Computer infection

**niteloner** · May 18th, 2005, 12:07 AM

I need help. I have a DELL Dimension 2350 computer with Windows XP Home.

My Norton Antivirus today detected the following virus:

W32 Wallz in the following file:

C:WINDOWS\system32\mousehs.

Norton claims it cannot heal, access nor quarantine the file. It only gives deleting it as an option, but since i think it is a system file, i have not deleted it.

I need to know where i can obtain a removal tool to get rid of this worm. Please help.

Since i am not experienced in computers, please provide instructions i can understand and follow. Thanks a lot.

This help is needed urgent!!!

I have sarched but have not found any...

Joe

**Jarhed7276** · May 18th, 2005, 12:15 AM

Joe, try deleting it by running Norton in safe mode. To get into safe mode repeatedly tap your F8 key when you first start your pc. If that doesn't work let us know and we'll try something else.

Edit:

It is not a system file.

http://www.bleepingcomputer.com/star....exe-9016.html

If Norton in safe mode doesn't work do an online scan from Trendmicro at www.trendmicro.com.

**large_nostril** · May 18th, 2005, 12:21 AM

It's not a system file nor should it be in your system32 folder (or anywhere else for that matter). Malware typically installs itself into the WINDOWS or system32 folder for the sole purpose of fooling people into thinking it's a system file.

If you want to check if it's a system file, simply go into the folder where it's located, right click it and select Properties then Version. If it's a system file, it's copyright info should be either "Copyright (C) Microsoft Corporation..." or "© Microsoft Corporation. All rights reserved.".

Follow Jarhed's advice, it should be just what you need.

**RetroEvolute** · May 18th, 2005, 12:26 AM

What type of file is it?

moushs.exe? dll?

That'd help determine whether it's a system file... THen I could provide mroe info.

**niteloner** · May 18th, 2005, 02:07 AM

The name of the file is mousehs.exe. A search using the search feature of the computer gave no results.

I was not able to do what you asked in safe mode. The trendmacro online search was not done because it would not perform it on my computer. Don't know why.

My

**niteloner** · May 18th, 2005, 02:10 AM

The name of the file is mousehs.exe. A search using the search feature of the computer gave no results.

I was not able to do what you asked in safe mode. The trendmacro online search was not done because it would not perform it on my computer. Don't know why.

My question is....how do i get rid of it?

The blazing computer site confirms it is malaware dropped in the Windows system file by its parent Trojan.

Please answer these questions...Thanks...

Joe

**large_nostril** · May 18th, 2005, 02:34 AM

This is the only thing I was able to find on this trojan (from this site):

Originally Posted by marcosjose

Start your computer in secure mode (keep pressing F8 while the computer starts...)
Go to "start" menu and type "services.msc" in the run field.
Find the name "Mouse Hardware Sync" at the opened window.
Right click it and then click on "properties", and then go to "logon".
There just disable it!
In the "properties" window you can see the local of the file "mousehs.exe", like "C:\WINDOWS\System32\mousehs.exe"
Rebbot your pc, verify with CTRL+ALT+DEL if the "mousehs.exe" isn't running then go to the directory and delete it!
This file has come from internet because of a vulnerability of MS Windows. When you have some shared directory, these type of trojan come without any your action! The problem can be solved with stopping sharing all your shared directories in your pc.

Originally Posted by niteloner

The trendmacro online search was not done because it would not perform it on my computer. Don't know why.

Were you using Internet Explorer? If you were, you probably are gonna want to do some spyware scans. Check out this site (thanks to sr71000). It has some good links to anti-spyware proggies; espcially check out MS AntiSpyware.

**niteloner** · May 18th, 2005, 02:48 AM

I have Microsoft Antispyware Beta installed on my computer. Its last scans,,,done a couple of minutes ago...determined there is no spyware/adware....

Regarding the msservices operation you suggest, when I right click on it, it warns that disabling this could cause instability. i did not go through the other steps. please advise and...thanks...really grateful...!!!

Joe

**Dj-Icer** · May 18th, 2005, 02:49 AM

Look like a worm to me.

Norton can sometimes be a bit zealous.

**large_nostril** · May 18th, 2005, 02:53 AM

Regarding the msservices operation you suggest, when I right click on it, it warns that disabling this could cause instability. i did not go through the other steps.

Please follow through with the rest of the steps. This warning of instability only applies if you're disabling a true system file. And as we've concluded this is not a system file so you won't have any stability issues from disabling it.

**niteloner** · May 18th, 2005, 12:16 PM

I don't understand what you mean by going to the directory and deleting it after the safe mode procedure. Can you explain?

Also, what do you mean by avoid sharing files?

Please help. Please explain.

Is there an easier way for me to get rid of this infection? Maybe a removal tool??

Joe

**jpiermarini** · May 18th, 2005, 12:23 PM

W32.Wallz is a worm that attempts to exploit the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011). The worm spreads by randomly scanning IP addresses for computers vulnerable to this threat.

no removal tool needs to be done manually. below link has removal instructions. next time you have a virus go to sarc.com its symantecs security response page. type in the virus name and you will find info on what it does and how to remove it.

http://securityresponse.symantec.com...w32.wallz.html

tells you how to remove viruse. you need to turn off system restore. make sure your definitions are updated scan computer delete infected files if you can't delete said files boot into safe mode and run scan then delete files. followed by some registry edits and you are good to go.

**niteloner** · May 18th, 2005, 12:27 PM

Is there a patchand/or fix for this vulnerability? How can I get rid of the worm? That's what I want to know.

Joe

**jpiermarini** · May 18th, 2005, 12:31 PM

i just edited my message probably just as you were posting this so i missed it and you missed my edit. there is no removal tool you will need to do it manually

**niteloner** · May 18th, 2005, 03:42 PM

I think I have good news. i was able to quarantine the virus, using safe mode. i ran a Norton scan and no infection was found. I also disabled what you told me in msservices in safe mode.

If anyone has any comments, i would certainly appreciate them. Thanks a lot, again.

Hopefully, this will put an end to my problem...

Joe

**excuzzzeme** · May 18th, 2005, 03:59 PM

To prevent re-occurrance on startup... empty your internet temp files first. They often begin their launch in the temp folder and each subsequent boot will cause it to relaunch even though you thought you removed the file.

**niteloner** · May 18th, 2005, 04:30 PM

Thanks a lot. i have followed your suggestion...to the letter. Should i delete those files each time I'm about to restart or start my computer?

You suggest I do anything else to eliminate the prospects of virus re-appearing? thanks.

Joe

**sr71000** · May 18th, 2005, 04:33 PM

get something besided internet explorer...i personally use firefox but others such as mozilla or opera are good also. firefox and mozilla can both be found at www.mozilla.org !!

**niteloner** · May 18th, 2005, 04:56 PM

Guys:

Thanks again... Will download Firefox...

Joe

**large_nostril** · May 18th, 2005, 05:06 PM

Will download Firefox...

Smart choice

Also, one last thing, you might want to run CCleaner (not nessecary but could be beneficial). It'll help clean out temp files (in places you never knew existed) and free up some harddrive space.