Hello folks, My mouse has been behaving erratically ever since I had a trojan infection (identified by Malwarebytes' Anti-Malware (henceforth: MAM) as: Trojan.Delf and Trojan Ransom.Gen) a few days ago. Seemingly, the trojan has been successfully vanquished by MAM, as in there are no traces left and the computer works normally again. However, my mouse has gone crazy: at random intervals, it seems that my clicks get "stuck" and get repeated in a quick succession for a short duration, messing up anything I do at the given time. I have noticed this strange behaviour both in Windows Explorer, when handling files, as well as when playing Skyrim. At first I though it was a bug with the game only (even though it never occured previously), but when I noticed the same thing several times in Windows Explorer too, I thought that something was fishy. I have run scans with MAM, avast and even Trend Micro's House Call - all of them updated to the current version -, yet the strange behaviour persists. Also, my HJT log seems suspicious to me: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:45:12, on 2012.10.22. Platform: Windows XP Szervizcsomag 3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AVAST Software\Avast\AvastSvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\AVAST Software\Avast\avastUI.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe C:\Program Files\Vodafone\Vodafone Mobile Connect\Optimization Client\bmctl.exe C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Documents and Settings\Tomi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Program Files\totalcmd\TOTALCMD.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\MICROS~1\Office14\URLREDIR.DLL O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'HELYI SZOLGÁLTATÁS') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'HÁLÓZATI SZOLGÁLTATÁS') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1311799177468 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1311863800718 O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: SolidConverterPDFv4ReadSpool (SCPDFV4ReadSpool) - Solid Documents, LLC - C:\WINDOWS\Installer\MSIC.tmp O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- End of file - 6108 bytes I normally use Google Chrome for browsing the web. Looking forward to your helpful reply and if you need any more info, please let me know. Thank you.
i would run hjt again and check fix on the following. O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe also review your mouse settings.download,update and run superantispyware and delete anything it comes up with.then post a new hjt log and let us know if anything changed.
Hi aldan, thanks for your quick reaction. Punkbuster is a legit service, but since I'm not using it any more, I'll just uninstall it. I've reviewed my mouse settings (via Control Panel) and nothing seems to have been altered. The mouse I'm using is a pretty basic model, a Genius NetScroll+ Eye. I've had it for years now and have had no problems so far. Downloading Super Antispyware at the moment, and will get back to you soon. In the meantime, can you please tell me about these 2 entries in hjt? I thought they were malicious items: O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\MICROS~1\Office14\URLREDIR.DLL O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL Edit: JFYI, here's the SAS log (mius the adware cookies which I'm removing anyway): SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 10/22/2012 at 09:58 AM Application Version : 5.6.1012 Core Rules Database Version : 9446 Trace Rules Database Version: 7258 Scan type : Quick Scan Total Scan Time : 00:02:41 Operating System Information Windows XP Professional 32-bit, Szervizcsomag 3 (Build 5.01.2600) Administrator Memory items scanned : 513 Memory threats detected : 0 Registry items scanned : 31785 Registry threats detected : 9 File items scanned : 6537 File threats detected : 234 Disabled.SecurityCenterOption HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#UPDATESDISABLENOTIFY Security.HiJack[ImageFileExecutionOptions] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AMCAP.EXE HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AMCAP.EXE#Debugger HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JAVAWS.EXE HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JAVAWS.EXE#Debugger HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PRESENTATIONHOST.EXE HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PRESENTATIONHOST.EXE#Debugger HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SKYPE.EXE HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SKYPE.EXE#Debugger I have Update notifications turned off deliberately because I'm on mobile Internet, which is unreliable in terms of downloads. So I've just set it to ignore and cleaned the rest.
Here's the fresh hjt log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:13:06, on 2012.10.22. Platform: Windows XP Szervizcsomag 3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AVAST Software\Avast\AvastSvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\SUPERAntiSpyware\SASCORE.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\AVAST Software\Avast\avastUI.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Documents and Settings\Tomi\Application Data\U3\0000183FA770B1E0\LaunchPad.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\MICROS~1\Office14\URLREDIR.DLL O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'HELYI SZOLGÁLTATÁS') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'HÁLÓZATI SZOLGÁLTATÁS') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1311799177468 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1311863800718 O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SolidConverterPDFv4ReadSpool (SCPDFV4ReadSpool) - Solid Documents, LLC - C:\WINDOWS\Installer\MSIC.tmp O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- End of file - 5446 bytes I'll have to wait and see if my mouse problem persists as it doesn't happen periodically but rather, randomly, so I can't reproduce it. Will definitely get back to you later today. Thank you for your kind assistance!
sorry,i missed the redirect bho.while it is low risk and probably not your problem i would get rid of it anyway.thats a lot of crap that sas picked up.depending on system specs that can cause some erratic behaviour.after you run malwarebytes let us know how things are running.
Yeah, the BHO is not it. I've run yet another scan with both MAM and SAS, but nothing came up. I'm starting to think this might be a hardware problem, i.e. the mouse has been worn out. I've had it for like 5-6 years now. While playing Skyrim this afternoon, I noticed that the left click seems to get stuck. Also, I had to press the left mouse button real hard to get any effect. I'll disassemble the mouse, clean it out thoroughly and see whether it helps.
Sounds like both of the microswitches are worn out on the left and right buttons.I would just buy another mouse.They don't cost much.
yeah your hjt looks clean to me.ive had my old lg keyboard and wireless mouse for almost 7 years now.the keyboard has had 2 beers spilt on it and some of the letters are worn off.it just keeps on going.good thing i touch type tho.lol.
Thanks a lot for your help, folks, especially aldan. Yeah, my system seems clean now. I deleted the old restore points this morning, so there's nowhere to roll back to. I''ll see what I can do about the mouse tomorrow, but if it still fails to work properly after a thorough cleaning, I'll simply replace it. By the way, my 20-year-old keyboard also needs replacing, lol.
laputomi: Just for S&G (sh**s & Grins) try re-seating your memory sticks. I have found that a bad connection on a memory stick can drive a mouse nutso.... 2oG
Hey guys, just some feedback: for several days now, my mouse has been working perfectly again. Whether it's due to the malware cleaning, the manual, mechanical cleaning of the mouse, or both -- I know not. But I'm happy with the result. Thanks to all of you for your help and input!
