mal-the-falconer Posted January 19, 2012
Hi. To start, I am new to this site so please bear with me!! I am running a PC on "Windows XP Pro". The other day my mouse started to play up after I had booted the PC up! Halfway through the booting the mouse shot to the 'top middle' of the screen and started bouncing around. I cannot take control of the mouse, it seems to have a mind of its own! I have tried booting up in "Safe Mode" and the mouse works perfectly well! I have checked the settings in the Control Panel and tried resetting the drivers. I have also tried changing the mouse 3 times (I now have a USB mouse attached) but the problem continues each time I boot up in 'Normal' mode. I have run a virus check using Norton 360 Gold but that has not resolved the problem, although it did find and fix some high-rated viruses (must add I am not on the PC now!!). Can anyone help please, as I can't use that PC while it is like this and there is information on there that I need urgently!!
KenB Posted January 19, 2012
Hi again. Go to Device Manager: Start > Run ....type in .....devmgmt.msc .....ENTER
Click the + next to "Mice & Other Pointing Devices"
1. What is listed?
2. Are there any yellow exclamation marks or red Xs ?
There is an email going around offering processed pork - gelatin - and salt in a can ......this is simply SPAM !!
MiniToolBox | Network Test | Wireless Test
mal-the-falconer (Author) Posted January 19, 2012 (edited)
Can only access this in 'Safe Mode' as this is the only place where I can use the mouse, and there are no exclamation marks or red Xs. Thanks for this, it proves I was doing the right thing, cos I had already done this before lol!!
KenB Posted January 20, 2012
You never said what was listed ?? Go back to Device Manager > click the + next to "Mice & Other ...." > right click on the mouse that is listed > uninstall. Reboot the computer. Windows should detect new hardware and re-install the drivers for your mouse.
===============
Is it PS2 or USB ?
mal-the-falconer (Author) Posted January 20, 2012
I have tried both and the same thing happens each time I boot up in "Normal Mode". It works great till I get past the account page and then, halfway through the rest of the boot sequence, the mouse shoots to the top of the screen and bounces around erratically and I have no control over it!! I have carried out your instructions in 'Safe Mode' where the mouse works perfectly!! I have tried your instructions 3 times and each time I have booted the PC up in normal mode, but the same thing happens. It has totally stumped me!! I don't really want to format my PC but am beginning to think that is my only option!! Someone has suggested that it could be a shortage of 'RAM' that is causing the problem. Is this true, as I have never heard of that before!
KenB Posted January 21, 2012
"Is it PS2 or USB ?" You didn't answer this. PS2 is a round connection. Whichever one you have - can you borrow the other type to see if you get the same problem?
"Someone has suggested that it could be a shortage of 'Ram'" I have not come across this before. It is highly unlikely - and it wouldn't cause the erratic behaviour.
Is this an optical mouse? If it is - it could be due to dying batteries or using it on a reflective surface.
Malware can cause this condition. Download MBAM from here - click on Products > you want the free version click here. You will be re-directed to a mirror site - this is to stop malware blocking the download. Install > Update > Run it. It will produce a log in Notepad. Copy the complete log and post it here. If it finds anything one of our security experts will advise further.
mal-the-falconer (Author) Posted January 21, 2012
Since this problem started I have switched and swapped the mouse with an SP2 with a wheel, without a wheel, changed it for a USB and used an 'optical mouse' (if you mean a light type), each time getting the same result. I am going to try and video what is happening on my mobile phone. If you send me your email address I will send you the result so you can see for yourself. It might give you some idea of what is causing it. I can't think of anything else to do short of formatting my PC and I don't really want to do that just yet!
RandyL Posted January 22, 2012
As KenB said above, run MBAM. Since everything works OK in safemode this does point to malware or software. I've seen mouse software cause this. Sometimes they come with a driver suite which includes additional software. Setpoint comes to mind. If you uninstall the software then Windows will run it off the generic drivers, which work just fine.
We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs. Get help with computer problems. Join Free PC Help here. Donations are welcome. Read Here
mal-the-falconer (Author) Posted January 22, 2012 (edited)
Thanks RandyL. To bring you up to date, I am running the mouse on the 'Windows generic software' now! They are all standard mouse hardware that I have tried and been using prior to this happening, and none of them came with any software. But thanks for the suggestion, any help is welcome!! I am getting desperate now as I have to register my Baby Barns and I can't access the forms, which is one reason I don't want to format the PC. As a point, as soon as I get this sorted and sell my Baby Barns I can register a donation to the site too!! (so we all win lol)
KenB Posted January 22, 2012
"I am getting desperate now" We have suggested twice that you download MBAM and check for malware.
mal-the-falconer (Author) Posted January 23, 2012 (edited)
I can't access the internet on the PC with the problem on it, so I can't get the programme you have advised I go for! Any other suggestions?
KenB Posted January 23, 2012
Switch on > constantly tap F8 about once per second > from the list of options select "Safemode with Networking". You should have internet access now.
Failing that: Download MBAM to a memory stick ( pendrive ) > install on the problem computer > run the scan > copy the log and save it to the pendrive > open Notepad on the second computer and open the saved log > copy it and paste it here.
mal-the-falconer (Author) Posted January 23, 2012
Hi Ken. Just an update!! Have now (after following your instructions) downloaded MBAM and am running the scan. Will let you know if it resolves the problem!! Fingers and toes crossed!! lol
KenB Posted January 23, 2012
Post the results here. If it shows anything at all I will ask one of our security experts to take a look and advise further.
mal-the-falconer (Author) Posted January 25, 2012
Hi Ken. Here is the report from the very first scan I did after finally getting the program onto the PC (thanks again to your help). Hope this helps!!
KenB Posted January 25, 2012
You have had quite a lot of malware on there by the look of it. I will ask our security experts to take a look - and advise further.
Starbuck Posted January 25, 2012
Hi mal,
C:\RECYCLER\S-1-5-21************085031214-725345543-500\aliases.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-606747145********-500\control.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-*********-725345543-500\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-**********-725345543-500\fullname.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
It is known that these trojans can communicate with remote computers, download and run code, send emails, steal your personal data and redirect browser requests. Unfortunately we cannot be sure about what they have done. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. For more information read ....Here
If you choose to format and reinstall read...... Here
Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again. Let me know if you decide to continue with trying to clean this system.
Member of: UNITE
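A small triage script for a text log in the line format quoted above (an added example, not part of the thread and not Malwarebytes code): it groups detections by name, lists entries left at "No action taken", flags names whose class suggests credentials may be exposed, and checks each section's declared count against the entries actually present. The sample log is constructed, and the HIGH_RISK token set is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample in the line shape shown in this thread:
#   <object> (<Detection.Name>) -> <action>.
SAMPLE_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 2
HKLM\SOFTWARE\ExampleVendor (Refog.Keylogger) -> Quarantined and deleted successfully.
HKCR\ExampleInstaller.Start (PUP.FunWebProducts) -> No action taken.
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ExampleApp (Adware.PremierOpinion) -> Data: c:\example\app.exe -boot -> Quarantined and deleted successfully.
Files Detected: 4
C:\RECYCLER\S-1-5-21-EXAMPLE-500\example.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-EXAMPLE-500\svchost.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Example\tool.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# Greedy <object> lets paths that contain parentheses parse correctly.
ENTRY = re.compile(r"^(?P<obj>.+) \((?P<name>[\w.\-]+)\) -> (?P<rest>.+)$")
SECTION = re.compile(r"^(?P<title>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Assumption of this example: name tokens treated as "credentials may be exposed".
HIGH_RISK = {"Backdoor", "Keylogger", "Worm", "Trojan", "Rootkit"}


def parse_log(text):
    """Return (entries, declared) where declared maps section -> stated count."""
    entries, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m["title"]
            declared[section] = int(m["count"])
            continue
        m = ENTRY.match(line)
        if m and section:
            # Registry value lines carry "Data: ... -> <action>"; keep the last part.
            action = m["rest"].split(" -> ")[-1].rstrip(".")
            entries.append({"section": section, "object": m["obj"],
                            "name": m["name"], "action": action})
    return entries, declared


def triage(text):
    entries, declared = parse_log(text)
    seen = Counter(e["section"] for e in entries)
    return {
        "by_name": Counter(e["name"] for e in entries),
        # Items the scan found but did not remove still need attention.
        "unremediated": [e["object"] for e in entries
                         if e["action"] == "No action taken"],
        "high_risk": sorted({e["name"] for e in entries
                             if HIGH_RISK & set(e["name"].split("."))}),
        # A declared/seen mismatch means the pasted log is truncated or edited.
        "count_mismatch": {s: (n, seen[s]) for s, n in declared.items()
                           if seen[s] != n},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```

A non-empty `high_risk` list corresponds to the situation described in the post above, where passwords should be changed from a known clean computer whatever the cleanup result.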
mal-the-falconer (Author) Posted January 26, 2012
For once I have some GOOD news!!!! I have run the MBAM and run it and run it, as I said in my last post, but not realising it, although I thought that nothing was happening after the initial find, it must have been sorting something as I now have the mouse. So I have started to run the MBAM in Normal Mode and will run it a number of times. But it seems, THANKS TO ALL YOUR HELP!!!!, I am starting to get somewhere! Will keep you informed of my progress. Thanks again for all your help!!
KenB Posted January 26, 2012
"run the MBAM in the Normal Mode and will run it a number of times" Post this log. There is no benefit in running MBAM multiple times.
Starbuck has given you advice - which you seem to have missed. You have a serious threat on your system. Please reply and acknowledge Starbuck's post.
mal-the-falconer (Author) Posted January 30, 2012
Hi again, sorry for not getting back sooner. I have had a lot on with sorting my birds. I have 2 baby Barns which have taken up most of my time this weekend! I have taken on board what 'Starbuck' has said but am reluctant to format my PC as I have lost a lot of my product keys over the years (not very organised) and don't know how to retrieve them before I do the , although it is running very slow! I do have another problem though, which concerns both my laptop (this one I am on now) and my PC, that is that I can't access IPCONFIG in the 'Run' window, it just flashes on the screen for a second then disappears. This problem has been around for quite some time, just never bothered me before!
Starbuck Posted January 30, 2012
Hi mal. I'll move this thread to the Malware Removal forum.
"but am reluctant to 'Format My PC as I have lost a lot of my Product keys over the years" OK, so let's try and clean up what we can see.
"I can't access IPCONFIG in the 'Run window it just flashes on the screen for a second then disappears," This may or may not be related to the malware on your system.
Continue these steps on the system that you originally mentioned at the start of the thread (the one that the MBAM scan came from).

Step 1
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. This is easier with Internet Explorer.
Link 1 Link 2
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
This is an example, you may rename ComboFix to anything you want.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Then: Double click on Combo-Fix.exe & follow the prompts. Vista/Win7 users should right click on the icon and select Run as Administrator.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. If running Vista/Win7, you will not see the recovery console screens as they are Win XP related.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v708/starbuck50/cf1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 2
Download OTL to your desktop. Right click on the link and select 'Save Link/Target As'. If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/Otllatest.png
Now copy the lines in bold below.
netsvcs
msconfig
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\*
%USERPROFILE%\..|smtmp;true;true;true /FP
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit: Combofix.txt and both reports from OTL.
Thanks.
RandyL Posted January 30, 2012
"I can't access IPCONFIG in the 'Run window it just flashes on the screen for a second then disappears" I think you need to run it from the command prompt, not the Run box.
Starbuck Posted January 31, 2012
RandyL is right.... ipconfig is a command line utility. I should have spotted that. :(