The square block cursor shows up in most text-entering places (i.e. address bar, Google box, Notepad, Run command prompt, Internet Explorer) but not in MS Word or Firefox, the latter of which I installed just yesterday. The cursor in Word and Firefox is a normal thin blinking line.
I suspect some sort of spyware or malware. But it seems to be a strange symptom. The worst trouble is that I can't be sure where my cursor is when editing because the block takes up several letters at a time.
I have followed the steps suggested in "the must read this" post.
Below are the HijackThis and ActiveScan results.
(1) HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:09 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\j2 Messenger 4.2\J2GTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.221.10:8080
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PxToolbarHelper Class - {21276F44-27FC-440E-A99E-A72324740419} - C:\Program Files\eGrabber\eGrabber ResumeFinder 2008\PxRFToolbarHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: ResumeFinder - {8A2B3DEC-D8A5-4199-BB0F-1180993826FF} - C:\Program Files\eGrabber\eGrabber ResumeFinder 2008\ResumeFinder.dll
O3 - Toolbar: eGrabber - {9E7E32DD-9584-4265-B223-43AA0D6E4E8C} - C:\Program Files\eGrabber\ResumeGrabber Pro 2008\PxInternetExplorer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: j2 4.2.lnk = C:\Program Files\j2 Messenger 4.2\J2GTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1169628721418
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198171041697
O16 - DPF: {6F0C8A85-8B0D-11D2-801B-00105AA78F4A} (CobAgent4 Class) - http://ecare4c.netop...t_4.2.1.316.cab
O16 - DPF: {7873B468-E762-4143-83E6-7258CB6B5D9D} (ECareAgent Class) - http://ecare4c.netop.../ECareAgent.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com...tall/AxCtp2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.co...upldr-2k-xp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 8870 bytes
(2) ActiveScan
Incident Status Location
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Virus:W97M/Groov.C Disinfected Working Folders\Deleted Items\Contacts\Mary Lou Smith\Raytheon Systems Company Exempt & International Exempt Job Postings 1/18/99\RISCOCOV.doc
Virus:W97M/Class.D Disinfected Working Folders\Deleted Items\Contacts\Ken Bradley\Resume\WALKER, RANDY - Bradley & Assoc..doc
Virus:W97M/Marker.AO Disinfected Working Folders\Inbox\Candidates Sent\Ref.RON86442\RESUME.DOC
Virus:W97M/Melissa.A Disinfected Working Folders\Inbox\Mortgage\Job # : EVR1202 - Commercial Mortgage Loan Underwriter\nbncovletter.doc
Virus:W97M/Melissa.A Disinfected Working Folders\Inbox\Mortgage\Job # : EVR1202 - Commercial Mortgage Loan Underwriter\max'sresume.doc
Virus:W97M/Myna.C Disinfected Working Folders\Inbox\Mortgage\(no subject)\BRIAN3.doc
Virus:W97M/Titch.A Disinfected Working Folders\Inbox\Mortgage\Joseph H. Adams, Jr.-Candidate for VP Client Relations\resume addendum.doc
Virus:W97M/Titch.A Disinfected Working Folders\Inbox\GMAC Mortgage\GMAC Mortgage II\Joseph H. Adams, Jr.-Candidate for VP Client Relations\resume addendum.doc
Virus:W97M/Titch.A Disinfected Working Folders\Inbox\GMAC Mortgage\Joseph H. Adams, Jr.-Candidate for VP Client Relations\resume addendum.doc
