Mouse moving and programs opening mysteriously

Discussion in 'Online Security' started by ksulli13, May 19, 2004.

  1. ksulli13

    ksulli13

    Joined:
    Mar 15, 2001
    Messages:
    53
    For the last couple of days I have noticed that internet sites randomly came up when I wasn't in the room. Yesterday I was sitting at my computer and the mouse suddenly started moving and going into my favorites on IE. WHAT IS GOING ON!! I have Windows XP, so I enabled the firewall and disabled any remote desktop stuff. I also updated all the Windows critical update stuff, and the person can still get on my computer. What do I do??
     
  2. pam123

    pam123 Computing Professor Staff Member

    Joined:
    Jun 19, 2001
    Messages:
    12,251
    Go here and do what it says : http://www.simplysup.com/

    You've done the equivalent of closing the barn door after the horses have left and all the info on your computer must be considered compromised.
    So after you remove the trojan you will have to change any passwords, etc. that you have.
    Be really thorough about making sure you know how you got the trojan, though the fact that you've just enabled the firewall and installed the updates now is a really good lead, and get yourself a third party firewall that keeps track of any program on your computer that wants web access.
    This guy knows where you live and the fact that he seems to be more interested in freaking you out than ripping you off is just luck. Don't get caught again.
    Also get a good AV.
     
  3. ksulli13

    ksulli13

    Joined:
    Mar 15, 2001
    Messages:
    53
    I installed and ran the trojan removal tool and it didn't find anything. When I ran the windows update there was only one update that I didn't have installed, so I was pretty much up to date there. I also just realized that the firewall on my antivirus was enabled this whole time. Does anyone else have any ideas?
     
  4. pam123

    pam123 Computing Professor Staff Member

    Joined:
    Jun 19, 2001
    Messages:
    12,251
    What firewall/AV ?
     
  5. ksulli13

    ksulli13

    Joined:
    Mar 15, 2001
    Messages:
    53
    PC-cillin. The firewall doesn't give me much information about what is happening.
     
  6. pam123

    pam123 Computing Professor Staff Member

    Joined:
    Jun 19, 2001
    Messages:
    12,251
    When you Ctrl-Alt-Delete what's running on your comp ?
    An AV wouldn't stop many trojans and your firewall didn't either.
     
  7. Lobos

    Lobos

    Joined:
    Mar 28, 2004
    Messages:
    931
    Location:
    California
    HIJACKTHIS
    Please do this. Click here to download Hijack This. Save it to its own folder (not temporary files or the desktop).
    Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

    DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.
     
  8. ksulli13

    ksulli13

    Joined:
    Mar 15, 2001
    Messages:
    53
    Let's see...
    PCCCPFW
    pccguide
    alg
    pccclient
    pop3tray
    tmntsrv
    ipodservice
    ituneshelper
    jusched
    hkcmd
    svchost
    lsass
    csrss
    smss
    and some more of the normal system stuff
     
  9. ksulli13

    ksulli13

    Joined:
    Mar 15, 2001
    Messages:
    53
    Here is the hijackthis log

    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:02 PM, on 5/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    H:\WINDOWS\System32\smss.exe
    H:\WINDOWS\system32\winlogon.exe
    H:\WINDOWS\system32\services.exe
    H:\WINDOWS\system32\lsass.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\system32\spoolsv.exe
    H:\WINDOWS\System32\gearsec.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\Explorer.EXE
    H:\WINDOWS\System32\hkcmd.exe
    H:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    H:\Program Files\iTunes\iTunesHelper.exe
    H:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
    H:\Program Files\Messenger\msmsgs.exe
    H:\Program Files\iPod\bin\iPodService.exe
    H:\Program Files\AIM\aim.exe
    H:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    H:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    H:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
    H:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
    H:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
    H:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    H:\Documents and Settings\Kyle\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] H:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] H:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [eX5] "H:\Program Files\EPoX\eX5\eX5.EXE" "5000"
    O4 - HKLM\..\Run: [pccguide.exe] "H:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "H:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "H:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] H:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Disk Monitor] H:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
    O4 - HKLM\..\Run: [TrojanScanner] H:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpyKiller] H:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Mountit.lnk = H:\Program Files\Roxio\WinOnCD 6 PE\MountIt.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
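
An added example, not part of the thread and not HijackThis's own code: a small Python parser for the log format posted above. It splits a log into running processes and section-coded entries, lists the Run-key autoruns, and flags two kinds of item to look at first; both flag rules (image path under a Temp directory, O16 entry with no display name) are assumptions of this example, not verdicts.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the log posted above (abridged).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
H:\WINDOWS\system32\svchost.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Documents and Settings\Kyle\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [iTunesHelper] H:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the entry text
RUN = re.compile(r'^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] "?([^"]+?\.exe)', re.I)
DPF = re.compile(r"^DPF: (\{[0-9A-F-]+\})(?: \((.*?)\))? - (\S+)$", re.I)

def parse(log):
    """Return (running process paths, {section code: [entry text, ...]})."""
    procs, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage(log):
    """Summarise a log: Run-key autoruns plus items to look at first."""
    procs, entries = parse(log)
    autoruns = [m.groups() for m in map(RUN.match, entries["O4"]) if m]
    flags = [("process-from-temp", p) for p in procs if "\\temp\\" in p.lower()]
    for m in map(DPF.match, entries["O16"]):
        if m and not m.group(2):  # assumption: no display name merits a look
            flags.append(("unnamed-activex", m.group(3)))
    return {"sections": {k: len(v) for k, v in entries.items()},
            "autoruns": autoruns, "flags": flags}

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG)["flags"]:
        print(kind, detail)
```

On this sample the process flag lands on HijackThis.exe itself, running out of a zip's temporary directory, which is the situation the "save it to its own folder" instruction in the thread addresses.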
     
  10. Lobos

    Lobos

    Joined:
    Mar 28, 2004
    Messages:
    931
    Location:
    California
    do you know what this file is

    eX5.EXE
     
  12. ksulli13

    ksulli13

    Joined:
    Mar 15, 2001
    Messages:
    53
    yah it's something for my motherboard
     
  13. Lobos

    Lobos

    Joined:
    Mar 28, 2004
    Messages:
    931
    Location:
    California
    First, create a folder just for Hijack This and put it in there.

    Next, run Hijack This, put a check next to these, close all browsers and click Fix.



    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...abasetup144.cab


    These are optional; fixing these will speed up your startup time. You can still access them through Start - Programs.

    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] H:\Program Files\iTunes\iTunesHelper.exe
     
  14. ksulli13

    ksulli13

    Joined:
    Mar 15, 2001
    Messages:
    53
    Ok I did that, anything else?
     
  15. Lobos

    Lobos

    Joined:
    Mar 28, 2004
    Messages:
    931
    Location:
    California
    No, I really can't find anything wrong with your log,
    unless you had some startups that were unchecked. Besides that you're clean.

    Maybe running an online scan wouldn't hurt, maybe two:

    Housecall
    Panda scan
    RAV


    You should keep your firewall up at all times too, especially if you're online.

    Did it stop once you put your firewall back on?
     
  16. pam123

    pam123 Computing Professor Staff Member

    Joined:
    Jun 19, 2001
    Messages:
    12,251
    If I read the post correctly, it started while he had a firewall up: "I also just realized that the firewall I had on my anti-virus was enabled the whole time".
    That suggests that he downloaded the problem and bypassed his protections.
     
  17. Lobos

    Lobos

    Joined:
    Mar 28, 2004
    Messages:
    931
    Location:
    California
    You're right.

    I read this:

    For the last couple of days I have noticed that internet sites randomly came up when I wasn't in the room. Yesterday I was sitting at my computer and the mouse suddenly started moving and going into my favorites on IE. WHAT IS GOING ON!! I have Windows XP, so I enabled the firewall and disabled any remote desktop stuff.


    I guess I didn't read that it was still happening with the firewall up.
     
  18. ksulli13

    ksulli13

    Joined:
    Mar 15, 2001
    Messages:
    53
    Yes, my PC-cillin firewall was up the whole time. After I realized what was happening I also enabled Windows Firewall.
     
  19. pam123

    pam123 Computing Professor Staff Member

    Joined:
    Jun 19, 2001
    Messages:
    12,251
    Like I said, the guy seems more of a prankster than a thief but you've got to get rid of him.
    My guess, since you have Kazaa, is that you downloaded the problem with it.
    If none of the suggestions work, those on-line scans from Lobos, then you're looking at a reformat, but first, what were you downloading around the time this started?
    That could pinpoint what you downloaded that contained the trojan.
     
  20. vincevega

    vincevega

    Joined:
    Feb 9, 2003
    Messages:
    181
    I would do the scans Lobos and Pam123 recommend and then I would download TDS-3 Anti-Trojan 30 day trial software (Do a Google search) and scan my system before I reformat.
     
