Virus Hijacking Mouse Pointer

I visited a site which downloaded a virus onto my computer system while I was viewing it. This virus causes my mouse pointer to zig zag across the screen. Has anyone had this problem? If so, what tools can I use to remove it?

I tried to remove it using Norton Antivirus, Adaware, F-Prot Antivirus, Pest Patrol, and The Cleaner, but had no luck.

Please help.

Run HijackThis and post the log file here. Let us have a look. You can find HJT if you click the link in my signature. If you wish to do so, you may follow all instructions on that page. But for now, I don’t think it is needed.

Here are the contents of the HijackThis log file for my computer.

Logfile of HijackThis v1.97.7
Scan saved at 10:07:07 PM, on 8/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\WINDOWS\System32\MMTray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ASHAMPOO\ASHAMP~1\UNINST~2\UIWatcher.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\KEYWAL~1\KWallet.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\FSI\F-Prot\F-STOPW.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Download Manager\IDMan.exe
D:\Downloads\Programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\0jxi5hb8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\0jxi5hb8.slt\prefs.js)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [UIWatcher] C:\PROGRA~1\ASHAMPOO\ASHAMP~1\UNINST~2\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [KeyWallet] C:\PROGRA~1\KEYWAL~1\KWallet.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38082.8459490741
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F22BD1F-CB66-4E5D-8BC0-B665A6BBD66A}: NameServer = 64.7.158.10 64.7.158.17
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F22BD1F-CB66-4E5D-8BC0-B665A6BBD66A}: NameServer = 64.7.158.10 64.7.158.17

Look HERE for the result. Fix all bad things and investigate the unknown ones.

I checked all of the items such as idmmbc.dll and Keywallet that were flagged as nasty and determined that all of these flagged items are legitimate.

I would like to get rid of the following entries because of the incorrect IP address:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0F22BD1F-CB66-4E5D-8BC0-B665A6BBD66A}: NameServer = 64.7.15

O17 - HKLM\System\CS1\Services\Tcpip\..\{0F22BD1F-CB66-4E5D-8BC0-B665A6BBD66A}: NameServer = 64.7.15

Would I use a registry editor to get rid of these entries? If so, how would I do it?

I suspect I got this virus from this site www.phazeddl.com… After visiting this site, my mouse pointer began to move on its own.

Thanks.
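
One way to triage a log like the one posted above, as an added example that is not part of the original thread: it parses HijackThis entry lines by section code and pulls out the O4 autoruns, the O10 Winsock LSP files and the O17 NameServer values for comparison against the resolvers the owner expects. The sample lines are re-typed from the log in this thread; the function names and the `expected` resolver set are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: entry lines re-typed from the log posted in this thread.
SAMPLE = r"""Logfile of HijackThis v1.97.7
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [KeyWallet] C:\PROGRA~1\KEYWAL~1\KWallet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F22BD1F-CB66-4E5D-8BC0-B665A6BBD66A}: NameServer = 64.7.158.10 64.7.158.17
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F22BD1F-CB66-4E5D-8BC0-B665A6BBD66A}: NameServer = 64.7.158.10 64.7.158.17
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "O4 - ...", "R0 - ..."
# The "\..\" may lose its first backslash when a log is pasted into a forum.
RUN = re.compile(r"^(HK\w+)\\?\.\.\\(\w+): \[([^\]]+)\] (.+)$")
DNS = re.compile(r"^(.+?): NameServer = (.+)$")

def parse(log):
    """Group entry bodies by section code; header and process lines are skipped."""
    entries = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return entries

def autoruns(entries):
    """(hive, value name, command) for each O4 registry Run entry."""
    hits = (RUN.match(b) for b in entries.get("O4", []))
    return [(m.group(1), m.group(3), m.group(4).strip('"')) for m in hits if m]

def lsp_files(entries):
    """How many Winsock LSP chain slots (O10) each file occupies."""
    return Counter(b.split(": ", 1)[1].lower() for b in entries.get("O10", []) if ": " in b)

def name_servers(entries):
    """Every resolver address named in an O17 NameServer entry."""
    hits = (DNS.match(b) for b in entries.get("O17", []))
    return {ip for m in hits if m for ip in m.group(2).split()}

def unexpected_name_servers(entries, expected):
    """Resolvers in the log that are not in the set the owner expects (ISP/router)."""
    return name_servers(entries) - set(expected)

if __name__ == "__main__":
    e = parse(SAMPLE)
    print(autoruns(e), dict(lsp_files(e)), sorted(name_servers(e)), sep="\n")
```
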

Logfile of HijackThis v1.97.7

The newest version of HJT is v1.80.0
You should get the newer version and see if there is any difference.

–lee

Lee have you been drinking or smoking? :smiley: Latest version of HJT is 1.98.1 :wink:

I guess Lee is smoking way too much home made grass from mowing the lawn. ;D

I’m just wondering since HijackThis, Norton Antivirus, F-Prot Antivirus, Spybot Search and Destroy, The Cleaner, and Adaware didn’t detect the virus on my computer, could I assume that my mouse driver has been compromised by the virus program? My mouse starts to move across the screen once the system is booted. If my mouse driver is infected by this virus, how would I be able to replace all of the mouse drivers on my system without having to reformat my entire hard drive and re-installing everything - I don’t want to spend hours re-installing everything since my drive image has significantly changed?

I did use the current version of HijackThis as suggested and it produced the same result as before.

HINT: Use the keyboard instead of the mouse. In fact, you can even do more with a keyboard than with a mouse. Are you sure it isn’t just your mouse that is broken? (try it on another system) If the mouse works fine on another system, reinstall the drivers.