHECK
2012-04-01 17:55 . 2012-04-01 17:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2012-03-31 12:11 . 2008-04-13 21:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-03-31 12:09 . 2003-06-14 09:12 286720 ----a-w- c:\windows\system32\lxbrf2k.dll
2012-03-31 12:09 . 2003-03-26 07:11 155648 ----a-w- c:\windows\system32\flashshl.dll
2012-03-31 12:09 . 2012-03-31 12:13 -------- d-----w- c:\program files\Lexmark 3100 Series
2012-03-31 12:09 . 2003-06-14 08:20 208896 ----a-w- c:\windows\system32\smshell.dll
2012-03-31 12:09 . 2002-10-30 12:20 21504 ----a-w- c:\windows\LXBRSET.EXE
2012-03-31 12:09 . 2001-03-15 05:06 4608 ----a-w- c:\windows\DelShell.exe
2012-03-31 12:09 . 1998-10-29 13:45 306688 ----a-w- c:\windows\IsUninst.exe
2012-03-31 12:06 . 1997-04-08 17:08 299520 ----a-w- c:\windows\uninst.exe
2012-03-31 12:06 . 2012-03-31 12:09 -------- d-----w- C:\Lxk3100Series
2012-03-28 16:22 . 2012-03-28 16:22 -------- d-----w- c:\program files\IrfanView
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-18 21:09 . 2006-01-10 13:12 451595 ----a-w- c:\documents and settings\All Users\Application Data\bdinstall.bin
2012-04-05 12:11 . 2006-01-09 00:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-05 12:11 . 2006-01-09 00:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-08 12:21 . 2012-03-08 12:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 10:58 . 2011-02-22 23:27 919552 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 10:58 . 2011-02-22 23:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 10:58 . 2006-01-09 00:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:08 . 2009-12-24 06:42 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:08 . 2008-04-14 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:30 . 2011-02-18 12:31 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:26 . 2011-03-03 13:27 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2012-03-03 19:50 237072 ------w- c:\windows\system32\MpSigStub.exe
2010-07-08 08:37 . 2010-07-08 08:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-04-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-04-18_21.17.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-19 22:19 . 2012-04-19 22:19 16384 c:\windows\Temp\Perflib_Perfdata_cb8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2006-03-21 296056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"LinkInstaller"="c:\program files\Common Files\LinkInstaller.exe" [2010-07-08 101544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [10/01/2006 15:19 2253120]
RUnknown SASKUTIL;SASKUTIL; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - APPMGMT
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - Bdvedisk
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-884357618-1606980848-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-08 10:05]
.
2012-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-884357618-1606980848-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-08 10:05]
.
2012-04-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-507921405-884357618-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 15:45]
.
2012-04-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-507921405-884357618-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 15:45]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.co.uk/
mStart Page = about:blank
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-20 01:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\SetId\Internal]
@Denied: (A 2) (LocalSystem)
"DATA2"="<settings accountStatus=\"3\" oldDevice=\"\" timeDiff=\"19\" expireTime=\"1327315426\" productStatus=\"3\" obSize=\"2\" InstallTS=\"1289332796\" isSubsc=\"0\" authStat_ts=\"0\" version=\"14.1\" keyType=\"195\" prodId=\"1\" moduleId1=\"7\" moduleId2=\"10\" relType=\"0\" />\0a"
.
[HKEY_USERS\S-1-5-21-507921405-884357618-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,30,d9,0c,af,78,aa,46,8d,23,9f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c1,bb,35,ac,1f,a5,ce,45,a9,18,67,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,30,d9,0c,af,78,aa,46,8d,23,9f,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4151075a-d735-4f04-abf4-b36a2c42e914}]
@Denied: (Full) (Everyone)
"Model"=dword:00000058
"Therad"=dword:00000001
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ae,64,ee,2d,84,75,7d,59,85,5c,47,dd,c5,b3,9a,93,97,40,9b,cb,f8,
3e,59,92,f8,33,a1,5d,1a,10,4f,3a,43,d7,6a,a1,26,22,e3,15,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1056)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-04-20 01:29:56
ComboFix-quarantined-files.txt 2012-04-19 22:29
ComboFix2.txt 2012-04-18 21:19
.
Pre-Run: 289,119,424,512 bytes free
Post-Run: 289,113,894,912 bytes free

.
- - End Of File - - 1848413C7C20CC06B97226311BE13AE1
MALWAREBYTES LOG:


Malwarebytes Anti-Malware 1.61.0.1400
Malwarebytes : Free anti-malware, anti-virus and spyware removal download


Database version: v2012.04.19.04


Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: USER-65C4C10B5A [administrator]


20/04/2012 01:35:56
mbam-log-2012-04-20 (01-35-56).txt


Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195375
Time elapsed: 3 minute(s), 32 second(s)


Memory Processes Detected: 0
(No malicious items detected)


Memory Modules Detected: 0
(No malicious items detected)


Registry Keys Detected: 0
(No malicious items detected)


Registry Values Detected: 0
(No malicious items detected)


Registry Data Items Detected: 0
(No malicious items detected)


Folders Detected: 0
(No malicious items detected)


Files Detected: 0
(No malicious items detected)


(end)


ESET LOG:


C:\Documents and Settings\Administrator\Desktop\cole2k.media.-.codec.pack.v7.9.8.-standard-.setup.exe probably a variant of Win32/Toolbar.Widgi application
-- peter.ward
Old 04-20-2012, 12:17 AM   #15
Security Team, Moderator, Analyst, Rangemaster, TSF Academy
Hi again,

The ESET detection is a codec/toolbar installer on the desktop. It's likely that Optimizer Pro came along with it. You can simply right-click and delete it.

C:\Documents and Settings\Administrator\Desktop\cole2k.media.-.codec.pack.v7.9.8.-standard-.setup.exe

Quote:
I have done everything you suggested except Remove the u-torrent toolbar, as this was not listed in the Add/Remove programs of the Control Panel. Anywhere else I can find it?
It was listed in your Attach.txt and also showing in DDS.txt.

=================

Quote:
I bought this machine from someone on eBay
Did you buy it recently? It's possible that it was infected when you bought it. Some of the files ComboFix removed belong to the family of password/info stealers. If you did any banking or other financial transactions on this PC, it would be prudent to get to a known clean computer and change all passwords where applicable, and contact those same financial institutions to be alert.

Quote:
no installation disks I am afraid.
"wscntfy.exe" is responsible for the Windows Security Center Notifications. It displays a tray icon indicating the status of Windows updates, virus protection, and firewall. I'm surprised that there isn't a replacement copy on board, although the system appears to be updated to SP3. You'll need to have an XP Pro SP2 or SP3 installation disk to copy it from.

=================

Quote:
1. A warning box when I started IE, saying I was “about to leave a secure internet connection....” and confirming I wanted to continue.
Does it come up as soon as you open Internet Explorer, or when you open another page in IE? It's normal if you're going from an SSL-encrypted login page (you can tell when the page you're on is using SSL because the URL will begin with "https://"; notice the last letter, "s") to a non-encrypted page, i.e. "http". The message is simply telling you that you are leaving the extra secure page.

Quote:
2. A “New Hardware Wizard” – I've not added any hardware!
What's the hardware it's detecting?

=========================

Please run Combofix again.
  • Open Notepad (Start > All Programs > Accessories > Notepad). It must be Notepad, not WordPad, or it won't work.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here

Code:
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"LinkInstaller"=-

Driver::
sptd
PCToolsSSDMonitorSvc
SASKUTIL
Save this as CFScript.txt on your Desktop.



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



===================

It's likely to come up clean, but I'd like to have this file scanned at VirusTotal as it's failing the signature verification.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    c:\windows\system32\drivers\tcpip.sys
  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If the file has been analysed before, click the Reanalyse file now button.
  • Wait until the file is analyzed.
  • Once scanned, copy and paste the link to the results page in your next reply.

=========================

Quote:
In terms of ongoing protection, what do you recommend I install/reinstall?
If your subscription to BitDefender has not expired or is not about to expire soon, you can re-install that. Malwarebytes' Anti-Malware is an excellent application to keep, but it's not an antivirus. You'd still need an antivirus. Microsoft Security Essentials, Avira's AntiVir Free and Avast are all excellent antivirus applications which are free. If you want to go for a paid one, ESET's NOD32 is an excellent one.
For more info: PC Safety and Security – What Do I Need?

Just make sure that you install only ONE antivirus.
-- amateur
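The Sigcheck lines the reply above refers to, a [-] entry for the live tcpip.sys beside three [7] cached copies, can be triaged mechanically. As an added example that is not ComboFix's code and not part of the original thread, the block below parses that section of the log, compares the failed file with the verified copies by hash and by file version, and produces a verdict. The reading of the bracketed status codes ('-' failed, anything else verified), the verdict labels and the function names are this example's assumptions; the input lines are copied from the log posted earlier in the thread.

```python
"""Triage the 'Sigcheck' section of a ComboFix log: find the live system
file that failed the signature check and compare it with the verified
cached copies by hash and by file version.

Added example, not ComboFix's code. SIGCHECK_LOG is the four Sigcheck
lines from the log posted in this thread. Assumption: a status of '-' in
the leading brackets means the check failed and any other code (here '7')
means the copy verified; the verdict labels are this example's own.
"""
import re
from collections import defaultdict

SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

SIGCHECK_LOG = r"""
[-] 2011-04-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
"""


def parse_sigcheck(text):
    """One dict per Sigcheck line; lines that do not fit the format are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["md5"] = e["md5"].upper()
            e["size"] = int(e["size"])
            entries.append(e)
    return entries


def version_tuple(v):
    return tuple(int(part) for part in v.split("."))


def triage(entries):
    """Per failed file: is its hash among the verified copies, is it a newer
    build than all of them, and which cached copies could replace it."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    report = {}
    for group in by_name.values():
        verified = [e for e in group if e["status"] != "-"]
        good_hashes = {e["md5"] for e in verified}
        for live in (e for e in group if e["status"] == "-"):
            newer = bool(verified) and all(
                version_tuple(live["version"]) > version_tuple(v["version"])
                for v in verified)
            if live["md5"] in good_hashes:
                # identical bytes to a copy that verified
                verdict = "matches-verified-copy"
            elif newer:
                # newer build than any cached copy: what a hotfix looks like,
                # but only a hash lookup (VirusTotal / vendor) settles it
                verdict = "lookup-hash"
            else:
                # same or older version with a hash no verified copy has
                verdict = "replace-from-cache"
            report[live["path"]] = {
                "md5": live["md5"],
                "version": live["version"],
                "hash_in_cached_copies": live["md5"] in good_hashes,
                "newer_than_cached": newer,
                "cached_versions": sorted({v["version"] for v in verified}),
                "replacement_candidates": [v["path"] for v in verified],
                "verdict": verdict,
            }
    return report


if __name__ == "__main__":
    for path, info in triage(parse_sigcheck(SIGCHECK_LOG)).items():
        print(path, info["verdict"], info["md5"], info["cached_versions"])
```

A practical point the example makes explicit: the MD5 that ComboFix already printed can be pasted into VirusTotal's search box directly, so the file itself does not have to be uploaded to learn whether the hash is known. A live copy that is a newer build than every cached copy is consistent with a Windows Update hotfix, but only the hash lookup (or a vendor catalogue check) turns "failed signature verification" into a clean or dirty answer.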
Old 04-20-2012, 02:43 AM   #16
Registered Member
Hi again, I really do appreciate all the effort you're putting in here!


ComboFix told me it was out of date and asked me to run at “Reduced Functionality”. I hope my response was correct – I said no, deleted ComboFix, re-downloaded it and started again. It seemed to run fine.


Re VirusTotal – problem here I'm afraid. There isn't a “Browse” button as such but a “Choose File” button and a box saying “No File Selected” which has the appearance of a text box, but you can't write or paste into it, even though there's a flashing cursor there when you click in it. Perhaps you could advise? I tried the Choose File button but as you say it acts like a Browse button and just prompts me to download a file. I tried to attach a screen shot in case I'm seeing something I shouldn't but I couldn't get it below the max 3MB!


Have deleted the cole2k.media codec as suggested.


As for the u-torrent bar, I'm not sure what to do – it is definitely not in the control panel-Add or Remove Programs list and I tried searching for it using Start-Search but it found nothing. I can see it was listed but have no idea where to find it to delete it.


The machine was bought on eBay about 9 months ago but I only started using it for various reasons about three months ago. It's worrying that such serious malware was present and would love to know if it was pre-infected or whether it got on despite the spyware/malware products I had on! After years of avoiding it because I was worried about security, I started internet banking for the first time just two weeks ago – wish I hadn't bothered! Will this machine qualify as a “known clean computer” when we've finished our flight? It's the only one I have so will have to close the internet account if not.


If "wscntfy.exe" just notifies about updates rather than being responsible for installing them, is it urgent for me to try to secure this file? Will do my best if you think it's urgent, but just wondered if it was necessary.


As for the warning box, I think you've hit the nail on the head – when I left my home page (Google – HTTPS) it came up but not when I'm within my destination site. Good!


Re the hardware, I don't know, I just deleted the notification, but when ComboFix rebooted my machine just now I didn't see it again, so hopefully it was just a blip.


OK, the latest log:


ComboFix 12-04-20.02 - Administrator 20/04/2012 12:08:55.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1553 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SASKUTIL
-------\Legacy_SPTD
-------\Service_SASKUTIL
-------\Service_sptd
.
.
((((((((((((((((((((((((( Files Created from 2012-03-20 to 2012-04-20 )))))))))))))))))))))))))))))))
.
.
2012-04-19 23:18 . 2012-04-19 23:18 -------- d-----w- c:\windows\system32\xircom
2012-04-19 23:18 . 2012-04-19 23:18 -------- d-----w- c:\windows\system32\wbem\snmp
2012-04-19 23:18 . 2012-04-19 23:18 -------- d-----w- c:\windows\srchasst
2012-04-19 23:18 . 2012-04-19 23:18 -------- d-----w- c:\program files\microsoft frontpage
2012-04-19 22:43 . 2012-04-19 22:43 -------- d-----w- c:\program files\ESET
2012-04-19 22:35 . 2012-04-19 22:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-19 22:35 . 2012-04-04 12:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-15 16:25 . 2011-03-03 06:53 149504 ------w- c:\windows\system32\dllcache\dnsapi.dll
2012-04-15 16:25 . 2009-04-20 17:06 45568 ------w- c:\windows\system32\dllcache\dnsrslvr.dll
2012-04-15 16:25 . 2008-06-20 17:43 245248 ------w- c:\windows\system32\dllcache\mswsock.dll
2012-04-15 16:25 . 2008-06-20 11:59 361600 ------w- c:\windows\system32\dllcache\tcpip.sys
2012-04-15 16:25 . 2008-06-20 11:16 225856 ------w- c:\windows\system32\dllcache\tcpip6.sys
2012-04-10 18:31 . 2012-02-29 14:08 178176 ------w- c:\windows\system32\dllcache\wintrust.dll
2012-04-10 18:31 . 2012-02-29 14:08 148480 ------w- c:\windows\system32\dllcache\imagehlp.dll
2012-04-10 18:16 . 2012-04-10 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Premium
2012-04-10 18:15 . 2012-04-10 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-04-05 12:12 . 2012-04-05 12:12 -------- d-----w- c:\program files\Common Files\Java
2012-04-02 01:27 . 2012-04-03 19:58 -------- d-----w- c:\windows\system32\C2MP
2012-04-02 01:17 . 2012-04-02 01:21 -------- d-----w- C:\DECCHECK
2012-04-01 17:55 . 2012-04-01 17:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2012-03-31 12:11 . 2008-04-13 21:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-03-31 12:09 . 2003-06-14 09:12 286720 ----a-w- c:\windows\system32\lxbrf2k.dll
2012-03-31 12:09 . 2003-03-26 07:11 155648 ----a-w- c:\windows\system32\flashshl.dll
2012-03-31 12:09 . 2012-03-31 12:13 -------- d-----w- c:\program files\Lexmark 3100 Series
2012-03-31 12:09 . 2003-06-14 08:20 208896 ----a-w- c:\windows\system32\smshell.dll
2012-03-31 12:09 . 2002-10-30 12:20 21504 ----a-w- c:\windows\LXBRSET.EXE
2012-03-31 12:09 . 2001-03-15 05:06 4608 ----a-w- c:\windows\DelShell.exe
2012-03-31 12:09 . 1998-10-29 13:45 306688 ----a-w- c:\windows\IsUninst.exe
2012-03-31 12:06 . 1997-04-08 17:08 299520 ----a-w- c:\windows\uninst.exe
2012-03-31 12:06 . 2012-03-31 12:09 -------- d-----w- C:\Lxk3100Series
2012-03-28 16:22 . 2012-03-28 16:22 -------- d-----w- c:\program files\IrfanView
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-18 21:09 . 2006-01-10 13:12 451595 ----a-w- c:\documents and settings\All Users\Application Data\bdinstall.bin
2012-04-05 12:11 . 2006-01-09 00:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-05 12:11 . 2006-01-09 00:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-08 12:21 . 2012-03-08 12:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 10:58 . 2011-02-22 23:27 919552 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 10:58 . 2011-02-22 23:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 10:58 . 2006-01-09 00:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:08 . 2009-12-24 06:42 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:08 . 2008-04-14 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:30 . 2011-02-18 12:31 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:26 . 2011-03-03 13:27 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2012-03-03 19:50 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-04-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-04-18_21.17.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-20 09:14 . 2012-04-20 09:14 40960 c:\windows\temp\rtdrvmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2006-03-21 296056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [10/01/2006 15:19 2253120]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-884357618-1606980848-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-08 10:05]
.
2012-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-884357618-1606980848-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-08 10:05]
.
2012-04-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-507921405-884357618-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 15:45]
.
2012-04-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-507921405-884357618-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 15:45]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.co.uk/
mStart Page = about:blank
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-20 12:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\SetId\Internal]
@Denied: (A 2) (LocalSystem)
"DATA2"="<settings accountStatus=\"3\" oldDevice=\"\" timeDiff=\"19\" expireTime=\"1327315426\" productStatus=\"3\" obSize=\"2\" InstallTS=\"1289332796\" isSubsc=\"0\" authStat_ts=\"0\" version=\"14.1\" keyType=\"195\" prodId=\"1\" moduleId1=\"7\" moduleId2=\"10\" relType=\"0\" />\0a"
.
[HKEY_USERS\S-1-5-21-507921405-884357618-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,30,d9,0c,af,78,aa,46,8d,23,9f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c1,bb,35,ac,1f,a5,ce,45,a9,18,67,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,30,d9,0c,af,78,aa,46,8d,23,9f,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4151075a-d735-4f04-abf4-b36a2c42e914}]
@Denied: (Full) (Everyone)
"Model"=dword:00000058
"Therad"=dword:00000001
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ae,64,ee,2d,84,75,7d,59,85,5c,47,dd,c5,b3,9a,93,97,40,9b,cb,f8,
3e,59,92,f8,33,a1,5d,1a,10,4f,3a,43,d7,6a,a1,26,22,e3,15,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\RunDLL32.exe
c:\windows\stsystra.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2012-04-20 12:16:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-20 09:16
ComboFix2.txt 2012-04-19 22:29
ComboFix3.txt 2012-04-18 21:19
.
Pre-Run: 288,971,591,680 bytes free
Post-Run: 288,954,511,360 bytes free
.
- - End Of File - - A0D14404134ED54C63B26A97465C3715
peter.ward
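As an added example (not part of this thread, and not ComboFix's own code), here is a small Python parser for the Sigcheck section of the log above. It reads the four tcpip.sys lines and reports any unsigned copy whose MD5 matches none of the signed copies of the same file name, which is the comparison the analyst made by eye before asking for a VirusTotal scan. The sample text is copied from the log; the names parse_sigcheck and review are mine.

```python
import re
from collections import defaultdict

# Sigcheck lines in a ComboFix log have the shape
#   [flag] date . MD5 . size . . [file version] . . path
# where "[-]" marks a file whose signature did not verify and "[7]" a signed copy.
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Sigcheck lines copied from the ComboFix log posted above (the Note line is kept
# to show that non-matching lines are skipped).
SAMPLE = r"""
Note: Unsigned files aren't necessarily malware.
[-] 2011-04-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
"""

def parse_sigcheck(text):
    """Return one dict per Sigcheck line; headers, notes and '.' separators are skipped."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["signed"] = row["flag"] != "-"
            rows.append(row)
    return rows

def review(rows):
    """Group copies by file name; report each unsigned copy whose MD5 matches no signed copy."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["path"].rsplit("\\", 1)[-1].lower()].append(r)
    findings = []
    for name, copies in by_name.items():
        signed_md5 = {c["md5"].upper() for c in copies if c["signed"]}
        signed_versions = sorted({c["version"] for c in copies if c["signed"]})
        for c in copies:
            if not c["signed"] and c["md5"].upper() not in signed_md5:
                # For the sample this is the live tcpip.sys (5.1.2600.6009), newer than
                # the signed 5.1.2600.5625 copies, hence the VirusTotal second opinion.
                findings.append({"name": name, "path": c["path"], "md5": c["md5"],
                                 "version": c["version"], "signed_versions": signed_versions})
    return findings
```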
Old 04-20-2012, 04:10 AM   #17
amateur
Security Team, Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10

Hi,

Quote:
I said no, deleted ComboFix, re-downloaded it and started again.
You did fine.

Please use normal font going forward. Bolded text is a bit hard on the eyes. We only use it to emphasize a file or an important notice.

Quote:
Re VirusTotal – problem here I'm afraid. There isn't a “Browse” button as such but a “Choose File” button and a box saying “No File Selected” which has the appearance of a text box, but you can't write or paste into it, even though there's a flashing cursor there when you click in it. Perhaps you could advise? I tried the Choose File button but as you say it acts like a Browse button and just prompts me to download a file. I tried to attach a screen shot in case I'm seeing something I shouldn't but I couldn't get it below the max 3MB!
Click on "Choose File". It will bring up a "File Upload" window. Please browse to the file:
Click on My Computer>Local Disk(C)>Windows>System32>Drivers>tcpip.sys, then click on "open". You'll now see the file in the Choose File box. Next, click on "Scan it". Once the scan is completed (it may take a while) please post back the link to the results page.

Quote:
As for the u-torrent bar, I'm not sure what to do – it is definitely not in the control panel-Add or Remove Programs list and I tried searching for it using Start-Search but it found nothing. I can see it was listed but have no idea where to find it to delete it.
Don't worry about it. It's not really malware, but not a desirable program. We'll check it later.

Quote:
It's worrying that such serious malware was present and would love to know if it was pre-infected or whether it got on despite the spyware/malware products I had on!
Unfortunately, it's not possible to know when it got into the system. However, I can say that it's not one of the latest infections. I haven't seen this around for the last two-three years, which makes me suspect that it may have been infected when you bought it.

Quote:
Will this machine qualify as a “known clean computer” when we've finished our flight?
Because it's an old infection, it's quite likely that your information was not compromised, but I cannot say that with 100% certainty. In fact, I will never say any machine is completely clean - not even my own. We can only remove what we see after scanning with tools designed to scan the areas that malware invades, and what AVs may detect as malware. It doesn't mean that there can't still be something on a machine somewhere that scanners don't detect as malware yet. The logs appear to be clean now. However, if you're really concerned, you could perhaps look into restoring the computer to the factory settings. The machine appears to be a Dell. It may have a recovery partition, which is usually accessible from an F11 keystroke at startup, sometimes Ctrl + F11. That will invoke a recovery of the machine, and take it back to factory condition. All data will be lost, but you'll have a clean and functioning machine again. Some machines have a non-destructive recovery, in which all data is not lost. You'll need to do a lot of updating afterwards, as well as re-installing non-Microsoft programs, as the system seems to have been installed in 2006.

If you are getting the blue bar showing www.dell.com when you power on, you have the system restore partition installed. If not, then, it means that the original Dell MBR is overwritten, and you may no longer have the recovery partition. However, this would be out of the scope of this forum. If you choose to go that route, you can ask for help in the XP forum.

==========================

Quote:
If "wscntfy.exe" just notifies about updates rather than being responsible for installing them, is it urgent for me to try to secure this file? Will do my best if you think it's urgent, but just wondered if it was necessary.
Not urgent, but you will not be notified if Windows needs to update, or if virus protection or the firewall is turned off.

========================

Please run DDS again, and post the fresh DDS.txt.
amateur

Old 04-20-2012, 06:59 AM   #18
peter.ward
Registered Member
Join Date: Apr 2012
Location: Edinburgh, Scotland
Posts: 23
OS: XP

Thanks for that - reassuring. I'll leave the online banking for now then - I'd be more concerned if there was ever any money in it to steal ;-)

OK, still a problem with Virus Total. As you'll see from the screenshots attached (in case I'm looking in the wrong place!), there's no tcpip.sys within system32, either in the folders or the individual files?

Cheers, Peter
Attached images: virus2.bmp (692.4 KB), virus3.bmp (692.4 KB)
peter.ward

Old 04-20-2012, 08:21 AM   #19
amateur
Security Team, Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,777
OS: XP Win7 Ubuntu 10.10

Click on the Drivers folder in System32 folder. On the right hand panel, the files are listed alphabetically. You should be able to see tcpip.sys there.
amateur

Old 04-20-2012, 08:56 AM   #20
peter.ward
Registered Member
Join Date: Apr 2012
Location: Edinburgh, Scotland
Posts: 23
OS: XP

Hi, sorry, yes my fault - I missed the Drivers bit out of the Pathname!

Right, here's the log:

Antivirus              Result  Update
AhnLab-V3              -       20120418
AntiVir                -       20120419
Antiy-AVL              -       20120419
Avast                  -       20120420
AVG                    -       20120419
BitDefender            -       20120420
ByteHero               -       20120420
CAT-QuickHeal          -       20120419
ClamAV                 -       20120420
Commtouch              -       20120419
Comodo                 -       20120420
DrWeb                  -       20120420
Emsisoft               -       20120419
eSafe                  -       20120419
eTrust-Vet             -       20120419
F-Prot                 -       20120420
F-Secure               -       20120420
Fortinet               -       20120419
GData                  -       20120419
Ikarus                 -       20120419
Jiangmin               -       20120419
K7AntiVirus            -       20120418
Kaspersky              -       20120420
McAfee                 -       20120419
McAfee-GW-Edition      -       20120419
Microsoft              -       20120419
NOD32                  -       20120420
Norman                 -       20120420
nProtect               -       20120419
Panda                  -       20120419
PCTools                -       20120419
Rising                 -       20120419
Sophos                 -       20120420
SUPERAntiSpyware       -       20120402
Symantec               -       20120420
TheHacker              -       20120418
TrendMicro             -       20120419
TrendMicro-HouseCall   -       20120420
VBA32                  -       20120419
VIPRE                  -       20120420
ViRobot                -       20120420
VirusBuster            -       20120418

peter.ward
Copyright 2001 - 2014, Tech Support Forum
