
Infected System.Mouse moves on its own


  • This topic is locked
2 replies to this topic

#1 BashHackers

BashHackers

  • Members
  • 1 posts

Posted 01 June 2011 - 06:46 AM

Hey,

Recently, the mouse moved on its own and made a few rapid clicks on the screen, and my screen froze. At the end of it cmd/cpanel/admin settings etc. were all open, so I'm guessing the guy who hacked my system must have been up to no good.

I have not been able to remove the virus at all. Neither Avira Pro nor MBAM find anything, so please could someone have a look at my DDS log and let me know how I should be going about removing this malware.


.
DDS (Ver_11-05-19.01) - FAT32x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Welcome at 17:13:20 on 2011-06-01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.530 [GMT 5.5:30]
.
AV: AntiVir Desktop *Enabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: ZoneAlarm Pro Firewall *Disabled*
FW: AVG Firewall *Disabled*
FW: Avira FireWall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
SVCHOST.EXE
C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Welcome\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.ask.com/?o=102866&l=dis&gct=hp
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Prize Live Toolbar BHO: {a4d3eb65-a437-449e-b7ef-203afb312f46} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Prize Live Toolbar: {594d6baf-faa1-4ff1-beff-e4f1674c22c5} - mscoree.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\welcome\application data\mozilla\firefox\profiles\l9qtid8b.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2011-5-17 102856]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-29 11608]
R1 ggc;ggc;c:\windows\system32\drivers\ggc.sys [2011-2-22 46664]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-3-3 528128]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\avira\antivir desktop\avfwsvc.exe [2011-5-17 539304]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2011-5-17 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-29 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-29 269480]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2011-5-17 421032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-29 61960]
R2 catflt;catflt;c:\windows\system32\drivers\catflt.sys [2011-2-22 110024]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2011-5-17 79432]
S0 mscank;mscank;c:\windows\system32\drivers\mscank.sys --> c:\windows\system32\drivers\mscank.sys [?]
S2 EMLSS;EMLSS;c:\windows\system32\drivers\emltdi.sys --> c:\windows\system32\drivers\emltdi.sys [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 ugldqpog;ugldqpog;\??\c:\docume~1\welcome\locals~1\temp\ugldqpog.sys --> c:\docume~1\welcome\locals~1\temp\ugldqpog.sys [?]
S3 wsnf;Network Filter Service;c:\windows\system32\drivers\wsnf.sys --> c:\windows\system32\drivers\wsnf.sys [?]
S3 wsnfmp;Network Filter Miniport;c:\windows\system32\drivers\wsnf.sys --> c:\windows\system32\drivers\wsnf.sys [?]
.
=============== Created Last 30 ================
.
2011-06-01 11:13:55 388096 ----a-r- c:\documents and settings\welcome\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-01 11:13:52 -------- d-----w- c:\program files\Trend Micro
2011-06-01 10:20:54 -------- d-----w- c:\program files\ESET
2011-06-01 03:40:12 -------- d-sh--w- C:\FOUND.006
2011-05-30 14:14:12 -------- d-sh--w- C:\Recycled
2011-05-30 11:26:38 -------- d-----w- C:\ComboFix
2011-05-29 07:13:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 07:13:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-29 07:13:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-28 11:06:16 -------- d-----w- C:\FOUND.005
2011-05-27 13:12:50 -------- d-----w- c:\documents and settings\welcome\application data\SUPERAntiSpyware.com
2011-05-27 13:12:50 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-05-22 06:37:38 -------- d-----w- C:\FOUND.002
2011-05-17 10:29:28 -------- d-----w- C:\FOUND.001
2011-05-17 10:01:41 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
2011-05-17 10:01:41 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
2011-05-16 05:49:09 -------- d-----w- C:\Upload
2011-05-16 05:49:09 -------- d-----w- C:\Customize
2011-05-16 04:43:48 -------- d-----w- C:\FOUND.000
2011-05-16 04:34:14 -------- d-----w- c:\windows\pss
2011-05-15 11:08:48 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan
2011-05-15 04:31:06 -------- d-----w- C:\FOUND.004
2011-05-08 07:06:16 -------- d-----w- C:\FOUND.003
.
==================== Find3M ====================
.
2011-04-27 10:25:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-27 10:25:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-04 09:07:14 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
============= FINISH: 17:14:36.95 ===============



I have also attached the 'attach.txt' file if you need it


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 June 2011 - 05:37 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 June 2011 - 06:57 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE
