0

I dont know if I have a virus or trojan. My left mouse button works normally on startup but after 10 -30 minutes instead of say opening a file or starting a program it will show the shortcuts properties and the keyboard stops responding at all.

I ran Kaspersky antivirus 7 which found and removed a trojan Win32.SdBot.cic but the problem remains. I have run AVG anti spyware, spybot search and destroy and adaware but they found nothing. I have even tried a new mouse, but it behaves the same way.

Please help

Freefall123


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:38:15, on 19/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
E:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\SLEE503.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
E:\Program Files\Creative\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
E:\Program Files\Down2Home\Down2Home.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - e:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTSysVol] e:\Program Files\Creative\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [SSS6_Suite] "E:\Program Files\Steganos Security Suite 6\sss.exe" /booting (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [SSS6_SAFE] "E:\Program Files\Steganos Security Suite 6\safe.exe" /booting (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [SSS6_SPM] "E:\Program Files\Steganos Security Suite 6\spm.exe" /booting (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Down2Home.lnk = E:\Program Files\Down2Home\Down2Home.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Program Files\canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Program Files\canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Program Files\canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Program Files\canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - e:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - e:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194805497161
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194805469702
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://M:\Resources\IntraLaunch.CAB
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - E:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Steganos Live Encryption Engine (Version 503) [Service] (SLEE_503_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE503.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

5
Contributors
17
Replies
18
Views
9 Years
Discussion Span
Last Post by jholland1964
0

I don't guarantee that I've found everything (or indeed anything) in a very long HJT file. But the below extract is potentially dodgy IMO:
---------------------------------------------------------
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - e:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

---------------------------------------------------------

I wouldn't have expected in a normal system the IE start page to be null, but you may well have blanked it for security reasons.

The other entries need invetigating and the process involving HJT/ComboFix and other tools as per many posts in this forum would seem in order.

0

Thanks for the reply.

You are correct I set internet explorer to a blank page - I cant remember when I used this last.

I looked for combo fix but some say dont use it now.

My mouse and keyboard work fine initially on bootup and it only seems to be after a while ( a certain number of clicks?) that the left mouse button acts as if the Alt key is pressed - showing a filoes properties rather than opening it, and then the whole keyboard locks.

0

The wisest thing you can do, IMHO, is to look up whatever Crunchie does in the Virus forum and do the same yourself. That includes ComboFix and a number of other tools used in a structured way.

There is always my famous post of 3rd September (search under the mis-spelt name "Virtunonde") which provides a sound alternative method - which I personally feel is rather applicable to your case.

You've got to get rid NOW of the stuff I#ve pointed out to you.

0

The wisest thing you can do, IMHO, is to look up whatever Crunchie does in the Virus forum and do the same yourself. That includes ComboFix and a number of other tools used in a structured way.

There is always my famous post of 3rd September (search under the mis-spelt name "Virtunonde") which provides a sound alternative method - which I personally feel is rather applicable to your case.

You've got to get rid NOW of the stuff I#ve pointed out to you.

Sorry to step in again, but don't get rid of those BHOs only one of them is actually malware, the others are legit.

This is the one that is malicious an we'll remove it later.

For now though please do the following.

Please download Combofix.exe from here to your desktop. Double click it to run and and when prompted type 1 and enter. Now DO NOT touch the mouse or keyboard until the scan is done completely. It should finish shortly after it restarts the computer. After its done it will open up notepad, copy and paste the contents here in your next post.

Post the combofix log and a new hjt log in your next post.

0

Sorry to step in again, but don't get rid of those BHOs only one of them is actually malware, the others are legit.

.....

In the earlier post I did say that the entries need investigating and proposed the method. Anyway you're welcome to go through the ComboFix stuff with Freefall123. Btw, I like ComboFix because it provides date and time for the various entries which helps to pinpoint dormant files with the same time signature. Not many peole use this approach - if they did, there'd be a lot less toing and froing of posted logs as people sort themselves out.

