Mysterious Shutdown

Name: RobertS
Date: November 14, 2003 at 16:19:00 Pacific
OS: Windows XP Pro Media Cent
CPU/Ram: 2.8ghz/512 ram
Comment:

Hi,

I'm running the latest version of Viruscan and thought I would never have to write a post like this but hopefully someone can help.

My problem is that if I leave my mouse alone on the desktop the cursor will, after about 10 minutes, open up a menu and several seconds later shut down the computer. If I maximize a program such as a text document or put the cursor on top of a small window (far away from the desktop), the cursor will move around by itself several times before opening up the My Computer screen or the Calculator and then shut down my computer. I've seen this virus/trojan open up the Start menu too.

I have also tried AVG today and it did not help. I also cannot use system restore. I get an error telling me that I cannot restore to that point and am given an option to restore at some other point but no point seems to work. Does anyone know how to fix this?




Response Number 1
Name: Sir Killalot
Date: November 14, 2003 at 18:05:52 Pacific
Reply:

Looks like you either have a malicious trojan horse or somebody is executing commands on your PC remotely via software like PC Anywhere.

I recommend using a good virus scanner (McAfee, NAV) in safe mode while turning system restore off. As for your problem with system restore, either this virus is interfering with it or the restore points have been corrupted somehow. It's a common problem; it usually works when restore points are made manually.


0

Response Number 2
Name: Sir Killalot
Date: November 14, 2003 at 18:15:05 Pacific
Reply:

Also scan the system with Ad-aware (latest version), Spyware Blaster, Trojan Remover and Spybot Search and Destroy; they should pick up something.

If you still have the same problem, download Hijack-This (hijackthis.com) and CWshredder.

Post your hijackthis log on this website, then one of the guys can have a look and point out anything suspicious. If you don't know what they are, DON'T delete them; this can cause more problems.


0

Response Number 3
Name: RobertS
Date: November 15, 2003 at 14:13:02 Pacific
Reply:

I give up. Here's my hijackthis file:

Logfile of HijackThis v1.97.6
Scan saved at 5:04:07 PM, on 11/15/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\PROMon.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Programs\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Programs\Acrobat 5\Distillr\AcroTray.exe
C:\M2000\UTILITIES\Hauppauge\WinTVSel.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\OpenOffice.org1.0.3\program\soffice.exe
C:\Program Files\MozillaFirebird\MozillaFirebird.exe
C:\Documents and Settings\ROB\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.developer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.viewsonic.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\QuickTime 6\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [Opware12] "C:\Programs\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\Programs\PaperPort 9\PPWebCap.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe
O4 - Startup: restart_vs.lnk = D:\Viewsonic.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programs\Acrobat 5\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Shortcut to WinTVSel.lnk = C:\M2000\UTILITIES\Hauppauge\WinTVSel.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.viewsonic.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/139b20a085229e6d4614/netzip/RdxIE601.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5588657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4299/mcfscan.cab


I did run McAfee in safe mode (after turning off system restore) yesterday. While the cursor behaved itself throughout the whole 3 hour scan, McAfee found nothing unusual. I ran Spybot and Adaware on my computer today and I ran a trojan scan from a link I found on this site.

I have not yet run cwshredder because after a Google search I ran into a post here where a guy said it ruined his registry, so I'll wait for any responses to this hijackthis log first.



0
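A first-pass reading of a HijackThis log like the one posted above, as an added example that is not part of the original thread and not HijackThis's own code. The sample lines are copied from that log; the three review heuristics are assumptions of this example and only pick out entries to look up first, they are not verdicts.

```python
import re
from urllib.parse import urlparse

# Excerpt of lines copied from the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.6
C:\WINDOWS\Explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.developer.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/139b20a085229e6d4614/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Section codes that occur in that log and what HijackThis lists under them.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart program", "O9": "IE extra button or Tools item",
    "O12": "IE plugin", "O14": "IERESET.INF setting",
    "O16": "downloaded ActiveX control",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")     # e.g. "O4 - HKLM\..\Run: [x] y"
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')           # optional quote, then drive letter
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse(log_text):
    """Return (code, detail) pairs; header and process-list lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def review_reason(code, detail):
    """Heuristics assumed for this example: why a reader would look the entry up first."""
    if code == "O16":
        host = urlparse(detail.rpartition(" - ")[2]).hostname or ""
        if IPV4.match(host):
            return "control downloaded from a bare IP address"
    elif code == "O4":
        # Startup-folder shortcuts read "name.lnk = target"; Run keys read "[name] command".
        is_shortcut = "Startup: " in detail
        target = detail.rpartition(" = ")[2] if is_shortcut else detail.partition("] ")[2]
        if target == "?":
            return "shortcut target could not be resolved"
        if not ABS_PATH.match(target):
            return "command has no absolute path"
    return None

def triage(log_text):
    """Return (code, section, reason, detail) for every entry with a review reason."""
    rows = ((c, SECTIONS.get(c, "unknown"), review_reason(c, d), d) for c, d in parse(log_text))
    return [row for row in rows if row[2]]

if __name__ == "__main__":
    for code, section, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {section}: {reason}\n     {detail}")
```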

Response Number 4
Name: robys
Date: December 16, 2003 at 11:40:16 Pacific
Reply:

Problem solved! McAfee Viruscan 7 today found iSpyNOW on my computer and deleted it.

A couple of weeks ago, I uninstalled viruscan so that I could try the free trial of Norton and see if it could find anything. It didn't. I reinstalled viruscan, updated it, and checked the heuristics checkboxes (not sure if I did that before).

Then I turned off system restore, booted in safe mode as numerous posts in this forum have recommended, and McAfee did the rest. I went to the McAfee site, researched iSpyNOW, and then deleted these 2 files:

C:\WINDOWS\SYSTEM32\shelldata\cfg\applog.dat
C:\WINDOWS\SYSTEM32\shelldata\cfg\windowlog.dat

Two other important things I feel I should note are that I put a password on my computer and uninstalled McAfee Firewall. Not putting a password on an XP Pro system with DSL was obviously stupid and is likely what got me in this mess, but it didn't prevent my shutdowns.

What did prevent them was Zonealarm. It was the first firewall I ever used and I always liked how it very clearly alerts me when something wants to act as a server. "Run a dll as an app" was constantly trying to run off to the internet and a handful of other programs also wanted server rights. All were denied, and my computer started behaving again. Instead of mysterious shutdowns, I got a red alert box whenever I started Mozilla or IE telling me that internet access was denied to [long address]. Cool.

So thank you to Zonealarm for stopping the shutdowns, thank you to McAfee for finding the source of all this mess, thank you to this forum for teaching me about safe mode and system restore, and thank you to System Mechanic for cleaning up after everybody.


0

Response Number 5
Name: roby
Date: December 16, 2003 at 13:51:47 Pacific
Reply:

I forgot to mention one more thing - I uninstalled Microsoft's Messenger. I had to do it in safe mode because otherwise I'd get a message telling me that it's in use. I noticed a problem with messenger after installing Norton 2004 Pro free trial. I got into the habit of exiting messenger after my system booted but all of a sudden I kept getting a message telling me that I couldn't exit because it was in use. (I didn't uninstall right away because I assumed Norton was using it.)

This was also the program that was incessantly bothering Zonealarm. If I left my mouse alone for 5 - 10 minutes, Zonealarm would surely alert me that messenger tried to access the internet.

I just remembered all this while searching pcmag.com for a good instant messenger. I was thinking about reinstalling messenger and read this at pcmag:

"MSN Messenger includes some of the best extra utilities we've seen. For example, it is the only application in this roundup that supports real application sharing—meaning a user can see and control applications on the remote system. One user can browse Web sites while the remote user watches in real time. The Whiteboard, which is similar to Microsoft's Paint utility, can be used to share images, sketches, and so on. In addition, Windows XP's remote assistance is available with a simple button click. This utility lets one user take complete control of another user's desktop."

Wow.


0
