Author Topic: Nasty virus attack  (Read 13985 times)


Krazypal

  • Guest
Nasty virus attack
« on: February 24, 2007, 12:16:48 PM »
Left my computer alone for a few hours and when I got back, my firewall was down and I was infected by a mean virus.

The main problem is that my mouse doesn't work...

Avast cleaned up some 19000 files!!! Now it doesn't find any virus but my mouse still doesn't work... I suspect the virus is still there somewhere.

Does anyone know about this problem?

(HELP!!!)

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Nasty virus attack
« Reply #1 on: February 24, 2007, 12:38:05 PM »
Hi Krazypal,

Were these 19000 files many different viruses, Trojans, worms, spyware, adware etc. or many files containing the same malware? Was the computer clean before the attack?

What is your operating system and firewall?

Here are some free scanners you can try. Download, install and update, then go offline and run scans with all of them. When you have finished, please post a HijackThis! log for us to look at:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

AVG Anti-Spyware (Requires Win2k/XP):

http://www.ewido.net/en/

a-Squared Free:

http://www.emsisoft.com/en/software/free/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy:

http://www.safer-networking.org/en/download/index.html

If you find many instances of malware with each scanner, I would suggest backing up your files and reinstalling your OS/system recovery disc, especially if you're finding Trojan backdoors, worms etc.

Don't forget to update your system if you do reinstall.

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

mauserme

  • Guest
Re: Nasty virus attack
« Reply #2 on: February 24, 2007, 02:53:32 PM »
The main problem is that my mouse doesn't work...
What is it doing (or not doing)?

In addition to what FreewheelinFrank says do you have another mouse you can try?

Krazypal

  • Guest
Re: Nasty virus attack
« Reply #3 on: February 24, 2007, 03:42:37 PM »
Thanx for the ultra fast reply! Unfortunately, without a mouse I'm not that fast... and scanning 700 000 files a couple of times takes a while. It's all done now and I've posted the Hijackthis-log.

I'm running XP and use windows firewall and zonealarm.

I hope I don't have to reinstall... please...

Krazypal

  • Guest
Re: Nasty virus attack
« Reply #4 on: February 24, 2007, 03:57:44 PM »
Well... The virus runs a lot of svchost... I think - but I haven't figured out exactly what it does right now (before it replicated itself to 19000 files, mainly setup.exe in my upload-folder and system restore folder).

My mouse is dead and I don't know if the cleaning killed the mouse driver... or something...

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Nasty virus attack
« Reply #5 on: February 24, 2007, 05:24:46 PM »
I get the impression it's one piece of malware creating many files.

What was the name of the malware detected by avast!?

mauserme

  • Guest
Re: Nasty virus attack
« Reply #6 on: February 24, 2007, 05:39:48 PM »
My mouse is dead and I don't know if the cleaning killed the mouse driver... or something...
That's what I was guessing, so if you have another mouse from a different manufacturer maybe there would be a functioning driver for that one still on your computer.  It won't solve the underlying problem but might make the process easier.

Krazypal

  • Guest
Re: Nasty virus attack
« Reply #7 on: February 24, 2007, 06:33:34 PM »
Well... I downloaded and reinstalled the mouse drivers and it still doesn't work. Sometimes when I reboot, the mouse works for a few secs and then it freezes. That's why I suspect a virus process that's shutting it down... I'm looking for an old mouse now :) (Geez it's annoying to browse the web with the keyboard)

FreewheelinFrank - I could not see the full names or paths of the files because of the small window... but some names besides setup.exe were: wmidext.dll, def.dat and install.sss

When I run Avast now it detects 74 files with the comment "could not scan" hmmm... and I can't do anything with them.

(I'm going nuts here)

Thank u both for helping me out here!

Spiritsongs

  • Guest
Re: Nasty virus attack
« Reply #8 on: February 24, 2007, 07:44:36 PM »
:) Hi Krazy :

You should STOP thinking "virus"; you have something a lot worse than a "virus". Other than Avast and an unnamed firewall, what other security programs do you have on your computer?

And those 74 "could not scan" are most likely answered at
http://www.avast.com/eng/faq-other-questions.html

where it says: "Q: When the file scanning is finished, avast! comes up with a number of files listed as "unable to scan", even though I have used a thorough scan. Should I be concerned?

A: Some files are permanently locked by the system or they are in password-protected archives. These files cannot be scanned. It is normal and you don't have to be worried about that."

Krazypal

  • Guest
Re: Nasty virus attack
« Reply #9 on: February 24, 2007, 08:12:33 PM »
Hiya Spirit!

Well, I use zonealarm... and the windows firewall. Besides that... nothing? I use the adAware, Hijackthis and other small programs frequently. Before I changed my internet-provider I never had any probs...

*nervous* worse than virus???

Someone found a backdoor and uses my computer???

But the mouse prob is funny - it is working for a few secs, then the hourglass pops up next to the pointer and it freezes... driving me crazy.

HEEEEELP!!!

mauserme

  • Guest
Re: Nasty virus attack
« Reply #10 on: February 24, 2007, 08:36:24 PM »
Should STOP thinking "virus"; you have something a lot worse than a "virus".
Spiritsongs, if you have some insight please share it but let's not cause undue worry.

@ Krazypal - after running the scans mentioned by FreewheelinFrank please post the hjt log he suggested. Toss in an F-Secure Blacklight scan while you're at it:

http://www.f-secure.com/blacklight/

Krazypal

  • Guest
Re: Nasty virus attack
« Reply #11 on: February 25, 2007, 11:23:04 AM »
Thx Mauser

Did the Blacklight but it didn't find anything... I'll post my Hijackthis log here if it helps... There must be a process that's shutting my mouse down - because it works for those few secs after rebooting.

Logfile of HijackThis v1.99.1
Scan saved at 11:22:03, on 2007-02-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\D-Link\AirPlus G\AirGCFG.exe
C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Java\jre1.5.0_09\bin\jusched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Microsoft IntelliPoint\ipoint.exe
C:\Program\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\emaudsv.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
D:\Program 1\Internet\Maxthon\Maxthon.exe
C:\Documents and Settings\Ägaren\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program 1\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\Program\A4Tech\Mouse\Amoumain.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all links using BitComet - res://D:\Program 1\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://D:\Program 1\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Program 1\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA1D4E7-D30E-4856-ABB0-64943CD722B5}: NameServer = 84.246.88.10,84.246.88.20
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

My computer is "calm" now but there's something out there...
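A small triage helper, added here as an example and not something any of the posters used, that parses the O4, O17 and O23 lines of a HijackThis log like the one above into autostart entries, services whose binary is reported missing, and the configured DNS servers. The embedded sample is constructed in the same shape as a few lines of the log above; an analyst would feed in the whole log instead.

```python
import re

# Constructed sample: a handful of lines in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\Program\A4Tech\Mouse\Amoumain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA1D4E7-D30E-4856-ABB0-64943CD722B5}: NameServer = 84.246.88.10,84.246.88.20
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
DNS_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)$')
PATTERNS = [("run", RUN_RE), ("run", STARTUP_RE), ("service", SVC_RE), ("dns", DNS_RE)]

def parse_hjt(text):
    """Turn O4/O17/O23 lines into dicts; anything else is kept raw under kind 'other'."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                d = {"kind": kind, **m.groupdict()}
                d.setdefault("hive", "StartupFolder")   # Global Startup lines have no hive
                if kind == "service":
                    d["file_missing"] = "(file missing)" in d["path"]
                if kind == "dns":
                    d["servers"] = d["servers"].split(",")
                entries.append(d)
                break
        else:
            entries.append({"kind": "other", "raw": line})
    return entries

def triage(text):
    """What an analyst checks first: autostarts, services whose binary is gone, DNS servers to verify with the ISP."""
    entries = parse_hjt(text)
    return {
        "autostarts": [(e["name"], e["cmd"]) for e in entries if e["kind"] == "run"],
        "missing_services": [e["name"] for e in entries if e["kind"] == "service" and e["file_missing"]],
        "nameservers": [s for e in entries if e["kind"] == "dns" for s in e["servers"]],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```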

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Nasty virus attack
« Reply #12 on: February 25, 2007, 01:19:08 PM »
I can't see anything in the log, but wmidext.dll looks like it might be an adware infection, maybe NSIS. Have you run Ad-Aware and Spybot? I've seen Spybot clean up an NSIS infection recently, so that might be worth a try.

Have you seen any pop-up ads?

I'll post again later when I have time to do a bit more research.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Nasty virus attack
« Reply #13 on: February 25, 2007, 02:51:24 PM »
Silly question, but you do know you have TWO mouse drivers running:

C:\Program\Microsoft IntelliPoint\ipoint.exe
C:\Program\A4Tech\Mouse\Amoumain.exe

mauserme

  • Guest
Re: Nasty virus attack
« Reply #14 on: February 25, 2007, 02:58:00 PM »
There may be problems with ipoint.exe

If you disable it in your startups, does the problem go away?