Possibly backdoor win32 optix

Discussion in 'Malware Help (A Specialist Will Reply)' started by pumbaa333, Aug 12, 2006.

  1. pumbaa333

    pumbaa333 Private E-2

    Hi,
    I have a malware problem. It started about 3 weeks ago, when I started Adaware and a message popped up saying "System shutdown initiated by NT Authority. System must restart because DCOM server process launcher terminated unexpectedly." I tried to run it several times, with the same result. I ran Spybot Search & Destroy, and I got this message:

    This application has been changed since it was created.

    Since Spybot-S&D does not change itself, we recommend you check your system for malware and viruses instantly! I have reformatted my computer and reinstalled Windows 4 times, and have repaired it twice. During these fresh starts, I ran every online scan and free trial scan that I could find that was suggested on majorgeeks, geekstogo, bleeping computer, and castlecops. I posted on Geekstogo, and went through all the steps and was pronounced clean, but the problem kept regenerating and is very hard to find. After downloading Spybot during my many reformattings, I believe that in Spybot's "ignore products", the checkmarks were reversed, but they appear to be as they were supposed to be, and I also think that the TeaTimer setting is reversed also. In my posting on geekstogo, they kept telling me to turn off the TeaTimer, but I had already disabled it before I started posting. But it was still working. I downloaded Ad-Aware SE again and updated it. After a restart, I started it and it worked OK, but didn't find anything. Again, after another restart, all of the definition files had been removed. This little malware is messing with all of the virus checkers and firewalls.

    My last reformat was on August 8th. I downloaded and ran HijackThis, and got a log that indicates that my Avast Service file is missing. Now, when I do a search for HijackThis, it finds nothing, yet I still have the hijackthis.log. I redownloaded HijackThis and renamed it. I get the occasional popup/popunder (saw it on your "Microsoft Windows Defender" download page, advertising Earthlink.net/cybercheck; www.securetactics.com; and r.wipe.com). Before this problem, I used McAfee AV and Firewall, Spybot, and Ad-Aware. I always updated all programs, other than McAfee, which was set to update itself. When I tried to do the Panda online scan, I got the false positive from Avast, that my computer was downloading WIN32.CTX. I just closed the window and exited Avast, and finished the scan, but of course, it didn't find anything. I have had to reformat because this worm, or whatever it is, is infecting files, such as my keyboard software, nvidia evga, nwiz, etc. I started looking around in regedit. I found a Software Program that I don't recognize, and don't know where it came from: HKLM, Software, The Silicon Realms Toolworks, Armadillo. After the third format, I also found what appeared to be a server network set up in regedit. I suspect that my problem may be Backdoor Win32 Optix Pro 1 3. Before my Spybot was hijacked this last time, something kept trying to add a BHO EFA24E64-B078-11D0-89E4-00c04FC9E26I, which I denied and told Spybot to remember the setting. I also had several winlogon errors during setting up my computer this last time. During one of the errors (which I reported to Microsoft), a window popped up and said it may be a winlogon worm and I ran their fairly new "Live Security Center" scan. It said I had 2 viruses while it was checking, but when it finished, it said I had none. Others in their forum suggested it may be a system restore folder, or a cabinet folder. Since my computer was just starting out again, I didn't think it was in the restore folder. Then on the latest forum, it states that they are kind of false positives. That there are virus entries that appear to be leftover after a removal, but not the full-blown virus. I have followed your steps to do before posting a new log. Please tell me where to start. Thanks.
     
    Last edited by a moderator: Aug 12, 2006
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi, If you have followed the steps outlined below, then please post all the logs requested :)

    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis

    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. pumbaa333

    pumbaa333 Private E-2

    Hi,
    Here are the runkeys text and newfiles text. The first time I tried to run Panda, the page opened with errors, and would not start. I was finally able to get the online scan, but failed to copy the results. It did not find anything. I tried to run the scan again, and I got an error message saying that I was not allowing the application's ActiveX control to be downloaded. (By the way, I did download it and did run the online scan one time.) Also attached is the Bitdefender file. I had to change the ext to .txt from .html before it allowed me to attach it. I will attach the HijackThis log on the next post.
    Thanks
     

    Attached Files:

  4. pumbaa333

    pumbaa333 Private E-2

    Here is the hijackthis log.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are running Spybot's TeaTimer which the READ ME specifically asks you not to run.

    Now Disable Spybot's TeaTimer
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Also I see you are running McAfee Security Center and its firewall and maybe some other stuff from McAfee. This is a bad idea to mix and match and is a massive waste of resources. You have Avast as your antivirus. You would be much better off not having anything from McAfee running. We have a bunch of free firewalls you can use in this link:

    How to Protect yourself from malware!


    You also did not rename HijackThis.exe as we requested. You must do this and then attach a new HJT log; however, please note that you do not show any signs of any infections so I do not expect that your repost or HJT will show anything different. You simply do not have any infections. A possible conflict between having both McAfee and Avast (as mentioned above) could be causing you problems.
     
    Last edited: Aug 12, 2006
  6. pumbaa333

    pumbaa333 Private E-2

    Hi,
    Actually, I have teatimer turned off, but it is running as a result of the malware. I will turn it back on again, and that should actually turn it off.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have any malware.
     
  8. pumbaa333

    pumbaa333 Private E-2

    Does this mean you are not going to help me? I do have malware as stated in first posting. It cannot be found by the conventional means. Did you notice that the files are missing for my Avast? I did not remove it. I did not change Spybot. I did not disable my firewall. Yet they have all changed.
    Thank you.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It just means that you do not have malware. I doubt your files are even missing. HijackThis has several bugs and this is one of them. Check for yourself first and verify that the files are really missing. I expect that you will find the files are not missing. Look for these files:

    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

    Uninstall Spybot, reboot your PC (the reboot is important), then after reboot reinstall Spybot. It will now probably show up.

    Why do you say your firewall is disabled?
     
  10. pumbaa333

    pumbaa333 Private E-2

    Hi,
    I checked in Windows Explorer, and both of the Avast program files are there. I uninstalled Spybot from the Add/Remove programs, but had to physically remove the folder in Windows Explorer. I reinstalled it, and it appears to be working correctly right now. (After this last reformatting and repairing of my Windows OS, it took about 3 days for it to be changed and I get the message listed in my first post.) TeaTimer is disabled. About the firewall, when I went to do the Panda online scan, it said my firewall should alert me that it was trying to access my computer. I did not receive an alert. I have not received an alert and there have been no blocked inbound events since 8:56 on August 11th, which is about the time that my Spybot was changed. In the firewall settings itself, there is a checkmark in the box for "allow restricted users to change personal firewall settings". Since I am the only user, I unchecked the box. In "allowed internet settings", there is a program called "Generic Host Process for WIN32 Services = svchost.exe", which I have no idea what this is for. When I click on the "Test my Firewall", I receive this message:
    Unable to Probe
    The IP address requesting this page is different from the IP address of your computer. This indicates that your computer is behind a proxy or NAT. These devices allow you to access the Internet by relaying traffic, typically from multiple computers, through a single IP address.

    We are unable to directly probe your computer, you should take comfort from this. You have that much more protection between your computer and the Internet.

    I am not on a proxy server. It is just a desktop computer connected directly to dsl, and does not go through another computer. I have attached a new hijackthis log and a kaspersky log.
    Thank you.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your latest logs still say the same thing I have been telling you. You are clean.

    You will not receive any alert if you had already allowed Panda to scan your PC in the past.

    > there is a program called "Generic Host Process for WIN32 Services = svchost.exe". which I have no idea what this is for.

    It is a valid Windows system process and you will see several running. Look at your HJT log process list. Sometimes 6 to 8 of them could be running.

    Are you using a router or does your PC connect directly to the DSL modem? If there is no router, it could be due to the PPPoE connection your DSL provider is using. Or perhaps something you have set up with McAfee is using a proxy server.
     
  12. pumbaa333

    pumbaa333 Private E-2

    Hi,
    This was the first time I had run the Panda online scan since reformatting. My computer is connected to my DSL modem and connected directly into the telephone line. I don't use a router. The applications that are allowed full access are: Ad-Aware.exe, alg.exe, ashServ.exe, ashMaiSv.exe, ashWebSv.exe, svchost.exe, GoogleToolbarNotifier.exe, IEXPLORE.EXE, jucheck.exe, MpfConsole.exe, MpfService.exe, MpfTray.exe, mghtml.exe, mcupdate.exe, mcinfo.exe, mcupdmgr.exe, mvtx.exe, mcregwiz.exe, dwwin.exe, and services.exe (Services and Controller app). So far, everything has been quiet here (Spybot hasn't been changed), other than not being able to test my firewall. I have left the TeaTimer off for now, because when something changes Spybot, it reverses the setting for TeaTimer, and then starts trying to change other settings. If it gets changed again, then I will start seeing the notices about the registry changes. I have not installed my printer or other hardware yet, nor installed any other programs I use, because of the problem with Spybot. I am sure that other people out there have had this problem also, but I haven't been able to find a solution online. I have not been surfing the internet after this last format to try to cut down on the amount of adware and spyware that was being downloaded to my computer when Spybot had been changed. If you are satisfied that I don't have a problem, you can close this post, and I will wait to see if my problem recurs.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  14. pumbaa333

    pumbaa333 Private E-2

    Hi,
    Spybot was changed again. I tried to install my Logitech Keyboard software that allows you additional protection against keyloggers, and could not get the keyboard secure. I uninstalled and reinstalled several times without being able to set the security. I finally went to edit the registry and deleted a file in the HKCU\Software\Local AppWizard-Generated Applications\ called Logitech Secure Encription Wizard. I reinstalled the software and received an error that the KEM.EXE application had failed to start because "logscroll.dll" was not found. At this time, my "internet connections" box popped up and showed an internet connection that I have never seen before, and said it was disabled. It was an Internet Connection in Application Gateway Layer. I enabled it again. I got a notice that the system had changed and needed to reboot. At this time I checked Spybot and found it had changed. I rebooted and I uninstalled Spybot and reinstalled, and reinstalled my keyboard software. Now I have many duplicate files in my registry in HKCR, with the duplicate being named with a .1 after it. So far everything appears to be working, except (still) being unable to test the firewall. You guys have any info on the logscroll.dll? I looked on the internet but didn't find anything.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you say Spybot changed, exactly what do you mean?

    No I don't have any info on the logscroll.dll file but based on what you said it sounds like part of your Logitech software.

    Are you sure that what ever you are installing from Logitech is not causing problems?

    How are you trying to test your firewall?
     
  16. pumbaa333

    pumbaa333 Private E-2

    When I opened Spybot, I received the message: "This application has been changed since it was created. Since Spybot-S&D does not change itself, we recommend you check your system for malware and viruses instantly!"

    The Firewall test: I right click on the McAfee icon that is in my taskbar, and scroll to "Personal Firewall", and click on "Test Firewall".

    I have used the Logitech Software for about a year and a half, and have never had this trouble. I installed the Software from a CD that came with my Logitech Keyboard. The logscroll.dll is not part of my Logitech Software. When I search for it (from My Computer, Tools, Folder Options, View, with a check by "show hidden files and folders"; unchecked "Hide extensions for known file types"; and unchecked "Hide protected operating system files (Recommended)"), I do not find it.

    I was able to set my security settings without the logscroll.dll file. When it was there, I could not set the security settings. By the way, when I search for something, it defaults to "Start Menu" to search, and I have to change it to search from "C".

    Some of the duplicate files in HKCR are AcroPDF.PDF; Action Bvf.ActionBvr; ActiveScan; ActiveSkin4; Adbanner.adbanner; ADODB.Command; AutoDiscovery.EmailAssociation; AutoDiscovery.Mail; AutoplayHandler; AVGeneralNotification.AVGeneral Notification; BehaviorFactory.Microsoft.DXTFilter; bidispl.bidrequest; Browse.BrowseWM; CertificateAuthority.Config; CertificateAuthority.GetConfig; etc.

    I'm not sure what these files are, but I don't believe they would be associated with my Logitech Keyboard Software. An example of the duplicated entries:

    Folder: Behavior.Microsoft.DXTFilterBehavior
    Folder: CLSID (Name is (Default), REG_SZ, and data (numbers))
    Folder: CurVer (Name is (Default), REG_SZ, and data is: Behavior.Microsoft.DXTFilterBehavior.1)

    Folder: Behavior.Microsoft.DXTFilterBehavior.1
    Folder: CLSID (Name is (Default), REG_SZ, and data (numbers))

    All of the duplicated files, in the folder without the .1 after it, have the extra "CurVer" folder, and the indicator to refer to the folder with the .1 on it. The folders with the .1 only have the CLSID folder.
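The HKCR layout described in the post above (a ProgID key holding CLSID plus a CurVer subkey that points at a ".1" key holding the same CLSID) is the standard COM version-independent ProgID registration, not something a poster would need to remove by hand. The following PowerShell script is an added example, not code from the thread or from any of the tools discussed in it; the function name Get-ProgIdPairs is mine, and it assumes it may create an HKCR: drive if one is not already mapped. It lists each version-independent ProgID, the versioned ProgID its CurVer names, and flags only the cases a defender would actually want to look at: a CurVer target that does not exist, or a CLSID that differs between the two keys.

```powershell
# Added example (not from the thread). Pairs version-independent ProgIDs in HKCR
# with the versioned ProgID their CurVer subkey names and compares the CLSIDs.
# Matching CLSIDs on both keys is the normal COM registration layout.

if (-not (Test-Path 'HKCR:\')) {
    # PowerShell does not map HKEY_CLASSES_ROOT by default; map it for this session.
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-ProgIdPairs {
    param(
        # Optional: restrict the check to named ProgIDs; otherwise walk all of HKCR.
        [string[]]$Name
    )

    $keys = if ($Name) {
        $Name | ForEach-Object { Get-Item -Path "HKCR:\$_" -ErrorAction SilentlyContinue }
    } else {
        Get-ChildItem -Path 'HKCR:\' -ErrorAction SilentlyContinue
    }

    foreach ($key in $keys) {
        if (-not $key) { continue }
        $curVerKey = Join-Path $key.PSPath 'CurVer'
        # Only keys with a CurVer subkey are version-independent ProgIDs.
        if (-not (Test-Path $curVerKey)) { continue }

        # The (default) value of CurVer names the versioned ProgID, e.g. Foo.Bar.1
        $target = (Get-ItemProperty -Path $curVerKey -ErrorAction SilentlyContinue).'(default)'
        $independentClsid = (Get-ItemProperty -Path (Join-Path $key.PSPath 'CLSID') `
                                -ErrorAction SilentlyContinue).'(default)'

        $targetPath = "HKCR:\$target"
        $versionedClsid = $null
        if ($target -and (Test-Path "$targetPath\CLSID")) {
            $versionedClsid = (Get-ItemProperty -Path "$targetPath\CLSID").'(default)'
        }

        [pscustomobject]@{
            ProgId       = $key.PSChildName
            CurVer       = $target
            TargetExists = [bool]($target -and (Test-Path $targetPath))
            ClsidMatches = [bool]($independentClsid -and $versionedClsid -and
                                  ($independentClsid -eq $versionedClsid))
            Clsid        = $independentClsid
        }
    }
}

# Look at the entries the post names, then list anything in HKCR that looks off.
Get-ProgIdPairs -Name 'Behavior.Microsoft.DXTFilterBehavior', 'AcroPDF.PDF', 'ADODB.Command' |
    Format-Table -AutoSize
Get-ProgIdPairs | Where-Object { -not $_.TargetExists -or -not $_.ClsidMatches } |
    Format-Table -AutoSize
```

The full walk of HKCR takes a while on a machine with many registered classes; a run that prints nothing from the second command means every CurVer resolves to an existing key with the same CLSID.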
     
  17. pumbaa333

    pumbaa333 Private E-2

    Hi,
    I ran the Avast VirusScan now, after the system changes, and it said I had the Win32.CTX virus, and it says it successfully deleted it.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is more than likely not malware. It could just be that some setting you are controlling with Spybot is also being controlled by something else (like McAfee for example) or by things that you are doing when you are editing in the registry or by using the stuff from Logitech.

    Not a malware problem! Talk to McAfee or try uninstalling McAfee and reinstalling.

    Those are Windows Explorer settings only. They do not have any effect on allowing Windows Search to look for hidden files or in system folders. If you use Search, you need to follow the procedure in this link: Searching for Hidden Files on WinXP

    However if the process named KEM.EXE (which is from Logitech) cannot find the logscroll.dll file then it is probably truly missing anyway. But it probably is part of Logitech's installation because it is not a standard file that is known.

    At any rate, none of this Logitech stuff has anything to do with malware.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where was it located and what was the file name? It often has false alarms of this virus as stated in the READ ME.
     
  20. pumbaa333

    pumbaa333 Private E-2

    Yes, it was a false positive. I uninstalled Avast and reinstalled it, and it finally completed the boot scan successfully without the BSOD. Anyway, I think you are misunderstanding about the logscroll.dll, or maybe I'm not making it clear. The logscroll.dll is not part of my Logitech Software. When it was there, I could not "Secure my Keyboard". After it was deleted, I was able to secure it. It also was associated with numerous other files evidently, because the files I listed showed up as duplicated files in the registry. The computer advised me that system changes had been made. It disconnected an internet connection in Application Layer Gateway. I only deleted entries that were labeled logitech, which is my keyboard software (2 entries, one being the one I previously told you about, and the other in Software). I have no other software made by logitech on my computer at this time. Once I set the settings in Spybot, at the time I install it, I do not change the settings again. My McAfee Firewall would not have anything to do with Spybot's settings. And, hey guys, I'm really not stupid. So far, everything appears to be working OK, so you can close the post. But just a "heads up", this problem is happening to other computer users and they may be asking you the same questions.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you did say that KEM.EXE complained about the DLL file being missing. KEM.EXE is from Logitech and if they are looking for the file then they probably installed it and need it for something.

    Not true! And you are not just running the firewall. You have multiple services from McAfee Internet Security running.

    Yes I know and none of those users' problems with Spybot are related to malware. They are all possibly due to the same thing I'm telling you. Something else you are doing or using is making changes to areas that Spybot is locking. This does not mean you are changing Spybot. It means you are changing things like (just examples) the hosts file, various registry settings like BHO or even a home page and so on. Uninstall McAfee and this Logitech stuff (and anything else that could be causing configuration changes or protection) and don't use them at all for a day or two (whatever time is long enough to test this) and then see if Spybot still gives you that warning.
     