Jason Harris 31 Posted May 1, 2006

If anyone can give me help with what I think is a bad computer virus, I'd really appreciate it. Otherwise, I'm going to have to nuke the operating system, which isn't such a pain, but finding the CD-Roms and licenses of the programs installed sure can be a pain.

First, I've had Symantec Anti-Virus and Kaspersky AV, as well as four spyware programs installed and current, yet I still have had the following symptoms for most of the past six weeks or so:

Basically, without warning and with random timing -- sometimes three times in fifteen seconds, sometimes hours apart -- the computer switches to another open window, AND THEN GOES BACKWARDS in the first window. What I mean is let's say that in one window I clicked on MSH, then Ice Hockey, while earlier I had been at ESPN, whose window is still opened. Without warning, I'll be back at ESPN, while the other window goes to the front page of MSH. (Backwards from the Ice Hockey Forum.)

I've also noticed that even if I have only one window open, there seems to be an "interruption" where it wants to go to another window, but it refreshes itself instead.

Last, whenever this occurs, it almost invariably is accompanied by a frozen or sluggish mouse. What I mean by sluggish is it's almost as though the virus was written in a way that it can tell where I want to point the mouse, so as I approach that button or link, it won't let me go there to highlight. Generally, thirty to ninety seconds later, I'll have control of the mouse again.

I've Googled "mouse sluggish virus" and was encouraged to find information about two viruses with possible fixes. I can't remember what the first virus was, but the second was called Nyxem Worm (AKA MyWife Worm or Kama Sutra Worm), yet I couldn't find any of the suspect files that had been listed.

Needless to say, this is a pain in the rear when it hits, to the extent I might soon have the necessary hole for a wall safe. :D

Again, any suggestions would be greatly appreciated.

Chadd 916 Posted May 1, 2006

Download AVG, run it and see what it finds.

http://free.grisoft.com/doc/1

rogue 0 Posted May 1, 2006

Download HiJackThis!

When you open it, click do a system scan and save a log file.

It will take a couple seconds to scan and then a notepad document will open, paste that all here or PM it to me. This will be the best way to find what's causing it. From there I can help you remove it.

Jason Harris 31 Posted May 1, 2006

AVG didn't find any infections. (Nor did Kaspersky this morning.)

Here's the log from HiJackThis. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:48:40 PM, on 4/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\CAPM1RSK.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\DIGStream\digstream.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/sports
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [systemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/03c98d31179c70...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144464167750
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

stevoc 0 Posted May 1, 2006

I found some info regarding the following programs running:

C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\DIGStream\digstream.exe

The digstream seems to be more dangerous than the wisptis program. (It appears you have an electronic pen connected?)

Here are a few links regarding both programs, which both seem to be resource hogs...

digstream.exe
wisptis.exe

Not saying these are your problem, but since the digstream is a Disney product used by ESPN, it may be a good place to start.

Good luck!

Vapor 0 Posted May 1, 2006

Does this only happen in IE? DOWNLOAD FIREFOX. Doesn't sound like a virus to me... Maybe it's a keyboard malfunction?! Nahh, can't be... try unplugging components or uninstalling recent software that you have installed. How about you use system restore? May be an idea...

rogue 0 Posted May 1, 2006

Hm.. the hijackthis log doesn't seem to have anything suspicious. Well, there is one file, C:\WINDOWS\system32\CAPM1RSK.EXE, that the Hijackthis analysis site says is bad, but when I looked up info about it initially it is for a Canon printer. I don't think there's anything wrong with it, but just to check, go here and paste the log in, click analyze and wait a few seconds. When it's done, scroll down to where the red exclamation mark is and click the paper clip next to the file name. Upload the file to have it checked.

The site comes up with a warning about another file (C:\HP\EXPLOREBAR\HPTOOLKT.DLL). I don't believe this would be causing any problems, but I also doubt you use it for anything, so if you want, just to be safe:

Run hijackthis again, click systemscan only, after it scans find C:\HP\EXPLOREBAR\HPTOOLKT.DLL and check the box, then click fix.

There's a few other things I'll look into, but I need to write a paper quick for a class.

Do you happen to have a wireless keyboard or mouse? If so, one of them may be causing the problem. Also check the lens on the bottom of your mouse for hair or dirt that may be making it read improperly. I doubt either of these things is causing the problem, but there's always the chance.

I'll try to post again later tonight with some more advice.

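An added example, not part of the original thread: a small Python triage pass over a HijackThis log like the one posted above. It splits the log into running processes and section-coded entries, then queues entries carrying the "(file missing)" or "Unknown owner" markers for manual lookup. The function names are hypothetical, and the markers are review cues rather than verdicts.

```python
import re

# Excerpt of the HijackThis v1.99.1 log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\system32\CAPM1RSK.EXE
C:\WINDOWS\TPPALDR.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/sports
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
"""

# An entry line starts with a section code such as R0, F3, O4 or O23.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# First absolute path in an entry that ends in .exe or .dll.
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)


def parse_log(text):
    """Split a log into running processes and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False  # the process list ends at the first entry
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def review_queue(text):
    """Return entries worth a manual lookup, with the reason for each."""
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}
    queue = []
    for code, body in entries:
        reasons = []
        if "(file missing)" in body:
            reasons.append("file missing")  # entry points at nothing on disk
        if code == "O23" and " - Unknown owner - " in body:
            reasons.append("unknown owner")  # service binary names no vendor
        if not reasons:
            continue
        m = PATH.search(body)
        path = m.group(0) if m else None
        queue.append({"code": code, "reasons": reasons, "path": path,
                      "running": bool(path) and path.lower() in running})
    return queue


if __name__ == "__main__":
    for item in review_queue(SAMPLE_LOG):
        print(item["code"], ", ".join(item["reasons"]), item["path"],
              "(running)" if item["running"] else "")
```

An entry that is both queued and currently running, such as the iolo service here, is the natural first lookup.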
usahockey22 0 Posted May 1, 2006

Switch browsers. Netscape/Mozilla/Firefox. If you are using MS IE to browse the internet these days, you are just asking for trouble. It runs much slower than the others, and opens your browser to much more adware/spyware/viruses which can all attach themselves to your browser software without you knowing it, making it faulty, and even slower. My advice is to just completely uninstall internet explorer, and use firefox... you should notice quite a difference.

Vapor 0 Posted May 1, 2006

Uninstall IE? GOOD LUCK. That thing is tied so tightly into the registry that there's no way that puppy is coming out. The whole explorer folder system is based on IE, impossible to uninstall.

yipperzz 28 Posted May 1, 2006

i don't see anything weird on your hijackthis log either. i would try another browser and see if that happens. maybe your mouse is malfunctioning or something. you can check it by using another browser.

golfpuck 0 Posted May 1, 2006

one problem is you have too many antivirus and spyware applications

pick one of each and remove the rest...and trouble shoot again.

Jason Harris 31 Posted May 1, 2006

Okay, I deleted a couple of the programs that showed up in HiJack This, as well as having run a couple of anti-virus programs. Unfortunately, the problem is still persisting and just as intermittent. Sometimes it goes an hour without any switching, while other times it switches to another window as quickly as I try to switch it back.

I'm starting to think there's an inevitable conclusion -- I'm going to have to overwrite Windows XP and start over again. I have some concerns, since it's possible I could lose information or not find licenses for programs I've downloaded, but I'm not sure what else will work.

By the way, I've tried Mozilla this week and the problem still happened.

Chadd 916 Posted May 1, 2006

> Okay, I deleted a couple of the programs that showed up in HiJack This, as well as having run a couple of anti-virus programs. Unfortunately, the problem is still persisting and just as intermittent. Sometimes it goes an hour without any switching, while other times it switches to another window as quickly as I try to switch it back.
>
> I'm starting to think there's an inevitable conclusion -- I'm going to have to overwrite Windows XP and start over again. I have some concerns, since it's possible I could lose information or not find licenses for programs I've downloaded, but I'm not sure what else will work.
>
> By the way, I've tried Mozilla this week and the problem still happened.

If you're going to do that, save all of your important stuff by burning it to CD or putting it on another computer. Then format the disk and start with a perfectly clean install. Otherwise you may end up with the same problems.

wristshot19 0 Posted May 1, 2006

I doubt that it is a virus, but here is a virus checker that is worth trying out...

Go to http://housecall.trendmicro.com/ and follow their "Scan Your PC" link to do an online virus scan. I have had a lot of luck with this tool. The other tool to use to clean spyware is Ad Aware (free) by lavasoft. None of the spyware programs out are perfect so trying more than one doesn't hurt. The other one I would recommend is Spy Sweeper (not so free) by Webroot. Try these out. Feel free to PM me with any questions.

yipperzz 28 Posted May 1, 2006

maybe you should pick up another hard drive (it's not that expensive these days) and reinstall Windows. start over on the new drive and then slowly transfer everything over. if there's anything you need, you can always plug in the old hard drive.

Vapor 0 Posted May 1, 2006

So this happens in all windows, even like aim, or quicktime? I can't see this being a virus. Try using a different keyboard and mouse. I mean there is nothing else I can think that it would be, doesn't sound like a corrupted kernel or anything... just sounds weird...

Jason Harris 31 Posted May 1, 2006

> So this happens in all windows, even like aim, or quicktime?

At first I thought it was only happening when I've been browsing, but I realize now that it's happening on all windows, although not all windows can "go back a screen." In other words, it might leave MSH (and go back a screen) to go to Outlook, or it leaves Outlook and goes to MSH, but it stays in the same window in Outlook.

Plugging in a different keyboard would be an easy test, so I'll try that.

mack 44 Posted May 1, 2006

It's possessed.

Chadd 916 Posted May 2, 2006

> > So this happens in all windows, even like aim, or quicktime?
>
> At first I thought it was only happening when I've been browsing, but I realize now that it's happening on all windows, although not all windows can "go back a screen." In other words, it might leave MSH (and go back a screen) to go to Outlook, or it leaves Outlook and goes to MSH, but it stays in the same window in Outlook.
>
> Plugging in a different keyboard would be an easy test, so I'll try that.

Leave your task manager on the screen and see what program suddenly spikes in processor utilization.

Jason Harris 31 Posted May 2, 2006

One thing I've noticed is multiple (seven) processes of svchost.exe. Is that normal?

Vapor 0 Posted May 2, 2006

> One thing I've noticed is multiple (seven) processes of svchost.exe. Is that normal?

yes

Vapor 0 Posted May 2, 2006

let me elaborate (i was on my pda)... svchost is a process that manages 32 bit dlls, it pretty much looks to the registry and finds out what it has to load so the system can run.... some viruses can use the service against you... but hijack this would find a corrupted dll (hopefully)

crutesie 0 Posted May 2, 2006

how long has it been going on for?

you could try system restore

Jason Harris 31 Posted May 3, 2006

> how long has it been going on for?
>
> you could try system restore

I tried going back to a couple of earlier dates with System Restore, but it didn't seem to work.

I'm going to hook up a new keyboard and mouse today to see if maybe my current ones have become corrupted.

ken 0 Posted May 3, 2006

It does sound like it might be the keyboard and/or mouse. Perhaps some keys are sticking on the keyboard/mouse causing it to switch windows. I bet a new keyboard/mouse will fix it.