Viruses and Keyboard and Mouse Dead

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Nancy123, Dec 13, 2011.

  1. Nancy123

    Nancy123 Private E-2

    Hey all,

    My computer got infected with some nasty stuff. There was this website that was redirecting to a fake PayPal page. One of those .in extensions.

    Even though I was able to use the computer I knew it was filled with viruses because of how slow it was and because I was the only one being redirected. My friend went to the same website and did not get redirected.

    First I used Malwarebytes to scan the PC and it only detected 2 PUPs, which were harmless. I still removed them just in case. I decided to go deeper and used TDSSKiller; it caught 8 threats. One of them was sptd, usually related to the Google redirect virus. I don't remember the names of the other 7.
    I deleted all of them and I was told to reboot the system. I rebooted and everything booted normally; however, my keyboard and mouse do not work. They are completely frozen and only work before Windows starts, in the BIOS.

    I realized that the only thing I could use was my DVD/CD drive, so I used the Avira rescue disk. Unfortunately, I can't copy the log to this PC exactly how it looks, but I copied the most important things and will list them below in a sec.

    Avira was able to rename a couple of HTML/IFrame.JA.1 and Trojans such as TR/Dropper.GEN

    But for others it says archive scan aborted. I decided to try the AVG rescue disk next. I ran the scan but could only do it halfway because the light went off...yeah I know, lucky me.

    I will leave the half report below right after the Avira one. After all of this I'm still in the situation and my keyboard and mouse (USB) still don't work. I tried using an old non USB keyboard but no luck.

    I'm going to use the Bitdefender rescue disk next; meanwhile I'll leave the reports here. Since I'm not very good at handling these things, I was hoping for assistance.

    Thank you.

    AVIRA SCAN:

    TR/Crypt-XPACK.Gen [archive scan abort]
    TR/Dropper.GEN [renamed]
    BDS/Gendal-654428 - renamed
    BDS/Gendal-683423.2 - renamed
    Java/Fester.L - archive scan abort
    Java/Exdoer.DH.2 - archive scan abort
    JAVA/Exdoer.EX - archive scan abort
    SPR/Autolt.Gen - renamed
    HTML/IFrame.JA.1 - renamed
    HTML/IFrame.JA.1 - renamed
    HTML/IFrame.JA.1 - renamed
    HTML/IFrame.JA.1 - renamed
    HTML/IFrame.JA.1 - renamed
    HTML/IFrame.JA.1 - renamed
    HTML/IFrame.JA.1 - renamed
    HTML/IFrame.JA.1 - renamed
    SPR/Hacktool.231936 - archive scan abort
    TR/Gendal.kdv.294349 - archive scan abort
    TR/Agent.339896 - renamed
    TR/Agent.155648.30 - renamed
    TR/Gendal 6690843 - renamed
    TR/Gendal 6690843 - archive scan abort
    BDS/Gendal.662620 - archive scan abort


    invalid or corrupt - rarnew.dat
    archive type- left 4 dead
    end of file - keyword elite uninstallexe
    bad compressed data- proxy checker unistallexe
    end of file- gamers first uninstall exe
    end of file - GrindSoft/Lines/Uninstall
    A malformed archive header was detected - Serif/WebPlus Starter Edition/3-0/Data/FillTableconical.zip
    end of file - SpeedFan/uninstall.exe
    end of file - StumbleUpon/PostInstall.exe
    end of file - StumbleUpon/PreUninstall.exe
    bad archive header - AppData Plus500


    AVG HALF SCAN:

    AVG command line Anti-Virus scanner


    /mnt/sdd1/


    PUP Tool.LN
    /Program Files/Counter-Strike/platform/Friends/friendsUI.dll Runtime packed nspack
    /Program Files/HideMyMac/mxid.dll Runtime packed nspack
    /AppData/Local/Microsoft/Windows Defender/Filetracker/{051080FB-A0F8-4A77-B818-580411353E41} Virus Found Hosts
    /AppData/Local/Microsoft/Windows Defender/Filetracker/{CED2FB3F-C2D8-474B-A179-2DA772753A80} Virus Found Hosts
    Trojan Horse Generic3_c.CLFX
    Trojan Horse Backdoor.Generic14.NAX
    Trojan Horse Java/Agent.GX
    Trojan Horse Java/Agent.FL
    Trojan Horse Java/Agent.GX
    Trojan Horse Java/Exploit.LJ
    Trojan Horse Java/Agent.FB
    Trojan Horse Java/Agent.FA
    Trojan Horse Java/Exploit.LJ
    Trojan Horse Java/Exploit.HS
    Trojan Horse Java/Exploit.HP
    Trojan Horse Java/Exploit.HS
    Trojan Horse Java/Agent.EW
    Trojan Horse Java/Agent.EW
    /AppData/Local/Roaming/Octoshape/ Corrupeted executable file
    /AppData/Local/Roaming/Octoshape/ Corrupeted executable file
    PUP Tool.LN
    PUP Tool.LN
    Trojan Horse Generic3_c.CJNK
    Trojan Horse Generic3_c.CJNK
    hosts.txt Virus Found Hosts
    PUP Tool.LN
    PUP Tool.LN

    ALL RENAMED SUCCESS ACCORDING TO AVG.
     
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Nancy!

    sptd.sys is related to Daemon Tools.
    Which operating system are you running? Do you have a USB flash drive?
    It sounds like TDSSKiller potentially removed some needed drivers. Are you able to attach the log from TDSSKiller?
    Logs from TDSSKiller are kept at the root of the OS drive.

    The logs from Avira and AVG do not reflect on why your keyboard and mouse are not working. Most likely it was the doing of TDSSKiller.
     
  3. Nancy123

    Nancy123 Private E-2

    Hey everyone, first things first, here is the bit defender scan:

    BIT DEFENDER SCAN:

    4 threats in 25 still present in your system


    Backdoor.Generic.654428
    joke.NoClose.IS.A
    Trojan.Generic.6690843
    Trojan.HTML.Iframe.T

    --------------------------------------------


    I then clicked disinfect on all 4 but only Backdoor.Generic.654428 and Trojan.Generic.6690843 were successful.


    I then clicked delete on both joke.Noclose.IS.A and Trojan.HTML.Iframe.T and they were deleted successfully.


    All 25 success.

    I tried logging in in Safe Mode. It booted successfully as always, but again, as always, the mouse and keyboard do not work inside Windows Vista.

    I ran a second bit defender scan and it came out clean.

    In order to try and fix the keyboard and mouse issues, I copied the USB drivers from my friend's PC (who also runs Vista) into my PC, but with no luck. Mouse and keyboard still not working inside Windows Vista.

    I am, however, able to use the mouse and keyboard and internet on my PC using Bitdefender. I was able to get the TDSSKiller logs.

    Thank you for the response! I already feel at home. :)

    I believe you may be right regarding...well everything you said. :p

    I have Windows Vista. USB flash drives are only working inside Bitdefender; I can't make them run inside Windows Vista, not even in Safe Mode.

    Attached TDSSKiller logs.

    Thank you in advance.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Code:
    03:09:01.0145 5240	HKLM\SYSTEM\ControlSet001\services\libusb0 - will be deleted on reboot
    03:09:01.0150 5240	HKLM\SYSTEM\ControlSet012\services\libusb0 - will be deleted on reboot
    03:09:01.0151 5240	C:\Windows\system32\drivers\libusb0.sys - will be deleted on reboot
    03:09:01.0151 5240	libusb0 ( UnsignedFile.Multi.Generic ) - User select action: Delete 
    It looks like you deleted the driver instead of quarantining it.

    I would make sure that libusb0.sys is not in the following folder (if it exists):
    • C:\TDSSKiller_Quarantine

    Otherwise we'll have to try to find another copy that we can use.
    If it wasn't in C:\TDSSKiller_Quarantine then proceed with the below:
    _________________________________________________________________________

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    Type the following in the edit box after "Search:".

    libusb0.sys

    Click Search button and post the log (Search.txt) it makes to your reply.
    Search.txt can be found in the same directory FRST.exe was run from.
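As an added example (not part of this thread or of the TDSSKiller tool), a small Python parser for log lines in the format quoted above, which lists what is pending deletion and which detections the user chose to delete on an "unsigned file" verdict only, so a removed driver can be spotted before rebooting. The sample log is constructed from the quoted lines plus two invented entries, and the line format is assumed from those four lines.

```python
import re
from typing import List, Dict
# Constructed sample, modelled on the TDSSKiller lines quoted in the post above
# (timestamp, thread id, tab, object, action). Not a real log from this machine.
SAMPLE_LOG = """\
03:09:01.0145 5240\tHKLM\\SYSTEM\\ControlSet001\\services\\libusb0 - will be deleted on reboot
03:09:01.0150 5240\tHKLM\\SYSTEM\\ControlSet012\\services\\libusb0 - will be deleted on reboot
03:09:01.0151 5240\tC:\\Windows\\system32\\drivers\\libusb0.sys - will be deleted on reboot
03:09:01.0151 5240\tlibusb0 ( UnsignedFile.Multi.Generic ) - User select action: Delete 
03:09:02.0001 5240\tsptd ( LockedFile.Multi.Generic ) - User select action: Skip
03:09:02.0002 5240\tC:\\Windows\\system32\\drivers\\example.sys - copied to quarantine
"""

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\t(?P<rest>.*)$")
ACTION_RE = re.compile(r"^(?P<name>\S+) \( (?P<verdict>[^)]+) \) - User select action: (?P<action>\w+)")
PENDING_RE = re.compile(r"^(?P<obj>.+?) - will be deleted on reboot$")

def parse_tdsskiller(log: str) -> Dict[str, object]:
    """Return the objects pending deletion and the per-detection user actions."""
    pending: List[str] = []
    actions: List[Dict[str, str]] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        rest = m.group("rest").strip()
        pm = PENDING_RE.match(rest)
        if pm:
            pending.append(pm.group("obj"))
            continue
        am = ACTION_RE.match(rest)
        if am:
            actions.append(am.groupdict())
    return {"pending_deletion": pending, "actions": actions}

def deleted_unsigned_drivers(log: str) -> List[str]:
    """Detections whose verdict was only 'unsigned file' and where the user chose Delete.
    These are the cases most likely to remove a legitimate driver, as happened with libusb0."""
    parsed = parse_tdsskiller(log)
    return [a["name"] for a in parsed["actions"]
            if a["action"] == "Delete" and a["verdict"].startswith("UnsignedFile")]

def driver_files_pending_deletion(log: str) -> List[str]:
    """Only the .sys file paths that will be removed on reboot (registry keys excluded)."""
    return [o for o in parse_tdsskiller(log)["pending_deletion"] if o.lower().endswith(".sys")]

if __name__ == "__main__":
    print(deleted_unsigned_drivers(SAMPLE_LOG))
    print(driver_files_pending_deletion(SAMPLE_LOG))
```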
     
  5. Nancy123

    Nancy123 Private E-2

    All I find are 7 folders named "susp0000" "susp0001" "..." "susp0007"


    Inside each of them I have an object.ini and a folder named svc0000. Inside this folder there is another object.ini, 1 tsk0000.ini and a Windows executable file named tsk0000.dta

    I don't know which file is the driver since they all have the same names.


    I tried to enter System Recovery Options from the Advanced Boot Options but I can't find the option "Repair your computer".

    I'm going to try using the Windows Vista Home Premium DVD.

    Thank you for all your help so far.
     
  6. Nancy123

    Nancy123 Private E-2

    Okay, I ran FRST with the Windows Vista 32 installation disk. The report is attached. I believe it found nothing; I would be very thankful if you could help me figure out what to do next.

    Thank you for all your help so far!
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Get back into FRST, but this time, press the Scan button.
    It will make a log (FRST.txt) on the flash drive. Please attach this log to your reply. (How to attach)
     
  8. Nancy123

    Nancy123 Private E-2

    I have attached the log of the scan.

    Thank you for everything so far.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    I don't see anything that I can do with that log.

    Let's try something else.
    We will need your Windows Vista DVD for this.
    Go back into Command Prompt just as you did before when launching FRST.exe.
    However this time, type in the following command and press ENTER.
    • sfc /scannow /offbootdir=c:\ /offwindir=c:\windows

    Note: replace c with the drive letter of your Windows installation. It is not always c:
    Remember you can use Notepad to see where your OS drive is at.
     
  10. Nancy123

    Nancy123 Private E-2

    Hey thisisu,

    I used the command and Windows reported that it fixed a couple of damaged files, but the keyboard and mouse still don't work inside Windows Vista.

    I tried to attach the cbs.log but it's giving me an error. Is there any other way I can attach this?

    Thank you once again for helping out on all of this.
     
    Last edited by a moderator: Dec 14, 2011
  11. thisisu

    thisisu Malware Consultant

    What error? File size too big? Try zipping it using 7zip.
     
  12. Nancy123

    Nancy123 Private E-2

    I tried zipping the file but I get this error "Your submission could not be processed because a security token was missing."

    Thank you.
     
  13. thisisu

    thisisu Malware Consultant

    I'm honestly not sure what that error message means.

    It sounds like this libusb-win32 software/driver has the ability to take control of all USB devices. Since it was deleted and there are no backup copies of the driver on the system... I'm afraid I'm out of ideas on how to fix this for you. :(

    From what I've read, that software is intended for developers and power users of Windows.

    Source: http://sourceforge.net/apps/trac/libusb-win32/wiki
     
  14. Nancy123

    Nancy123 Private E-2

    That's okay at least you tried :)

    Just one question...if I were to use a system restore point using the windows vista install cd and if I returned to a point before deleting the file...could this work?

    Thank you for all your help so far!
     
  15. thisisu

    thisisu Malware Consultant

    It could work :) Worth a try if you have restore points.
     
  16. Nancy123

    Nancy123 Private E-2

    Hey thisisu,

    So I tried the system restore point and it's been running for about 6 hours now...My PC has 232 disk space and only 9GB free space. So I expected it to take longer than usual, but I feel like this is too long.

    I was wondering, from your experience, is it best to keep waiting or should I just stop the restore point?

    Also, in order to stop the restore point, is it best to just shut down the PC or is there some command line I can use?

    Thank you for all your help, I know you guys do this for free and I'm really appreciative.
     
  17. Nancy123

    Nancy123 Private E-2

    Okay, I ended up shutting down the PC...mouse and keyboard still not working, but at least nothing was damaged by the restore point (at least nothing that I can tell).

    I was wondering, can't I try to copy and paste the missing driver from a flash drive? I would not know where to copy it to though...would c:\windows\drivers be the right place?

    Thank you for all your help!
     
  18. thisisu

    thisisu Malware Consultant

    It is too long, but it's probably also due to the fact that you only have 3.88% free disk space available.

    I would not recommend stopping it midway. It sounds like in your case it was OK.

    I don't think there is a command you can use while using the Vista DVD. Not to my knowledge at least. It's all GUI based.

    No problem.

    If you have a copy of it from another PC I guess it couldn't hurt to try to copy it to the compromised PC.

    It should be placed in the following folder: C:\Windows\system32\drivers

    Good luck!
     
