Nasty virus hit......can only work in safe mode, need urgent help


ranjan2001

Cyborg Agent
Solved-Nasty virus hit......can only work in safe mode, need urgent help

I downloaded a doc file from CEOdelhi.nic.in & since then I got a problem: my mouse is left-clicking on its own. It is not responding when I click, so all clicks accumulate & then suddenly it will open the same file 10 times. Icons on my desktop are being selected & clicked on their own.

I did a system restore too but strangely I can't get rid of it, so I did a virus scan & got rid of it, but it's still creating the same problem for me. I changed 2 mice, even tried a different brand & a wireless one, but the same problem, so the mouse is not creating the problem. Could it be the driver????

I boot to safe mode, then things are working fine, but as I go back to normal mode it's back again.

Is there anyone who can help me with this? I have already done a Spybot check, antivirus check, ZoneAlarm is installed & functioning.

Venom

Journeyman
There's probably some fun script residing on your comp, look in your startup and disable all fishy and unwanted looking stuff. Also, post a HJT log here.
 

JGuru

Wise Old Owl
Beyond doubt, it's a malicious virus that got downloaded with the 'doc' file from the website!! Don't expect your antivirus to detect all the viruses in the world!! It can't!!
There's nothing wrong with your mouse. So changing the mouse won't help!!
Format the drive on which you have installed the Windows O.S., and reinstall Windows again.
See if this works. Based on your feedback I'll tell you what to do.
Remember the virus is causing all the problems, and it has attached itself to an executable file (com, exe). So formatting your Windows partition is the best solution.
 
OP

ranjan2001

Cyborg Agent
I checked, all the items in the startup folder are known applications, nothing new there. I am doing a McAfee scan & it has found the following (even AVG found it earlier, but could not remove it).

C:\...\loaderadv540.jar-1b819912-603bed5f.zip being reported as Exploit ByteVerify

There are 13 of them in my Java cache folder. I have deleted the cache but these are still being reported.

More info on this link: *www.symantec.com/security_response/writeup.jsp?docid=2003-090514-4048-99&tabid=3


HJ log here
---------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:04:41 PM, on 01-Aug-06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\owner\My Documents\Downloads\Compressed\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Professional\wsbho2k0.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: basICColor display4 VideoLUT Loader.lnk = C:\Program Files\basICColor Software\basICColor display 4.0\LUTLoader.exe
O4 - Global Startup: MyVitalAgent.lnk = C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O15 - Trusted Zone: *lightzone.bloggoing.com
O15 - Trusted Zone: *linktrader.cyberspacehq.com
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - *picasaweb.google.com/s/v/1b37/uploader2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - *security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8F53B1FC-93A1-4B95-8EA4-37ECF2F02CCE} (OmniViewer Control) - *www.imatronics.com/activex/omniviewer/OmniViewer.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - *download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4815/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

----------------------------------------------------
I don't find anything suspicious here.

Venom

Journeyman
What's that LUTLoader.exe thing? I found no info on that at all; if it's useless, remove it immediately.
 

Venom

Journeyman
Oh ok, just that even Google didn't have info on it...

I don't see anything malicious. Did you mention a reformat too?
 

amargupta

Right off the assembly line
Dear friend,
The best thing you can do is format the hard disk partition on which you have installed the OS. I had the same problem once. This virus attacks the exe files directly. Before it erases everything, you erase everything from that partition.
 
OP

ranjan2001

Cyborg Agent
Thanks for the help, but in the log I don't find anything which I am not aware of, so there is something which is not getting logged. But meanwhile I found one solution to the problem & now it's not happening.
In Windows Explorer > Tools > Folder Options > Restore Defaults
(my selection was to use single click to open the file)

The moment I select "single click to open the windows" the problem starts again, so I have a temporary fix as of now; finally booted into normal mode since this morning.

---------------------------------------
NO, IT'S BACK AGAIN. After I reboot it has reset my settings back to how they were earlier.

I must say it's a smart virus; whoever made this must have done a lot of research. Imagine you can't use your mouse; you will fear that if the pointer touches a file icon it will explode into 10 windows, & even after that, when you get it to the Start button, it will automatically start giving commands to open the programs.

I will wait for some other solution, else I will try another system restore to an earlier date; hope that might solve the issue.

src2206

In the zone
Hi, there is not much showing in your log.
Still, to be completely sure, please do the following:
Using msconfig enable all the startup entries. Move HJT to C:\Hijackthis or something which you prefer. Reboot into normal mode and run the scan again.

I would advise you to post your log at www.techsupportforum.com. They have one dedicated subforum for HJT log analysis. I am suggesting this site because there you are sure to get a response within 24 hrs of your post. I've been there and I know how good they are! You need to register there and that is free too.

If you would like to continue here, please follow the above step regarding HJT along with the following:
1. Download Ewido 4.0 and update it. Ewido Anti-Malware. Remember to disable the guard.

2. Download Cleanup! and install it. You will use this later. Do not install if you are using the 64-bit version of Windows.

Boot in safe mode.

Open Cleanup!.
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for "Scan drives for files matching" if it's checked.
Click OK
Press the CleanUp! button to start the program.
Do not log off or reboot when prompted.

Run Ewido. (It's important that all windows must be closed.)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (Make sure to remember where you saved that file, this is important.)
Restart in normal mode.

Perform an online scan with Internet Explorer with Panda ActiveScan
** Click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a pop-up window shall appear. *Ensure that your pop-up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB of Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on See report.

If you decide to continue here then please provide the following in your next post:

A fresh HJT Log
Ewido Report
Panda Scan Report

Hope that this will help you.

Ok Ranjan, even if it's a smart virus there is a way to reveal it, no matter how smart it is.

Along with the above set of instructions please do the following BEFORE YOU BOOT IN SAFE MODE.

Download and run Blacklight

*Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close.

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log from this tool along with the three others I requested.
*www.f-secure.com/blacklight/bl_cleaning.gif
 
OP

ranjan2001

Cyborg Agent
See the attached ActiveScan report from Panda.

It seems I have to attach files in separate posts; it's not letting me upload all 4 files at one time.
 

src2206

In the zone
You could have easily used the cut-paste feature :)
Anyway, I am in the process of reviewing; please give me some time. Most probably by tomorrow evening I can put my comment on the table.
So please hold on a little.
 
OP

ranjan2001

Cyborg Agent
Thanks,
I will wait to see if we can find that nasty script.
Meanwhile I have deleted the following

C:\WINDOWS\system32\klozer.exe
C:\WINDOWS\system32\ntboot.dll

& kept these 2 files zipped on the C drive (assuming they won't be working from a zipped file).

After that I have rescanned with Ewido & Panda online; nothing has been found except the 2 files which I deleted but kept under a zip file.

Some mischief is happening within the startup folder, because in safe mode it's working fine; only when I boot in normal mode is it creating trouble.
Here is a screenshot of what it's doing, opening hundreds of windows on its own.
*img132.imageshack.us/img132/6866/desktopmultidf8.jpg


Something amusing happened when I attached a new hard disk which had another installation of XP (I keep a backup): C & D were disconnected completely, so it cannot affect the new HDD. Now it's time for me to look into the mouse driver or the mouse itself. I have tested 2 mice & 1 cordless too, all are behaving the same, so I have now more problems to take care of...........................formatting is not going to solve this issue if it's hardware related.
---------------------------------------------
FINAL UPDATE
____________________________________________________________________

Khoda pahar, nikli chuhiya (dug up a mountain and out came a mouse)..........................yes, sorry for all the trouble I gave to anyone.

I consulted my hardware supplier & had a chat with him & concluded that I should make a list of all the things which are not loading when in safe mode, as then it all works fine.

One of them was my mouse; in safe mode I have to use my USB cordless mouse, the other one does not work for some reason.

I borrowed a friend's mouse & keyboard & changed both the keyboard & mouse just to check.....................................hurray:D!!!!!!!!:D!!!!!!!!!!!:D it all worked fine. So it was not the virus, but I still had to figure out if it's the mouse or the keyboard. I plugged in the old keyboard with the replaced mouse & it all worked fine.

Just got a new PS2 optical mouse & the last 24 hours' ordeal is finally over.

Moral of the story.........................................don't rush to format; you surely can track a virus if you know how to do it, which in my case "src2206" helped me with up to the last point he could.

Thanks a lot for taking your time.
Ranjan

src2206

In the zone
That's OK, Ranjan. I love to do this type of analysis and so I work in the forum that I've already mentioned as a security analyst.
It's good to know your problem is solved; still, I would suggest that you clear your cookies and delete all the previous restore points. Your logs were more or less clean and I had a feeling that the main problem was hardware related.
Good that you found it out yourself, and have a good time with your PC.

ranjan said:
Moral of the story.........................................don't rush to format; you surely can track a virus if you know how to do it, which in my case "src2206" helped me with up to the last point he could.
You are absolutely correct. There is no virus yet available which cannot be tracked and which is not shown directly or indirectly in a HJT log. The only thing is that you need to know how to interpret the log.
OP
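The thread's point that a HijackThis log only helps if you know how to read it is easy to mechanise for a first pass. The script below is an added example, not a tool from the thread or from HijackThis: it parses the HJT line format and flags the entry types a log reviewer checks first (autostarts, Winsock LSPs, Trusted Zone additions, Winlogon notify DLLs, services), using a few lines copied from the log posted above as constructed input; the section list and the flag reasons are the example's own assumptions.

```python
import re

# Constructed sample input: a few entries in the HijackThis v1.99 log format,
# copied from the log posted earlier in this thread (no new paths invented).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O15 - Trusted Zone: *lightzone.bloggoing.com
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

# Sections worth a second look (assumed list): they run code at logon, hook
# the network stack, or relax Internet Explorer's security for a site.
REVIEW_SECTIONS = {
    "O4": "autostart entry",
    "O10": "Winsock LSP hook",
    "O15": "IE Trusted Zone addition",
    "O20": "Winlogon notify DLL",
    "O23": "installed service",
}


def parse_hjt(text):
    """Return (section, body) tuples for every line that looks like an HJT entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Flag entries a reviewer would check first; each finding carries its reasons."""
    findings, seen_lsp = [], {}
    for sec, body in parse_hjt(text):
        if sec not in REVIEW_SECTIONS:
            continue
        reasons = []
        if "(file missing)" in body:
            reasons.append("referenced file is missing (orphaned or removed item)")
        if "Unknown owner" in body:
            reasons.append("service carries no publisher string")
        if sec == "O10":
            seen_lsp[body] = seen_lsp.get(body, 0) + 1
            if seen_lsp[body] > 1:
                continue  # HJT repeats one LSP DLL per chain slot; report it once
            reasons.append("Winsock LSP DLL not in HJT's known-good list")
        if sec == "O15":
            reasons.append("site in IE Trusted Zone gets relaxed security settings")
        if sec == "O20":
            reasons.append("DLL loaded by winlogon.exe at every logon")
        if reasons:
            findings.append((sec, REVIEW_SECTIONS[sec], body, reasons))
    return findings
```

On the sample above the script reports four entries (the LSP DLL once, the Trusted Zone site, the Winlogon notify DLL, and the orphaned wampapache service) and stays silent on the known-good autostarts, which matches the thread's verdict that the log was essentially clean.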

ranjan2001

Cyborg Agent
Your step by step instructions boosted my confidence that we can track it. I was not aware of those 4 tools which you mentioned.................................using them was good learning for the future.

But reformatting would still not have been required, as I always keep a backup HDD & advise others too to do the same. Here is what I do.

Take any old HDD, 20-40 GB, don't worry if it's old.

1. Install THE OS, 2000/XP or whatever.
2. Then install all the software you will need for yourself.
3. Most software & the OS will need to be configured as per your requirements > configure them.
4. Use this HDD for 2-5 days until you feel all the things are running fine as per your requirements & your system is clean without any worm/virus etc.
5. Now use Acronis True Image to clone this HDD to another new & larger 80-250 GB HDD; what it does is expand the partition to the new disk as per your choice. It sounds complicated but is very easy to do.

Now use your new HDD & keep the backup in a safe place. Whenever you are in hell...........you know you have a working disk with the same set of settings, so just do step 5 once again & you are back in heaven.

Hope this will save you in a time of crisis.
Thanks once again for your time.