0

In the earlier post I did say that the entries need investigating and proposed the method. Anyway you're welcome to go through the ComboFix stuff with Freefall123. Btw, I like ComboFix because it provides date and time for the various entries which helps to pinpoint dormant files with the same time signature. Not many peole use this approach - if they did, there'd be a lot less toing and froing of posted logs as people sort themselves out.

Yes its a very good program with dates it also has the nice added feature of running scripts to delete most files.

0

Err, theres a blank where you name the malicious entry

Sorry to step in again, but don't get rid of those BHOs only one of them is actually malware, the others are legit.

This is the one that is malicious an we'll remove it later.

For now though please do the following.

Please download Combofix.exe from here to your desktop. Double click it to run and and when prompted type 1 and enter. Now DO NOT touch the mouse or keyboard until the scan is done completely. It should finish shortly after it restarts the computer. After its done it will open up notepad, copy and paste the contents here in your next post.

Post the combofix log and a new hjt log in your next post.

0

Sorry bout that.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

Thats the malicious one, however still run the scan with combofix please. :)

0

ok ran combofix, heres log

Attachments
ComboFix 07-11-19.3 - Martin 2007-11-22 22:32:51.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.420 [GMT 0:00]
Running from: D:\desktop\ComboFix.exe
Command switches used :: D:\desktop\CFScript.txt
 * Created a new restore point

FILE
C:\Documents and Settings\Martin\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\qoobox
C:\qoobox\BackEnv\appdata.folder.dat
C:\qoobox\BackEnv\cache.folder.dat
C:\qoobox\BackEnv\desktop.folder.dat
C:\qoobox\BackEnv\favorites.folder.dat
C:\qoobox\BackEnv\local appdata.folder.dat
C:\qoobox\BackEnv\local settings.folder.dat
C:\qoobox\BackEnv\my pictures.folder.dat
C:\qoobox\BackEnv\personal.folder.dat
C:\qoobox\BackEnv\profiles.folder.dat
C:\qoobox\BackEnv\programs.folder.dat
C:\qoobox\BackEnv\setpath.bat
C:\qoobox\BackEnv\setpath.dat
C:\qoobox\BackEnv\start menu.folder.dat
C:\qoobox\BackEnv\startup.folder.dat
C:\qoobox\BackEnv\templates.folder.dat
C:\qoobox\CFScript_used_2007-11-22@22.32.txt
C:\qoobox\ComboFix-quarantined-files.txt
C:\qoobox\Hiv-backup\default
C:\qoobox\Hiv-backup\ERDNT.CON
C:\qoobox\Hiv-backup\ERDNT.EXE
C:\qoobox\Hiv-backup\ERDNT.INF
C:\qoobox\Hiv-backup\ERDNTDOS.LOC
C:\qoobox\Hiv-backup\ERDNTWIN.LOC
C:\qoobox\Hiv-backup\SAM
C:\qoobox\Hiv-backup\SECURITY
C:\qoobox\Hiv-backup\software
C:\qoobox\Hiv-backup\system
C:\qoobox\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
C:\qoobox\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
C:\qoobox\Hiv-backup\Users\[u]0[/u]0000003\ntuser.dat
C:\qoobox\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
C:\qoobox\Hiv-backup\Users\[u]0[/u]0000005\ntuser.dat
C:\qoobox\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
C:\qoobox\snapshot@2007-11-21_18.45.44.17.dat
C:\qoobox\snapshot@2007-11-21_18.45.44.17_B.dat
C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

.
(((((((((((((((((((((((((   Files Created from 2007-10-22 to 2007-11-22  )))))))))))))))))))))))))))))))
.

