Sneaky Devils - This is Beyond My Ability

Discussion in 'Malware Help (A Specialist Will Reply)' started by rgmax, Aug 23, 2007.

  1. rgmax

    rgmax Private E-2

    I have followed the steps in READ & RUN ME FIRST Before Asking for Support Sticky and have attached the files requested. No malware was found.

    Hi guys – I think I have some issues here. I have been watching my COMODO Firewall log and it appears that there has been some suspicious activity. These are things I don’t understand – at all. Nevertheless, it sure seems suspicious. A lot of global hooks have been added – sorry, I didn’t keep track. I didn’t understand it but I allowed it because the various programs like Firefox and Outlook would not function without permission to add the global hook.

    The final straw for me was when Volumouse loaded a dll (vlmshlp.dll) into wcescomm.exe. I cannot think of any reason Volumouse has any business fooling with my mobile synchronization. I think something nefarious is going on here.

    I’ve been reading until my eyes are blood red and I still can’t figure what’s going on. Please help.
     


  2. rgmax

    rgmax Private E-2

    Here are the other attachments.
    Thanx
     


  3. rgmax

    rgmax Private E-2

    Sorry, left out the Counterspy Log
     


  4. abri

    abri MajorGeek

    Hi !
    Looking at your logs. This can take awhile!
    abri
     
  5. rgmax

    rgmax Private E-2

    Great! Thanks for letting me know.
     
  6. abri

    abri MajorGeek

    Hi rgmax !!

    Sorry! This took longer than I wanted it to! Not sure this is a malware problem.

    1) Did you download Event ID 4226 Patcher to increase your number of half-open TCP/IP connections for P2P?
    If you rerun Counterspy and have it fix what it finds, it will probably get rid of this if you want it to. It may be directly related to the problem you described.


    2) Please go to c:\Program Files\HijackThis\ and rename hijackthis.exe to analyse.exe


    3) Once you've rerun Counterspy (or not!), we're finished with it. If you decided to rerun it, please move the log somewhere where you can find it once you get done, or just post it in here before you continue. Otherwise it will be deleted during the uninstall. Then go to add/remove programs and uninstall these two programs:

    - Sunbelt CounterSpy
    - Java(TM) SE Runtime Environment 6 Update 1



    Then delete the below folders which may be left behind by the uninstall:

    C:\Documents and Settings\RGS\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software



    4) First, if you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.



    If you decided to rerun Counterspy and had it fix what it found, please post your Counterspy log here. If so, please tell me if the problem you reported has gone away or changed in any way.

    abri
     
  7. rgmax

    rgmax Private E-2

    Hey Abri -- No worries, thank you very much for your effort - I'm afraid I'm a little slow too...

    1.) Yes, I did download Event ID 4336 Patcher and I had it stored in 2 locations. All anti-spyware programs have identified it as a hacktool (of course, that's what it is).
    2.) I have uninstalled Windows msgr (thank you, I forgot and it was long overdue).
    3.) I have allowed everything (usually disabled with autoruns) that wants to start with Windows to start.
    4.) I have run Counterspy again and allowed it to delete the two files - nothing else found.
    5.) I have done as you asked with Hijackthis and run again. [Just an aside, didn't we use to run it from C:\ or is my memory failing me?]

    Oh, of course I cleaned stuff out with the ATF tool you recommended. I'm afraid there's a problem in that none of the message buttons are currently working and there is no button at all for attachments (not even in advanced or new thread). So, here are a couple of URLs for you to retrieve my logs:
    http://boxstr.com/files/7389/Counterspy 8-28.txt
    http://boxstr.com/files/7389/hijackthis.log_8-28.txt

    Again, sincere thanks for your help.
     
  8. abri

    abri MajorGeek

    Hi RGMAX!!

    There's nothing in your logs to indicate the presence of malware. Volumouse makes changes to your computer which could explain some of what you're seeing, but they aren't malicious changes. It changes the functionality of how the mouse works, so it's possible it hooks into other applications to do this.

    As for this:
    What means did you use to determine this? Was it loaded by wcescomm.exe or was it already loaded by explorer.exe or winlogon.exe?


    We've finished with the tools we need, so please do the following:

    abri
     
  9. rgmax

    rgmax Private E-2

    Thank you very much for your help

    I was alerted about suspicious behavior by COMODO Firewall. I'm not sure about the rest of your question. All I know is that COMODO warned exactly as in the quote above. I know Volumouse has to change some things, but this makes no sense and it appears as if some kind of malware may be reproducing itself.
     
  10. abri

    abri MajorGeek

    Did you do a search for vlmshlp.dll in your computer? If you can find it, would you see what size it is? Also, look for any *.vpl files and see if they are all in the Volumouse folder. The name vlmshlp.dll is a valid Volumouse file name, but the question is if it is the same file or if it simply uses the same name in a different location. Nirsoft allows you to make your own plugins for Volumouse, which involves making a dll. There is a file by that name which is part of the Volumouse helper. It's possible to contact Nirsoft directly if you go to the contact details towards the lower part of the following webpage: http://www.nirsoft.net/utils/volumouse.html If there's an easy answer to your question, that might be the best way to get it. It would be interesting to know if the file sizes match up and if the file in your computer is where it's supposed to be.

    abri
     
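The check abri describes in the post above (find every copy of vlmshlp.dll, note its size and location, and see whether any *.vpl plugin files sit outside the Volumouse folder) can be scripted so the comparison is exact rather than eyeballed. The following is an added example written for this thread; it is not code from the thread, from Nirsoft or from any of the tools mentioned. It builds a throwaway directory tree in a temp folder with constructed file contents (one copy of the DLL in an assumed install folder, one same-named copy elsewhere, one plugin file), then reports each copy with its size and SHA-256 and flags copies outside the expected folder. The install path "Program Files\Volumouse" is an assumption made for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# NOTE: the install directory is an assumption made for this example;
# the real Volumouse folder on a given machine may differ.
EXPECTED_DIR_PARTS = ("Program Files", "Volumouse")


def sha256_of(path):
    """Hash a file in chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_named_files(root, name, expected_dir):
    """Return every file under root whose name matches (case-insensitive,
    as on Windows) with its size, hash and whether it sits in expected_dir."""
    expected = Path(expected_dir).resolve()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() != name.lower():
                continue
            p = Path(dirpath) / fn
            hits.append({
                "path": str(p),
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
                "in_expected_dir": Path(dirpath).resolve() == expected,
            })
    return hits


def find_files_by_suffix(root, suffix):
    """List files under root with the given extension (e.g. '.vpl')."""
    suffix = suffix.lower()
    return [
        str(Path(dirpath) / fn)
        for dirpath, _d, filenames in os.walk(root)
        for fn in filenames
        if fn.lower().endswith(suffix)
    ]


def build_sample_tree():
    """Construct a throwaway tree standing in for a system drive.
    Every file and its contents here is made up for the demo."""
    root = Path(tempfile.mkdtemp(prefix="drive_c_"))
    legit_dir = root.joinpath(*EXPECTED_DIR_PARTS)
    legit_dir.mkdir(parents=True)
    (legit_dir / "vlmshlp.dll").write_bytes(b"MZ" + b"\x00" * 1022)   # 1024 bytes
    (legit_dir / "mute.vpl").write_bytes(b"plugin")
    stray_dir = root / "WINDOWS" / "system32"
    stray_dir.mkdir(parents=True)
    (stray_dir / "VLMSHLP.DLL").write_bytes(b"MZ" + b"\xff" * 4094)   # 4096 bytes
    return root


def report(root):
    """Summarise what the search found under root."""
    expected_dir = Path(root).joinpath(*EXPECTED_DIR_PARTS)
    hits = find_named_files(root, "vlmshlp.dll", expected_dir)
    stray = [h for h in hits if not h["in_expected_dir"]]
    return {
        "copies": len(hits),
        "outside_expected_dir": len(stray),
        "distinct_hashes": len({h["sha256"] for h in hits}),
        "vpl_files": find_files_by_suffix(root, ".vpl"),
        "hits": hits,
    }


if __name__ == "__main__":
    r = report(build_sample_tree())
    for h in r["hits"]:
        flag = "ok" if h["in_expected_dir"] else "OUTSIDE expected folder"
        print(f"{h['path']}  {h['size']} bytes  sha256={h['sha256'][:16]}...  {flag}")
    print(f"{r['copies']} copies, {r['outside_expected_dir']} outside, "
          f"{r['distinct_hashes']} distinct hashes, vpl files: {r['vpl_files']}")
```

On a real machine you would call report() with the drive root and the actual install folder, then compare the hash of each copy against the file extracted from a freshly downloaded installer: matching size and hash means it is the genuine helper in an unexpected place, while a different hash under the same name is what abri's question is getting at.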
  11. rgmax

    rgmax Private E-2

    Well....I'm afraid that I have deleted Volumouse due to its suspicious behavior. I could not find any instances of vlmshlp.dll or any *.vpl files. I think I will contact Nirsoft however. I do still have the setup file that I used to install Volumouse and I'll reinstall and see if suspicious behavior returns.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you need a link for Volumouse it is available at Major Geeks: Volumouse

    It is not malware!
     
