DaniWeb IT Discussion Community

DaniWeb IT Discussion Community (http://www.daniweb.com/forums/)
-   Viruses, Spyware and other Nasties (http://www.daniweb.com/forums/forum64.html)
-   -   Spyware? hijacked cursor at "2:Open" sign (http://www.daniweb.com/forums/thread24297.html)

Dave Balmer May 25th, 2005 11:56 am
Spyware? hijacked cursor at "2:Open" sign
 
Hi-

I'm running Win 98 SE:A. On bootup, the cursor is hijacked to a yellow sign that says "2:Open". Once, I think it said "1:Explorer".

I've virus and spyware the dickens out of this thing. Found Alexa spyware (deleated) and a file that had been infected with Micro-128 (C)- deleated.

On boot-up, I've still got the same problem.

Perplexed-

Dave

dlh6213 May 25th, 2005 12:17 pm
Re: Spyware? hijacked cursor at "2:Open" sign
 
Hi Dave, welcome to DaniWeb :D

To help us see what you have going on, get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then, close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.

And check this thread before you post the log:
http://www.daniweb.com/techtalkforums/thread24085.html

Dave Balmer May 25th, 2005 1:28 pm
Re: Spyware? hijacked cursor at "2:Open" sign
 
Quote:
Originally Posted by dlh6213
Hi Dave, welcome to DaniWeb :D

To help us see what you have going on, get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then, close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.

And check this thread before you post the log:
http://www.daniweb.com/techtalkforums/thread24085.html
Here's the LogFile:

Logfile of HijackThis v1.99.1
Scan saved at 1:23:33 PM, on 5/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATWTUSB.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\TBLMOUSE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\atwtexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\MSTMON_Q.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MEMOREX\TRAVELDRIVE2B\SHWICON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\DOWNLOAD\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\SYSTEM\MSTMON_Q.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ShowIcon_Memorex_USB Product Driver v2.13r002] C:\Memorex\TravelDrive2B\shwicon.exe -t"Memorex\USB Product Driver v2.13r002"
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Mass Storage Check Registry] rundll32.exe C:\WINDOWS\SYSTEM\ShellExt\MSDServ.dll,CheckRegistry
O4 - HKCU\..\Run: [VIP ORGANIZER.EXE] C:\PROGRAM FILES\VIP QUALITY SOFTWARE\VIP ORGANIZER\VIP ORGANIZER.EXE
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

DMR May 25th, 2005 9:33 pm
Re: Spyware? hijacked cursor at "2:Open" sign
 
That's a clean log, and neither Alexa nor the micro-128 virus would cause such behaviour as far as I know. Had you installed any software around the time you first noticed this (think carefully...)? My first thought is that the icon is part of some freebie cursor accessory or the like (although I don't see anything in your log to support that hunch).

Do you get a normal cursor when you boot into Safe Mode? (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)


All times are GMT -4. The time now is 9:58 am.

Forum system based on vBulletin Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC