Mouse-cursor moves by itself, even when the mouse is unplugged

hoofbite · 04-21-2009, 04:51 AM

Hi. The other day my mouse-cursor just started to move and wiggle, chaotically, and by itself towards the right side of the screen.. I have tried to switch mouse and unplug, but it doesn't help, so I figure it has to be some kind of virus or malware, yea? When it happened I installed Trend Micro Internet Security and ran a scan of my computer. It came up with one so called "generic Trojan" named "services.exe" located in C:/Windows AND one virus named "a.exe" located in C:/Windows/System32.

I went into the windows folder and found the trojan file "services.exe" to maybe try and delete it, dunno if I should've, but I was pretty aggrevated at the time, but anyway I couldn't because I needed "permission" from vista. I also looked up the virus file called "a.exe" in the system32 folder, where trend micro told me it was, but I could not find it in any searches.

Anyway, this is all very frustrating to me, because I use my computer for work, and obviously a chaotically, wiggly mouse makes it quite hard for me to do anything at all.. so I would highly appreciate some help with getting rid of whatever it is doing this!

Thanks!

DDS (Ver_09-03-16.01) - NTFSx86
Run by Christoffer at 12:12:25,78 on 21.04.2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_05
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1044.18.2047.849 [GMT 2:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Telenor\Online Start\Telenor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\mIRC\mirc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Users\Christoffer\Desktop\gmer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Christoffer\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: QXK Olive: {cf94dbf9-b064-4473-8c40-bc68145805da} - c:\windows\mesdxbrqetg.dll
BHO: Online Start Plugin: {db87cde1-ef9c-44eb-a42f-6d0b3c72c516} - c:\program files\telenor\online start\IEFixItNowPlugin.dll
TB: {2969BC53-0B3D-4043-9C3C-ED7D3945C23D} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Telenor Online Start] "c:\program files\telenor\online start\Telenor.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Sidebar] c:\program files\windows sidebar\SideBar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Resume copy] copyfstq.exe /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [services] c:\windows\services.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [Telenor Online Start] "c:\program files\telenor\online start\Telenor.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hurtig~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\christ~1\appdata\roaming\mozilla\firefox\profiles\7ju85325.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-4-20 145424]
R2 BcmSqlStartupSvc;Oppstartstjeneste for Business Contact Manager SQL Server;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-16 30312]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-4-20 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-4-20 256528]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-4-20 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-4-20 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-4-20 677128]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]

=============== Created Last 30 ================

2009-04-21 10:54 290 a------- C:\Partition_1 (C) - Snarvei.lnk
2009-04-20 16:29 3,636 a------- c:\windows\system32\drivers\nvphy.bin
2009-04-20 15:15 <DIR> --d-h--- c:\windows\PIF
2009-04-20 14:04 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-04-20 14:04 256,528 a------- c:\windows\system32\drivers\tmwfp.sys
2009-04-20 14:04 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-04-20 14:04 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-04-20 14:04 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-04-20 14:04 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-20 14:04 145,424 a------- c:\windows\system32\drivers\tmlwf.sys
2009-04-20 14:04 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-20 14:04 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-04-20 13:58 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-04-20 13:08 118 a------- c:\windows\system32\MRT.INI
2009-04-20 12:51 622,080 a------- c:\windows\system32\icardagt.exe
2009-04-20 12:51 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-04-20 12:51 97,800 a------- c:\windows\system32\infocardapi.dll
2009-04-20 12:51 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-04-20 12:51 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-04-20 12:51 11,264 a------- c:\windows\system32\icardres.dll
2009-04-20 12:51 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-04-20 12:51 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-04-20 12:45 96,760 a------- c:\windows\system32\dfshim.dll
2009-04-20 12:45 282,112 a------- c:\windows\system32\mscoree.dll
2009-04-20 12:45 41,984 a------- c:\windows\system32\netfxperf.dll
2009-04-20 12:45 158,720 a------- c:\windows\system32\mscorier.dll
2009-04-20 12:45 83,968 a------- c:\windows\system32\mscories.dll
2009-04-20 12:42 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-20 12:42 217,088 a------- c:\windows\system32\psisrndr.ax
2009-04-20 12:42 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-20 12:42 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-04-20 12:42 80,896 a------- c:\windows\system32\MSNP.ax
2009-04-20 12:40 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-04-20 12:40 38,912 a------- c:\windows\system32\xolehlp.dll
2009-04-20 12:38 268,288 a------- c:\windows\system32\schannel.dll
2009-04-20 12:37 2,033,152 a------- c:\windows\system32\win32k.sys
2009-04-20 12:23 <DIR> --d----- c:\program files\Microsoft IntelliPoint
2009-04-11 03:53 268 a---h--- C:\sqmdata08.sqm
2009-04-11 03:53 244 a---h--- C:\sqmnoopt08.sqm
2009-04-09 11:24 172 a---h--- C:\sqmdata07.sqm
2009-04-09 11:24 172 a---h--- C:\sqmnoopt07.sqm
2009-04-09 10:01 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-04-09 10:01 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-09 10:01 <DIR> --d----- c:\program files\iPod
2009-04-09 10:01 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-09 10:01 <DIR> --d----- c:\program files\iTunes
2009-04-09 10:01 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-09 10:00 <DIR> --d----- c:\program files\Bonjour
2009-04-09 09:59 <DIR> --d----- c:\programdata\Apple Computer
2009-04-09 00:05 268 a---h--- C:\sqmdata06.sqm
2009-04-09 00:05 244 a---h--- C:\sqmnoopt06.sqm
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-26 15:23 36,864 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-04-21 10:57 409,918 a------- c:\windows\system32\perfh014.dat
2009-04-21 10:57 66,236 a------- c:\windows\system32\perfc014.dat
2009-04-20 16:34 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-20 16:34 51,200 a------- c:\windows\inf\infpub.dat
2009-04-20 16:33 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 05:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 05:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 05:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-03 06:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 06:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 06:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-03 06:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 06:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-03 06:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 06:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-03 06:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 06:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 06:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 05:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 04:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-03 04:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-02-22 02:19 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-02-13 10:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 10:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2008-06-15 00:09 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-28 23:17 174 a--sh--- c:\program files\desktop.ini
2007-08-15 06:20 294,254 a------- c:\windows\inf\perflib\0414\perfi.dat
2007-08-15 06:20 294,254 a------- c:\windows\inf\perflib\0414\perfh.dat
2007-08-15 06:20 35,166 a------- c:\windows\inf\perflib\0414\perfd.dat
2007-08-15 06:20 35,166 a------- c:\windows\inf\perflib\0414\perfc.dat
2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-06-11 16:25 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 12:12:50,00 ===============

Jintan · 04-22-2009, 08:22 PM

Welcome to TSF hoofbite,

Noooo, you sure do not want to be deleting files you are not sure of, and especially those like "services.exe" which is usually an essential (and protected) system file. Not seeing any infection here so far - let's run a repair scan then check after.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

hoofbite · 04-23-2009, 09:16 AM

The "living" cursor suddenly stopped by the way, before I ran this scan, but I ran it anyway.. and it found like 31 infected files, so I guess it was about time I ran one. I pressed delete, and then I had to reboot.. but a lot of files is still quarantined in MBAM, should I delete these too?

Malwarebytes' Anti-Malware 1.36
Databaseversjon: 2029
Windows 6.0.6001 Service Pack 1

23.04.2009 17:07:56
mbam-log-2009-04-23 (17-07-56).txt

Skanntype: Rask Skann
Objekter skannet: 79660
Tid tilbakelagt: 7 minute(s), 24 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 5
Registerverdier infisert: 7
Registerfiler infisert: 3
Mapper infisert: 4
Filer infisert: 12

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\xp_securitycenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vwsrfton.bxwe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vwsrfton.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf94dbf9-b064-4473-8c40-bc68145805da} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cf94dbf9-b064-4473-8c40-bc68145805da} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> Quarantined and deleted successfully.

Registerfiler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:
C:\Program Files\XPSecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\data (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPSecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.

Filer infisert:
C:\Program Files\XPSecurityCenter\comp.dat (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\htmlayout.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\pthreadVC2.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\un.ico (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\unzip32.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\data\daily.cvd (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPSecurityCenter\Uninstall.lnk (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPSecurityCenter\XPSecurityCenter.lnk (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.

Jintan · 04-23-2009, 06:25 PM

Quarantined means held harmless, so not really an issue there right now. Malwarebytes actually undid quite a few malware-related system changes and removed a rogue security software package. Let's check now to see what else might remain there.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Also disconnect from net access anytime you run ComboFix, reconnecting after it has completed it's scan.

Download the latest version of Combofix.exe from here and save it to your C folder (C:\ComboFix.exe).

