Malware that randomly opens documents and disables mouse buttons

Status
Not open for further replies.

Astronerd

The symptoms are:
Randomly opening documents and programs (like RealAudio/Video)
Disabling the mouse buttons so nothing can be clicked

I've updated Adobe Reader and Java but when the machine is trying to update Windows, the three updates fail over and over. One was a Windows Security Update and the other two are Office Security Updates.
This machine runs McAfee Security Center.

All of the 8 Step tasks have been run (had to run GMER a third time because I missed saving the log).
The files are attached.

Thanks,
The Astronerd
 

Attachments

  • Attach.txt (19.6 KB)
  • DDS.txt (14.5 KB)
  • GMER.log (104.2 KB)
  • mbam-log-2010-04-28 (17-03-13).txt (34.3 KB)
You have a full dose of MyWebSearch! But the symptoms you describe are unusual for malware. What is displaying in these windows that open? Is there a video running? Are there ads showing?

Can you define the mouse problem, please? Does the screen freeze? Can you move the cursor around but when you click on something, nothing happens? Is this right and left mouse buttons as well as the scroll wheel? Have you checked out the pointer device driver in the Device Manager?

I'm going to check the rest of the logs. While I do, please run the following:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
================================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please leave the logs from both in your next reply.
 
When the RealPlayer pops up, no video or audio is running.
The other documents that pop up are random... an .xls or a .doc
The mouse problem happened after a few minutes. Neither mouse button worked afterward. You could still move the cursor (after the MalwareBytes cleanup, this hasn't re-occurred).
When the mouse buttons quit working, the only way to shut down was to hold the case switch down for 6 seconds.
This machine is used for the Peraus Design Landscape Company Billing. I would like to keep from re-formatting if possible.

The two files you requested are attached.

Thanks,
The Astronerd
 

Attachments

  • ComboFix.txt (14.8 KB)
  • ESET1.txt (88 bytes)
Upon further investigation, I've found that the copy of Microsoft Office on this machine is not valid. Would that cause ALL updates to fail?

Thanks,
The Astronerd
 
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\docume~1\Family\LOCALS~1\Temp\J8DLjMK
c:\docume~1\Family\LOCALS~1\Temp\1q8xgUo0
c:\docume~1\Family\LOCALS~1\Temp\YN4o03
C:\WINDOWS\CouponBarIE.dll

Folder::
Registry::

Driver::
3158bta6
5069b3w6
c4wdb4af
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
=====================
Please download HijackThis from here.
  • Save it to a permanent folder (such as C:\HJT).
  • Next, open HijackThis, and select Do a system scan and save a logfile.
  • A Notepad document will open. Please post the log.
=============================
By the way, when I ask you to leave a log, please include all the contents of the log. Example: in the Eset log, you just copied the one malware entry.

Questions:
1. Are you currently running both an HP and a Lexmark printer? If not, which one are you now using? You have processes running from an HP printer installed in 2002, but you also have a Lexmark printer installed in 2007.
2. Microsoft Baseline Security Analyzer (MBSA) with a date of 2010-04-29 is running. This is usually for IT in an enterprise setting. Did you know that?
3. There is a folder c:\documents and settings\Family\SecurityScans. What is this? Date is same as the MBSA.

Thanks for your patience. I've been away from the computer most of last couple of days.
 
I've found that the copy of Microsoft Office on this machine is not valid. Would that cause ALL updates to fail?

Do you mean would it cause both the Windows updates AND the Office updates to fail? Possibly, I don't know. When Windows runs the WGA tool, I guess it would be up against what it finds.
 
Here are the logs you requested. The MBSA will be deleted shortly. The HP printer has been deleted.

The invalid copy of Office 2007 will shortly be deleted. Maybe that will allow the Windows Update to complete successfully? I don't know.
 

Attachments

  • hijackthis.log (13 KB)
  • ComboFix.txt (15.8 KB)
Here are some left-overs from HP:

Please reopen HijackThis to 'do system scan only'. Check each of the following entries if present:

C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?ptnrS=ZKxdm021YYUS&ptb=ebER3YJD8hAfVDuOj3NI5Q&n=77c0c73c
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe


Close all Windows except for Hijackthis and click on "Fix Checked."
==========================
Please open Notepad and copy the following text into a new file:

Code:
rem The service name contains spaces, so sc needs it quoted; note the space after "start=".
sc config "Pml Driver HPH11" start= disabled
sc stop "Pml Driver HPH11"
sc delete "Pml Driver HPH11"
  • Save the file to the desktop as remove.bat. Make sure the "Save as type" field says "All files".
  • Double-click on remove.bat to run it.
  • A DOS box will open and close, that is normal.
  • If any errors are encountered, please post them.
  • When done you can delete the remove.bat file.
=======================
How is the system running now?
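As an added example (not from this thread, nor code from HijackThis or any other tool mentioned here), a small Python triage script that parses HijackThis-style log lines such as the ones quoted above and flags the entries a log reviewer looks at first: components registered with "(no file)" on disk, autostarts running from a Temp directory, and browser start pages pointing at a non-default host. The sample log is constructed; the HKCU Temp autorun line is invented for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse
# Constructed sample in HijackThis log format: HP/MyWebSearch lines mirror the thread, the Temp autorun is invented.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?ptnrS=ZKxdm021YYUS
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Family\LOCALS~1\Temp\J8DLjMK.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]*)"')
BARE_PATH = re.compile(r"([A-Za-z]:\\\S+)")
URL = re.compile(r"(https?://\S+)")
TEMP_DIR = re.compile(r"\\(temp|locals~1)\\", re.IGNORECASE)

@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. O4 or O23
    body: str             # everything after the "O4 - " prefix
    path: Optional[str]   # file path or URL the entry points at, if any
    flags: List[str] = field(default_factory=list)

def extract_target(body: str) -> Optional[str]:
    """Return the quoted path, bare path or URL an entry references, if any."""
    for rx in (QUOTED_PATH, BARE_PATH, URL):
        m = rx.search(body)
        if m:
            return m.group(1)
    return None

def triage(entry: Entry) -> None:
    # Attach plain-language flags for the things a log reviewer checks first.
    if "(no file)" in entry.body:
        entry.flags.append("orphan entry: registered component has no file on disk")
    if entry.path and TEMP_DIR.search(entry.path):
        entry.flags.append("autostart from a Temp directory")
    if entry.section in ("R0", "R1") and entry.path and entry.path.startswith("http"):
        entry.flags.append("browser setting points to " + urlparse(entry.path).netloc)

def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip headers, blank lines and the process list
            e = Entry(m["section"], m["body"], extract_target(m["body"]))
            triage(e)
            entries.append(e)
    return entries
```

Entries with no flags (the two HP lines here) still need a human decision, as in the thread: the script only orders the review, it does not decide what to remove.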
 