help! mouse jumping with tribalfusion popups


#1
fellowpeon

    New Member

  • Member
  • Pip
  • 6 posts
Hi. I'm getting a strange mouse jumping issue with my computer that sometimes results in tribalfusion ads popping up. There always seem to be a lot of applications opening, icons moved and right-click menus appearing on the screen as well, as though my mouse was possessed and indiscriminately right- and left-clicking all over the screen. This has only been going on for a week or so, I think. Here's my Ewido scan report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:41:20 PM, 9/21/2005
+ Report-Checksum: 39956F06

+ Scan result:

:mozilla.8:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.13:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.14:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.20:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.21:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.24:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.26:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.34:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.35:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.36:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.37:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.38:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.49:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.50:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.57:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.58:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.59:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.60:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.62:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.66:C:\Documents and Settings\simon\Application Data\Mozilla\Firefox\Profiles\tgbv6r95.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup


::Report End


**********************************

and from hijack this!:

Logfile of HijackThis v1.99.1
Scan saved at 5:42:59 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\shared\software downloads post 2-10-05\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

***********************

Thanks in advance for the help!

Edited by coachwife6, 07 October 2005 - 03:46 PM.


#2
fellowpeon

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
oh, I should mention that I did most of everything in the "Read First" thread. I already scanned my computer with cwshredder and spyware s&d, and ran a flush with cleanup! Also, two other things: a) the mouse jumping/pop-up problem occurs intermittently and is not constant, and b) the damage seems to be contained when I don't move my mouse during the pop-up fits. It seems as though craziness needs input from the mouse to really wreak havoc.

thanks again!
Simon

#3
fellowpeon

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
One more note: the only recent software changes to my computer (aside from downloading and installing all the antispyware software such as cwshredder, cleanup!, hijackthis, etc.) have been 1) upgrading to the latest itunes and then disabling the bonjour service b/c it was making the computer lag, and 2) upgrading to the newest version of zone alarm (667, I think).

Also, this guy seems to be having the same problem:

http://www.geekstogo...howtopic=64798

#4
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Have you already checked off items in hijack this? Your list is very small.

Please run hijack this again and post a log in this thread...also,

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Edited by coachwife6, 30 September 2005 - 04:02 PM.


#5
fellowpeon

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Yes, I did check off a few things already the last time I posted. Sorry, I sort of just keep my computer running cleanly in general and will remove things that don't look familiar. I was still getting the mouse jumping problem after those posts, but yesterday I switched over to a usb mouse. I just wanted to see if the problem is maybe tied to the ps/2 mouse port or to the mouse itself. So far, no problems in the last day or so, though I haven't really been using my computer much since yesterday.

Hmm. . . an a.tribalfusion.com just now popped-under w/o any mouse troubles. Is that adware or is that geekstogo.com advertising?

Here's a fresh hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:54 AM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\shared\software downloads post 2-10-05\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

************************************

and here's the silent runners log:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 62 seconds, including 18 seconds for message boxes)


**************************

thanks for responding!

simon

#6
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hi Simon. I don't see anything that should be causing problems. Are you still having difficulties?

Download and save BlackLight to your desktop. Double-click blbeta.exe, accept the agreement, leave [X] scan through Windows Explorer checked, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

#7
fellowpeon

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi, coachwife! Since switching over to a usb mouse I've had no problems. I suppose that means the problem either involved my ps/2 mouse port or the mouse itself. . . How embarrassing. I'll have to find a new ps/2 mouse and see which is causing the herky-jerky.

Here's the fs-blacklight log -- it's pretty scant:

10/07/05 13:20:28 [Info]: BlackLight Engine 1.0.23 initialized
10/07/05 13:20:28 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/07/05 13:20:28 [Note]: 4019 4
10/07/05 13:20:28 [Note]: 4005 0
10/07/05 13:20:32 [Note]: 4006 0
10/07/05 13:20:32 [Note]: 4011 1296
10/07/05 13:20:34 [Note]: FSRAW library version 1.7.1011
10/07/05 13:21:41 [Note]: 4007 0


********************************

thanks again for your help! y'all are the best!

simon

#8
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I think you are good to go.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

Since this topic appears resolved, it will now be closed. If you are the topic starter and you need it reopened, please PM a staff member.