Help my PC is Possessed!

[icyboyedy]

Weird thing is happening on my PC and nothing has worked so far. I am running Windows XP.  I have run Trendmicro virus and spyware scans and nothing has been found. Same with Ad-Aware and Ewido spyware scanners.  This is what happens; I'll be on the computer and then the START button menu pops up by itself,  then wherever I move the mouse, a left click menu pops up and sometimes it closes IE windows  and will freez for a minute or two. What could this be?

[dl65]

 icyboyedy.....  Is this something which just started ?
What hapened just prior to that ......... any indication of bugs ?
How about we start with a hijackthis logfile .........  get hijackthis at ....... http://www.majorgeeks.com/download3155.html     ......  once you have , do a scan, save the scan to your desktop and post it here ...use as many posts as necessary to get it all in .

dl65  

[icyboyedy]

Logfile of HijackThis v1.99.1
Scan saved at 11:14:33 AM, on 09/03/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Netscape Internet Service\NSClient.exe
C:\Program Files\Common Files\ISPCOMP\SystemTrayIcon.exe
C:\Program Files\Netscape Internet Service\_NSWatchman.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {86AA461F-2A5B-4889-B543-E1BBA6746D61} - (no file)
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\System32\safeie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126385425662
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D05705C-B4C3-4C13-B6E1-6947C4F58DEE}: NameServer = 205.188.146.145
O20 - Winlogon Notify: st3d - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O2

[icyboyedy]

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

[icyboyedy]

This problem has been occurring once or twice a month since about January or so, but this week it has occurred multiple times a day. This is really the only problem I have on my PC, the above mentioned tools usually keep my machine running very well.  I am stumped as to what it could be.

[unlovedwarrior]

try backing your computer up and reformatting that will solve the problem..

[honvetops]

what are your hardware specs on your computer & cpu ?
Can you monitor the temperatures inside the case?

[icyboyedy]

I'm running Windows XP on a 800mhz Pentium 3 with 384mb of RAM. I do not know the temps of the cache, but the fans are working.

While running the Ewido and other programs in safe mode I noticed that the problem also occurred. So I ran MSCONFIG  to see what programs ran on startup and I found one with no name Software\Microsoft\Windows\Current Version\Run  that looks very suspicious. Any clue?

[unlovedwarrior]

can you gives the .exe file name

[Fed]

Can you borrow a mouse & keyboard to swap out as a test?
One at a time of course.

[unlovedwarrior]

lol is anyone going to look at the log??

[icyboyedy]

Switched the mouse, why would that cause problems? The file in question is blank, just as written above. I had a chat with a tech from my Isp to verify the Isp files that looked suspicious.

[unlovedwarrior]

can you gives the .exe file name

^^

[icyboyedy]

Checked the file again. There is a new entry, it is blank, but checked off, and the old one is also there, not checked, interesting.

HKLM/Software/Microsoft/Windows/Current Version/Run

[unlovedwarrior]

http://www.iss.net/security_center/advice/Reference/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/default.htm

http://www.google.com/search?hl=en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=HKLM/Software/Microsoft/Windows/CurrentVersion/Run+&spell=1

these might help but im not sure