2007-11-21 18:25	<DIR>	d--------	C:\Program Files\CCleaner
2007-11-21 18:13	31,616	--a------	C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-21 18:13	21,504	--a------	C:\WINDOWS\system32\hidserv.dll
2007-11-18 22:15	<DIR>	d--------	C:\Documents and Settings\Martin\Application Data\Grisoft
2007-11-18 22:15	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-18 22:15	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-18 08:57	<DIR>	d--------	C:\Documents and Settings\Martin\Application Data\InstallShield
2007-11-18 08:57	163,840	--a------	C:\WINDOWS\system32\kemutb.dll
2007-11-18 08:57	135,168	--a------	C:\WINDOWS\system32\KemUtil.dll
2007-11-18 08:57	110,592	--a------	C:\WINDOWS\system32\KemWnd.dll
2007-11-18 08:57	69,632	--a------	C:\WINDOWS\system32\KemXML.dll
2007-11-18 07:59	<DIR>	d--------	C:\Documents and Settings\Martin\Application Data\Yahoo!
2007-11-16 19:59	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-11-16 19:56	<DIR>	d--------	C:\Program Files\Common Files\Scanner
2007-11-16 19:55	<DIR>	d--------	C:\Program Files\Yahoo!
2007-11-16 19:55	56,080	--a------	C:\WINDOWS\KHALMNPR.Exe
2007-11-15 21:38	<DIR>	d--------	C:\Documents and Settings\Martin\Application Data\Comodo
2007-11-15 21:38	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-15 21:35	<DIR>	d--------	C:\Program Files\Comodo
2007-11-15 21:26	11,001,120	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-15 21:26	153,704	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-15 21:26	85,024	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-15 21:26	82,061	--a------	C:\WINDOWS\system32\drivers\klick.dat
2007-11-15 21:26	81,549	--a------	C:\WINDOWS\system32\drivers\klin.dat
2007-11-15 21:26	12,548	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-15 21:00	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-15 20:18	<DIR>	d--------	C:\Program Files\Kaspersky Lab
2007-11-15 19:28	<DIR>	d--------	C:\Program Files\Kaspersky Lab(2)
2007-11-10 23:18	<DIR>	d--------	C:\Documents and Settings\Martin\Application Data\Corel
2007-11-10 23:18	952	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-10 23:17	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Corel
2007-11-10 23:13	<DIR>	d--------	C:\Program Files\Common Files\Corel
2007-11-10 18:43	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2007-11-10 18:43	5,387	--a------	C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-04 12:32	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-04 12:27	<DIR>	d--------	C:\Program Files\Common Files\Macrovision Shared
2007-11-04 12:23	129,784	---------	C:\WINDOWS\system32\pxafs.dll
2007-11-04 12:23	9,464	---------	C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-04 12:23	9,336	---------	C:\WINDOWS\system32\drivers\cdr4_xp.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 22:27	---------	d-----w	C:\Documents and Settings\Martin\Application Data\Azureus
2007-11-22 09:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 22:06	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 18:56	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 14:10	---------	d-----w	C:\Documents and Settings\Martin\Application Data\Vso
2007-11-18 08:57	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-18 08:57	---------	d-----w	C:\Program Files\Common Files\Logitech
2007-11-16 17:25	---------	d-----w	C:\Documents and Settings\Martin\Application Data\uTorrent
2007-11-10 18:43	---------	d-----w	C:\Program Files\Java
2007-11-04 12:27	---------	d-----w	C:\Program Files\Common Files\Adobe
2007-10-04 15:49	---------	d-----w	C:\Program Files\Common Files\ParallelGraphics
2007-09-30 15:00	---------	d-----w	C:\Program Files\uTorrent
2007-09-27 17:37	---------	d-----w	C:\Documents and Settings\Martin\Application Data\Media Player Classic
2007-09-25 18:55	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2007-09-24 19:33	---------	d-----w	C:\Documents and Settings\Martin\Application Data\MPEG Streamclip
2007-09-24 19:32	---------	d-----w	C:\Program Files\QuickTime Alternative
2007-09-24 19:32	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-23 11:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\The Learning Company
2007-09-20 20:44	98,304	----a-w	C:\WINDOWS\system32CmdLineExt.dll
2007-08-30 06:33	118,520	------w	C:\WINDOWS\system32\pxinsi64.exe
2007-08-30 06:33	118,056	------w	C:\WINDOWS\system32\pxcpyi64.exe
2007-07-31 20:36	47,360	----a-w	C:\Documents and Settings\Martin\Application Data\pcouffin.sys
2003-04-16 07:38	447,488	----a-w	C:\WINDOWS\inf\EL2K_N64.sys
2003-04-16 07:37	147,200	----a-w	C:\WINDOWS\inf\EL2K_XP.sys
2003-04-16 07:37	147,200	----a-w	C:\WINDOWS\inf\EL2K_2K.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCASUTIEXE"="TCAUDIAG.exe" [2003-02-12 09:55 C:\WINDOWS\system32\TCAUDIAG.EXE]
"CTSysVol"="e:\Program Files\Creative\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 C:\WINDOWS\system32\CTHELPER.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-06-29 00:09]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 20:12]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 20:17]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 20:13]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-15 21:35]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56]
"SSS6_Suite"="E:\Program Files\Steganos Security Suite 6\sss.exe" [2004-01-29 18:46]
"SSS6_SAFE"="E:\Program Files\Steganos Security Suite 6\safe.exe" [2004-02-02 18:43]
"SSS6_SPM"="E:\Program Files\Steganos Security Suite 6\spm.exe" [2004-01-29 18:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-06-29 00:09:28]
Down2Home.lnk - E:\Program Files\Down2Home\Down2Home.exe [2003-03-11 22:26:22]
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [2007-08-16 11:15:07]
Logitech SetPoint.lnk - E:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-18 08:57:31]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2007-08-16 11:04:28]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= E:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
C:\WINDOWS\system32\klogon.dll 2007-06-28 12:51 206088 C:\WINDOWS\system32\klogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\soft
0

