My computer has been taken over...HELP!

Discussion in 'Software' started by BigD, Jun 16, 2004.

  1. BigD

    BigD Private E-2

    HI everyone,

    So let me begin by saying I am new here and that this site is simply amazing. Thanks in advance to all of you who will take the time to post and help me with this ever frustrating problem.

I actually searched high and low on Google for a similar problem and found a link that pretty much describes it exactly, but a solution was never found to this poor guy's (and now my) problem. Here is the link:

    http://www.tech-forums.net/computer/topic/12078.html

My problem specifically is that at seemingly random times, my laptop hard drive will start accessing itself and then my mouse cursor will start jumping around, seemingly possessed. Programs are opened, windows are opened and closed; I've even had text moved around on a Word document I have had open. Whatever this is, it usually opens up several programs and windows, and a few times it's opened up User Accounts windows. This has been EXTREMELY frustrating as I have been working on my master's thesis and have been fighting my computer at the same time. I can't trust my computer when I am away from it and have to put it in hibernate mode.

I've tried disconnecting my ethernet connection and turning off the wireless modem, and this "hijacking or computer possessing" occurs even when I am not online! This makes me think that I have either spyware, a virus, or a trojan on my PC somewhere.

    Here is what I have done that has not helped one iota so far:

I've updated all the critical security patches through Microsoft.
I've installed Spyware S&D and updated it, run it, and deleted the 5 or 6 spyware programs it found.
I've installed SpywareBlaster and enabled all the protections.
I've installed Trend Micro PC-cillin, updated it, and have run a virus check twice, and nothing has been found.

I tried searching the forum for a good 15 minutes to see if anyone has had a similar problem and couldn't find anyone else with the same problem, so sorry if this is an issue that has already been dealt with.

I'm really at my wit's end here and any help would be greatly appreciated. Below I've cut and pasted the results of my HijackThis logfile in case this provides anyone with obvious clues.

    Thanks again for your help.

    -Big (and Flaming Mad) D

    Logfile of HijackThis v1.97.7
    Scan saved at 12:14:37 AM, on 6/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    C:\program files\support.com\client\bin\tgcmd.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
    C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\DIMITR~1.DON\LOCALS~1\Temp\Rar$EX00.991\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.47.38.116:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Boingo.lnk = ?
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
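Added example (editor's code, not part of this post or any reply): a small Python triage script that parses HijackThis-style lines and flags the entries a log reviewer would check first. The sample input is constructed from a few lines of the log above; the helper names (`parse_entries`, `proxy_is_nonlocal`, `startup_target`, `triage`) are my own. "Flagged" means "verify with the vendor or ISP", not "malicious"; the script draws no conclusion about any specific entry.

```python
import ipaddress
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.47.38.116:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - Global Startup: Boingo.lnk = ?
"""

# Every HijackThis line starts with a section code (R0..R3, O1..O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return (code, body) tuples for every recognisable HijackThis line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def proxy_is_nonlocal(value):
    """True when a ProxyServer value does not point at loopback or a private range.

    Handles the plain "host:port" form seen in the log. A hostname rather than an
    IP is also reported as non-local because it cannot be classified offline.
    """
    host = value.strip().rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_private)


def startup_target(body):
    """Extract the launched path from an O4 body ("[Name] path" or "x.lnk = path")."""
    m = re.search(r"\] (.*)$", body) or re.search(r" = (.*)$", body)
    return m.group(1).strip().strip('"') if m else ""


def triage(text):
    """Return (code, reason, detail) findings. Flagged means 'verify', not 'malicious'."""
    findings = []
    for code, body in parse_entries(text):
        if code == "R1" and ",ProxyServer = " in body:
            value = body.split(" = ", 1)[1]
            if proxy_is_nonlocal(value):
                findings.append((code, "proxy points to a non-local address; confirm it belongs to your ISP", value))
        elif code == "R3":
            # URLSearchHooks load a DLL into every IE process; the publisher should be known.
            findings.append((code, "URLSearchHook DLL registered; confirm its publisher", body))
        elif code == "O4":
            target = startup_target(body)
            # A bare file name depends on the PATH search order, and "?" means the shortcut
            # target could not be resolved. Both deserve a look before anything is removed.
            if target == "?" or not re.match(r"^[A-Za-z]:\\", target):
                findings.append((code, "startup entry without a full path", target))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason} -> {detail}")
```

Run against the sample it reports four entries to check: the proxy setting, the search hook DLL, the bare `point32.exe` startup entry, and the unresolved `Boingo.lnk` shortcut. Entries with a full quoted path (the Trend Micro agent) are not flagged.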

     
  2. billH

    billH Master Sergeant

    Hi BigD :) Have you tried CWShredder? I don't know if nzsearch is legit either.
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
     
  3. billH

    billH Master Sergeant

    Darn three minute limit :) If nzsearch is not legit, Shredder should zap it.
     
  4. BigD

    BigD Private E-2

    Hi billH,

    Thanks very much for your post. I will try Shredder and see what happens. I thought nzsearch was netzero search but it could very well be something else.

    I'll try shredder and post my results.

    Thanks again


     
  5. BigD

    BigD Private E-2

    I ran CWShredder and here are my results:

    Done!
    Your system was completely clean.
    Windows XP (5.01.2600 SP1)
    CWShredder v1.59.0
    Written by Merijn - merijn@spywareinfo.com

    Thanks for your suggestion billH but whatever I have been infected with seems to not be related to what CWShredder is looking for.

    The frustration continues...

     
  6. billH

    billH Master Sergeant

    Hmmm . . . wonder if you have a hacker on board? HackerTracker might reveal whether or not you have your very own personal hacker.
     
  7. BigD

    BigD Private E-2

    billH,

    Thanks for the continued assistance. I am running HackerTracker now and will post a result.

    Big D


     
  8. BigD

    BigD Private E-2

    Ok,

I installed HackerTracker and it seems to provide similar information to Trend Micro PC-cillin in that it gives me the IP address of port scans, etc. I definitely have been attacked, as I get a few port scan attempts a day that Trend Micro blocks, but my computer gets possessed even when I am not connected to the internet, so I am thinking it is something already installed on my machine.

Thanks for the suggestion, though. The aggravation continues...ugh


     
  9. BigD

    BigD Private E-2

Here's a quick update. I've had HackerTracker installed now for over 12 hours and it hasn't logged a single attack, although my computer has been opening programs, opening and closing windows, and my mouse cursor has been fighting me - again, even when I am not connected.

    Any help is much obliged.
     
  10. Kodo

    Kodo SNATCHSQUATCH

    Could be a trojan but I'm going to take a different approach. What kind of mouse do you have?
     
  11. BigD

    BigD Private E-2

    Hi,

Thanks for your post. I have a Microsoft Wireless Optical Mouse (Blue). And I am running on a Sony Vaio VX88 with Windows XP Home Edition. I've thought about the mouse drivers being corrupt, but that wouldn't explain why specific programs are being opened and windows being opened and closed (even text moved around in a Word document I had open).

    You may be going somewhere else with the mouse thing though so I could be completely wrong.

    Thanks in advance for your help.

    -Big D


     
  12. Kodo

    Kodo SNATCHSQUATCH

Maybe interference or an incompatibility of some sort with the mouse and the laptop. Is it USB or PS/2?
     
  13. BigD

    BigD Private E-2

It's USB, and I have had it ever since I have had the computer, and I have always had Windows XP on the computer. I can understand some cursor issues, but opening specific programs and manipulating windows and text seem pretty strange, especially since I haven't ever had a problem with the mouse before.

Right before something happens, I always have hard drive activity that lasts about 20 seconds and then something happens. I can usually predict when something is about to happen just by listening to my hard drive activity.

    Thanks for your continued help. This one seems to be a true mystery and it's driving me nutz...

     
  14. Jamiko

    Jamiko Sergeant

    Interference from cordless phones, etc. could cause this. Also, what about some voice-to-type software being activated?

Do you have a corded mouse you can try to see if it stops? Any other wireless devices around?
     
  15. BigD

    BigD Private E-2

Jamiko,

    Thanks for your post. I do have a cordless phone, and a cell phone, but I have had them for some time and used them within proximity of my laptop often in the past without problem.

I have been noticing a "fighting" my mouse cursor effect when something is about to happen, but oftentimes when programs open up, windows are opened and closed, etc., the mouse cursor doesn't always move from its resting position, and the excessive hard drive activity when this happens suggests to me that it is not the mouse but something on my computer. But I just don't know. I can't seem to find anyone else who has had a similar problem except for the one post I found on the tech forum below, and there was no solution posted to the problem:

    http://www.tech-forums.net/computer/topic/12078.html

    Thanks again for your help.



     
  16. BigD

    BigD Private E-2

    So I just unplugged my wireless mouse and tried a PS/2 and I'm getting the same problem.

    It was worth a try...

    Ugh...
     
  17. jujet84

    jujet84 Master Sergeant

Been following this problem. I'm just thinking it might just be a faulty memory stick. Have you done a mem test to rule this out?
     
  18. BigD

    BigD Private E-2

    Hi Jujet84 and thanks for your post.

    By memory stick, I am assuming you mean a memory module and not an actual memory stick which is what my Sony uses for media (no floppy drive, just a memory stick bay).

    If you do mean a memory module, how would I go about checking this?

    Thanks again.

    Big D


     
  19. jujet84

    jujet84 Master Sergeant

  20. jujet84

    jujet84 Master Sergeant

  21. BigD

    BigD Private E-2

Thanks for the link. I will run the test and post my results. I haven't had any obvious memory problems and the laptop is less than a year and a half old, so I would be pretty miffed if I had a bad memory module, but at this point I can't rule out anything.

I guess my laptop could also just be possessed, but I am holding out for a more logical solution than spritzing holy water on it and wearing a garlic necklace while holding a cross in one hand and a bible in the other...


     
  22. jujet84

    jujet84 Master Sergeant

    LOL great attitude Big D hope it works out for ya ;) :cool:
     
  23. BigD

    BigD Private E-2

    Thanks jujet84,

    Ran the memory test program and no dice. Everything checked out.

    All I have to say is ughh....

    The journey continues....


     
  24. Freddy

    Freddy Sergeant

Maybe the computer is caching your mouse movements while it pauses to access the disk... I've seen this on slower computers or when a process is tying up the CPU.

    Try holding still when the drive flickers.
     
  25. BigD

    BigD Private E-2

    Hi Freddy,

Thanks for your post. I had thought about what you mentioned, but I have tried holding still when this happens (the first few times it happened I was in awe and did nothing for a good minute while I watched all these programs open up...). The bizarre thing is that it opens programs, files, and windows I have never or rarely ever opened, like User Accounts or network folders.


     
  26. jujet84

    jujet84 Master Sergeant

Been doing some research, BigD; am wondering if it's not your indexing. Quote:
"What Microsoft said above. What they don't say is that this service tends to run amok, indexing far more than necessary and starting without warning. For the benefit it provides, the resource usage is far from an equal tradeoff."
Have you disabled your indexing? If not, check this out and see; no harm.
http://www.theeldergeek.com/indexing_service.htm
     
  27. BigD

    BigD Private E-2

    jujet84,

    Thanks for the post and the research, I'll disable the indexing protocol and post my results.

    Big D


     
  28. BigD

    BigD Private E-2

    Well everyone, despite your best efforts so far, my problem still exists. I am running out of ideas.

    Anyone have anything left to add before I call a priest?
     
  29. sideday

    sideday Private E-2

I think I'd try Ed before the priest: www.geniouszone.com. Now center yourself and concentrate.
     
  30. BigD

    BigD Private E-2

    Thanks guys for your recent posts. At the moment I am working on my thesis and I can't afford the many hours it will take to back up all my data (20 Gig worth at least) and reformat. I may have to fight the good fight with this thing until I am finished with the thesis and then have my priest come in and do the format.

    Oh, and btw, I have also tried disabling the touchpad and also removing the USB mouse to no avail.

    Thanks for all your help on this.

    -Big D
     