Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

My CPU is sick, help!


  • This topic is locked This topic is locked
26 replies to this topic

#1 bartodp

bartodp

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 03 March 2006 - 05:10 PM

My computer started to have a problem with the cursor, (mouse). It acts on it's own and performs operations by itself. I went ahead and system restored it with the cd that came with my HP. It was suppose to format the hard drive and reinstall Window Me and the rest of my computer programs, however I still have the same problem! Went and downloaded, (Spybot v1.4, Adware SE, and Panda Active scan), as mentioned in a post I read. Ran those programs and got rid of whatever it picked up. Still the same problems though. So got HiJack This and am posting it's results for your help. Thank You!


ActiveScan
Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\hp authorized customer@atdmt[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Cookies\hp authorized customer@realmedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\hp authorized customer@com[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\hp authorized customer@doubleclick[1].txt
Adware:Adware/WindowEnhancer Not disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Potentially unwanted tool:Application/KillApp.C Not disinfected C:\HP\bin\KillWind.exe
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\HP\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\HP\bin\KillIt.exe
Hacktool:HackTool/ProcLog.A Not disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Reboot.F Not disinfected C:\HP\bin\Rebooter.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\HP\bin\Terminator.exe
Potentially unwanted tool:Application/KillApp.C

-----------------------------------------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 5:03:23 PM, on 3/3/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 08 March 2006 - 04:51 PM

Hello bartodp, welcome to the forum.

You don't have a Anti-Virus program.

Click the link and Save, Install, Update and run a full scan.
http://free.grisoft....ree_375a691.exe

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 bartodp

bartodp

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 13 March 2006 - 10:44 AM

Thank you LDTate for your interest in my problem. I did as you said and installed AVG, which is running right now, however it did not detect anything wrong. As for the cpu behavior, it seems like the same however it seems to get worse as time goes on, on the cpu. Again thanks for the help, and I will be waiting for your response.


Logfile of HijackThis v1.99.1
Scan saved at 10:33:56 AM, on 3/13/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomcoyote.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 March 2006 - 04:16 PM

Add/Remove Programs and if there is a program called Backweb remove it.

Let me know.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 bartodp

bartodp

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 14 March 2006 - 01:16 PM

There was a program called BackWeb so I remove it, as you said. Still behaving the same though.

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 March 2006 - 04:27 PM

1. Please download Stinger and save it to your desktop


2. When prompted, choose to save the file to a convenient location on your hard disk (such as your Desktop folder).

Posted Image


3. When the download is complete, navigate to the folder that contains the downloaded Stinger file, and run it.

4. The Stinger interface will be displayed.

Posted Image

5. If necessary, click the Add or Browse button to add additional drives/directories to scan. By default the C: drive will be scanned.
Click the Scan Now button to begin scanning the specified drives/directories.
By default Stinger will repair all infected files found.

6. Click the File menu and select Save report to file

7. Post the log file results here in this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 bartodp

bartodp

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 14 March 2006 - 06:13 PM

Ok, did as I was told and this is what the stinger program had to say. McAfee AVERT Stinger Version 2.5.9 built on Feb 2 2006 Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved. Virus data file v1000 created on Feb 2 2006. Ready to scan for 55 viruses, trojans and variants. Scan initiated on Tue Mar 14 17:58:54 2006 Number of clean files: 45372

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 March 2006 - 06:28 PM

Delete these files if listed:
C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
C:\HP\bin\KillWind.exe
C:\HP\bin\FondleWindow.exe
C:\HP\bin\KillIt.exe
C:\HP\bin\ProcessLogger.exe
C:\HP\bin\Rebooter.exe
C:\HP\bin\Terminator.exe

Empty Recycle Bin

Reboot, "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 bartodp

bartodp

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 14 March 2006 - 10:50 PM

Okay, deleted all seven of those files, that happen to be in those folders and emptied the trash bin & rebooted. Once I rebooted the cpu a screen box said that it detected new hardware and had a folder with paper transfering. Once windows opened up I couldn't use my mouse, so I rebooted again. After which I could use my mouse again however know it won't double-click, but yet bring down a dropbox as if I right-clicked, even though I didn't. Anyways, I wasn't sure if you wanted me to do a stinger scan again and report that of do a hijackthis report so I did both and here are the results. Oh, and also my mouse is still acting the same as going to different places on the screen on it's own. Again, Thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 10:37:45 PM, on 3/14/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomcoyote.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab


McAfee AVERT Stinger Version 2.5.9 built on Feb 2 2006

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Feb 2 2006.

Ready to scan for 55 viruses, trojans and variants.



Scan initiated on Tue Mar 14 22:28:49 2006

Number of clean files: 45973

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 15 March 2006 - 04:07 PM

By chance do you have another mouse to try? Is the mouse wireless? If so, change the batteries.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove


#11 bartodp

bartodp

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 15 March 2006 - 05:29 PM

It's not wireless and I have checked the connection tons of times. Although I do have another wired mouse at work that I can bring home and try out on the cpu. However with the way the cpu is behaving since this virus took place, I seriously doubt its the mouse. Let me know what else if anything I can do. Thanks.

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 15 March 2006 - 05:32 PM

Blacklight

Download Blacklight Beta from here:
http://www.f-secure....light/try.shtml
  • Hit I accept. It will take you to download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items...don't do anything with them yet. Just hit exit (close)
  • It will drop a log on Desktop that starts with fsbl....big number
Please post contents of log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#13 bartodp

bartodp

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 16 March 2006 - 10:36 AM

Tried to download the Blacklight program from the website provided, however an Error Starting Program window pops up stating that "A required .DLL file, USERENV.DLL, was not found." Tried to re-download, but same error message appeared. Sorry.

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 16 March 2006 - 04:16 PM

Lets try this one then.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#15 bartodp

bartodp

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 18 March 2006 - 11:18 AM

Well with this program, we I went to run it in safe mode, it said that it was an unsupported or mismatch OS version and that it only works on windows 2000 and XP, I think. Anyways it wouldn't run on Me.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users