Doubleclick on combofix.exe and the scan will start (go ahead and install the Recovery Console if you are asked to do so). When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

hoofbite · 04-27-2009, 03:10 AM

ComboFix 09-04-25.A3 - Christoffer 26.04.2009 17:38.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1044.18.2047.1192 [GMT 2:00]
Running from: c:\users\Christoffer\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
d:\recycler\autorun.inf
d:\recycler\desktop.ini
d:\recycler\Folder.htt
d:\recycler\info.exe
d:\recycler\protect.ed
d:\recycler\warning.bmp
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-23 07:34 . 2009-04-23 07:34 -------- d-----w c:\users\Christoffer\AppData\Roaming\Malwarebytes
2009-04-23 07:34 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 07:34 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 07:34 . 2009-04-23 07:34 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 07:34 . 2009-04-23 07:34 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-23 07:34 . 2009-04-23 07:34 -------- d-----w c:\programdata\Malwarebytes
2009-04-21 08:54 . 2009-04-21 08:54 290 ----a-w C:\Partition_1 (C) - Snarvei.lnk
2009-04-20 14:29 . 2007-11-17 21:22 3636 ----a-w c:\windows\system32\drivers\nvphy.bin
2009-04-20 13:15 . 2009-04-20 13:15 -------- d--h--w c:\windows\PIF
2009-04-20 12:06 . 2009-04-20 12:06 -------- d-----w c:\users\Christoffer\AppData\Local\Trend Micro
2009-04-20 12:04 . 2009-04-20 12:04 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-20 12:04 . 2009-04-20 12:04 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-20 12:04 . 2009-04-20 12:04 256528 ----a-w c:\windows\system32\drivers\tmwfp.sys
2009-04-20 12:04 . 2009-04-20 12:04 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-20 12:04 . 2009-04-20 12:04 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-20 12:04 . 2009-04-20 12:04 145424 ----a-w c:\windows\system32\drivers\tmlwf.sys
2009-04-20 12:04 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-20 12:04 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-20 12:04 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-20 11:58 . 2009-04-20 11:58 -------- d-----w c:\users\All Users\Office Genuine Advantage
2009-04-20 11:58 . 2009-04-20 11:58 -------- d-----w c:\programdata\Office Genuine Advantage
2009-04-20 11:08 . 2009-04-20 11:08 118 ----a-w c:\windows\system32\MRT.INI
2009-04-20 10:51 . 2008-06-20 01:14 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-04-20 10:51 . 2008-06-20 01:14 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-04-20 10:51 . 2008-06-20 01:14 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-04-20 10:51 . 2008-06-20 01:14 37384 ----a-w c:\windows\system32\infocardcpl.cpl
2009-04-20 10:51 . 2008-06-20 01:14 11264 ----a-w c:\windows\system32\icardres.dll
2009-04-20 10:51 . 2008-06-20 01:14 622080 ----a-w c:\windows\system32\icardagt.exe
2009-04-20 10:51 . 2008-06-20 01:14 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-04-20 10:51 . 2008-06-20 01:14 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-04-20 10:45 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll
2009-04-20 10:45 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll
2009-04-20 10:45 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-04-20 10:45 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll
2009-04-20 10:45 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll
2009-04-20 10:42 . 2008-12-05 04:32 428544 ----a-w c:\windows\system32\EncDec.dll
2009-04-20 10:42 . 2008-12-05 04:31 217088 ----a-w c:\windows\system32\psisrndr.ax
2009-04-20 10:42 . 2008-12-05 04:32 293376 ----a-w c:\windows\system32\psisdecd.dll
2009-04-20 10:42 . 2008-12-05 04:31 80896 ----a-w c:\windows\system32\MSNP.ax
2009-04-20 10:42 . 2008-12-05 04:31 177664 ----a-w c:\windows\system32\mpg2splt.ax
2009-04-20 10:40 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-20 10:40 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-20 10:38 . 2008-11-27 04:43 268288 ----a-w c:\windows\system32\schannel.dll
2009-04-20 10:37 . 2009-02-09 03:10 2033152 ----a-w c:\windows\system32\win32k.sys
2009-04-20 10:23 . 2009-04-20 10:23 -------- d-----w c:\program files\Microsoft IntelliPoint
2009-04-11 01:53 . 2009-04-11 01:53 268 ---ha-w C:\sqmdata08.sqm
2009-04-11 01:53 . 2009-04-11 01:53 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-09 09:24 . 2009-04-09 09:24 172 ---ha-w C:\sqmdata07.sqm
2009-04-09 09:24 . 2009-04-09 09:24 172 ---ha-w C:\sqmnoopt07.sqm
2009-04-09 08:02 . 2009-04-09 08:02 -------- d-----w c:\users\Christoffer\AppData\Roaming\Apple Computer
2009-04-09 08:01 . 2009-03-19 14:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-09 08:01 . 2008-04-17 10:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-09 08:01 . 2009-04-09 08:01 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-09 08:01 . 2009-04-09 08:01 -------- d-----w c:\program files\iPod
2009-04-09 08:01 . 2009-04-09 08:01 -------- d-----w c:\users\All Users\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-09 08:01 . 2009-04-09 08:01 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-09 08:01 . 2009-04-09 08:01 -------- d-----w c:\program files\iTunes
2009-04-09 08:00 . 2009-04-09 08:00 -------- d-----w c:\program files\Bonjour
2009-04-09 07:59 . 2009-04-09 08:00 -------- d-----w c:\program files\QuickTime
2009-04-09 07:59 . 2009-04-09 08:01 -------- d-----w c:\users\All Users\Apple Computer
2009-04-09 07:59 . 2009-04-09 08:01 -------- d-----w c:\programdata\Apple Computer
2009-04-09 07:56 . 2009-04-09 08:01 -------- d-----w c:\program files\Common Files\Apple
2009-04-08 22:05 . 2009-04-08 22:05 268 ---ha-w C:\sqmdata06.sqm
2009-04-08 22:05 . 2009-04-08 22:05 244 ---ha-w C:\sqmnoopt06.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 15:17 . 2007-10-20 21:25 -------- d-----w c:\program files\Betsson Poker
2009-04-26 13:36 . 2007-10-21 00:00 -------- d-----w c:\program files\World of Warcraft
2009-04-26 09:44 . 2008-12-29 15:38 -------- d-----w c:\program files\Steam
2009-04-21 14:52 . 2007-10-31 20:16 -------- d-----w c:\users\Christoffer\AppData\Roaming\mIRC
2009-04-21 08:57 . 2007-08-15 04:20 66236 ----a-w c:\windows\System32\perfc014.dat
2009-04-21 08:57 . 2007-08-15 04:20 409918 ----a-w c:\windows\System32\perfh014.dat
2009-04-21 08:56 . 2007-10-31 20:16 -------- d-----w c:\program files\mIRC
2009-04-21 08:50 . 2007-10-17 18:18 -------- d-----w c:\programdata\NVIDIA
2009-04-20 14:34 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-20 14:34 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-04-20 14:33 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-20 12:32 . 2008-08-21 10:02 -------- d-----w c:\programdata\Trend Micro
2009-04-20 12:24 . 2008-08-21 10:01 -------- d-----w c:\program files\Trend Micro
2009-04-20 11:59 . 2007-12-05 12:21 -------- d-----w c:\program files\Common Files\Steam
2009-04-20 11:58 . 2007-10-20 17:34 100648 ----a-w c:\users\Christoffer\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-20 11:47 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-20 11:13 . 2007-08-14 18:31 -------- d-----w c:\programdata\Microsoft Help
2009-04-20 11:01 . 2007-08-14 18:40 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-20 10:44 . 2008-02-11 22:50 -------- d-----w c:\users\Christoffer\AppData\Roaming\LimeWire
2009-04-18 12:53 . 2007-10-20 21:37 -------- d-----w c:\users\Christoffer\AppData\Roaming\uTorrent
2009-03-26 13:23 . 2009-03-26 13:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-26 13:23 . 2009-03-26 13:23 1900544 ----a-w c:\windows\System32\usbaaplrc.dll
2009-03-17 03:38 . 2009-04-20 10:41 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-20 10:41 13824 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:38 . 2009-04-20 10:41 24064 ----a-w c:\windows\System32\amxread.dll
2009-03-16 23:48 . 2009-02-22 00:19 -------- d-----w c:\users\Christoffer\AppData\Roaming\Hamachi
2009-03-03 04:46 . 2009-04-20 10:41 3599328 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-20 10:41 3547632 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-20 10:41 827392 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:39 . 2009-04-20 10:41 183296 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:39 . 2009-04-20 10:41 551424 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:39 . 2009-04-20 10:41 26112 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-20 10:41 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:37 . 2009-04-20 10:41 98304 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:37 . 2009-04-20 10:41 54784 ----a-w c:\windows\System32\iasads.dll
2009-03-03 04:37 . 2009-04-20 10:41 44032 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-20 10:41 666624 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-20 10:41 17408 ----a-w c:\windows\System32\iashost.exe
2009-03-03 02:28 . 2009-04-20 10:41 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-02 10:35 . 2008-04-27 19:40 -------- d-----w c:\program files\Warcraft III
2009-02-13 08:49 . 2009-04-20 10:41 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 08:49 . 2009-04-20 10:41 1255936 ----a-w c:\windows\System32\lsasrv.dll
2008-08-25 17:08 . 2008-01-18 16:47 680 ----a-w c:\users\Christoffer\AppData\Local\d3d9caps.dat
2008-05-28 21:17 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-02-10 11:49 . 2008-02-10 11:49 99864 ----a-w c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2008-11-09 13:2008-11-09 13:13 13:55 . c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\jar50.dll
2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\myspell.dll
2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\spellchk.dll
2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\xpinstal.dll
2007-06-11 14:25 . 2007-06-11 14:25 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-15 39408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-02-13 486856]
"Telenor Online Start"="c:\program files\Telenor\Online Start\Telenor.exe" [2006-11-30 178312]
"Steam"="c:\program files\Steam\Steam.exe" [2008-12-29 1410296]
"Sidebar"="c:\program files\Windows Sidebar\SideBar.exe" [2008-01-18 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-10-20 24576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-15 185896]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-09 1838592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-19 4702208]
"Resume copy"="copyfstq.exe" - c:\windows\copyfstq.exe [2007-10-26 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Telenor Online Start"="c:\program files\Telenor\Online Start\Telenor.exe" [2006-11-30 178312]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Hurtigstart for Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5CF92585-B268-4835-9F2A-CF0D64312AE1}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{AFA3B790-A06C-4409-8410-2D809D70EC8B}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{0FFDF113-1FAD-4C77-BD92-7A53E1FDA8D3}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{E5AB9D7A-60AC-4647-A831-3C05D978D324}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{FEE5E50C-608A-4FFA-9EB1-057A3BBC9EF1}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{9F993580-5D65-4AA4-B7BC-682AFFB86400}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{8A784216-1542-4403-85D4-1ED55109CF10}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{FDE3FA0A-2C59-4629-B390-816357E07F15}c:\\users\\christoffer\\program files\\bittorrent_dna\\dna.exe"= UDP:c:\users\christoffer\program files\bittorrent_dna\dna.exe:dna.exe
"UDP Query User{09D657AD-9918-4630-9C9A-89E15D265F58}c:\\users\\christoffer\\program files\\bittorrent_dna\\dna.exe"= TCP:c:\users\christoffer\program files\bittorrent_dna\dna.exe:dna.exe
"TCP Query User{208E6E78-CEE8-4908-8F2F-C1DA3D370074}c:\\program files\\world of warcraft\\wow-2.2.0-engb-downloader.exe"= UDP:c:\program files\world of warcraft\wow-2.2.0-engb-downloader.exe:Blizzard Downloader
"UDP Query User{404B5350-8204-40A5-88BF-9037DC9581B7}c:\\program files\\world of warcraft\\wow-2.2.0-engb-downloader.exe"= TCP:c:\program files\world of warcraft\wow-2.2.0-engb-downloader.exe:Blizzard Downloader
"TCP Query User{2EE4D47D-54FF-4D4E-9918-43194ED5B42B}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{A8363595-8E41-4442-AD92-DD16EA79B8E0}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{D90DAFC9-9EED-4A48-94B9-B322A70FA3D3}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{3302AC63-25C5-403E-BB25-5EF4A0BAD820}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{C23283D8-4E79-4120-99B9-9EFCCD765305}c:\\program files\\octoshape streaming services\\christoffer\\octoshapeclient.exe"= UDP:c:\program files\octoshape streaming services\christoffer\octoshapeclient.exe:OctoshapeClient
"UDP Query User{FE61483C-EFC4-487B-82C3-FB976D96A860}c:\\program files\\octoshape streaming services\\christoffer\\octoshapeclient.exe"= TCP:c:\program files\octoshape streaming services\christoffer\octoshapeclient.exe:OctoshapeClient
"TCP Query User{A2528CBA-6447-4FE5-98D6-D41BB20E9886}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{ED5A4B12-1AED-40FA-9A83-5D688C72DC95}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{C9478F5B-4E5C-43E9-A4D4-F9FF323A64CA}c:\\users\\christoffer\\desktop\\cs 1.6\\hl.exe"= UDP:c:\users\christoffer\desktop\cs 1.6\hl.exe:hl.exe
"UDP Query User{9A6CFD01-621E-4A1B-BB04-ACBC8EEBD76F}c:\\users\\christoffer\\desktop\\cs 1.6\\hl.exe"= TCP:c:\users\christoffer\desktop\cs 1.6\hl.exe:hl.exe
"TCP Query User{6C142000-CAE1-476A-9B66-AA0A889EAC19}c:\\users\\christoffer\\desktop\\cs 1.6 - lan\\hl.exe"= UDP:c:\users\christoffer\desktop\cs 1.6 - lan\hl.exe:hl.exe
"UDP Query User{7827AFB1-0D40-4CF2-B604-2AFB1A7CFCCF}c:\\users\\christoffer\\desktop\\cs 1.6 - lan\\hl.exe"= TCP:c:\users\christoffer\desktop\cs 1.6 - lan\hl.exe:hl.exe
"{CE2A20B5-1B8C-4140-A737-EF53EEBD24FC}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{39D42132-77C4-4AB1-B65E-03A6CE7D79FF}"= TCP:c:\program files\DNA\btdna.exe:DNA
"TCP Query User{EF4673B4-47A9-4245-8195-D87F4EE706A7}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{03E07184-FCBD-43A0-97A5-7398BEDECB6F}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{02FF9D19-69C9-4D5F-8E2F-035718BE8074}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{81854E44-D48F-4157-803F-2E0264539995}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"{7B3C05D4-1B18-4A5D-ADCB-4CF93E707E9F}"= %ProgramFiles%\Telenor\Online Start\Telenor.exe:Online Start
"TCP Query User{2A4DE4B2-B143-4435-A535-F80FFCFBA392}c:\\users\\christoffer\\spill\\steam\\steamapps\\hooofbite\\half-life\\hl.exe"= UDP:c:\users\christoffer\spill\steam\steamapps\hooofbite\half-life\hl.exe:Half-Life Launcher
"UDP Query User{C924F210-E492-41E5-8910-B76B3AF3922D}c:\\users\\christoffer\\spill\\steam\\steamapps\\hooofbite\\half-life\\hl.exe"= TCP:c:\users\christoffer\spill\steam\steamapps\hooofbite\half-life\hl.exe:Half-Life Launcher
"{44CDE0B6-97DA-44A9-94D6-49F80DA999C8}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1E1BD58A-0E30-41FE-97ED-96FD7E9D04DA}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{80DDC25C-EDA2-4C16-B2B4-21B9D7B76C0C}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{D5EA9483-466E-4EE5-B9A3-C58B15ECF38B}"= UDP:c:\program files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{FCA0BBBF-1084-4AFE-ABC4-EC082CE919D3}"= TCP:c:\program files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{A81B7B24-B803-4B9A-841F-96336741F9BA}"= UDP:3724:Blizzard Downloader: 3724
"{45F0DA02-B42B-4E63-9346-1B45909E2CF7}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{320DC7F7-0D39-44BE-B9FF-45DD73848D12}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{45591359-474B-4B80-9D45-8AEF3EAF2416}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FA3A155F-B13C-4A9B-85C0-B4AB73586B83}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{468724B5-403C-496D-BC93-C4E7114BF05E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{489C66C2-7302-4BB8-8902-2E01A3498FF2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F812CE89-2096-401F-B532-5B181D6DA5E1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{CD6465CA-3AFE-4B6A-8000-67CEFD1BBAED}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{83F1D40F-7A15-4CE4-8007-341D276850C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5C5A057C-E69F-484B-8FE2-A226EF18B3DB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F14B7E63-D6F4-4112-B7C9-3E406F59AC60}"= UDP:c:\windows\services.exe:services.exe
"{90D346A7-F9B9-43C0-9972-EA9D0687888D}"= TCP:c:\windows\services.exe:services.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2009-04-20 145424]
S2 BcmSqlStartupSvc;Oppstartstjeneste for Business Contact Manager SQL Server;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-16 30312]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-04-20 36368]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2009-04-20 256528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79ab7129-cd4d-11dd-b27f-00301bbc1bc6}]
\shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80472f54-a1e2-11dd-8cb0-00301bbc1bc6}]
\shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cf06b78-aa7a-11dd-8791-00301bbc1bc6}]
\shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d12fe732-dc7a-11dc-a3bc-00301bbc1bc6}]
\shell\AutoRun\command - wd_windows_tools\setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Christoffer\AppData\Roaming\Mozilla\Firefox\Profiles\7ju85325.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 17:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-26 17:43
ComboFix-quarantined-files.txt 2009-04-26 15:43