Virus:W97M/Groov.C Disinfected Working Folders\Contacts\Mary Lou Smith\Raytheon Systems Company Exempt & International Exempt Job Postings 1/18/99\RISCOCOV.doc
Virus:W97M/Class.D Disinfected Working Folders\Contacts\Ken Bradley\Resume\WALKER, RANDY - Bradley & Assoc..doc
Spyware:Spyware/Virtumonde Not disinfected Working Folders\MailFrontier Junk Mail\Campaign Report
Virus:W97M/Marker.AO Disinfected Personal Folders\Inbox\Candidates Sent\Ref.RON86442\RESUME.DOC
Virus:W97M/Melissa.A Disinfected Personal Folders\Inbox\Mortgage\Job # : EVR1202 - Commercial Mortgage Loan Underwriter\nbncovletter.doc
Virus:W97M/Melissa.A Disinfected Personal Folders\Inbox\Mortgage\Job # : EVR1202 - Commercial Mortgage Loan Underwriter\max'sresume.doc
Virus:W97M/Myna.C Disinfected Personal Folders\Inbox\Mortgage\(no subject)\BRIAN3.doc
Virus:W97M/Titch.A Disinfected Personal Folders\Inbox\Mortgage\Joseph H. Adams, Jr.-Candidate for VP Client Relations\resume addendum.doc
Virus:W97M/Titch.A Disinfected Personal Folders\Inbox\GMAC Mortgage\GMAC Mortgage II\Joseph H. Adams, Jr.-Candidate for VP Client Relations\resume addendum.doc
Virus:W97M/Titch.A Disinfected Personal Folders\Inbox\GMAC Mortgage\Joseph H. Adams, Jr.-Candidate for VP Client Relations\resume addendum.doc
Virus:W97M/Groov.C Disinfected Personal Folders\Contacts\Mary Lou Smith\Raytheon Systems Company Exempt & International Exempt Job Postings 1/18/99\RISCOCOV.doc
Virus:W97M/Class.D Disinfected Personal Folders\Contacts\Ken Bradley\Resume\WALKER, RANDY - Bradley & Assoc..doc
Virus:Trj/SpamtaLoad.BP Disinfected Personal Folders\Junk E-mail\Mail server report.\Update-KB5343-x86.zip[Update-KB5343-x86.exe]
Virus:Trj/SpamtaLoad.BP Disinfected Personal Folders\Junk E-mail\Status\text.txt.cmd
Virus:W32/Spamta.OL.worm Disinfected Personal Folders\Junk E-mail\Mail server report.\Update-KB8550-x86.zip[Update-KB8550-x86.exe]
Virus:W32/Spamta.OL.worm Disinfected Personal Folders\Junk E-mail\hello\doc.txt.scr
Virus:W97M/Marker.AO Disinfected Personal Folders\Inbox\Candidates Sent\Ref.RON86442\RESUME.DOC
Virus:W97M/Melissa.A Disinfected Personal Folders\Inbox\Mortgage\Job # : EVR1202 - Commercial Mortgage Loan Underwriter\nbncovletter.doc
Virus:W97M/Melissa.A Disinfected Personal Folders\Inbox\Mortgage\Job # : EVR1202 - Commercial Mortgage Loan Underwriter\max'sresume.doc
Virus:W97M/Myna.C Disinfected Personal Folders\Inbox\Mortgage\(no subject)\BRIAN3.doc
Virus:W97M/Titch.A Disinfected Personal Folders\Inbox\Mortgage\Joseph H. Adams, Jr.-Candidate for VP Client Relations\resume addendum.doc
Virus:W97M/Titch.A Disinfected Personal Folders\Inbox\GMAC Mortgage\GMAC Mortgage II\Joseph H. Adams, Jr.-Candidate for VP Client Relations\resume addendum.doc
Virus:W97M/Titch.A Disinfected Personal Folders\Inbox\GMAC Mortgage\Joseph H. Adams, Jr.-Candidate for VP Client Relations\resume addendum.doc
Virus:W97M/Groov.C Disinfected Personal Folders\Contacts\Mary Lou Smith\Raytheon Systems Company Exempt & International Exempt Job Postings 1/18/99\RISCOCOV.doc
Virus:W97M/Class.D Disinfected Personal Folders\Contacts\Ken Bradley\Resume\WALKER, RANDY - Bradley & Assoc..doc
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp
Any suggestions?
Thanks,
Jimbo