Jump to content


Photo

Mouse issues, hijack?


  • Please log in to reply
1 reply to this topic

#1 jath87

jath87

    Member

  • New Member
  • Pip
  • 1 posts

Posted 03 July 2004 - 12:09 PM

Suddenly my mouse started to act on it´s own. While surfing or using the computer for other purposes the mouse pointer can suddenly run away and start clicking anywhere on the screen. It can be the start button, it can be right clicking on the desktop or close an open window or the like.

I have probable installed something improper but since I don´t know what it is I need help finding it.

Here is my Hijack log.

Logfile of HijackThis v1.97.7
Scan saved at 18:42:41, on 2004-07-03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\CPQS\BWTOOLS\BWTRAY.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\PROGRAM\ICLOGIN.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\PROGRAM\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\PROGRAM\WINAMP\WINAMPA.EXE
C:\PROGRAM\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\PWSTRAY.EXE
C:\PROGRAM\WINZIP\WZQKPICK.EXE
C:\PROGRAM\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=sve
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=sve
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=sve
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presar...&query=%s&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: MSN Verktygslåda - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\SV\MSNTB.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\bwtray.exe
O4 - HKLM\..\Run: [Aktivitetsfältet] SysTray.Exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IC Login] "C:\PROGRAM\ICLOGIN.EXE"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [cupdate] C:\WINDOWS\TEMP\SFXE056.TMP\CUPDATE.exe
O4 - HKLM\..\Run: [bcray] C:\WINDOWS\TEMP\SFXE056.TMP\1002\BCRAY.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRAM\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [winlogin] C:\WINDOWS\SYSTEM\winlogin.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe -I
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRAM\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRAM\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office Snabbsökning.lnk = C:\Program\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZS
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8134.1881944444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {426F81A5-0B8C-4948-8115-11606FD3F389} - http://www.serialspo...als/serials.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downlo...ervice_4_EN.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/ieplug.cab
O16 - DPF: {12B574CE-A702-E7AD-358C-597D3BCEA9FA} - http://www.mrketing.biz/IE_plugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downlo...ervice_5_EN.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab

Thanks

#2 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 04 July 2004 - 08:28 AM

Hi
Please run hijack and place a check in the following entries.
R3 - URLSearchHook: (no name) - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)

O4 - HKLM\..\Run: [cupdate] C:\WINDOWS\TEMP\SFXE056.TMP\CUPDATE.exe
O4 - HKLM\..\Run: [bcray] C:\WINDOWS\TEMP\SFXE056.TMP\1002\BCRAY.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRAM\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRAM\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Startup: Microsoft Office Snabbsökning.lnk = C:\Program\Microsoft Office\Office\FINDFAST.EXE

O16 - DPF: {426F81A5-0B8C-4948-8115-11606FD3F389} - http://www.serialspo...als/serials.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downlo...ervice_4_EN.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/ieplug.cab
O16 - DPF: {12B574CE-A702-E7AD-358C-597D3BCEA9FA} - http://www.mrketing.biz/IE_plugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downlo...ervice_5_EN.cab

Ensure All IE. browsers and windows explorers are closed,
Then have hijackthis fix them:

These items below in blue can be fixed if you choose, they are unnecessary programs running at start and/or that hog resources: Having hijack fix it does not remove the program, just their start up command.
O4 - Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
Launches common MS Office components to run in the background, hogging resources.

O4 - Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
Adds the system tray icon for WinZip.


Also these entries of My Web, is not malware but it allows and attracts malware to be installed. I would remove it.
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZS


To unhide hidden files,
  • On desktop doubleclick My Computer and select View and click Details
  • Again select View >Folder Options
  • Under the View tab,
  • Tick show all files
  • Untick hide file extensions for all file types. Select Apply then OK]
Restart in Safe mode and open an IE and select Tools> Internet options and delete all temporary internet files and tick "delete offline content"
Then find and delete the following files
C:\ temp <--delete all possible files in this folder
C:\windows\ temp <--delete all possible files in this folder

Select Start-> Settings-> Control panel-> add/remove and select and remove the following programs if present: -My Search Bar \MyWay Speed Bar\My Web Search Bar\Fun Web Products Easy Installer
While still in safe mode, find and delete the following files/folders if they still exist:
C:\PROGRAM\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE <--delete only this file

Restart your system, do a free online virus scan and delete anything it finds from:To complete your clean up, do a free online trojan scan as well and delete anything it finds from:and repost here with a new log from hijack.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button