Pre-Run: 61 260 619 776 byte ledig
Post-Run: 66 186 878 976 byte ledig

299 --- E O F --- 2009-04-21 08:58

Jintan · 04-27-2009, 05:49 PM

ComboFix picked up on and deleted some autorun worm files as well. Good progress there. Let's do some other repairs then scan to see if anything remains.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Also disconnect from net access anytime you run ComboFix, reconnecting after it has completed it's scan.

Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:

Files::
c:\windows\services.exe
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata08.sqm  
C:\sqmnoopt08.sqm  
C:\sqmdata07.sqm  
C:\sqmnoopt07.sqm  
Registry::
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Firewall Rules]
"TCP Query User{A2528CBA-6447-4FE5-98D6-D41BB20E9886}c:\\program files\\internet explorer\\iexplore.exe"=-
"UDP Query User{ED5A4B12-1AED-40FA-9A83-5D688C72DC95}c:\\program files\\internet explorer\\iexplore.exe"=-
"{F14B7E63-D6F4-4112-B7C9-3E406F59AC60}"=-
"{90D346A7-F9B9-43C0-9972-EA9D0687888D}"=-

Save this to your desktop as CFScript.txt

You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

---------------

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here.

Post back that log and the ComboFix log please.

hoofbite · 05-26-2009, 03:02 AM

The "extreme" version of the cursor moving by itself stopped for a long while.. but last night it started out jumping from one point to another on the screen.. only a small distance, every once in a while. Did this scan earlier too, but did it again now and this is the log: (by the way, before i started it, it said that it was running in some kind of reduced mode, cus it was outdated? i dunno)

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-19 4702208]
"Resume copy"="copyfstq.exe" - c:\windows\copyfstq.exe [2007-10-26 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Telenor Online Start"="c:\program files\Telenor\Online Start\Telenor.exe" [2006-11-30 178312]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Hurtigstart for Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5CF92585-B268-4835-9F2A-CF0D64312AE1}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{AFA3B790-A06C-4409-8410-2D809D70EC8B}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{0FFDF113-1FAD-4C77-BD92-7A53E1FDA8D3}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{E5AB9D7A-60AC-4647-A831-3C05D978D324}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{FEE5E50C-608A-4FFA-9EB1-057A3BBC9EF1}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{9F993580-5D65-4AA4-B7BC-682AFFB86400}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{8A784216-1542-4403-85D4-1ED55109CF10}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{FDE3FA0A-2C59-4629-B390-816357E07F15}c:\\users\\christoffer\\program files\\bittorrent_dna\\dna.exe"= UDP:c:\users\christoffer\program files\bittorrent_dna\dna.exe:dna.exe
"UDP Query User{09D657AD-9918-4630-9C9A-89E15D265F58}c:\\users\\christoffer\\program files\\bittorrent_dna\\dna.exe"= TCP:c:\users\christoffer\program files\bittorrent_dna\dna.exe:dna.exe
"TCP Query User{208E6E78-CEE8-4908-8F2F-C1DA3D370074}c:\\program files\\world of warcraft\\wow-2.2.0-engb-downloader.exe"= UDP:c:\program files\world of warcraft\wow-2.2.0-engb-downloader.exe:Blizzard Downloader
"UDP Query User{404B5350-8204-40A5-88BF-9037DC9581B7}c:\\program files\\world of warcraft\\wow-2.2.0-engb-downloader.exe"= TCP:c:\program files\world of warcraft\wow-2.2.0-engb-downloader.exe:Blizzard Downloader
"TCP Query User{2EE4D47D-54FF-4D4E-9918-43194ED5B42B}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{A8363595-8E41-4442-AD92-DD16EA79B8E0}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{D90DAFC9-9EED-4A48-94B9-B322A70FA3D3}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{3302AC63-25C5-403E-BB25-5EF4A0BAD820}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{C23283D8-4E79-4120-99B9-9EFCCD765305}c:\\program files\\octoshape streaming services\\christoffer\\octoshapeclient.exe"= UDP:c:\program files\octoshape streaming services\christoffer\octoshapeclient.exe:OctoshapeClient
"UDP Query User{FE61483C-EFC4-487B-82C3-FB976D96A860}c:\\program files\\octoshape streaming services\\christoffer\\octoshapeclient.exe"= TCP:c:\program files\octoshape streaming services\christoffer\octoshapeclient.exe:OctoshapeClient
"TCP Query User{A2528CBA-6447-4FE5-98D6-D41BB20E9886}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{ED5A4B12-1AED-40FA-9A83-5D688C72DC95}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{C9478F5B-4E5C-43E9-A4D4-F9FF323A64CA}c:\\users\\christoffer\\desktop\\cs 1.6\\hl.exe"= UDP:c:\users\christoffer\desktop\cs 1.6\hl.exe:hl.exe
"UDP Query User{9A6CFD01-621E-4A1B-BB04-ACBC8EEBD76F}c:\\users\\christoffer\\desktop\\cs 1.6\\hl.exe"= TCP:c:\users\christoffer\desktop\cs 1.6\hl.exe:hl.exe
"TCP Query User{6C142000-CAE1-476A-9B66-AA0A889EAC19}c:\\users\\christoffer\\desktop\\cs 1.6 - lan\\hl.exe"= UDP:c:\users\christoffer\desktop\cs 1.6 - lan\hl.exe:hl.exe
"UDP Query User{7827AFB1-0D40-4CF2-B604-2AFB1A7CFCCF}c:\\users\\christoffer\\desktop\\cs 1.6 - lan\\hl.exe"= TCP:c:\users\christoffer\desktop\cs 1.6 - lan\hl.exe:hl.exe
"{CE2A20B5-1B8C-4140-A737-EF53EEBD24FC}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{39D42132-77C4-4AB1-B65E-03A6CE7D79FF}"= TCP:c:\program files\DNA\btdna.exe:DNA
"TCP Query User{EF4673B4-47A9-4245-8195-D87F4EE706A7}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{03E07184-FCBD-43A0-97A5-7398BEDECB6F}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{02FF9D19-69C9-4D5F-8E2F-035718BE8074}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{81854E44-D48F-4157-803F-2E0264539995}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"{7B3C05D4-1B18-4A5D-ADCB-4CF93E707E9F}"= %ProgramFiles%\Telenor\Online Start\Telenor.exe:Online Start
"TCP Query User{2A4DE4B2-B143-4435-A535-F80FFCFBA392}c:\\users\\christoffer\\spill\\steam\\steamapps\\hooofbite\\half-life\\hl.exe"= UDP:c:\users\christoffer\spill\steam\steamapps\hooofbite\half-life\hl.exe:Half-Life Launcher
"UDP Query User{C924F210-E492-41E5-8910-B76B3AF3922D}c:\\users\\christoffer\\spill\\steam\\steamapps\\hooofbite\\half-life\\hl.exe"= TCP:c:\users\christoffer\spill\steam\steamapps\hooofbite\half-life\hl.exe:Half-Life Launcher
"{44CDE0B6-97DA-44A9-94D6-49F80DA999C8}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1E1BD58A-0E30-41FE-97ED-96FD7E9D04DA}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{80DDC25C-EDA2-4C16-B2B4-21B9D7B76C0C}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{D5EA9483-466E-4EE5-B9A3-C58B15ECF38B}"= UDP:c:\program files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{FCA0BBBF-1084-4AFE-ABC4-EC082CE919D3}"= TCP:c:\program files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{A81B7B24-B803-4B9A-841F-96336741F9BA}"= UDP:3724:Blizzard Downloader: 3724
"{45F0DA02-B42B-4E63-9346-1B45909E2CF7}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{320DC7F7-0D39-44BE-B9FF-45DD73848D12}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{45591359-474B-4B80-9D45-8AEF3EAF2416}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FA3A155F-B13C-4A9B-85C0-B4AB73586B83}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{468724B5-403C-496D-BC93-C4E7114BF05E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{489C66C2-7302-4BB8-8902-2E01A3498FF2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F812CE89-2096-401F-B532-5B181D6DA5E1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{CD6465CA-3AFE-4B6A-8000-67CEFD1BBAED}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{83F1D40F-7A15-4CE4-8007-341D276850C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5C5A057C-E69F-484B-8FE2-A226EF18B3DB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F14B7E63-D6F4-4112-B7C9-3E406F59AC60}"= UDP:c:\windows\services.exe:services.exe
"{90D346A7-F9B9-43C0-9972-EA9D0687888D}"= TCP:c:\windows\services.exe:services.exe
"{6C0B4524-4BC9-48AA-B794-90B25196E5F1}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{ABAE8E55-0517-4DA9-872E-28D7C5DB9172}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [20.04.2009 14:04 145424]
R2 BcmSqlStartupSvc;Oppstartstjeneste for Business Contact Manager SQL Server;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [16.01.2008 11:21 30312]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [20.04.2009 14:04 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [20.04.2009 14:04 256528]
S2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [20.04.2009 14:04 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [20.04.2009 14:26 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [20.04.2009 14:26 677128]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25.09.2007 16:59 15152]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24.11.2008 22:31 29263712]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79ab7129-cd4d-11dd-b27f-00301bbc1bc6}]
\shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80472f54-a1e2-11dd-8cb0-00301bbc1bc6}]
\shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cf06b78-aa7a-11dd-8791-00301bbc1bc6}]
\shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d12fe732-dc7a-11dc-a3bc-00301bbc1bc6}]
\shell\AutoRun\command - wd_windows_tools\setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\users\Christoffer\AppData\Roaming\Mozilla\Firefox\Profiles\7ju85325.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 23:49
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-25 23:53
ComboFix-quarantined-files.txt 2009-05-25 21:53
ComboFix2.txt 2009-05-10 15:28
ComboFix3.txt 2009-04-26 15:43

Pre-Run: 87 669 514 240 byte ledig
Post-Run: 88 099 123 200 byte ledig

257 --- E O F --- 2009-05-01 09:52

Jintan · 05-26-2009, 08:00 PM

Over a month has gone by without a response from you here. I would normally just suggest you start a new thread, but I see no reason to just add to the workload here of one of my teammates. If we take this cause up again, why should I think you will not just stop responding again?

