Nasty virus attack

Left my computer alone for a few hours and when I got back, my firewall was down and I was infected by a mean virus.

The main problem is that my mouse doesn’t work…

Avast cleaned up some 19000 files!!! Now it doesn’t find any virus but my mouse still doesn’t work… I suspect the virus is still there somewhere.

Does anyone know about this problem?

(HELP!!!)

Hi Krazypal,

Were these 19000 files many different viruses, Trojans, worms, spyware, adware etc. or many files containing the same malware? Was the computer clean before the attack?

What is your operating system and firewall?

Here are some free scanners you can try. Download, install and update, then go offline and run scans with all of them. When you have finished, please post a HijackThis! log for us to look at:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

AVG Anti-Spyware (Requires Win2k/XP):

http://www.ewido.net/en/

a-Squared Free:

http://www.emsisoft.com/en/software/free/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy:

http://www.safer-networking.org/en/download/index.html

If you find many instances of malware with each scanner, I would suggest backing up your files and reinstalling your OS/system recovery disc, especially if you’re finding Trojan backdoors, worms etc.

Don’t forget to update your system if you do reinstall.

What is it doing (or not doing)?

In addition to what FreewheelinFrank says do you have another mouse you can try?

Thanx for the ultra fast reply! Unfortunately, without a mouse I’m not that fast… and scanning 700 000 files a couple of times takes a while. It’s all done now and I’ve posted the HijackThis log.

I’m running XP and use Windows Firewall and ZoneAlarm.

I hope I don’t have to reinstall… please…

Well… The virus runs a lot of svchost… I think - but I haven’t figured out exactly what it does right now (before it replicated itself to 19000 files, mainly setup.exe in my upload-folder and system restore folder).

My mouse is dead and I don’t know if the cleaning killed the mouse driver… or something…

I get the impression it’s one piece of malware creating many files.

What was the name of the malware detected by avast!?

That’s what I was guessing, so if you have another mouse from a different manufacturer maybe there would be a functioning driver for that one still on your computer. It won’t solve the underlying problem but might make the process easier.

Well… I downloaded and reinstalled the mouse drivers and it still doesn’t work. Sometimes when I reboot, the mouse works for a few secs and then it freezes. That’s why I suspect a virus process that’s shutting it down… I’m looking for an old mouse now :slight_smile: (Geez it’s annoying to browse the web with the keyboard)

FreewheelinFrank - I could not see the full names or paths of the files because of the small window… but some names besides setup.exe were: wmidext.dll, def.dat and install.sss

When I run Avast now it detects 74 files and the comment “could not scan” hmmm… and I can’t do anything with them.

(I’m going nuts here)

Thank u both for helping me out here!

:slight_smile: Hi Krazy :

You should STOP thinking "virus"; you have something a lot worse than a "virus". Other than Avast and an unnamed firewall, what other security programs do you have on your computer?

And those 74 "could not scan" are most likely answered at
http://www.avast.com/eng/faq-other-questions.html

where it says: "Q: When the file scanning is finished, avast! comes up with a number of files listed as "unable to scan", even though I have used a thorough scan. Should I be concerned?

A: Some files are permanently locked by the system or they are in password-protected archives. These files cannot be scanned. It is normal and you don't have to be worried about that."

Hiya Spirit!

Well, I use ZoneAlarm… and the Windows firewall. Besides that… nothing? I use Ad-Aware, HijackThis and other small programs frequently. Before I changed my internet provider I never had any probs…

Nervous… worse than a virus???

Someone found a backdoor and uses my computer???

But the mouse prob is funny - it is working for a few secs, then the hourglass pops up next to the pointer and it freezes… driving me crazy.

HEEEEELP!!!

Spiritsongs, if you have some insight please share it but let’s not cause undue worry.

@ Krazypal - after running the scans mentioned by FreewheelinFrank please post the HJT log he suggested. Toss in an F-Secure BlackLight scan while you’re at it:

http://www.f-secure.com/blacklight/

Thx Mauser

Did the BlackLight scan but it didn’t find anything… I’ll post my HijackThis log here if it helps… There must be a process that’s shutting my mouse down - because it works for those few secs after rebooting.

Logfile of HijackThis v1.99.1
Scan saved at 11:22:03, on 2007-02-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\D-Link\AirPlus G\AirGCFG.exe
C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Java\jre1.5.0_09\bin\jusched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Microsoft IntelliPoint\ipoint.exe
C:\Program\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\emaudsv.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
D:\Program 1\Internet\Maxthon\Maxthon.exe
C:\Documents and Settings\Ägaren\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program 1\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [D-Link AirPlus G] C:\Program\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM..\Run: [WheelMouse] C:\Program\A4Tech\Mouse\Amoumain.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [E-MU USB Audio Control Panel] "C:\Program\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all links using BitComet - res://D:\Program 1\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://D:\Program 1\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Program 1\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip..{EFA1D4E7-D30E-4856-ABB0-64943CD722B5}: NameServer = 84.246.88.10,84.246.88.20
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

My computer is “calm” now but there’s something out there…
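A small parser for the kind of HijackThis log posted above, written here as an added example (it is not part of this thread and not a feature of HijackThis itself). It reads the O4 autostart, O17 name-server and O23 service lines, then reports the things a helper looks at first: services whose binary is logged as "(file missing)", more than one mouse utility starting at boot, and the DNS servers to confirm against the ISP's. The sample log is constructed from lines of the posted log with plain quotes restored; the helper names are this example's own.

```python
"""Parse HijackThis-style log lines and pull out the items a helper checks first.
Added example for this thread; only the O4, O17 and O23 line formats are handled."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of lines copied from the log posted in this thread,
# with the forum's curly quotes turned back into plain quotes.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\Program\A4Tech\Mouse\Amoumain.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA1D4E7-D30E-4856-ABB0-64943CD722B5}: NameServer = 84.246.88.10,84.246.88.20
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<source>.+?): \[(?P<name>[^\]]+)\] (?P<command>.+)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<command>.+)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
DNS_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[0-9.,]+)$')
# First token ending in .exe, with optional surrounding quotes, so paths with spaces survive.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)


@dataclass
class AutoStart:
    name: str     # label in the Run key, or the .lnk name for Global Startup
    command: str  # full command line as logged
    source: str   # HKLM\..\Run, HKCU\..\Run or Global Startup

    @property
    def exe(self) -> str:
        m = EXE_RE.match(self.command)
        return m.group("exe") if m else self.command


@dataclass
class Service:
    name: str
    owner: str
    path: str

    @property
    def file_missing(self) -> bool:
        return self.path.endswith("(file missing)")


@dataclass
class HjtReport:
    autostarts: list = field(default_factory=list)
    services: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)


def parse_hjt(text: str) -> HjtReport:
    """Classify each log line; lines that match no known format are ignored."""
    report = HjtReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            report.autostarts.append(AutoStart(m["name"], m["command"], m["source"]))
        elif m := STARTUP_RE.match(line):
            report.autostarts.append(AutoStart(m["name"], m["command"], "Global Startup"))
        elif m := SERVICE_RE.match(line):
            report.services.append(Service(m["name"], m["owner"], m["path"]))
        elif m := DNS_RE.match(line):
            report.nameservers.extend(s for s in m["servers"].split(",") if s)
    return report


def services_with_missing_binary(report: HjtReport) -> list:
    return [s.name for s in report.services if s.file_missing]


def autostarts_matching(report: HjtReport, *keywords: str) -> list:
    """Autostarts whose label or executable contains any keyword (case-insensitive)."""
    keys = [k.lower() for k in keywords]
    return [a for a in report.autostarts
            if any(k in a.name.lower() or k in a.exe.lower() for k in keys)]


def summarize(report: HjtReport) -> list:
    lines = [f"{len(report.autostarts)} autostart entries, {len(report.services)} services"]
    for name in services_with_missing_binary(report):
        lines.append(f"service '{name}' points at a binary that is missing")
    mice = autostarts_matching(report, "mouse", "ipoint")
    if len(mice) > 1:
        lines.append("more than one mouse utility autostarts: " + ", ".join(a.name for a in mice))
    if report.nameservers:
        lines.append("DNS servers to confirm with the ISP: " + ", ".join(report.nameservers))
    return lines


if __name__ == "__main__":
    for line in summarize(parse_hjt(SAMPLE_LOG)):
        print(line)
```

Running it on the sample prints the two avast! services whose binaries are missing, both mouse utilities (IntelliPoint and WheelMouse) and the two name servers; none of that is a verdict, only the short list to verify by hand.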

I can’t see anything in the log, but wmidext.dll looks like it might be an adware infection, maybe NSIS. Have you run Ad-Aware and Spybot? I’ve seen Spybot clean up an NSIS infection recently, so that might be worth a try.

Have you seen any pop-up ads?

I’ll post again later when I have time to do a bit more research.

Silly question, but you do know you have TWO mouse drivers running?

C:\Program\Microsoft IntelliPoint\ipoint.exe
C:\Program\A4Tech\Mouse\Amoumain.exe

There may be problems with ipoint.exe

If you disable it in your startups, does the problem go away?

Well, I installed the wrong driver for my mouse and now I’ve got rid of it. Still doesn’t work.

I use Maxthon browser and no popups at all.

The mouse works fine for 3-5 secs until a process starts and kills it. I have no idea which one though…

Have tried all the Spybot, Ad-Aware and avast scans and they don’t find anything. Strange…

When you say the wrong driver, was it ipoint.exe that you removed? That’s the one that seems to be a problem driver for many people, and this really does seem more like a driver conflict than malware imho. You have no other symptoms other than mouse problems now, right?

Yes, the mouse is my problem now. A funny thing happened when I changed the msconfig - removed the EMU (soundcard control panel) from startup. When I rebooted the mouse worked but suddenly it got a life of its own. Randomly moving and clicking around. The Start → Programs menu opened. I thought I was hijacked so I pulled the line and rebooted. Now it’s back to what it was before - dead mouse.

Don’t know what happened when I changed the msconfig…

Maxthon is running from an unusual location. Did you change the default location to D:\Program 1\Internet\Maxthon\Maxthon.exe on purpose when you installed it?

:slight_smile: Hi “Crazy” :

I did notice from your HJT log that your Sun Java is 2-3 updates behind, a somewhat serious security risk. If possible, you should uninstall it ASAP; the latest for your XP SP2 OS is at www.majorgeeks.com/download4648.html.

And since you use ZoneAlarm as your firewall, the built-in one in XP SP2 has hopefully been disabled!? If not, do so.