# Crazy Mouse Cursor



## CityGI (Jan 15, 2008)

Hello.

My mouse cursor seems to have a mind of its own these days. It moves around the screen and clicks on stuff like someone is controlling it. I have determined that it is some kind of macro running in the background. It acts up without any connection to the internet and it has done this with three different mice now. Whatever it is avoids being detected by Spybot and Avast! antivirus in safe mode.

I'm running windows XP SP2 and am using a wireless logitech mouse (don't know the model). Any help or advice would be greatly appreciated. This thing is driving me off the deep end!


----------



## tetonbob (Jan 10, 2005)

Are all the mouse you've tried been wireless? Does a hard-wired mouse do the same thing?

Do you live in an apartment building, or close to other neighbors?


----------



## koala (Mar 27, 2005)

Are you on a wireless network? Do you have any VPN software installed?

How long have you had the problem? Are you logged in as Administrator?

Do you lose control of the mouse when it starts moving, or is it as though 2 people are controlling it at the same time? Look in Event Viewer when the mouse starts moving.

It's safe to unplug a USB mouse without switching the compuer off. Next time it starts acting up, unplug the mouse to see if it carries on moving.

Anything you don't recognise in Start > Run > msconfig > Startup?


----------



## CityGI (Jan 15, 2008)

Hard-wired mice do the same thing. I'm on a wireless network with WEP encryption. I don't live near neighbors. It seems as if there are two people moving the cursor at once. No VPN. It seems like I've had it for about a month. I'm logged in as administrator. I have unplugged it when it started moving and it kept on going. I have nothing but the essentials starting with Windows.


----------



## biga800 (Jan 12, 2008)

hey im like not a pro or anything but i had a idea....
try running ya pc in safe mode an see if it does... because if it does u may find the program running in task manager 

yea and if u do find it then u know what it is and u can like Google it .....


----------



## koala (Mar 27, 2005)

Have you checked in Control Panel > Admin Tools > Event Viewer?

Does it definitely appear as though someone is controlling the mouse, and it's not just random movements?

If it's a laptop, have you tried disabling the touchpad?

You say you think it's a macro running in the background. Can you give us some more details about this and how you discovered it.


----------



## johnwill (Sep 26, 2002)

Please post a HijackThis 2.00.2 Log here.


----------



## CityGI (Jan 15, 2008)

Here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:52 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://music.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Audio Deck\EnMixCPL.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [BitTorrent] "D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185909384765
O17 - HKLM\System\CCS\Services\Tcpip\..\{B696F7A3-74BB-4738-800A-3717EFE06CA7}: NameServer = 68.87.96.146,68.87.85.98
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

What should I look for in the event viewer? And yeah, it definitely looks like there is someone else controlling the mouse. It will just start moving across the screen and click on stuff. It almost shutdown the computer once. It's a desktop, so no touchpad. And I think it's something running in the background because I've eliminated anything else I could think of (first post). It's something local because I've physically disabled my network connection while it was moving and kept going. I think it is a macro because it isn't random movement. 

Oh, and I think I forgot to mention that it does this randomly. I never know when it will happen. Today, for instance, it hardly moved at all.

EDIT: I just noticed the announcement thread at the top of the board about HijackThis logs. Should I post elsewhere?


----------



## johnwill (Sep 26, 2002)

Well, I don't see anything there, but perhaps making sure you don't have any malware would be the first place to start. I was looking for unusual stuff starting up. 

I do see a Chat Server that could explain it, but I don't know anything about it.


Please follow this HJT Log 5 Step Process to post a HijackThis log in the HijackThis Log Help forum here.


----------



## tetonbob (Jan 10, 2005)

CityGI

Please be sure to post a set of logs from Deckard's System Scanner as outlined in Step 5 of the link johnwill has given when you do create your new thread.

It's much more comprehensive than HijackThis.


----------



## qnerve (Feb 29, 2008)

Defragmenting fixed my mouse double click problem, at least it seems so thus far.


----------



## johnwill (Sep 26, 2002)

Well, that makes no sense, but if it worked. :smile:


----------