04-22-2009, 08:22 PM	#2 (permalink)
Jintan Analyst, Security Team Join Date: Feb 2006 Posts: 222 OS: 2K	Re: Mouse-cursor moves by itself, even when the mouse is unplugged Welcome to TSF hoofbite, Noooo, you sure do not want to be deleting files you are not sure of, and especially those like "services.exe" which is usually an essential (and protected) system file. Not seeing any infection here so far - let's run a repair scan then check after. To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Download Malwarebytes' Anti-Malware from Here or Here. Double Click mbam-setup.exe to install the application. * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. * If an update is found, it will download and install the latest version. * Once the program has loaded, select "Perform quick scan", then click Scan. * The scan may take some time to finish,so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then. __________________

04-23-2009, 09:16 AM	#3 (permalink)
hoofbite Registered User Join Date: Apr 2009 Posts: 4 OS: Windows Vista Longhorn	Re: Mouse-cursor moves by itself, even when the mouse is unplugged The "living" cursor suddenly stopped by the way, before I ran this scan, but I ran it anyway.. and it found like 31 infected files, so I guess it was about time I ran one. I pressed delete, and then I had to reboot.. but a lot of files is still quarantined in MBAM, should I delete these too? Malwarebytes' Anti-Malware 1.36 Databaseversjon: 2029 Windows 6.0.6001 Service Pack 1 23.04.2009 17:07:56 mbam-log-2009-04-23 (17-07-56).txt Skanntype: Rask Skann Objekter skannet: 79660 Tid tilbakelagt: 7 minute(s), 24 second(s) Minneprosesser infisert: 0 Minnemoduler infisert: 0 Registernøkler infisert: 5 Registerverdier infisert: 7 Registerfiler infisert: 3 Mapper infisert: 4 Filer infisert: 12 Minneprosesser infisert: (Ingen mistenkelige filer funnet) Minnemoduler infisert: (Ingen mistenkelige filer funnet) Registernøkler infisert: HKEY_LOCAL_MACHINE\SOFTWARE\xp_securitycenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\vwsrfton.bxwe (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\vwsrfton.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf94dbf9-b064-4473-8c40-bc68145805da} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{cf94dbf9-b064-4473-8c40-bc68145805da} (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registerverdier infisert: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> Quarantined and deleted successfully. Registerfiler infisert: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Mapper infisert: C:\Program Files\XPSecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\data (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPSecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. Filer infisert: C:\Program Files\XPSecurityCenter\comp.dat (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\htmlayout.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\pthreadVC2.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\un.ico (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\unzip32.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\data\daily.cvd (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPSecurityCenter\Uninstall.lnk (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPSecurityCenter\XPSecurityCenter.lnk (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully. Last edited by hoofbite; 04-23-2009 at 09:19 AM.

04-23-2009, 06:25 PM	#4 (permalink)
Jintan Analyst, Security Team Join Date: Feb 2006 Posts: 222 OS: 2K	Re: Mouse-cursor moves by itself, even when the mouse is unplugged Quarantined means held harmless, so not really an issue there right now. Malwarebytes actually undid quite a few malware-related system changes and removed a rogue security software package. Let's check now to see what else might remain there. Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Also disconnect from net access anytime you run ComboFix, reconnecting after it has completed it's scan. Download the latest version of Combofix.exe from here and save it to your C folder (C:\ComboFix.exe). Doubleclick on combofix.exe and the scan will start (go ahead and install the Recovery Console if you are asked to do so). When the scan completes, a text window with your log will open. Please copy and paste that log back here. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. __________________

