TechSpot

Malware that randomly opens documents and disables mouse buttons

By Astronerd
Apr 29, 2010
  1. The symptoms are:
    Randomly opening documents and programs (like RealAudio/Video)
    Disabling the mouse buttons so nothing can be clicked

    I've updated Adobe Reader and Java but when the machine is trying to update Windows, the three updates fail over and over. One was a Windows Security Update and the other two are Office Security Updates.
    This machine runs McAfee Security Center.

    All of the 8 Step tasks have been run (had to run GMER a third time because I missed saving the log).
    The files are attached.

    Thanks,
    The Astronerd
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have a full dose of MyWebSearch! But the symptoms you describe are unusual for malware. What is displaying in these windows that open? Is there a video running? Are there ads showing?

    Can you define the mouse problem, please? Does the screen freeze? Can you move the cursor around, but when you click on something, nothing happens? Is this the right and left mouse buttons as well as the scroll wheel? Have you checked out the pointer device driver in the Device Manager?

    I'm going to check the rest of the logs. While I do, please run the following:

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe and follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please leave the logs from both in your next reply.
     
  3. Astronerd

    Astronerd TS Rookie Topic Starter Posts: 64

    When the RealPlayer pops up, no video or audio is running.
    The other documents that pop up are random... an .xls or a .doc
    The mouse problem happened after a few minutes. Neither mouse button worked afterward. You could still move the cursor (after the MalwareBytes cleanup, this hasn't re-occurred).
    When the mouse buttons quit working, the only way to shut down was to hold the case switch down for 6 seconds.
    This machine is used for the Peraus Design Landscape Company Billing. I would like to keep from re-formatting if possible.

    The two files you requested are attached.

    Thanks,
    The Astronerd
     


  4. Astronerd

    Astronerd TS Rookie Topic Starter Posts: 64

    It also looks as if the same three Windows Updates are failing to complete.

    Thanks,
    The Astronerd
     
  5. Astronerd

    Astronerd TS Rookie Topic Starter Posts: 64

    Upon further investigation, I've found that the copy of Microsoft Office on this machine is not valid. Would that cause ALL updates to fail?

    Thanks,
    The Astronerd
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Custom CFScript


    [1]. Close any open browsers.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\docume~1\Family\LOCALS~1\Temp\J8DLjMK
    c:\docume~1\Family\LOCALS~1\Temp\1q8xgUo0 
    c:\docume~1\Family\LOCALS~1\Temp\YN4o03
    C:\WINDOWS\CouponBarIE.dll
    
    Folder::
    Registry::
    
    Driver::
    3158bta6
    5069b3w6
    c4wdb4af
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    =====================
    Please download HijackThis from here.
    • Save it to a permanent folder (such as C:\HJT).
    • Next, open HijackThis, and select Do a system scan and save a logfile.
    • A Notepad document will open. Please post the log.
    =============================
    By the way, when I ask you to leave a log, please include all the contents of the log. Example: in Eset log, you just copied the one malware entry.

    Questions:
    1. Are you currently running both an HP and a Lexmark printer? If not, which one are you now using? You have processes running from an HP printer installed in 2002, but you also have a Lexmark printer installed in 2007.
    2. Microsoft Baseline Security Analyzer (MBSA) with a date of 2010-04-29 is running. This is usually for IT in an enterprise setting. Did you know that?
    3. There is a folder c:\documents and settings\Family\SecurityScans. What is this? The date is the same as the MBSA.

    Thanks for your patience. I've been away from the computer most of the last couple of days.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Do you mean would it cause both the Windows updates AND the Office update to fail? Possibly, I don't know. When Windows runs the WGA tool, I guess it would be up against what it finds.
     
  8. Astronerd

    Astronerd TS Rookie Topic Starter Posts: 64

    Here are the logs you requested. The MBSA will be deleted shortly. The HP printer has been deleted.

    The invalid copy of Office 2007 will shortly be deleted. Maybe that will allow the Windows Update to complete successfully? I don't know.
     


  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Here are some left-overs from HP:

    Please reopen HijackThis to 'do system scan only'. Check each of the following entries if present:

    C:\WINDOWS\system32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?ptnrS=ZKxdm021YYUS&ptb=ebER3YJD8hAfVDuOj3NI5Q&n=77c0c73c
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe


    Close all Windows except for Hijackthis and click on "Fix Checked."
    ==========================
    Please open Notepad and copy the following text into a new file:

    Code:
    REM The service name contains spaces, so it must be quoted or sc.exe reads "Pml" as the name.
    sc config "Pml Driver HPH11" start= disabled
    sc stop "Pml Driver HPH11"
    sc delete "Pml Driver HPH11"
    
    • Save the file to the desktop as remove.bat. Make sure the "Save as type" field says "All files".
    • Double-click on remove.bat to run it.
    • A DOS box will open and close, that is normal.
    • If any errors are encountered, please post them.
    • When done you can delete the remove.bat file.
    =======================
    How is the system running now?
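As an added example (not from this thread, and not part of HijackThis itself), a small Python triage pass over HijackThis log lines that flags the three kinds of entry singled out in the post above: a start page on a known adware domain, a BHO registered with no file behind it, and autorun/service entries left over from uninstalled software. The sample lines are those quoted in the thread plus one constructed benign entry; the adware domain list and the leftover-marker list are assumptions an analyst would supply.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in the thread, plus one
# benign O4 entry (constructed) so that not every line is flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?ptnrS=ZKxdm021YYUS&ptb=ebER3YJD8hAfVDuOj3NI5Q&n=77c0c73c
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Example Updater] "C:\Program Files\Example\updater.exe"
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(text):
    """Return (section, body) pairs for the entry lines of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def triage(text, adware_domains=("mywebsearch.com",),
           leftover_markers=("hewlett-packard", "hph", "hpdj", "hpwu")):
    """Flag the three entry types discussed in the thread. adware_domains are hosts that mark
    a start-page hijack; leftover_markers are case-insensitive fragments (vendor folder,
    file-name prefixes) of software already uninstalled. Both lists are analyst-supplied."""
    findings = []
    for section, body in parse_hjt(text):
        lower = body.lower()
        if section.startswith("R") and "=" in body:
            # R0/R1 entries read "registry value = URL"; compare the URL host with the adware list.
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if any(host == d or host.endswith("." + d) for d in adware_domains):
                findings.append((section, "start page set to adware domain " + host, body))
        elif section == "O2" and "(no file)" in lower:
            # BHO still registered although its DLL is gone: an orphaned hook.
            findings.append((section, "BHO registered with no backing file", body))
        elif section in ("O4", "O23") and any(mk in lower for mk in leftover_markers):
            # Autorun entry or service left behind by software the user removed.
            findings.append((section, "leftover from uninstalled software", body))
    return findings
```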
     
Topic Status:
Not open for further replies.

