
Thread: suspected malware/spyware mouse hangs regularly, cpu @100% when it happens.

  1. #11
    Junior Member (Dublin Ireland, joined Jun 2009, 16 posts)

    mbam log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4580

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/9/2010 12:17:15 PM
    mbam-log-2010-09-09 (12-17-15).txt

    Scan type: Quick scan
    Objects scanned: 139344
    Time elapsed: 16 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  2. #12
    Emeritus-Security Expert (Florida's SpaceCoast, joined Nov 2005, 15,208 posts)

    Hi,

    You need to enable Windows to show all files and folders, instructions Here

    Go to VirusTotal and submit this file for analysis. Just use the browse feature and then Send File; you will get a report back. Post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.

    c:\windows\system32\drivers\cyyw.sys
    c:\windows\system32\drivers\SjyPkt.sys

    If the site is busy you can try this one

    http://virusscan.jotti.org/en
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #13
    Junior Member (Dublin Ireland, joined Jun 2009, 16 posts)

    VirusTotal report, c:\windows\system32\drivers\SjyPkt.sys

    I could not find c:\windows\system32\drivers\cyyw.sys

    This is the report for c:\windows\system32\drivers\SjyPkt.sys
    Is this what you wanted?

    SjyPkt.sys
    Submission date:
    2010-09-09 16:14:00 (UTC)
    Current status: finished
    Result: 0/43 (0.0%)

    VT Community

    goodware
    Safety score: 100.0%
    Antivirus Version Last Update Result
    AhnLab-V3 2010.09.09.01 2010.09.09 -
    AntiVir 8.2.4.50 2010.09.09 -
    Antiy-AVL 2.0.3.7 2010.09.09 -
    Authentium 5.2.0.5 2010.09.09 -
    Avast 4.8.1351.0 2010.09.09 -
    Avast5 5.0.594.0 2010.09.09 -
    AVG 9.0.0.851 2010.09.09 -
    BitDefender 7.2 2010.09.09 -
    CAT-QuickHeal 11.00 2010.09.09 -
    ClamAV 0.96.2.0-git 2010.09.09 -
    Comodo 6026 2010.09.09 -
    DrWeb 5.0.2.03300 2010.09.09 -
    Emsisoft 5.0.0.37 2010.09.09 -
    eSafe 7.0.17.0 2010.09.07 -
    eTrust-Vet 36.1.7844 2010.09.09 -
    F-Prot 4.6.1.107 2010.09.01 -
    F-Secure 9.0.15370.0 2010.09.09 -
    Fortinet 4.1.143.0 2010.09.09 -
    GData 21 2010.09.09 -
    Ikarus T3.1.1.88.0 2010.09.09 -
    Jiangmin 13.0.900 2010.09.09 -
    K7AntiVirus 9.63.2483 2010.09.09 -
    Kaspersky 7.0.0.125 2010.09.09 -
    McAfee 5.400.0.1158 2010.09.09 -
    McAfee-GW-Edition 2010.1B 2010.09.09 -
    Microsoft 1.6103 2010.09.09 -
    NOD32 5437 2010.09.09 -
    Norman 6.06.05 2010.09.09 -
    nProtect 2010-09-09.03 2010.09.09 -
    Panda 10.0.2.7 2010.09.08 -
    PCTools 7.0.3.5 2010.09.09 -
    Prevx 3.0 2010.09.09 -
    Rising 22.64.03.01 2010.09.09 -
    Sophos 4.57.0 2010.09.09 -
    Sunbelt 6852 2010.09.09 -
    SUPERAntiSpyware 4.40.0.1006 2010.09.09 -
    Symantec 20101.1.1.7 2010.09.09 -
    TheHacker 6.7.0.0.012 2010.09.09 -
    TrendMicro 9.120.0.1004 2010.09.09 -
    TrendMicro-HouseCall 9.120.0.1004 2010.09.09 -
    VBA32 3.12.14.0 2010.09.08 -
    ViRobot 2010.9.8.4031 2010.09.09 -
    VirusBuster 12.64.25.0 2010.09.09 -
    Additional information
    MD5 : 3d7ef286e806f9bd9339aa52e28dcd67
    SHA1 : 431d2dd1c273a1bbf59fd50fa277fc0c1ebfb29f
    SHA256: 24d602b7ddf7718a1f149d35b24c2345d0dde6e8b8a7fdf35062c24a6d13226d
    ssdeep: 192:X7xBY2LAtt25rdSEPkVijpmBrl+sJCdk+NI04u+Pt:X7xBY2+45aVijpmBRCkJO+Pt
    File size : 13532 bytes
    First seen: 2008-12-15 17:41:33
    Last seen : 2010-09-09 16:14:00
    TrID:
    Win64 Executable Generic (95.5%)
    Generic Win/DOS Executable (2.2%)
    DOS Executable Generic (2.2%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: Windows (R) 2000 DDK provider
    copyright....: Copyright (C) Microsoft Corp. 1981-1999
    product......: Windows (R) 2000 DDK driver
    description..: Sample NDIS 5.0 Protocol Driver
    original name: PACKET.SYS
    internal name: PACKET.SYS
    file version.: 5.00.2195.1
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x3A0
    timedatestamp....: 0x3D9A4467 (Wed Oct 02 00:57:11 2002)
    machinetype......: 0x14c (I386)

    [[ 6 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x2C0, 0x112A, 0x1140, 6.21, f812a1ddb11d35f538820fbf430d9a9f
    .rdata, 0x1400, 0xE4, 0x100, 2.54, 524eadd31e9c3f9b8116648a754eb3eb
    .data, 0x1500, 0x1426, 0x1440, 0.00, 599c0a883d09e059b38411330fd1794c
    INIT, 0x2940, 0x398, 0x3A0, 4.98, aca4f180ad1f43fcab776be5cdef9741
    .rsrc, 0x2CE0, 0x3B8, 0x3C0, 3.42, 89fe2fc24016f5e4fbff2a11f757817e
    .reloc, 0x30A0, 0x156, 0x160, 4.95, 419aa13ee2f6298223ae58a82e844361

    [[ 3 import(s) ]]
    ntoskrnl.exe: KeInitializeSpinLock, IoFreeMdl, KeInitializeDpc, KeCancelTimer, KeSetTimer, KeInitializeTimer, MmMapLockedPages, RtlQueryRegistryValues, RtlCompareUnicodeString, IoCreateDevice, ExfInterlockedRemoveHeadList, ExfInterlockedInsertTailList, IofCompleteRequest, IoDeleteDevice, RtlInitUnicodeString, ExAllocatePoolWithTag, ExFreePool, MmMapLockedPagesSpecifyCache, IoBuildPartialMdl, IoAllocateMdl
    HAL.dll: KfAcquireSpinLock, KfReleaseSpinLock
    NDIS.SYS: NdisUnchainBufferAtFront, NdisAllocatePacket, NdisCloseAdapter, NdisFreePacketPool, NdisAllocatePacketPool, NdisOpenAdapter, NdisRegisterProtocol, NdisDeregisterProtocol, NdisFreePacket

    VT Community (1 comment)

    User:
    Anonymous
    Reputation:
    1 credits
    Comment date:
    2010-08-27 18:43:21 (UTC)
    It's part of Realtec Wireless Driver.
    For example: RTL8187 Wireless 802.11g
    Tags: Goodware,
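Added example, not code from the thread or from VirusTotal: a small Python triage helper that parses the sigcheck and import lines of the report above (embedded as a constructed excerpt with the values shown there) and lists what a responder would weigh against the 0/43 verdict: the driver is unsigned, its on-disk name SjyPkt.sys differs from the version-resource original name PACKET.SYS, and it imports the NDIS protocol-registration APIs that packet-capture drivers use.

```python
import re

# Constructed excerpt of the sigcheck / PEInfo part of the VirusTotal report
# pasted above (values copied from that post, nothing re-fetched).
VT_REPORT = """\
sigcheck:
publisher....: Windows (R) 2000 DDK provider
description..: Sample NDIS 5.0 Protocol Driver
original name: PACKET.SYS
file version.: 5.00.2195.1
verified.....: Unsigned
PEInfo: PE structure information
[[ 3 import(s) ]]
ntoskrnl.exe: KeInitializeSpinLock, IoCreateDevice, ExAllocatePoolWithTag
HAL.dll: KfAcquireSpinLock, KfReleaseSpinLock
NDIS.SYS: NdisOpenAdapter, NdisRegisterProtocol, NdisDeregisterProtocol
"""

# A driver that imports these registers itself as an NDIS protocol and binds to
# the NIC, which is how a packet-capture driver receives raw frames.
NDIS_PROTOCOL_APIS = {"NdisRegisterProtocol", "NdisOpenAdapter"}


def parse_report(text):
    """Return (fields, imports): dotted sigcheck labels -> value, module -> APIs."""
    fields, imports = {}, {}
    for line in text.splitlines():
        m = re.match(r"^([a-z ]+?)\.*: ?(.*)$", line)  # e.g. "verified.....: Unsigned"
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
            continue
        m = re.match(r"^(\S+\.(?:exe|dll|sys)): (.*)$", line, re.I)  # "NDIS.SYS: A, B"
        if m:
            imports[m.group(1).lower()] = {a.strip() for a in m.group(2).split(",")}
    return fields, imports


def triage(disk_name, text):
    """Points to weigh against a clean AV verdict for a driver with this report."""
    fields, imports = parse_report(text)
    findings = []
    if fields.get("verified", "").lower() != "signed":
        findings.append("unsigned kernel driver")
    orig = fields.get("original name", "")
    if orig and orig.lower() != disk_name.lower():
        findings.append("on-disk name %s differs from original name %s" % (disk_name, orig))
    if NDIS_PROTOCOL_APIS & imports.get("ndis.sys", set()):
        findings.append("registers an NDIS protocol (can capture raw network frames)")
    return findings
```

Calling triage("SjyPkt.sys", VT_REPORT) returns all three findings; none of them is a detection, but together they tell a responder what the file is (a renamed DDK packet-capture driver) and why the clean verdict alone is not the end of the check.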

  4. #14
    Emeritus-Security Expert (Florida's SpaceCoast, joined Nov 2005, 15,208 posts)

    Download SystemLook to your Desktop (Download Mirror #1, Download Mirror #2).

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      c:\windows\system32\drivers\cyyw.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt


    How are things running now?
    Last edited by ken545; 2010-09-09 at 19:32.

  5. #15
    Junior Member (Dublin Ireland, joined Jun 2009, 16 posts)

    SystemLook log for cyyw.sys

    SystemLook 04.09.10 by jpshortstuff
    Log created at 17:33 on 09/09/2010 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "c:\windows\system32\drivers\cyyw.sys"
    No files found.

    -= EOF =-

  6. #16
    Emeritus-Security Expert (Florida's SpaceCoast, joined Nov 2005, 15,208 posts)

    It may be gone.

    Please run this free online virus scanner from ESET
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic and let me know how things are running now?

  7. #17
    Junior Member (Dublin Ireland, joined Jun 2009, 16 posts)

    ESET scan log.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    esets_scanner_update returned -1 esets_gle=1
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=22c390739fe3db47ad09a07355772a30
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-09-09 06:45:45
    # local_time=2010-09-09 07:45:45 (+0000, GMT Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 529456 529456 0 0
    # compatibility_mode=1024 16777215 100 0 25836887 25836887 0 0
    # compatibility_mode=5891 16776533 100 100 55135 14508015 0 0
    # compatibility_mode=6401 16777214 66 100 57116 15600021 0 0
    # compatibility_mode=8192 67108863 100 0 559 559 0 0
    # scanned=57222
    # found=0
    # cleaned=0
    # scan_time=4508

    Things seem to be running a little better but still freezing up regularly.

  8. #18
    Emeritus-Security Expert (Florida's SpaceCoast, joined Nov 2005, 15,208 posts)

    Hi,

    I would like you to try and run GMER again. Since we removed some bad stuff, it may run better now.

    Drag GMER to the trash and let's start fresh. Try it in normal Windows, and if you have problems then try Safe Mode.

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click GMER.exe.
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan.
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    Please copy and paste the report into your Post.

  9. #19
    Junior Member (Dublin Ireland, joined Jun 2009, 16 posts)

    GMER scan fail

    Tried in safe and normal modes, PC rebooted.

  10. #20
    Emeritus-Security Expert (Florida's SpaceCoast, joined Nov 2005, 15,208 posts)

    Well, we tried. GMER is about the best rootkit detection tool out there. Try this one, it won't be so hard on your system.

    Please download Rooter Rootkit Detector to your Desktop
    • Doubleclick it to start the tool.
    • A Notepad file containing the report will open, also found at %systemdrive% (usually C:\Rooter.txt).
    • Post the report for me to see.

    Then run this scan, it won't take long

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Under the Custom Scan box paste this in

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
        Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