04-27-2009, 03:10 AM	#5 (permalink)
hoofbite Registered User Join Date: Apr 2009 Posts: 4 OS: Windows Vista Longhorn	Re: Mouse-cursor moves by itself, even when the mouse is unplugged ComboFix 09-04-25.A3 - Christoffer 26.04.2009 17:38.1 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1044.18.2047.1192 [GMT 2:00] Running from: c:\users\Christoffer\Desktop\ComboFix.exe AV: Trend Micro Internet Security On-access scanning disabled (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . D:\Autorun.inf d:\recycler\autorun.inf d:\recycler\desktop.ini d:\recycler\Folder.htt d:\recycler\info.exe d:\recycler\protect.ed d:\recycler\warning.bmp G:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 ))))))))))))))))))))))))))))))) . 2009-04-23 07:34 . 2009-04-23 07:34 -------- d-----w c:\users\Christoffer\AppData\Roaming\Malwarebytes 2009-04-23 07:34 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-23 07:34 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-23 07:34 . 2009-04-23 07:34 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-23 07:34 . 2009-04-23 07:34 -------- d-----w c:\users\All Users\Malwarebytes 2009-04-23 07:34 . 2009-04-23 07:34 -------- d-----w c:\programdata\Malwarebytes 2009-04-21 08:54 . 2009-04-21 08:54 290 ----a-w C:\Partition_1 (C) - Snarvei.lnk 2009-04-20 14:29 . 2007-11-17 21:22 3636 ----a-w c:\windows\system32\drivers\nvphy.bin 2009-04-20 13:15 . 2009-04-20 13:15 -------- d--h--w c:\windows\PIF 2009-04-20 12:06 . 2009-04-20 12:06 -------- d-----w c:\users\Christoffer\AppData\Local\Trend Micro 2009-04-20 12:04 . 2009-04-20 12:04 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys 2009-04-20 12:04 . 2009-04-20 12:04 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys 2009-04-20 12:04 . 2009-04-20 12:04 256528 ----a-w c:\windows\system32\drivers\tmwfp.sys 2009-04-20 12:04 . 2009-04-20 12:04 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys 2009-04-20 12:04 . 2009-04-20 12:04 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys 2009-04-20 12:04 . 2009-04-20 12:04 145424 ----a-w c:\windows\system32\drivers\tmlwf.sys 2009-04-20 12:04 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys 2009-04-20 12:04 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys 2009-04-20 12:04 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys 2009-04-20 11:58 . 2009-04-20 11:58 -------- d-----w c:\users\All Users\Office Genuine Advantage 2009-04-20 11:58 . 2009-04-20 11:58 -------- d-----w c:\programdata\Office Genuine Advantage 2009-04-20 11:08 . 2009-04-20 11:08 118 ----a-w c:\windows\system32\MRT.INI 2009-04-20 10:51 . 2008-06-20 01:14 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll 2009-04-20 10:51 . 2008-06-20 01:14 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll 2009-04-20 10:51 . 2008-06-20 01:14 97800 ----a-w c:\windows\system32\infocardapi.dll 2009-04-20 10:51 . 2008-06-20 01:14 37384 ----a-w c:\windows\system32\infocardcpl.cpl 2009-04-20 10:51 . 2008-06-20 01:14 11264 ----a-w c:\windows\system32\icardres.dll 2009-04-20 10:51 . 2008-06-20 01:14 622080 ----a-w c:\windows\system32\icardagt.exe 2009-04-20 10:51 . 2008-06-20 01:14 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll 2009-04-20 10:51 . 2008-06-20 01:14 326160 ----a-w c:\windows\system32\PresentationHost.exe 2009-04-20 10:45 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll 2009-04-20 10:45 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll 2009-04-20 10:45 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll 2009-04-20 10:45 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll 2009-04-20 10:45 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll 2009-04-20 10:42 . 2008-12-05 04:32 428544 ----a-w c:\windows\system32\EncDec.dll 2009-04-20 10:42 . 2008-12-05 04:31 217088 ----a-w c:\windows\system32\psisrndr.ax 2009-04-20 10:42 . 2008-12-05 04:32 293376 ----a-w c:\windows\system32\psisdecd.dll 2009-04-20 10:42 . 2008-12-05 04:31 80896 ----a-w c:\windows\system32\MSNP.ax 2009-04-20 10:42 . 2008-12-05 04:31 177664 ----a-w c:\windows\system32\mpg2splt.ax 2009-04-20 10:40 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll 2009-04-20 10:40 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll 2009-04-20 10:38 . 2008-11-27 04:43 268288 ----a-w c:\windows\system32\schannel.dll 2009-04-20 10:37 . 2009-02-09 03:10 2033152 ----a-w c:\windows\system32\win32k.sys 2009-04-20 10:23 . 2009-04-20 10:23 -------- d-----w c:\program files\Microsoft IntelliPoint 2009-04-11 01:53 . 2009-04-11 01:53 268 ---ha-w C:\sqmdata08.sqm 2009-04-11 01:53 . 2009-04-11 01:53 244 ---ha-w C:\sqmnoopt08.sqm 2009-04-09 09:24 . 2009-04-09 09:24 172 ---ha-w C:\sqmdata07.sqm 2009-04-09 09:24 . 2009-04-09 09:24 172 ---ha-w C:\sqmnoopt07.sqm 2009-04-09 08:02 . 2009-04-09 08:02 -------- d-----w c:\users\Christoffer\AppData\Roaming\Apple Computer 2009-04-09 08:01 . 2009-03-19 14:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys 2009-04-09 08:01 . 2008-04-17 10:12 107368 ----a-w c:\windows\system32\GEARAspi.dll 2009-04-09 08:01 . 2009-04-09 08:01 -------- dc----w c:\windows\system32\DRVSTORE 2009-04-09 08:01 . 2009-04-09 08:01 -------- d-----w c:\program files\iPod 2009-04-09 08:01 . 2009-04-09 08:01 -------- d-----w c:\users\All Users\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-04-09 08:01 . 2009-04-09 08:01 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-04-09 08:01 . 2009-04-09 08:01 -------- d-----w c:\program files\iTunes 2009-04-09 08:00 . 2009-04-09 08:00 -------- d-----w c:\program files\Bonjour 2009-04-09 07:59 . 2009-04-09 08:00 -------- d-----w c:\program files\QuickTime 2009-04-09 07:59 . 2009-04-09 08:01 -------- d-----w c:\users\All Users\Apple Computer 2009-04-09 07:59 . 2009-04-09 08:01 -------- d-----w c:\programdata\Apple Computer 2009-04-09 07:56 . 2009-04-09 08:01 -------- d-----w c:\program files\Common Files\Apple 2009-04-08 22:05 . 2009-04-08 22:05 268 ---ha-w C:\sqmdata06.sqm 2009-04-08 22:05 . 2009-04-08 22:05 244 ---ha-w C:\sqmnoopt06.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-26 15:17 . 2007-10-20 21:25 -------- d-----w c:\program files\Betsson Poker 2009-04-26 13:36 . 2007-10-21 00:00 -------- d-----w c:\program files\World of Warcraft 2009-04-26 09:44 . 2008-12-29 15:38 -------- d-----w c:\program files\Steam 2009-04-21 14:52 . 2007-10-31 20:16 -------- d-----w c:\users\Christoffer\AppData\Roaming\mIRC 2009-04-21 08:57 . 2007-08-15 04:20 66236 ----a-w c:\windows\System32\perfc014.dat 2009-04-21 08:57 . 2007-08-15 04:20 409918 ----a-w c:\windows\System32\perfh014.dat 2009-04-21 08:56 . 2007-10-31 20:16 -------- d-----w c:\program files\mIRC 2009-04-21 08:50 . 2007-10-17 18:18 -------- d-----w c:\programdata\NVIDIA 2009-04-20 14:34 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat 2009-04-20 14:34 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat 2009-04-20 14:33 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat 2009-04-20 12:32 . 2008-08-21 10:02 -------- d-----w c:\programdata\Trend Micro 2009-04-20 12:24 . 2008-08-21 10:01 -------- d-----w c:\program files\Trend Micro 2009-04-20 11:59 . 2007-12-05 12:21 -------- d-----w c:\program files\Common Files\Steam 2009-04-20 11:58 . 2007-10-20 17:34 100648 ----a-w c:\users\Christoffer\AppData\Local\GDIPFONTCACHEV1.DAT 2009-04-20 11:47 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail 2009-04-20 11:13 . 2007-08-14 18:31 -------- d-----w c:\programdata\Microsoft Help 2009-04-20 11:01 . 2007-08-14 18:40 -------- d-----w c:\program files\Microsoft SQL Server 2009-04-20 10:44 . 2008-02-11 22:50 -------- d-----w c:\users\Christoffer\AppData\Roaming\LimeWire 2009-04-18 12:53 . 2007-10-20 21:37 -------- d-----w c:\users\Christoffer\AppData\Roaming\uTorrent 2009-03-26 13:23 . 2009-03-26 13:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys 2009-03-26 13:23 . 2009-03-26 13:23 1900544 ----a-w c:\windows\System32\usbaaplrc.dll 2009-03-17 03:38 . 2009-04-20 10:41 40960 ----a-w c:\windows\AppPatch\apihex86.dll 2009-03-17 03:38 . 2009-04-20 10:41 13824 ----a-w c:\windows\System32\apilogen.dll 2009-03-17 03:38 . 2009-04-20 10:41 24064 ----a-w c:\windows\System32\amxread.dll 2009-03-16 23:48 . 2009-02-22 00:19 -------- d-----w c:\users\Christoffer\AppData\Roaming\Hamachi 2009-03-03 04:46 . 2009-04-20 10:41 3599328 ----a-w c:\windows\System32\ntkrnlpa.exe 2009-03-03 04:46 . 2009-04-20 10:41 3547632 ----a-w c:\windows\System32\ntoskrnl.exe 2009-03-03 04:40 . 2009-04-20 10:41 827392 ----a-w c:\windows\System32\wininet.dll 2009-03-03 04:39 . 2009-04-20 10:41 183296 ----a-w c:\windows\System32\sdohlp.dll 2009-03-03 04:39 . 2009-04-20 10:41 551424 ----a-w c:\windows\System32\rpcss.dll 2009-03-03 04:39 . 2009-04-20 10:41 26112 ----a-w c:\windows\System32\printfilterpipelineprxy.dll 2009-03-03 04:37 . 2009-04-20 10:41 78336 ----a-w c:\windows\System32\ieencode.dll 2009-03-03 04:37 . 2009-04-20 10:41 98304 ----a-w c:\windows\System32\iasrecst.dll 2009-03-03 04:37 . 2009-04-20 10:41 54784 ----a-w c:\windows\System32\iasads.dll 2009-03-03 04:37 . 2009-04-20 10:41 44032 ----a-w c:\windows\System32\iasdatastore.dll 2009-03-03 03:04 . 2009-04-20 10:41 666624 ----a-w c:\windows\System32\printfilterpipelinesvc.exe 2009-03-03 02:38 . 2009-04-20 10:41 17408 ----a-w c:\windows\System32\iashost.exe 2009-03-03 02:28 . 2009-04-20 10:41 26624 ----a-w c:\windows\System32\ieUnatt.exe 2009-03-02 10:35 . 2008-04-27 19:40 -------- d-----w c:\program files\Warcraft III 2009-02-13 08:49 . 2009-04-20 10:41 72704 ----a-w c:\windows\System32\secur32.dll 2009-02-13 08:49 . 2009-04-20 10:41 1255936 ----a-w c:\windows\System32\lsasrv.dll 2008-08-25 17:08 . 2008-01-18 16:47 680 ----a-w c:\users\Christoffer\AppData\Local\d3d9caps.dat 2008-05-28 21:17 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini 2008-02-10 11:49 . 