Well unfortunetly I couldn't find anything malicious in the combofix log or the hjt log except for that one BHO which you can remove anytime.

This happened on my computer once or twice and this is what I found out.

Usually when this occurs wmiprvse.exe or something similar appeared in task manager. It is a valid process but it seems to cause that problem. So next time it starts happening check if wmiprvse.exe is running in the processes tab of task manager, and if it is end it. This solved my problem...I don't think it was malicious.

0

Just thought I would post an update. All of the problems with mouse and keyboard where not due to a trojan it was Kaspersky antivirus 7! removed this and all of the problems went.

Thanks for all of the help, its still nice to know my PC is clean.

0

Hi Freefall123.

If I understood your report correctly, the Kaspersky AV7 system itself was the cause of your problem with the mouse button and keyboard.

Now, that would worry a lot of people! Is there any further detail you could provide on this? For example, did you uninstall and re-install Kaspersky and then suffer the same effect after it was reinstalled?

It would be very serious if there was a built-in instability with Kaspersky.

Thanks if you take the trouble to elucidate further.

1

Yes, I had Kaspersky AV6 and it ran no problem for a year, I tried to Install version 7 and it clashed with Zone Alarm. Uninstalled zone alarm, still wouldnt install until I ran a removal tool from Kaspersky. It then installed and seemed fine - then I had all of the problems above , not thinking it was kaspersky. In the end I used Acronis to install an image taken a month previously of my drive c ( first uninstalling version 7). No problems. Re-install 7 says its not compatible with Comodo firewall either ( thats 2 free firewalls it doesnt like), problems come back. Uninstall 7 , problems go away. Now using Comodo and AVG, with no problems.

Votes + Comments
Seems to know what he's doing.
0

Very clearly explained thanks.

I'd have thought that Kaspersky was compatible with Windows Firewall. I have Kaspersky 7 with Windows Firewall on my Quaddie and no problems.

Anyway - you're back in business. Great.
Anyway, AVG is a trusted solution

0

I am experiencing the same problem (left mouse button and keyboard behaving erratically) but I am not computer savy. Can anyone give me instructions on how to fix it? Thanks!

0

blondie10, this thread is over three years old. You will receive NO answers in this one. You must begin your own thread, stating ALL of your problems, giving all important information about your system and stating all the steps you have taken to solve it. Somebody will be happy to assist.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.