Mouse behaving strangely after trojan infection
laputomi
Junior Member
22. October 2012 @ 01:50 |
Hello folks,
My mouse has been behaving erratically ever since I had a trojan infection (identified by Malwarebytes' Anti-Malware (henceforth: MAM) as: Trojan.Delf and Trojan Ransom.Gen) a few days ago. Seemingly, the trojan has been successfully vanquished by MAM, as in there are no traces left and the computer works normally again.
However, my mouse has gone crazy: at random intervals, it seems that my clicks get "stuck" and get repeated in quick succession for a short duration, messing up anything I do at the given time. I have noticed this strange behaviour both in Windows Explorer, when handling files, as well as when playing Skyrim. At first I thought it was a bug with the game only (even though it never occurred previously), but when I noticed the same thing several times in Windows Explorer too, I thought that something was fishy.
I have run scans with MAM, avast and even Trend Micro's House Call, all of them updated to the current version, yet the strange behaviour persists. Also, my HJT log seems suspicious to me:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:12, on 2012.10.22.
Platform: Windows XP Szervizcsomag 3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Optimization Client\bmctl.exe
C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'HÁLÓZATI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda...b?1311799177468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso...b?1311863800718
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidConverterPDFv4ReadSpool (SCPDFV4ReadSpool) - Solid Documents, LLC - C:\WINDOWS\Installer\MSIC.tmp
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
--
End of file - 6108 bytes
I normally use Google Chrome for browsing the web.
Looking forward to your helpful reply and if you need any more info, please let me know.
Thank you.
Senior Member
22. October 2012 @ 02:36 |
I would run HJT again and check "Fix" on the following:
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
Also review your mouse settings. Download, update and run SUPERAntiSpyware and delete anything it comes up with. Then post a new HJT log and let us know if anything changed.
laputomi
Junior Member
22. October 2012 @ 03:51 |
Hi aldan, thanks for your quick reaction.
Punkbuster is a legit service, but since I'm not using it any more, I'll just uninstall it. I've reviewed my mouse settings (via Control Panel) and nothing seems to have been altered. The mouse I'm using is a pretty basic model, a Genius NetScroll+ Eye. I've had it for years now and have had no problems so far. Downloading Super Antispyware at the moment, and will get back to you soon.
In the meantime, can you please tell me about these 2 entries in hjt? I thought they were malicious items:
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\MICROS~1\Office14\URLREDIR.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Edit: JFYI, here's the SAS log (minus the adware cookies, which I'm removing anyway):
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/22/2012 at 09:58 AM
Application Version : 5.6.1012
Core Rules Database Version : 9446
Trace Rules Database Version: 7258
Scan type : Quick Scan
Total Scan Time : 00:02:41
Operating System Information
Windows XP Professional 32-bit, Szervizcsomag 3 (Build 5.01.2600)
Administrator
Memory items scanned : 513
Memory threats detected : 0
Registry items scanned : 31785
Registry threats detected : 9
File items scanned : 6537
File threats detected : 234
Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#UPDATESDISABLENOTIFY
Security.HiJack[ImageFileExecutionOptions]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AMCAP.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AMCAP.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JAVAWS.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JAVAWS.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PRESENTATIONHOST.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PRESENTATIONHOST.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SKYPE.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SKYPE.EXE#Debugger
I have Update notifications turned off deliberately because I'm on mobile Internet, which is unreliable in terms of downloads. So I've just set it to ignore and cleaned the rest.
This message has been edited since posting. Last time this message was edited on 22. October 2012 @ 04:04
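The "Unknown owner" O23 service aldan flagged and the Image File Execution Options (IFEO) Debugger keys in the SAS log above are both things a defender can check mechanically rather than by eye. The Python below is an added example, not code from HijackThis, SUPERAntiSpyware or anyone in this thread; the HJT sample lines are copied from the log posted above, while the .reg-style registry lines and the Debugger path are constructed placeholders.

```python
"""Triage helpers for a HijackThis (HJT) log and for Image File Execution
Options (IFEO) registry entries. Added example for this thread; it is not
part of HijackThis, SUPERAntiSpyware or Malwarebytes."""
import re

# HJT O23 lines have the shape "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Key prefix spelled the way the SUPERAntiSpyware log above reports it
IFEO_PREFIX = (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")


def parse_o23(log_text):
    """Return the O23 service entries of an HJT log as dicts."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def unsigned_services(log_text):
    """Names of services HJT could not attribute to a vendor ('Unknown
    owner'); these are the O23 lines worth checking first, as aldan did."""
    return [e["name"] for e in parse_o23(log_text)
            if e["owner"].lower() == "unknown owner"]


def ifeo_debugger_hijacks(reg_lines):
    """Map target exe -> Debugger value for IFEO keys that carry one.
    Windows starts the Debugger program instead whenever the named exe is
    launched, which is why SAS reports such keys as Security.HiJack."""
    hijacks, current = {}, None
    for line in reg_lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            inside = key.lower().startswith(IFEO_PREFIX.lower())
            current = key[len(IFEO_PREFIX):] if inside else None
        elif current and line.lower().startswith('"debugger"='):
            # .reg exports double every backslash; undo that for display
            value = line.split("=", 1)[1].strip('"')
            hijacks[current] = value.replace("\\\\", "\\")
    return hijacks


# Sample input: two lines copied from the HJT log posted above.
SAMPLE_HJT = r"""
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Constructed .reg-style lines for two of the IFEO keys SAS listed; the
# Debugger path is a placeholder, not a value taken from the thread.
SAMPLE_REG = r"""
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SKYPE.EXE]
"Debugger"="C:\\PLACEHOLDER\\unknown.exe"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JAVAWS.EXE]
"GlobalFlag"=dword:00000002
"""
```

`unsigned_services(SAMPLE_HJT)` returns only PnkBstrA, and `ifeo_debugger_hijacks(SAMPLE_REG.splitlines())` reports SKYPE.EXE but not JAVAWS.EXE, whose key carries no Debugger value.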
laputomi
Junior Member
22. October 2012 @ 04:31 |
Here's the fresh hjt log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:06, on 2012.10.22.
Platform: Windows XP Szervizcsomag 3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Tomi\Application Data\U3\0000183FA770B1E0\LaunchPad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'HÁLÓZATI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda...b?1311799177468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso...b?1311863800718
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidConverterPDFv4ReadSpool (SCPDFV4ReadSpool) - Solid Documents, LLC - C:\WINDOWS\Installer\MSIC.tmp
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
--
End of file - 5446 bytes
I'll have to wait and see if my mouse problem persists, as it doesn't happen periodically but rather randomly, so I can't reproduce it. Will definitely get back to you later today. Thank you for your kind assistance!
Senior Member
22. October 2012 @ 11:13 |
Sorry, I missed the redirect BHO. While it is low risk and probably not your problem, I would get rid of it anyway. That's a lot of crap that SAS picked up. Depending on system specs, that can cause some erratic behaviour. After you run Malwarebytes, let us know how things are running.
laputomi
Junior Member
22. October 2012 @ 12:19 |
Yeah, the BHO is not it. I've run yet another scan with both MAM and SAS, but nothing came up. I'm starting to think this might be a hardware problem, i.e. the mouse has been worn out. I've had it for like 5-6 years now. While playing Skyrim this afternoon, I noticed that the left click seems to get stuck. Also, I had to press the left mouse button real hard to get any effect. I'll disassemble the mouse, clean it out thoroughly and see whether it helps.
JST1946
Senior Member
22. October 2012 @ 12:37 |
Sounds like both of the microswitches are worn out on the left and right buttons. I would just buy another mouse. They don't cost much.
20 Year U.S.Army Veteran.Vietnam 1969-1972 101st Abn.Div.
ddp
Moderator
22. October 2012 @ 14:40 |
Can try a system restore to before the trojan to see if the mouse is still erratic or not.
Senior Member
22. October 2012 @ 15:13 |
Yeah, your HJT looks clean to me. I've had my old LG keyboard and wireless mouse for almost 7 years now. The keyboard has had 2 beers spilt on it and some of the letters are worn off. It just keeps on going. Good thing I touch type tho. lol.
laputomi
Junior Member
22. October 2012 @ 15:20 |
Thanks a lot for your help, folks, especially aldan. Yeah, my system seems clean now. I deleted the old restore points this morning, so there's nowhere to roll back to. :-) I'll see what I can do about the mouse tomorrow, but if it still fails to work properly after a thorough cleaning, I'll simply replace it. By the way, my 20-year-old keyboard also needs replacing, lol.
This message has been edited since posting. Last time this message was edited on 22. October 2012 @ 15:21
JST1946
Senior Member
22. October 2012 @ 15:22 |
Maybe you can donate it to your local museum.
20 Year U.S.Army Veteran.Vietnam 1969-1972 101st Abn.Div.
AfterDawn Addict
22. October 2012 @ 18:35 |
Originally posted by laputomi: Thanks a lot for your help, folks, especially aldan. Yeah, my system seems clean now. I deleted the old restore points this morning, so there's nowhere to roll back to. :-) I'll see what I can do about the mouse tomorrow, but if it still fails to work properly after a thorough cleaning, I'll simply replace it. By the way, my 20-year-old keyboard also needs replacing, lol.
laputomi: Just for S&G (sh**s & Grins) try re-seating your memory sticks. I have found that a bad connection on a memory stick can drive a mouse nutso....
2oG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
laputomi
Junior Member
3. November 2012 @ 09:49 |
Hey guys, just some feedback: for several days now, my mouse has been working perfectly again. Whether it's due to the malware cleaning, the manual, mechanical cleaning of the mouse, or both -- I know not. But I'm happy with the result. :-)
Thanks to all of you for your help and input!
Senior Member
3. November 2012 @ 12:20 |
Glad it all worked out for you.
ddp
Moderator
3. November 2012 @ 15:21 |
No problem.