2008-02-10 11:49 99864 ----a-w c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT 2008-11-09 13:2008-11-09 13:13 13:55 . c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll 2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\jar50.dll 2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\jsd3250.dll 2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\myspell.dll 2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\spellchk.dll 2008-12-23 16:2007-10-20 19:02 20:17 . c:\program files\mozilla firefox\components\xpinstal.dll 2007-06-11 14:25 . 2007-06-11 14:25 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-15 39408] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-02-13 486856] "Telenor Online Start"="c:\program files\Telenor\Online Start\Telenor.exe" [2006-11-30 178312] "Steam"="c:\program files\Steam\Steam.exe" [2008-12-29 1410296] "Sidebar"="c:\program files\Windows Sidebar\SideBar.exe" [2008-01-18 1233920] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-10-20 24576] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-15 185896] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-09 1838592] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024] "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704] "RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-19 4702208] "Resume copy"="copyfstq.exe" - c:\windows\copyfstq.exe [2007-10-26 73728] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Telenor Online Start"="c:\program files\Telenor\Online Start\Telenor.exe" [2006-11-30 178312] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Hurtigstart for Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AutoUpdateDisableNotify"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{5CF92585-B268-4835-9F2A-CF0D64312AE1}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone) "{AFA3B790-A06C-4409-8410-2D809D70EC8B}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA "{0FFDF113-1FAD-4C77-BD92-7A53E1FDA8D3}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA "{E5AB9D7A-60AC-4647-A831-3C05D978D324}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent "{FEE5E50C-608A-4FFA-9EB1-057A3BBC9EF1}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent "TCP Query User{9F993580-5D65-4AA4-B7BC-682AFFB86400}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent "UDP Query User{8A784216-1542-4403-85D4-1ED55109CF10}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent "TCP Query User{FDE3FA0A-2C59-4629-B390-816357E07F15}c:\\users\\christoffer\\program files\\bittorrent_dna\\dna.exe"= UDP:c:\users\christoffer\program files\bittorrent_dna\dna.exe:dna.exe "UDP Query User{09D657AD-9918-4630-9C9A-89E15D265F58}c:\\users\\christoffer\\program files\\bittorrent_dna\\dna.exe"= TCP:c:\users\christoffer\program files\bittorrent_dna\dna.exe:dna.exe "TCP Query User{208E6E78-CEE8-4908-8F2F-C1DA3D370074}c:\\program files\\world of warcraft\\wow-2.2.0-engb-downloader.exe"= UDP:c:\program files\world of warcraft\wow-2.2.0-engb-downloader.exe:Blizzard Downloader "UDP Query User{404B5350-8204-40A5-88BF-9037DC9581B7}c:\\program files\\world of warcraft\\wow-2.2.0-engb-downloader.exe"= TCP:c:\program files\world of warcraft\wow-2.2.0-engb-downloader.exe:Blizzard Downloader "TCP Query User{2EE4D47D-54FF-4D4E-9918-43194ED5B42B}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++ "UDP Query User{A8363595-8E41-4442-AD92-DD16EA79B8E0}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++ "TCP Query User{D90DAFC9-9EED-4A48-94B9-B322A70FA3D3}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox "UDP Query User{3302AC63-25C5-403E-BB25-5EF4A0BAD820}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox "TCP Query User{C23283D8-4E79-4120-99B9-9EFCCD765305}c:\\program files\\octoshape streaming services\\christoffer\\octoshapeclient.exe"= UDP:c:\program files\octoshape streaming services\christoffer\octoshapeclient.exe:OctoshapeClient "UDP Query User{FE61483C-EFC4-487B-82C3-FB976D96A860}c:\\program files\\octoshape streaming services\\christoffer\\octoshapeclient.exe"= TCP:c:\program files\octoshape streaming services\christoffer\octoshapeclient.exe:OctoshapeClient "TCP Query User{A2528CBA-6447-4FE5-98D6-D41BB20E9886}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer "UDP Query User{ED5A4B12-1AED-40FA-9A83-5D688C72DC95}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer "TCP Query User{C9478F5B-4E5C-43E9-A4D4-F9FF323A64CA}c:\\users\\christoffer\\desktop\\cs 1.6\\hl.exe"= UDP:c:\users\christoffer\desktop\cs 1.6\hl.exe:hl.exe "UDP Query User{9A6CFD01-621E-4A1B-BB04-ACBC8EEBD76F}c:\\users\\christoffer\\desktop\\cs 1.6\\hl.exe"= TCP:c:\users\christoffer\desktop\cs 1.6\hl.exe:hl.exe "TCP Query User{6C142000-CAE1-476A-9B66-AA0A889EAC19}c:\\users\\christoffer\\desktop\\cs 1.6 - lan\\hl.exe"= UDP:c:\users\christoffer\desktop\cs 1.6 - lan\hl.exe:hl.exe "UDP Query User{7827AFB1-0D40-4CF2-B604-2AFB1A7CFCCF}c:\\users\\christoffer\\desktop\\cs 1.6 - lan\\hl.exe"= TCP:c:\users\christoffer\desktop\cs 1.6 - lan\hl.exe:hl.exe "{CE2A20B5-1B8C-4140-A737-EF53EEBD24FC}"= UDP:c:\program files\DNA\btdna.exe:DNA "{39D42132-77C4-4AB1-B65E-03A6CE7D79FF}"= TCP:c:\program files\DNA\btdna.exe:DNA "TCP Query User{EF4673B4-47A9-4245-8195-D87F4EE706A7}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III "UDP Query User{03E07184-FCBD-43A0-97A5-7398BEDECB6F}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III "TCP Query User{02FF9D19-69C9-4D5F-8E2F-035718BE8074}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC "UDP Query User{81854E44-D48F-4157-803F-2E0264539995}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC "{7B3C05D4-1B18-4A5D-ADCB-4CF93E707E9F}"= %ProgramFiles%\Telenor\Online Start\Telenor.exe:Online Start "TCP Query User{2A4DE4B2-B143-4435-A535-F80FFCFBA392}c:\\users\\christoffer\\spill\\steam\\steamapps\\hooofbite\\half-life\\hl.exe"= UDP:c:\users\christoffer\spill\steam\steamapps\hooofbite\half-life\hl.exe:Half-Life Launcher "UDP Query User{C924F210-E492-41E5-8910-B76B3AF3922D}c:\\users\\christoffer\\spill\\steam\\steamapps\\hooofbite\\half-life\\hl.exe"= TCP:c:\users\christoffer\spill\steam\steamapps\hooofbite\half-life\hl.exe:Half-Life Launcher "{44CDE0B6-97DA-44A9-94D6-49F80DA999C8}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone) "{1E1BD58A-0E30-41FE-97ED-96FD7E9D04DA}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In) "{80DDC25C-EDA2-4C16-B2B4-21B9D7B76C0C}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In) "{D5EA9483-466E-4EE5-B9A3-C58B15ECF38B}"= UDP:c:\program files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader "{FCA0BBBF-1084-4AFE-ABC4-EC082CE919D3}"= TCP:c:\program files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader "{A81B7B24-B803-4B9A-841F-96336741F9BA}"= UDP:3724:Blizzard Downloader: 3724 "{45F0DA02-B42B-4E63-9346-1B45909E2CF7}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In) "{320DC7F7-0D39-44BE-B9FF-45DD73848D12}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In) "{45591359-474B-4B80-9D45-8AEF3EAF2416}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove "{FA3A155F-B13C-4A9B-85C0-B4AB73586B83}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove "{468724B5-403C-496D-BC93-C4E7114BF05E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{489C66C2-7302-4BB8-8902-2E01A3498FF2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{F812CE89-2096-401F-B532-5B181D6DA5E1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "{CD6465CA-3AFE-4B6A-8000-67CEFD1BBAED}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "{83F1D40F-7A15-4CE4-8007-341D276850C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes "{5C5A057C-E69F-484B-8FE2-A226EF18B3DB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes "{F14B7E63-D6F4-4112-B7C9-3E406F59AC60}"= UDP:c:\windows\services.exe:services.exe "{90D346A7-F9B9-43C0-9972-EA9D0687888D}"= TCP:c:\windows\services.exe:services.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile] "EnableFirewall"= 0 (0x0) "DoNotAllowExceptions"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List] "c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe::Enabled:BitTorrent R2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2009-04-02 50192] R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008] R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128] R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712] S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2009-04-20 145424] S2 BcmSqlStartupSvc;Oppstartstjeneste for Business Contact Manager SQL Server;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-16 30312] S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-04-20 36368] S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2009-04-20 256528] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] \shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79ab7129-cd4d-11dd-b27f-00301bbc1bc6}] \shell\AutoRun\command - H:\Launch.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80472f54-a1e2-11dd-8cb0-00301bbc1bc6}] \shell\AutoRun\command - setupSNK.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cf06b78-aa7a-11dd-8791-00301bbc1bc6}] \shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d12fe732-dc7a-11dc-a3bc-00301bbc1bc6}] \shell\AutoRun\command - wd_windows_tools\setup.exe . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com mStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = .local IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\users\Christoffer\AppData\Roaming\Mozilla\Firefox\Profiles\7ju85325.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?"); . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-26 17:41 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2009-04-26 17:43 ComboFix-quarantined-files.txt 2009-04-26 15:43 Pre-Run: 61 260 619 776 byte ledig Post-Run: 66 186 878 976 byte ledig 299 --- E O F --- 2009-04-21 08:58

