Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 08-04-2008, 06:08 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: Windows Vista Business


Need to get rid of suspected malware

Hi, and thank you for this forum.

I am running Windows Vista Business with Service Pack 1 installed and have recently had 2 problems. I believe I have gotten rid of 1 but not both.

First - my mouse pointer kept popping down to the lower right edge of my screen. If I was in IE it landed in the general vicinity of the globe with the word Internet next to it, and the words "Double click to change security settings" appeared.

I downloaded Spybot, which found 2 trojans, mailskinner and another with a similar name. It got rid of these and that problem appears to be gone. I only mention it as this just happened and I can't really be sure it's gone just yet. I have no faith.

The second problem that persists is that pop up windows are trying to get through from different sites, but mainly from fp.pc-on-internet.com. I have Trend Micro Internet Security Pro running, so these are blocked, however this program keeps popping up a new tab in IE letting me know that it blocked the site, which is just as annoying.

Oddly, (or maybe not), the frequency that these tabs pop up increases as time goes by until I am constantly pulled away from the page I am at and unable to get much done.

In MSConfig I found two files that I couldn't identify as normal. They are siuiu.exe and eewmoie. Both are found at the Start tab, and I disabled them.

Also, in Control Panel - Programs - I found something called favorit - so I uninstalled that. I think it's actually gone, but who the heck knows.

Below are the results of Deckard's System Scanner (main.txt); the extra.txt file and the Active Scan results file are attached.

Thank you for any help.


Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-04 19:55:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
22: 2008-08-04 23:34:33 UTC - RP76 - Windows Update
21: 2008-08-04 23:26:03 UTC - RP75 - Windows Update
20: 2008-08-04 21:49:05 UTC - RP74 - Removed The Sims™ Life Stories.
19: 2008-08-04 03:37:47 UTC - RP73 - Scheduled Checkpoint
18: 2008-08-03 04:24:14 UTC - RP72 - Scheduled Checkpoint


-- First Restore Point --
1: 2008-07-17 04:00:03 UTC - RP55 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-04 19:58:23
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\taskeng.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\WTablet\Pen_TabletUser.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Users\Owner\Desktop\dss.exe
C:\Windows\System32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\System32\PSIService.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\System32\Pen_Tablet.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Wacom Touch Service (WacomTouchService) - Unknown owner - C:\Windows\System32\WacomTouchService.exe


--
End of file - 12567 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 DpHost (Biometric Authentication Service) - c:\program files\digitalpersona\bin\dphostw.exe <Not Verified; DigitalPersona, Inc.; DigitalPersona Pro for Active Directory>
R2 HP Health Check Service - "c:\program files\hewlett-packard\hp health check\hphc_service.exe" <Not Verified; Hewlett-Packard; HP Health Check Service>

S3 Com4Qlb - "c:\program files\hewlett-packard\hp quick launch buttons\com4qlb.exe" <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 19:30:28 0 d-------- C:\Program Files\SpywareBlaster
2008-08-04 18:20:17 0 d-------- C:\Program Files\Panda Security
2008-08-04 17:49:38 0 d-------- C:\Windows\system32\appmgmt
2008-08-04 12:48:04 0 d-a------ C:\Users\All Users\TEMP
2008-08-04 12:47:50 0 d-------- C:\Program Files\Spyware Doctor
2008-08-04 12:46:24 0 d-------- C:\Users\All Users\Google Updater
2008-08-04 12:46:23 0 d-------- C:\Program Files\Google
2008-07-29 00:04:12 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-28 23:52:27 0 d-------- C:\Program Files\Sun
2008-07-19 09:23:35 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-19 09:23:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-11 14:20:58 0 d-------- C:\Users\Owner\equinox new tubes


-- Find3M Report ---------------------------------------------------------------

2008-08-04 19:49:17 27839 --a------ C:\Users\Owner\AppData\Roaming\nvModes.001
2008-08-04 19:48:28 0 d-------- C:\Users\Owner\AppData\Roaming\WTablet
2008-08-04 19:44:50 12 --a------ C:\Windows\bthservsdp.dat
2008-08-04 12:47:50 0 d-------- C:\Users\Owner\AppData\Roaming\PC Tools
2008-07-31 17:35:26 952 --ahs---- C:\Windows\system32\KGyGaAvL.sys
2008-07-28 23:52:08 0 d-------- C:\Program Files\Java
2008-07-23 21:32:43 27839 --a------ C:\Users\Owner\AppData\Roaming\nvModes.dat
2008-07-19 09:23:38 0 d-------- C:\Users\Owner\AppData\Roaming\Malwarebytes
2008-07-10 03:05:55 0 d-------- C:\Program Files\Windows Mail
2008-07-08 15:36:50 0 d-------- C:\Users\Owner\AppData\Roaming\Adobe
2008-06-23 06:26:06 90166 --a------ C:\Windows\hpqins15.dat
2008-06-23 06:25:03 0 d-------- C:\Program Files\HP
2008-06-18 2252 0 d-------- C:\Users\Owner\AppData\Roaming\Amazon
2008-06-18 2209 0 d-------- C:\Program Files\Amazon
2008-06-14 2217 0 d-------- C:\Users\Owner\AppData\Roaming\WinRAR
2008-06-11 03:11:28 0 d-------- C:\Program Files\Yahoo!
2008-06-09 22:58:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-09 22:56:44 0 d-------- C:\Users\Owner\AppData\Roaming\CyberLink
2008-06-09 1426 0 d-------- C:\Users\Owner\AppData\Roaming\Corel
2008-06-09 14:03:51 0 d-------- C:\Program Files\Common Files\Corel
2008-06-09 14:01:52 0 d-------- C:\Program Files\Corel
2008-06-09 14:01:52 0 d-------- C:\Program Files\Common Files
2008-06-09 13:25:04 0 d-------- C:\Program Files\Bonjour
2008-06-09 13:16:12 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-09 03:02:59 0 d-------- C:\Program Files\MSXML 4.0
2008-06-09 00:19:23 0 d-------- C:\Users\Owner\AppData\Roaming\Macromedia
2008-06-09 00:14:11 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-08 20:18:35 0 d-------- C:\Users\Owner\AppData\Roaming\Logitech
2008-06-08 20:18:01 0 d-------- C:\Users\Owner\AppData\Roaming\Leadertech
2008-06-08 20:18:01 0 d-------- C:\Program Files\Common Files\Logishrd
2008-06-08 20:15:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-08 20:15:37 0 d-------- C:\Program Files\Logitech
2008-06-08 19:57:43 0 d-------- C:\Users\Owner\AppData\Roaming\Yahoo!
2008-06-08 19:38:54 0 d-------- C:\Program Files\Trend Micro
2008-06-07 21:25:25 0 d-------- C:\Users\Owner\AppData\Roaming\Hewlett-Packard
2008-06-07 21:23:53 0 d-------- C:\Users\Owner\AppData\Roaming\Symantec
2008-06-07 21:23:15 0 d-------- C:\Users\Owner\AppData\Roaming\DigitalPersona
2008-06-07 21:23:02 0 d-------- C:\Users\Owner\AppData\Roaming\Identities
2008-06-07 21:22:54 81 --a------ C:\Windows\system32\LOG
2008-06-07 21:22:30 0 dr------- C:\Program Files\Online Services
2008-06-07 21:21:12 0 d-------- C:\Program Files\Electronic Arts
2008-06-07 21:15:36 0 d-------- C:\Program Files\HPQ
2008-06-07 21:15:33 0 d-------- C:\Program Files\Common Files\LightScribe
2008-06-07 21:14:11 0 d-------- C:\Users\Owner\AppData\Roaming\Macrovision
2008-06-07 21:14:11 0 d-------- C:\Program Files\Broadcom
2008-06-07 21:14:10 0 d-------- C:\Users\Owner\AppData\Roaming\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
02/15/2008 07:38 AM 103760 --a------ C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
03/27/2008 11:51 PM 501056 --a------ C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [11/07/2007 09:16 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [11/07/2007 09:16 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [11/07/2007 09:16 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/28/2008 02:05 AM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [11/01/2007 12:44 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/10/2007 03:59 AM C:\Windows\RtHDVCpl.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [12/19/2007 10:27 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [09/27/2007 07:05 PM]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [09/13/2007 07:32 PM]
"DpAgent"="C:\Program Files\DigitalPersona\Bin\dpagent.exe" [09/20/2007 02:12 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/20/2008 10:23 PM]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [08/22/2007 08:31 PM]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" []
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 08:24 PM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [10/03/2007 07:15 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [09/21/2007 03:10 AM C:\Windows\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [08/16/2007 12:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/20/2008 10:23 PM]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [08/23/2007 05:36 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/20/2008 10:25 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [02/16/2008 05:01 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [9/5/2007 4:09:54 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [6/8/2008 8:16:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eewmoie]
c:\users\owner\appdata\local\eewmoie.exe eewmoie

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\siuiu]
c:\users\owner\appdata\local\siuiu.exe siuiu

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ

*Newly Created Service* - PAVBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-04 19:59:33 ------------

I'd like to amend my own post to say that I did not get rid of the problem with my mouse after all. If I did it was temporary and after a reboot it is back. Once again, the mouse pointer keeps popping down to the lower right edge of the window when I'm in IE to where the globe is with the word Internet next to it. The words Double click to change security settings appear. This increases in frequency until it happens every few seconds and is really irritating, as you can imagine.

Thank you again,

Rosie
Attached Files
File Type: txt extra.txt (22.9 KB, 2 views)
File Type: txt ActiveScan.txt (3.5 KB, 3 views)

Last edited by amateur; 08-05-2008 at 05:16 AM. Reason: to retain 0-reply status
rosie012 is offline  
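The DSS/HijackThis dump above lists dozens of autostart entries, and the two the poster could not identify (siuiu.exe and eewmoie.exe) stand out for a reason a responder can check mechanically: they launch from the user's AppData\Local folder, a location any unprivileged program can write to, whereas the vendor entries launch from Program Files or System32. The script below is an added example, not code from this thread, from Deckard's System Scanner or from HijackThis. It parses O4 (Run key) lines, O2/O3 (BHO and toolbar) lines and the msconfig startupreg lines in the format shown in the log, extracts the launched binary, and flags the entries worth a closer look: binaries in user-writable directories, orphaned entries whose file is missing, and items that were disabled through msconfig rather than removed. The sample lines are copied from the log in this post; the directory list and scoring rules are this example's own assumptions, not a signature database.

```python
"""Triage helper for HijackThis-style startup entries (added example, not part of
the forum thread or of any tool mentioned in it)."""
import re

# Constructed sample: benign vendor entries plus the orphaned BHO and the two
# msconfig 'startupreg' items from the log posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r'O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"',
    r"O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"c:\users\owner\appdata\local\eewmoie.exe eewmoie",
    r"c:\users\owner\appdata\local\siuiu.exe siuiu",
]

# Directories an unprivileged user can write to (assumption of this example,
# not an exhaustive list). Compared case-insensitively against the binary path.
USER_WRITABLE = (
    r"\appdata\local",
    r"\appdata\roaming",
    r"\users\all users",
    r"\programdata",
    r"\temp",
)

# A quoted or unquoted absolute path ending in a loadable-module extension.
PATH_RE = re.compile(r'"?([a-zA-Z]:\\[^"\n]*?\.(?:exe|dll|sys|cpl|scr))"?', re.IGNORECASE)
# 'O4 - <hive>\..\Run: [<value name>] <command line>'
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_entry(line):
    """Return (kind, name, path) for a recognised log line, or None."""
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        p = PATH_RE.search(cmd)
        # Fall back to the raw command when it carries no absolute path
        # (e.g. 'RtHDVCpl.exe' resolved through the search path).
        path = p.group(1) if p else cmd.strip()
        return ("O4", m.group("name"), path)
    if line.startswith(("O2 - BHO:", "O3 - Toolbar:")):
        # 'O2 - BHO: <name> - {CLSID} - <path or (no file)>'; maxsplit keeps
        # ' - ' inside the path (e.g. 'Spybot - Search & Destroy') intact.
        parts = line.split(" - ", 3)
        if len(parts) != 4:
            return None
        kind, name = parts[0], parts[1].split(": ", 1)[1]
        return (kind, name, parts[3].strip())
    # msconfig startupreg dump line: '<path> <value name>'
    p = PATH_RE.match(line)
    if p:
        name = line[p.end():].strip() or p.group(1).rsplit("\\", 1)[-1]
        return ("startupreg", name, p.group(1))
    return None


def assess(entry):
    """Return the reasons an entry merits a closer look (empty list = nothing notable)."""
    kind, _name, path = entry
    low = path.lower()
    reasons = []
    if low in ("(no file)", "(file missing)"):
        reasons.append("registered but file missing (orphaned entry)")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("autostarts from a user-writable directory")
    if kind == "startupreg":
        # msconfig moves disabled items under ...\msconfig\startupreg; the
        # binary itself is untouched and can be re-enabled at any time.
        reasons.append("disabled through msconfig, not removed")
    return reasons


def triage(lines):
    """Parse every line; return [(name, path, reasons)] for entries with at least one reason."""
    findings = []
    for line in lines:
        entry = parse_entry(line.strip())
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append((entry[1], entry[2], reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LINES):
        print(f"{name!r:12} {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the full main.txt instead of SAMPLE_LINES (read the file and pass its lines to triage) and the three vendor entries drop out while the two AppData\Local items and the orphaned BHO remain; the flags are prompts for verification (file hash, signer, creation time), not a verdict.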
Old 08-08-2008, 07:38 PM   #2 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: Windows Vista Business


Re: Need to get rid of suspected malware

Bump, please.

Thank you.

Rosie
rosie012 is offline  
Old 08-09-2008, 06:49 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Need to get rid of suspected malware

Hello Rosie, and thank you for taking the time to explain your symptoms and the steps you've already taken.

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are unsure how to do this, please see this link http://www.bleepingcomputer.com/forums/topic114351.html

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-09-2008, 09:53 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: Windows Vista Business


Re: Need to get rid of suspected malware

Hi Ried, and thanks for your help. Hopefully I have done as you requested properly. The contents of the ComboFix file have been pasted into this reply. I'm feeling overwhelmed, but learning these new things can't be a bad thing, I suppose.

Rosie



ComboFix 08-08-09.03 - Owner 2008-08-10 0:15:31.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1861 [GMT -4:00]
Running from: C:\Users\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-04 19:41 . 2008-08-04 19:41 <DIR> d-------- C:\Deckard
2008-08-04 19:30 . 2008-08-04 19:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-04 18:20 . 2008-08-04 18:20 <DIR> d-------- C:\Program Files\Panda Security
2008-08-04 18:20 . 2008-06-19 17:24 28,544 --a------ C:\Windows\System32\drivers\pavboot.sys
2008-08-04 12:48 . 2008-08-10 00:07 <DIR> d-a------ C:\Users\All Users\TEMP
2008-08-04 12:48 . 2008-08-10 00:07 <DIR> d-a------ C:\ProgramData\TEMP
2008-08-04 12:46 . 2008-08-09 00:19 <DIR> d-------- C:\Users\All Users\Google Updater
2008-08-04 12:46 . 2008-08-09 00:19 <DIR> d-------- C:\ProgramData\Google Updater
2008-08-04 12:46 . 2008-08-04 12:46 <DIR> d-------- C:\Program Files\Google
2008-07-29 00:04 . 2008-07-29 08:09 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-29 00:04 . 2008-07-29 08:09 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-29 00:04 . 2008-07-29 00:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-28 23:52 . 2008-07-28 23:52 <DIR> d-------- C:\Program Files\Sun
2008-07-19 09:23 . 2008-07-19 09:23 <DIR> d-------- C:\Users\Owner\AppData\Roaming\Malwarebytes
2008-07-19 09:23 . 2008-07-19 09:23 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-19 09:23 . 2008-07-19 09:23 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-19 09:23 . 2008-07-19 10:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 22:33 . 2008-06-25 21:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-12 22:33 . 2008-06-25 21:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-12 22:33 . 2008-06-25 23:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-11 14:20 . 2008-07-11 16:02 <DIR> d-------- C:\Users\Owner\equinox new tubes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 04:23 --------- d-----w C:\Users\Owner\AppData\Roaming\WTablet
2008-07-29 03:52 --------- d-----w C:\Program Files\Java
2008-07-24 01:32 27,839 ----a-w C:\Users\Owner\AppData\Roaming\nvModes.dat
2008-07-10 07:05 --------- d-----w C:\Program Files\Windows Mail
2008-07-08 16:50 --------- d-----w C:\ProgramData\Microsoft Help
2008-06-23 10:25 --------- d-----w C:\Program Files\HP
2008-06-19 02:06 --------- d-----w C:\Users\Owner\AppData\Roaming\Amazon
2008-06-19 02:06 --------- d-----w C:\Program Files\Amazon
2008-06-15 03:20 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-06-11 07:11 --------- d-----w C:\Program Files\Yahoo!
2008-06-11 02:38 --------- d-----w C:\ProgramData\WildTangent
2008-06-10 02:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-10 02:57 --------- d-----w C:\ProgramData\CyberLink
2008-06-10 02:56 --------- d-----w C:\Users\Owner\AppData\Roaming\CyberLink
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-20 22:23 1233920]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 17:36 455968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 05:01 492808]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 22:25 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-07 21:16 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-07 21:16 8501792]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-07 21:16 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 02:05 1045800]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-11-01 12:44 671744]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-12-19 22:27 468264]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 19:32 222504]
"DpAgent"="C:\Program Files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 14:12 671744]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 20:31 80896]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 20:24 54840]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 19:15 480560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-16 12:00 531272]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-10 03:59 4702208 C:\Windows\RtHDVCpl.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\Windows\KHALMNPR.Exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-09-05 16:09:54 727592]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-06-08 20:16:10 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{78B35E1E-35E2-4F52-844C-B48C584C7AD7}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2FE07A7D-7A16-4DCE-A4D5-E7D817F633BF}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7AC0EA07-3C09-4755-877B-EBE657B9ED41}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{09F16182-1211-469A-976C-FE8C8BAD5227}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{808B515A-3C99-4877-95E1-5EB4CCEAF42B}"= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{9A59F702-8221-47F5-B6AD-29DDBBA48871}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CF62C3F1-C4A3-416F-8F20-281CD724F891}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{983BB620-6E22-42A2-9FB3-582787ADD9AA}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4C74FFBD-6526-4F7F-A173-86BE448F3273}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{72E65C68-CE99-4E43-A3AB-7CE2A33027AD}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{56770C86-B59A-4A7E-8C5C-6AA0BB551911}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4F2CFFEB-5B1D-4BE6-AF85-4A76AFF99952}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{7C4F4574-AF17-4968-B7DB-20B62990A42E}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\system32\DRIVERS\tmlwf.sys [2008-02-16 05:00]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [2007-12-19 22:28]
R2 TabletServicePen;TabletServicePen;C:\Windows\system32\Pen_Tablet.exe [2007-11-08 07:37]
R2 tmwfp;Trend Micro WFP Callout Driver;C:\Windows\system32\DRIVERS\tmwfp.sys [2008-02-16 05:00]
R2 WacomTouchService;Wacom Touch Service;C:\Windows\system32\WacomTouchService.exe [2007-10-16 09:55]
R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 13:30]
R3 Wacomhidfilter;Wacom HID Filter;C:\Windows\system32\DRIVERS\wacomhidfilter.sys [2007-11-05 11:39]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\Windows\system32\DRIVERS\wacommousefilter.sys [2007-02-16 06:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\Windows\system32\DRIVERS\wacomvhid.sys [2007-10-06 05:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\Windows\system32\DRIVERS\WacomVKHid.sys [2007-02-15 11:11]
R3 WacomVTHid;Virtual Touch Driver;C:\Windows\system32\DRIVERS\WacomVTHid.sys [2007-02-22 09:55]
S2 QPSched;QuickPlay Task Scheduler (QTS);C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [2007-12-19 22:28]
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-09-18 09:12]
S3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-09-18 09:12]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-09-18 09:12]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-20 22:23]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-20 22:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-eewmoie - c:\users\owner\appdata\local\eewmoie.exe
MSConfigStartUp-siuiu - c:\users\owner\appdata\local\siuiu.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 -: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 00:24:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Windows\TEMP\TMP0000003D9BE76657BBF9CEE3

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\WTablet\Pen_TabletUser.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
.
**************************************************************************
.
Completion time: 2008-08-10 0:31:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 04:31:10

Pre-Run: 163,084,374,016 bytes free
Post-Run: 162,828,828,672 bytes free

226 --- E O F --- 2008-08-09 04:20:35
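The ComboFix log above is read by eye in this thread. As an added example (not part of the original thread, and not ComboFix's own code), here is a small Python triage script that parses the "Reg Loading Points" and "ORPHANS REMOVED" sections of a ComboFix-style log and flags the settings a helper checks first: Windows Firewall profiles with EnableFirewall = 0, Security Center monitoring switched off, and removed autostart entries that pointed at executables sitting directly in a user's AppData\Local folder. The embedded excerpt is constructed from lines in the log above; the regular expressions and the "user-writable path" heuristic are my assumptions about the log's layout, not a ComboFix format specification.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt: these lines are copied from the ComboFix log posted
# above, trimmed to the sections this script looks at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-eewmoie - c:\users\owner\appdata\local\eewmoie.exe
MSConfigStartUp-siuiu - c:\users\owner\appdata\local\siuiu.exe
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')            # [HKLM\...] header line
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')  # "Name"= value
ORPHAN_RE = re.compile(r'^(\S+?)-(.+?) - (.+)$')   # Source-Name - target
# Heuristic (my assumption, not a ComboFix rule): an .exe sitting directly in
# a user's AppData\Local folder with a short, all-letter name.
USER_WRITABLE_RE = re.compile(r'\\appdata\\local\\[a-z]{4,10}\.exe$', re.IGNORECASE)


def parse_reg_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] header to its "name"=value pairs (raw value strings)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current][value.group(1)] = value.group(2)
    return sections


def reg_int(raw: str):
    """Decode the two integer spellings seen in the log: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r'^(\d+)', raw)
    return int(m.group(1)) if m else None


def parse_orphans(text: str) -> List[Tuple[str, str, str]]:
    """Return (source, name, target) for each line in the ORPHANS REMOVED block."""
    orphans: List[Tuple[str, str, str]] = []
    in_block = False
    for line in text.splitlines():
        if "ORPHANS REMOVED" in line:
            in_block = True
            continue
        if not in_block:
            continue
        stripped = line.strip()
        if not stripped:
            continue
        if stripped == "." or stripped.startswith("---"):
            break  # next ComboFix section begins
        m = ORPHAN_RE.match(stripped)
        if m:
            orphans.append(m.groups())
    return orphans


def audit(text: str) -> List[str]:
    """Collect the settings a helper would want to confirm against the installed software."""
    findings: List[str] = []
    for key, values in parse_reg_sections(text).items():
        lowered = key.lower()
        profile = key.rsplit("\\", 1)[-1]
        if "firewallpolicy" in lowered and reg_int(values.get("EnableFirewall", "1")) == 0:
            findings.append(f"firewall disabled: {profile}")
        if "security center" in lowered and reg_int(values.get("DisableMonitoring", "0")) == 1:
            findings.append(f"security center monitoring disabled: {key}")
    for _source, name, target in parse_orphans(text):
        if USER_WRITABLE_RE.search(target):
            findings.append(f"removed autostart pointed at user-writable path: {name} -> {target}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The firewall and Security Center findings are leads to confirm, not verdicts: the same log lists Trend Micro's firewall (TmPfw.exe) among the running processes, and third-party suites often register themselves with Security Center and take over firewall duties, so these values can look the same on a clean machine. The two orphaned MSConfig startup entries are the more interesting output, because a legitimate vendor rarely drops a randomly named executable straight into AppData\Local.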
Old 08-10-2008, 03:09 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Need to get rid of suspected malware

Hi Rosie,

Quote:
I'm feeling overwhelmed, but learning these new things can't be a bad thing. I suppose.
It's always unnerving/overwhelming when one suspects their personal computer has been compromised by an outside source. We'll try to get you through this step by step, and hopefully you'll begin to feel the sense of having control over your system once more.





Please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html

Under SCANNING OPTIONS, use the following Settings:
  • Action options - Report only
  • Second option - Report only

Once finished, click on the Details button to view the results.
To the upper right of the results you will see an option saying "Click here to export the scan results". Post the log of the scan results in your next reply.

Also, is your cursor still dropping to the bottom of IE?
Old 08-10-2008, 07:10 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: Windows Vista Business


Re: Need to get rid of suspected malware

Hi: The mouse is behaving at this point in time.

The scan took a very short amount of time. Maybe a minute, perhaps less. Let me know if this sounds wrong to you. Here are the results that I got.

Rosie


BitDefender Online Scanner

Scan report generated at: Sun, Aug 10, 2008 - 20:05:24

Scan path:

Statistics
Time: 00:00:00
Files: 3
Folders: 0
Boot Sectors: 3
Archives: 0
Packed Files: 0

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 1436223
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 43
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Report
Second Action: None
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
No virus found.
Old 08-10-2008, 07:29 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Need to get rid of suspected malware

It should have taken much longer than that. From your report, it indicates BitDefender was only set to scan 3 Files and 3 Boot Sectors - it should have been set to scan your entire computer.

Please try again. Follow the image I provided in my previous post. Let me know if you run into any difficulties.
Old 08-11-2008, 09:21 AM   #8 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: Windows Vista Business


Re: Need to get rid of suspected malware

OK, I'll do it again.

Also, mouse cursor is once again popping down to the lower part of the screen. It didn't do it at all last evening but started up again this morning.

Rosie
Old 08-12-2008, 08:38 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: Windows Vista Business


Re: Need to get rid of suspected malware

Hi:

I ran BitDefender again yesterday afternoon and I could have sworn I posted the results, which begs the question of where I put them. Here are those results:

BitDefender Online Scanner

Scan report generated at: Mon, Aug 11, 2008 - 1407

Scan path: C:\;D:\;E:\;C:\Users\Public\Documents;C:\Users\Public\Downloads;C:\Users\Public\Music;C:\Users\Public\Pictures;C:\Users\Public\Recorded TV;C:\Users\Public\Videos;C:\Users\Owner\Artists I Like;C:\Users\Owner\Bluetooth Software;C:\Users\Owner\equinox new tubes;C:\Users\Owner\fics;C:\Users\Owner\Finished Walls;C:\Users\Owner\My PSP Files;C:\Users\Owner\some crops;C:\Users\Owner\textures and things;C:\Users\Owner\writing;C:\Users\Owner\Searches;C:\Users\Owner\Videos;C:\Users\Owner\Pictures;C:\Users\Owner\Desktop;C:\Users\Owner\Contacts;C:\Users\Owner\Favorites;C:\Users\Owner\Music;C:\Users\Owner\Downloads;C:\Users\Owner\Documents;C:\Users\Owner\Links;C:\Users\Owner\Saved Games;C:\Users\Owner\Desktop\13-Stargate-SG-1-Shell-Game-Download;C:\Users\Owner\Desktop\13-Stargate-SG-1-Shell-Game-Download.zip;C:\Users\Owner\Desktop\aot;C:\Users\Owner\Desktop\art;C:\Users\Owner\Desktop\spyware malware programs and logs;C:\Users\Owner\Desktop\StargateSG1GiftOfTheGodsABQGC;

Statistics
Time: 01:40:01
Files: 565571
Folders: 21739
Boot Sectors: 3
Archives: 4544
Packed Files: 59231

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 1436347
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 43
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Report
Second Action: None
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
No virus found.
Old 08-12-2008, 05:32 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Need to get rid of suspected malware

Hi Rosie,

I wonder where it went as well. You most likely had it in Preview and forgot to hit Submit.

I'm not finding any infections. Click on the world icon next to Internet. What are your IE Security Settings currently set at? They should be 'Medium High'.
Old 08-12-2008, 09:01 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: Windows Vista Business


Re: Need to get rid of suspected malware

Hi Ried:

The security settings are at Medium-High.

The computer/mouse cursor worked fine all day today until about an hour ago when it started popping back down to that lower corner where the globe is.

I can't understand why there are times when it doesn't happen and other times when it does.

However, there have been no popups at all for days. Not even Trend Micro pop ups telling me they are blocking a pop up.


Somebody told me to change the batteries in the mouse so I bought new ones and did that. This was earlier in the day. Didn't help.

Strangely enough, the cursor hasn't moved itself down to that corner since I started typing this e-mail. Normally it would have by now.

waiting, waiting,...

nope - it seems to have stopped on its own. for now. crazy cursor.


Rosie
Old 08-12-2008, 09:03 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Need to get rid of suspected malware

Do you have another mouse you can use? See if it still happens with a different one.
Old 08-13-2008, 01:42 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: Windows Vista Business


Re: Need to get rid of suspected malware

The mouse is a Logitech wireless mouse which communicates with the computer via a nano receiver plugged into a usb port. When the mouse started acting up I turned it off but that didn't stop the problem. I pulled out the nano receiver and the problem stopped.

That was last night.

This morning when it all started again I again pulled out the nano receiver and very soon after this the mouse cursor popped down to the corner one more time and then behaved afterward.

Later I plugged the receiver back in and have been using the mouse just fine since then.

So is something interfering with the signal, or is the wireless mouse not well? If this is a possibility, then I just have to keep poking away and playing with it and seeing if each time I have this problem it stops when I take the receiver out and switch to the mouse in the notebook. Or buy a new one when I get the chance.

Suzan
Old 08-13-2008, 05:11 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Need to get rid of suspected malware

Good work, Suzan.

You may want to talk to the folks over in the Hardware Support. Perhaps someone there may be familiar with this particular behavior and have some ideas for you.


In the meantime, we have some tidying up to do.


Your logs are clean. The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In this day and age, it's good to educate oneself regarding internet risks. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 08-15-2008, 05:26 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: Windows Vista Business


Re: Need to get rid of suspected malware

Hi Ried:

I have spent some time now with the wireless mouse in and with it out and the strange popping to the lower part of the screen happens either way. This is a tablet and before the cursor pops down I now realize that often another graphic flashes on the screen, the icon of the tablet PC Input Panel. Isn't that bizarre. Maybe there is a conflict.

Anyway -

I ran Combofix uninstall.

I already had SpywareBlaster 4.3 and I have now downloaded IE SpyAd.

Spybot is another program that I have installed, but I see that you don't rec that one. Should I uninstall it?

My other computer has always had Norton AntiVirus and never had a problem. I put Trend Micro on this one. I'd like to blame the program for this problem, but as I think back I believe I got one of those popups telling me that it detected a security problem of some kind and would I like to scan. Thinking this was Trend Micro, as it is a new program for me that I'm not familiar with, I may have clicked yes on what was really a spyware/malware ad. What I don't understand though, is how the initial ad got through in the first place.

So, I'm getting rid of Trend Micro and going back to Norton, which I am familiar with.

As for the McAfee Site Advisor, I'll have to think about that. I take after my father and get into unreasonable feuds with big businesses that don't even know I'm feuding with them. McAfee would be one of my feuds. I gave them a try before Trend Micro. It wasn't a good experience. No infections, but ... really not a happy time for me and the computer.

Thank you very much for all your help. I do appreciate the time you took and the knowledge.

And I will read the articles.

Suzan
Old 08-15-2008, 06:54 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Need to get rid of suspected malware

Hi Suzan, and you're welcome.

Spybot is an excellent tool. I didn't list that one simply because I did notice that in your logs:
Quote:
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
It's one of the first things I look for in Running Processes because it will interfere with registry changes if they need to be made.

Quote:
What I don't understand though, is how the initial ad got through in the first place.
There are many ways they can get through. Unfortunately, no Anti Virus or Anti Malware tool can block everything.

When you get the chance, look over those links I gave you to read. They're quite informative.


Take care.
 


Copyright 2001 - 2009, Tech Support Forum