Nasty virus hit......can only work in safe mode, need urgent help

Discussion in 'Software Q&A' started by ranjan2001, Aug 1, 2006.

Thread Status:
Not open for further replies.
  1. ranjan2001

    ranjan2001 Active Member

    Solved-Nasty virus hit......can only work in safe mode, need urgent help

    I downloaded a doc file from CEOdelhi.nic.in & since then I have got a problem: my mouse is left-clicking on its own. It is not responding when I click, so all clicks accumulate & then suddenly it will open the same file 10 times. Icons on my desktop are being selected & clicked on their own.

    I did a system restore too but strangely I can't get rid of it, so I did a virus scan & got rid of it, but it's still creating the same problem. I changed 2 mice, even tried a different brand & a wireless one, but the same problem, so the mouse is not creating the problem; could it be the driver?

    I boot to safe mode and then things are working fine, but as I go back to normal mode it's back again.

    Can anyone help me with this? I have already done a Spybot check and an antivirus check; ZoneAlarm is installed & functioning.
     
    Last edited: Aug 3, 2006
  2. Venom

    Venom New Member

    There's probably some fun script residing on your comp, look in your startup and disable all fishy and unwanted looking stuff. Also, post a HJT log here.
     
  3. JGuru

    JGuru Well-Known Member

    Beyond doubt, it's a malicious virus that got downloaded with the 'doc' file from the
    website!! Don't expect your antivirus to detect all the viruses in the world!! It can't!!
    There's nothing wrong with your mouse. So changing the mouse won't help!!
    Format the drive in which you have installed the Windows O.S., and reinstall Windows again.
    See if this works. Based on your feedback I'll tell you what to do.
    Remember the virus is causing all the problems, and it has attached itself to an
    executable file (com, exe). So formatting your Windows partition is the best solution.
     
  4. Ishan

    Ishan New Member

    Also try HijackThis!
     
  5. ranjan2001 (OP)

    ranjan2001 Active Member

    I checked all the items in the startup folder; they are known applications, nothing new there. I am doing a McAfee scan & it has found (even AVG found it earlier, but could not remove it) the following.

    C:\...\loaderadv540.jar-1b819912-603bed5f.zip being reported as exploit byte verify

    There are 13 of them in my Java cache folder. I have deleted the cache but these are still being reported.

    More info on this link: http://www.symantec.com/security_response/writeup.jsp?docid=2003-090514-4048-99&tabid=3


    HJT log here
    ---------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 4:04:41 PM, on 01-Aug-06
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\owner\My Documents\Downloads\Compressed\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Professional\wsbho2k0.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
    O4 - Global Startup: basICColor display4 VideoLUT Loader.lnk = C:\Program Files\basICColor Software\basICColor display 4.0\LUTLoader.exe
    O4 - Global Startup: MyVitalAgent.lnk = C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Save Flash - res://C:\Program Files\Flash Saving Plugin\FlashSButton.dll/210
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Flash Saving Plugin\FlashSButton.dll (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O15 - Trusted Zone: http://lightzone.bloggoing.com
    O15 - Trusted Zone: http://linktrader.cyberspacehq.com
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/1b37/uploader2.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8F53B1FC-93A1-4B95-8EA4-37ECF2F02CCE} (OmniViewer Control) - http://www.imatronics.com/activex/omniviewer/OmniViewer.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4815/mcfscan.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
    O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

    ----------------------------------------------------
    I don't find anything suspicious here.
     
    Last edited: Aug 1, 2006
  6. Venom

    Venom New Member

    What's that LUTLoader.exe thing? I found no info on that at all; if it's useless, remove it immediately.
     
  7. ranjan2001 (OP)

    ranjan2001 Active Member

    That's the monitor calibration ICC profile loader; I need it.
     
  8. Venom

    Venom New Member

    Oh OK, just that even Google didn't have info on it...

    I don't see anything malicious. Did you mention a reformat too?
     
  9. ranjan2001 (OP)

    ranjan2001 Active Member

    No, not as of now, no reformat, but the online scanner found a few more of them so I am looking into it.
     
  10. amargupta

    amargupta New Member

    Dear friend,
    the best thing you can do is format the hard disk partition on which you have installed the OS. The same problem was there with me once. This virus attacks the exe files directly. Before it erases all, you erase everything from that partition.
     
  11. src2206

    src2206 New Member

    Don't format!
    I am analysing your log and I shall provide a fix in a short while.
     
  12. ranjan2001 (OP)

    ranjan2001 Active Member

    Thanks for the help, but in the log I don't find anything which I am not aware of, so there is something which is not getting logged, but meanwhile I found one solution to the problem & now it's not happening.
    In Windows Explorer > Tools > Folder Options > Restore Default
    (my selection was to use single click to open the file)

    The moment I select "single click to open the windows" the problem starts again, so I have got a temporary fix as of now and have finally been booted into normal mode since morning.

    ---------------------------------------
    NO, IT'S BACK AGAIN. After I reboot it has reset my settings back as they were earlier.

    I must say a smart virus; whoever made this must have done a lot of research. Imagine you can't use your mouse: you will fear that if the pointer touches the file icon it will explode into 10 windows, & even after that, if you get it to the Start button, it will automatically start giving commands to open the programs.

    I will wait for some other solution, else I will try another system restore to a back date; hope that might solve the issue.
     
    Last edited: Aug 1, 2006
  13. src2206

    src2206 New Member

    Hi, there is not much showing in your log.
    Still, to be completely sure please do the following:
    Using msconfig enable all the startup entries. Move HJT to C:\Hijackthis or something which you prefer. Reboot into normal mode and run the scan again.

    I would advise you to post your log at www.techsupportforum.com. They have one dedicated subforum for HJT log analysis. I am suggesting this site because there you are sure to get a response within 24 hrs of your post. I've been there and I know how good they are! You need to register there and that is free too.

    If you would like to continue here please follow the above step regarding HJT along with the following:
    1. Download Ewido 4.0 and update it. Ewido Anti-Malware. Remember to disable the guard.

    2. Download Cleanup! and install it. You will use this later. Do not install if you are using the 64 bit version of Windows.

    Boot in safe mode.

    Open Cleanup!.
    Set the program up as follows:

    Click "Options..."
    Move the arrow down to "Custom CleanUp!"
    Put a check next to the following (Make sure nothing else is checked!):
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files (if present)
    • Cleanup! All Users
    • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it's checked.
    Click OK
    Press the CleanUp! button to start the program.
    Do not logoff or reboot when prompted.

    Run Ewido. (...it's important that all windows must be closed)
    • Click Scanner
    • Click on the Scan tab
    • Click Complete System Scan to begin scanning.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
    Restart in normal mode.

    Perform an online scan with Internet Explorer with Panda ActiveScan
    ** click on "Free use ActiveScan" located on the top right hand corner
    1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
    2. Click Scan Now
    3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
    Begin the scan by selecting My Computer
    • If it finds any malware, it will offer you a report. Click on see report.

    If you decide to continue here then please provide the following in your next post:

    A fresh HJT Log
    Ewido Report
    Panda Scan Report

    Hope that this will help you.

    OK Ranjan, even if it's a smart virus there is a way to reveal it, no matter how smart it is.

    Along with the above set of instructions please do the following BEFORE YOU BOOT IN SAFE MODE.

    Download and run Blacklight

    *Note that you must have local administrative privileges to run the program.

    Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

    When it finishes, click Next. You may get a screen similar to the picture below. Click on Close.

    BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log from this tool along with the three others I requested.
     
    Last edited: Aug 1, 2006
  14. ranjan2001 (OP)

    ranjan2001 Active Member

    See attached ActiveScan report from Panda.

    It seems I have to attach files in separate posts; it's not letting me upload all 4 files at 1 time.
     
  15. ranjan2001 (OP)

    ranjan2001 Active Member

    See attached files.
     
    Last edited: Aug 2, 2006
  16. src2206

    src2206 New Member

    You could have easily used the cut-paste feature :)
    Anyways, I am in the process of reviewing; please give me some time. Most probably by tomorrow evening I can put my comment on the table.
    So please hold on a little.
     
  17. ranjan2001 (OP)

    ranjan2001 Active Member

    Thanks,
    I will wait till we can find that nasty script.
    Meanwhile I have deleted the following

    C:\WINDOWS\system32\klozer.exe
    C:\WINDOWS\system32\ntboot.dll

    & kept these 2 files zipped on C drive (assuming they won't be working from a zipped file)

    After that I have rescanned with Ewido & Panda online; nothing has been found except the 2 files which I deleted but kept under a zip file.

    Some mischief is happening within the startup folder, because in safe mode it's working fine; only when I boot in normal mode is it creating trouble.
    Here is a screenshot of what it's doing, opening 100's of windows on its own.

    Some amusing thing happened when I attached a new hard disk which had another installation of XP (I keep a backup). C & D were disconnected completely so it cannot affect the new HDD. Now it's time for me to look into the mouse driver or the mouse itself. I have tested 2 mice & 1 cordless too, all are behaving the same, so I have now more problems to take care of...........................formatting is not going to solve this issue if it's hardware related.
    ---------------------------------------------
    FINAL UPDATE
    ____________________________________________________________________

    Dug up a mountain and out came a mouse (khoda pahar, nikli chuhiya)..........................yes, sorry for all that trouble I gave to anyone.

    I consulted my hardware supplier & had a chat with him & concluded that I should make a list of all the things which are not loading when in safe mode, as then it works all fine.

    One of them was my mouse; in safe mode I have to use my USB cordless mouse, the other one does not work for some reason.

    I borrowed a friend's mouse & keyboard & changed the keyboard & mouse both just to check.....................................hurray :D!!!!!!!! :D!!!!!!!!!!! :D it all worked fine. So it was not the virus, but I still had to figure out if it's the mouse or the keyboard. I plugged the old keyboard in with the replaced mouse & it worked all fine.

    Just got a new PS2 optical mouse & the last 24 hours' ordeal is finally over.

    Moral of the story.........................................don't rush to format; you surely can track a virus if you know how to do it, which in my case "src2206" helped me with up to the last point he could.

    Thanks a lot for taking your time.
    Ranjan
     
    Last edited: Aug 2, 2006
  18. src2206

    src2206 New Member

    That's OK Ranjan. I love to do this type of analysis and so I work in the forum that I've already mentioned, as a security analyst.
    It's good to know your problem is solved; still, I would suggest that you clear your cookies and delete all the previous restore points. Your logs were more or less clean and I had a feeling that the main problem was hardware related.
    Good that you found it out yourself, and have a good time with your PC.

    You are absolutely correct. There is no virus yet available which cannot be tracked and which is not shown directly or indirectly in a HJT log. The only thing is that you need to know how to interpret the log.
     
    Last edited: Aug 3, 2006
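As an added illustration of what "knowing how to interpret the log" looks like in practice (example code written for this thread, not posted by anyone in it, and not a HijackThis feature): a small Python triage script that parses the "O4 - ...", "O10 - ..." entry format of the log above and flags the entry classes a reviewer checks first, namely autostarts launching from temp folders, Winsock LSPs HJT cannot attribute, Trusted Zone additions, Winlogon Notify DLLs, and services with an unknown owner or a missing file. The sample log is constructed from a few of the thread's own lines plus one hypothetical O4 entry ("[example] ... example.exe"); the flagging heuristics and the SUSPECT_DIRS list are assumptions of this example, not rules from HJT or from src2206.

```python
import re
from collections import OrderedDict

# Constructed sample: a few entries in the format of the HijackThis log posted in
# this thread, plus one hypothetical O4 entry ([example] ... example.exe) added to
# exercise the temp-folder heuristic. Not the thread's complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [example] C:\Documents and Settings\owner\Local Settings\Temp\example.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O15 - Trusted Zone: http://lightzone.bloggoing.com
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# HJT entry lines look like "O4 - ...", "R0 - ...", "F2 - ...", "N1 - ...".
HJT_LINE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")

# Folders an autostart entry should not normally launch from (assumption of this
# example, not an HJT rule); matched case-insensitively against the entry body.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\temporary internet files\\", "\\recycler\\")


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per HJT entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify(section, body):
    """Return a review reason for one entry, or None if nothing in it stands out."""
    low = body.lower()
    if section == "O4" and any(d in low for d in SUSPECT_DIRS):
        return "autostart launches from a user-writable temp folder"
    if section == "O10" and "unknown file" in low:
        return "Winsock LSP that HJT cannot attribute; verify which installed product owns the DLL"
    if section == "O15":
        return "site added to the IE Trusted Zone; confirm you added it deliberately"
    if section == "O20":
        return "DLL loaded by winlogon.exe at logon; verify the vendor"
    if section == "O23" and ("unknown owner" in low or "(file missing)" in low):
        return "service with unknown owner or missing binary"
    return None


def triage(entries):
    """Return [(section, reason, body)] for entries worth a second look.

    Identical lines (like the repeated O10 entries in the thread's log) are reported once.
    """
    findings = OrderedDict()
    for section, body in entries:
        reason = classify(section, body)
        if reason and (section, body) not in findings:
            findings[(section, body)] = (section, reason, body)
    return list(findings.values())


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

A flagged entry is a prompt to verify the file's vendor and path, not a verdict; the Zone Labs, Google Talk and Wacom lines pass through untouched.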
  19. ranjan2001 (OP)

    ranjan2001 Active Member

    Your step by step instructions boosted my confidence that we can track it; I was not aware of those 4 tools which you mentioned.................................using them was a good learning for the future.

    But reformatting would still not have been required, as I always keep a backup HDD & advise others to do the same. Here is what I do.

    Take any old HDD, 20-40GB; don't worry if it's old.

    1. Install the OS, 2000/XP or whatever
    2. Then install all the software you will need for yourself.
    3. Most software & the OS will need to be configured as per your requirements > configure them
    4. Use this HDD for 2-5 days until you feel all the things are running fine as per your requirement & your system is clean without any worm/virus etc.
    5. Now use Acronis True Image to clone this HDD to another new & larger 80-250 GB HDD; what it does is that it will expand the partition to the new disk as per your choice. It sounds complicated but is very easy to do.

    Now use your new HDD & keep the backup in a safe place. Whenever you are in hell...........you know you have a working disk with the same set of settings, so just do step 5 once again & you are back in heaven.

    Hope this will save you in the time of crisis.
    Thanks once again for your time.
     