04-27-2009, 05:49 PM	#6 (permalink)
Jintan Analyst, Security Team Join Date: Feb 2006 Posts: 222 OS: 2K	Re: Mouse-cursor moves by itself, even when the mouse is unplugged ComboFix picked up on and deleted some autorun worm files as well. Good progress there. Let's do some other repairs then scan to see if anything remains. Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Also disconnect from net access anytime you run ComboFix, reconnecting after it has completed it's scan. Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it: Code: Files:: c:\windows\services.exe C:\sqmdata06.sqm C:\sqmnoopt06.sqm C:\sqmdata08.sqm C:\sqmnoopt08.sqm C:\sqmdata07.sqm C:\sqmnoopt07.sqm Registry:: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Firewall Rules] "TCP Query User{A2528CBA-6447-4FE5-98D6-D41BB20E9886}c:\\program files\\internet explorer\\iexplore.exe"=- "UDP Query User{ED5A4B12-1AED-40FA-9A83-5D688C72DC95}c:\\program files\\internet explorer\\iexplore.exe"=- "{F14B7E63-D6F4-4112-B7C9-3E406F59AC60}"=- "{90D346A7-F9B9-43C0-9972-EA9D0687888D}"=- Save this to your desktop as CFScript.txt You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan. ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. --------------- Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes: Remove found threats Scan unwanted applications Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here. Post back that log and the ComboFix log please. __________________

