Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Some Virus Makes My Mouse go backwards, also have fake virus detected message


  • Please log in to reply
3 replies to this topic

#1 cathleenkelly

cathleenkelly

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:54 AM

Posted 21 August 2009 - 02:37 PM

Hi. My mouse half the time is doing right click on left click (and I did ensure that it was set correctly). I use AVG and it indicates I have a virus but cannot remove it. Also, have a red X in the clock near the task bar that keeps telling me "windows has detected spyware"

I did down load the recommended files from bleeping computer, started to use the root repeal, but it disappearred and won't let me open it again - says i do not have permissions.

Running windows XP Please help me!

Also, a new file called "settings.dat" appeared after I tried the root repeal.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Tom Kelly at 15:18:04.59 on Fri 08/21/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1411 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTW07.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Documents and Settings\Tom Kelly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: cru629.dat

============= SERVICES / DRIVERS ===============

R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2007-3-26 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2007-3-26 52224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-2 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-2 108552]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-6-24 13696]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-2 297752]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-2 908056]

=============== Created Last 30 ================

2009-08-21 14:32 189,791 a------- c:\windows\system32\wisdstr.exe
2009-08-21 14:23 16,548 a------- c:\windows\system32\pepid.dl
2009-08-20 09:10 <DIR> --d----- c:\docume~1\tomkel~1\applic~1\AVG8
2009-08-20 08:10 17,145 a------- c:\windows\system32\umaro.dl
2009-08-20 08:10 16,161 a------- c:\windows\xabo.scr
2009-08-20 08:10 14,629 a------- c:\program files\common files\lopo.com
2009-08-20 08:10 11,595 a------- c:\windows\fumifip.ban
2009-08-20 08:10 18,576 a------- c:\windows\system32\dubomaso.reg
2009-08-20 08:10 13,370 a------- c:\docume~1\tomkel~1\applic~1\sanope.com
2009-08-20 08:10 13,072 a------- c:\windows\abuviwi._dl
2009-08-20 08:10 12,368 a------- c:\docume~1\alluse~1.win\applic~1\civuwyq.vbs
2009-08-20 08:10 11,896 a------- c:\docume~1\tomkel~1\applic~1\wijile.exe
2009-08-20 08:10 18,670 a------- c:\windows\gudodi.vbs
2009-08-20 08:10 13,468 a------- c:\program files\common files\zaji.vbs
2009-08-20 08:10 <DIR> --d----- c:\program files\PC_Antispyware2010
2009-08-19 22:28 19,875 a------- c:\windows\pufymyv.dat
2009-08-19 22:28 19,314 a------- c:\docume~1\alluse~1.win\applic~1\usygalysyq.com
2009-08-19 22:28 18,739 a------- c:\docume~1\alluse~1.win\applic~1\osawuluga.scr
2009-08-19 22:28 17,918 a------- c:\program files\common files\otojepy.bat
2009-08-19 22:28 17,339 a------- c:\docume~1\tomkel~1\applic~1\jyhuhuzy.exe
2009-08-19 22:28 16,990 a------- c:\windows\moxaveto.bin
2009-08-19 22:28 14,650 a------- c:\windows\rynusasezu.com
2009-08-19 22:28 14,351 a------- c:\program files\common files\vypixozu.dll
2009-08-19 22:28 13,549 a------- c:\program files\common files\yfojefiku.exe
2009-08-19 22:28 13,321 a------- c:\docume~1\tomkel~1\applic~1\afyzu.reg
2009-08-19 22:28 12,757 a------- c:\windows\rugat._sy
2009-08-19 22:28 12,088 a------- c:\windows\system32\zygixoneq.vbs
2009-08-19 22:28 10,807 a------- c:\windows\system32\odaco.bin
2009-08-19 22:28 10,474 a------- c:\windows\system32\yzacete.dat
2009-08-19 22:01 10,240 a------- c:\windows\braviax.exe
2009-08-19 22:01 6,144 a------- c:\windows\system32\cru629.dat
2009-08-19 22:01 6,144 a------- c:\windows\cru629.dat
2009-08-19 22:00 142 a------- c:\windows\system32\delself.bat
2009-08-19 22:00 10,240 a------- c:\windows\system32\braviax.exe
2009-08-19 21:39 140,288 a------- c:\windows\msa.exe
2009-08-14 00:44 <DIR> --d----- c:\docume~1\tomkel~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

==================== Find3M ====================

2009-08-20 09:16 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 09:16 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-20 09:15 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-20 08:10 13,210 a------- c:\program files\common files\cobajew.inf
2009-08-19 22:28 15,458 a------- c:\program files\common files\jyro._dl
2009-08-19 22:28 14,756 a------- c:\program files\common files\itoqehig._dl
2009-08-19 22:00 28,160 a------- c:\windows\system32\drivers\beep.sys

============= FINISH: 15:18:15.70 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:54 PM

Posted 23 August 2009 - 04:23 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 cathleenkelly

cathleenkelly
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:54 AM

Posted 23 August 2009 - 07:34 PM

hi downloaded that file but it will not let me run it, in safe or normal modes. i did post also about i downloaded the malbytes and when i click scan it gets to 1 second and closes. :thumbup2: i'm wondering if it's one of those rootkit things

oh and sam thank you!

Edited by cathleenkelly, 23 August 2009 - 07:34 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:54 PM

Posted 24 August 2009 - 11:03 AM

We're definitely dealing with a rootkit here.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users