05-26-2009, 03:02 AM	#7 (permalink)
hoofbite Registered User Join Date: Apr 2009 Posts: 4 OS: Windows Vista Longhorn	Re: Mouse-cursor moves by itself, even when the mouse is unplugged The "extreme" version of the cursor moving by itself stopped for a long while.. but last night it started out jumping from one point to another on the screen.. only a small distance, every once in a while. Did this scan earlier too, but did it again now and this is the log: (by the way, before i started it, it said that it was running in some kind of reduced mode, cus it was outdated? i dunno) "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704] "RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-19 4702208] "Resume copy"="copyfstq.exe" - c:\windows\copyfstq.exe [2007-10-26 73728] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Telenor Online Start"="c:\program files\Telenor\Online Start\Telenor.exe" [2006-11-30 178312] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Hurtigstart for Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AutoUpdateDisableNotify"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{5CF92585-B268-4835-9F2A-CF0D64312AE1}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone) "{AFA3B790-A06C-4409-8410-2D809D70EC8B}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA "{0FFDF113-1FAD-4C77-BD92-7A53E1FDA8D3}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA "{E5AB9D7A-60AC-4647-A831-3C05D978D324}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent "{FEE5E50C-608A-4FFA-9EB1-057A3BBC9EF1}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent "TCP Query User{9F993580-5D65-4AA4-B7BC-682AFFB86400}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent "UDP Query User{8A784216-1542-4403-85D4-1ED55109CF10}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent "TCP Query User{FDE3FA0A-2C59-4629-B390-816357E07F15}c:\\users\\christoffer\\program files\\bittorrent_dna\\dna.exe"= UDP:c:\users\christoffer\program files\bittorrent_dna\dna.exe:dna.exe "UDP Query User{09D657AD-9918-4630-9C9A-89E15D265F58}c:\\users\\christoffer\\program files\\bittorrent_dna\\dna.exe"= TCP:c:\users\christoffer\program files\bittorrent_dna\dna.exe:dna.exe "TCP Query User{208E6E78-CEE8-4908-8F2F-C1DA3D370074}c:\\program files\\world of warcraft\\wow-2.2.0-engb-downloader.exe"= UDP:c:\program files\world of warcraft\wow-2.2.0-engb-downloader.exe:Blizzard Downloader "UDP Query User{404B5350-8204-40A5-88BF-9037DC9581B7}c:\\program files\\world of warcraft\\wow-2.2.0-engb-downloader.exe"= TCP:c:\program files\world of warcraft\wow-2.2.0-engb-downloader.exe:Blizzard Downloader "TCP Query User{2EE4D47D-54FF-4D4E-9918-43194ED5B42B}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++ "UDP Query User{A8363595-8E41-4442-AD92-DD16EA79B8E0}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++ "TCP Query User{D90DAFC9-9EED-4A48-94B9-B322A70FA3D3}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox "UDP Query User{3302AC63-25C5-403E-BB25-5EF4A0BAD820}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox "TCP Query User{C23283D8-4E79-4120-99B9-9EFCCD765305}c:\\program files\\octoshape streaming services\\christoffer\\octoshapeclient.exe"= UDP:c:\program files\octoshape streaming services\christoffer\octoshapeclient.exe:OctoshapeClient "UDP Query User{FE61483C-EFC4-487B-82C3-FB976D96A860}c:\\program files\\octoshape streaming services\\christoffer\\octoshapeclient.exe"= TCP:c:\program files\octoshape streaming services\christoffer\octoshapeclient.exe:OctoshapeClient "TCP Query User{A2528CBA-6447-4FE5-98D6-D41BB20E9886}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer "UDP Query User{ED5A4B12-1AED-40FA-9A83-5D688C72DC95}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer "TCP Query User{C9478F5B-4E5C-43E9-A4D4-F9FF323A64CA}c:\\users\\christoffer\\desktop\\cs 1.6\\hl.exe"= UDP:c:\users\christoffer\desktop\cs 1.6\hl.exe:hl.exe "UDP Query User{9A6CFD01-621E-4A1B-BB04-ACBC8EEBD76F}c:\\users\\christoffer\\desktop\\cs 1.6\\hl.exe"= TCP:c:\users\christoffer\desktop\cs 1.6\hl.exe:hl.exe "TCP Query User{6C142000-CAE1-476A-9B66-AA0A889EAC19}c:\\users\\christoffer\\desktop\\cs 1.6 - lan\\hl.exe"= UDP:c:\users\christoffer\desktop\cs 1.6 - lan\hl.exe:hl.exe "UDP Query User{7827AFB1-0D40-4CF2-B604-2AFB1A7CFCCF}c:\\users\\christoffer\\desktop\\cs 1.6 - lan\\hl.exe"= TCP:c:\users\christoffer\desktop\cs 1.6 - lan\hl.exe:hl.exe "{CE2A20B5-1B8C-4140-A737-EF53EEBD24FC}"= UDP:c:\program files\DNA\btdna.exe:DNA "{39D42132-77C4-4AB1-B65E-03A6CE7D79FF}"= TCP:c:\program files\DNA\btdna.exe:DNA "TCP Query User{EF4673B4-47A9-4245-8195-D87F4EE706A7}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III "UDP Query User{03E07184-FCBD-43A0-97A5-7398BEDECB6F}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III "TCP Query User{02FF9D19-69C9-4D5F-8E2F-035718BE8074}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC "UDP Query User{81854E44-D48F-4157-803F-2E0264539995}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC "{7B3C05D4-1B18-4A5D-ADCB-4CF93E707E9F}"= %ProgramFiles%\Telenor\Online Start\Telenor.exe:Online Start "TCP Query User{2A4DE4B2-B143-4435-A535-F80FFCFBA392}c:\\users\\christoffer\\spill\\steam\\steamapps\\hooofbite\\half-life\\hl.exe"= UDP:c:\users\christoffer\spill\steam\steamapps\hooofbite\half-life\hl.exe:Half-Life Launcher "UDP Query User{C924F210-E492-41E5-8910-B76B3AF3922D}c:\\users\\christoffer\\spill\\steam\\steamapps\\hooofbite\\half-life\\hl.exe"= TCP:c:\users\christoffer\spill\steam\steamapps\hooofbite\half-life\hl.exe:Half-Life Launcher "{44CDE0B6-97DA-44A9-94D6-49F80DA999C8}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone) "{1E1BD58A-0E30-41FE-97ED-96FD7E9D04DA}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In) "{80DDC25C-EDA2-4C16-B2B4-21B9D7B76C0C}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In) "{D5EA9483-466E-4EE5-B9A3-C58B15ECF38B}"= UDP:c:\program files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader "{FCA0BBBF-1084-4AFE-ABC4-EC082CE919D3}"= TCP:c:\program files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader "{A81B7B24-B803-4B9A-841F-96336741F9BA}"= UDP:3724:Blizzard Downloader: 3724 "{45F0DA02-B42B-4E63-9346-1B45909E2CF7}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In) "{320DC7F7-0D39-44BE-B9FF-45DD73848D12}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In) "{45591359-474B-4B80-9D45-8AEF3EAF2416}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove "{FA3A155F-B13C-4A9B-85C0-B4AB73586B83}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove "{468724B5-403C-496D-BC93-C4E7114BF05E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{489C66C2-7302-4BB8-8902-2E01A3498FF2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{F812CE89-2096-401F-B532-5B181D6DA5E1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "{CD6465CA-3AFE-4B6A-8000-67CEFD1BBAED}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "{83F1D40F-7A15-4CE4-8007-341D276850C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes "{5C5A057C-E69F-484B-8FE2-A226EF18B3DB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes "{F14B7E63-D6F4-4112-B7C9-3E406F59AC60}"= UDP:c:\windows\services.exe:services.exe "{90D346A7-F9B9-43C0-9972-EA9D0687888D}"= TCP:c:\windows\services.exe:services.exe "{6C0B4524-4BC9-48AA-B794-90B25196E5F1}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client "{ABAE8E55-0517-4DA9-872E-28D7C5DB9172}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile] "EnableFirewall"= 0 (0x0) "DoNotAllowExceptions"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List] "c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe::Enabled:BitTorrent R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [20.04.2009 14:04 145424] R2 BcmSqlStartupSvc;Oppstartstjeneste for Business Contact Manager SQL Server;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [16.01.2008 11:21 30312] R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [20.04.2009 14:04 36368] R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [20.04.2009 14:04 256528] S2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [20.04.2009 14:04 50192] S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [20.04.2009 14:26 497008] S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [20.04.2009 14:26 677128] S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25.09.2007 16:59 15152] S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24.11.2008 22:31 29263712] --- Other Services/Drivers In Memory --- Deregistered* - sptd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] \shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79ab7129-cd4d-11dd-b27f-00301bbc1bc6}] \shell\AutoRun\command - H:\Launch.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80472f54-a1e2-11dd-8cb0-00301bbc1bc6}] \shell\AutoRun\command - setupSNK.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cf06b78-aa7a-11dd-8791-00301bbc1bc6}] \shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d12fe732-dc7a-11dc-a3bc-00301bbc1bc6}] \shell\AutoRun\command - wd_windows_tools\setup.exe . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com mStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = .local IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll FF - ProfilePath - c:\users\Christoffer\AppData\Roaming\Mozilla\Firefox\Profiles\7ju85325.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?"); . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-25 23:49 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2009-05-25 23:53 ComboFix-quarantined-files.txt 2009-05-25 21:53 ComboFix2.txt 2009-05-10 15:28 ComboFix3.txt 2009-04-26 15:43 Pre-Run: 87 669 514 240 byte ledig Post-Run: 88 099 123 200 byte ledig 257 --- E O F --- 2009-05-01 09:52

05-26-2009, 08:00 PM	#8 (permalink)
Jintan Analyst, Security Team Join Date: Feb 2006 Posts: 222 OS: 2K	Re: Mouse-cursor moves by itself, even when the mouse is unplugged Over a month has gone by without a response from you here. I would normally just suggest you start a new thread, but I see no reason to just add to the workload here of one of my teammates. If we take this cause up again, why should I think you will not just stop responding again? __________________