#1 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
For the last couple of days I have noticed that internet sites randomly came up when I wasn't in the room. Yesterday I was sitting at my computer and the mouse suddenly started moving and going into my favorites on IE. WHAT IS GOING ON!! I have Windows XP, so I enabled the firewall and disabled any remote desktop stuff. I also updated all the Windows critical update stuff, and the person can still get on my computer. What do I do??
|
|
|
|
|
|
#2 |
|
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,943
|
Go here and do what it says: http://www.simplysup.com/
You've done the equivalent of closing the barn door after the horses have left and all the info on your computer must be considered compromised. So after you remove the trojan you will have to change any passwords, etc. that you have. Be really thorough about making sure you know how you got the trojan, though the fact that you've just enabled the firewall and installed the updates now is a really good lead, and get yourself a third party firewall that keeps track of any program on your computer that wants web access. This guy knows where you live and the fact that he seems to be more interested in freaking you out than ripping you off is just luck. Don't get caught again. Also get a good AV. |
|
|
|
|
|
#3 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
I installed and ran the trojan removal tool and it didn't find anything. When I ran the windows update there was only one update that I didn't have installed, so I was pretty much up to date there. I also just realized that the firewall on my antivirus was enabled this whole time. Does anyone else have any ideas?
|
|
|
|
|
|
#4 |
|
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,943
|
What firewall/AV?
|
|
|
|
|
|
#5 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
PC-cillin. The firewall doesn't give me much information about what is happening.
|
|
|
|
|
|
#6 |
|
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,943
|
When you Ctrl-Alt-Delete, what's running on your comp?
An AV wouldn't stop many trojans and your firewall didn't either. |
|
|
|
|
|
#7 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
HIJACKTHIS
Please do this. Click here to download Hijack This. Save it to its own folder (not temporary files or the desktop). Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here. DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise. |
|
|
|
|
|
#8 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
Let's see...
PCCCPFW pccguide alg pccclient pop3tray tmntsrv ipodservice ituneshelper jusched hkcmd svchost lsass csrss smss and some more of the normal system stuff |
|
|
|
|
|
#9 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
Here is the hijackthis log
Logfile of HijackThis v1.97.7
Scan saved at 11:17:02 PM, on 5/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\System32\gearsec.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\System32\hkcmd.exe
H:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\AIM\aim.exe
H:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
H:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
H:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
H:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
H:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
H:\Program Files\Kazaa Lite K++\KazaaLite.kpp
H:\Documents and Settings\Kyle\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] H:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] H:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [eX5] "H:\Program Files\EPoX\eX5\eX5.EXE" "5000"
O4 - HKLM\..\Run: [pccguide.exe] "H:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "H:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "H:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] H:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Disk Monitor] H:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [TrojanScanner] H:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] H:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Mountit.lnk = H:\Program Files\Roxio\WinOnCD 6 PE\MountIt.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup144.cab
|
|
|
|
|
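When a HijackThis log like the one in post #9 is pasted as one run of text, the entries have to be split apart before they can be reviewed. The following Python is an added example (not part of the original thread and not HijackThis's own code) that does the split, lists the O4 autostart items and flags processes running from a temporary directory, as HijackThis.exe was in that log; the sample log, its paths and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the flattened one-line form a pasted log can take.
SAMPLE = (
    r'Running processes: C:\WINDOWS\system32\svchost.exe '
    r'C:\Program Files\Example App\helper.exe '
    r'C:\Documents and Settings\User\Local Settings\Temp\tool.zip\Tool.exe '
    r'R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/ '
    r'O4 - HKLM\..\Run: [ExampleTask] "C:\Program Files\Example App\task.exe" -boot '
    r'O4 - Global Startup: Example.lnk = C:\Program Files\Example App\start.exe '
    r'O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://download.example.com/setup.cab'
)

ENTRY = re.compile(r"\s(?=(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - )")  # start of a log entry
PATH = re.compile(r"\s(?=[A-Za-z]:\\)")                            # start of a process path
TEMP = re.compile(r"\\(?:temp|tmp|temporary [^\\]*)\\", re.I)      # temp directory component

def parse(text):
    """Split a flattened log into (process paths, {section code: [entry bodies]})."""
    head, *entries = ENTRY.split(text.strip())
    procs = head.partition("Running processes:")[2].strip()
    processes = PATH.split(procs) if procs else []
    by_code = defaultdict(list)
    for entry in entries:
        code, _, body = entry.partition(" - ")
        by_code[code].append(body)
    return processes, dict(by_code)

def autoruns(by_code):
    """Return (source, name, command) for each O4 autostart entry."""
    found = []
    for body in by_code.get("O4", []):
        m = re.match(r"(.+?): \[([^\]]+)\] (.+)$", body)
        if m:      # registry Run key: "HKLM\..\Run: [name] command"
            found.append(m.groups())
        else:      # Startup folder shortcut: "Global Startup: x.lnk = path"
            source, _, rest = body.partition(": ")
            name, _, command = rest.partition(" = ")
            found.append((source, name, command))
    return found

def from_temp(processes):
    """Processes running out of a temporary directory deserve a second look."""
    return [p for p in processes if TEMP.search(p)]

if __name__ == "__main__":
    processes, by_code = parse(SAMPLE)
    print("from temp:", from_temp(processes))
    for source, name, command in autoruns(by_code):
        print(f"autostart {name!r} via {source}: {command}")
```
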
#10 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
Do you know what this file is?
eX5.EXE |
|
|
|
|
|
#11 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
Do you know what this file is?
eX5.EXE |
|
|
|
|
|
#12 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
yah it's something for my motherboard
|
|
|
|
|
|
#13 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
First create a folder just for Hijack This and put it in there.
Next run Hijack This, put a check next to these, close all browsers and click Fix:
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...abasetup144.cab
These are optional; fixing these will speed up your startup time. You can still access them through Start - Programs:
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] H:\Program Files\iTunes\iTunesHelper.exe
|
|
|
|
|
#14 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
Ok I did that, anything else?
|
|
|
|
|
|
#15 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
No, really can't find anything wrong with your log,
unless you had some startups that were unchecked. Besides that you're clean. Maybe running an online scan wouldn't hurt, maybe two: Housecall, Panda scan, RAV. You should keep your firewall up at all times too, especially if you're online. Did it stop once you put your firewall back on? |
|
|
|
|
|
#16 |
|
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,943
|
If I read the post correctly, it started while he had a firewall up: "I also just realized that the firewall I had on my anti-virus was enabled the whole time".
That suggests that he downloaded the problem and bypassed his protections. |
|
|
|
|
|
#17 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
You're right.
I read this: "For the last couple of days I have noticed that internet sites randomly came up when I wasn't in the room. Yesterday I was sitting at my computer and the mouse suddenly started moving and going into my favorites on IE. WHAT IS GOING ON!! I have Windows XP, so I enabled the firewall and disabled any remote desktop stuff." I guess I didn't read this, that it was still happening with the firewall up. |
|
|
|
|
|
#18 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
Yes, my PC-cillin firewall was up the whole time. After I realized what was happening I also enabled Windows firewall.
|
|
|
|
|
|
#19 |
|
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,943
|
Like I said, the guy seems more of a prankster than a thief but you've got to get rid of him.
My guess, since you have Kazaa, is that you downloaded the problem with it. If none of the suggestions work, those on-line scans from Lobos, then you're looking at a reformat, but first, what were you downloading around the time this started? That could pinpoint what you downloaded that contained the trojan. |
|
|
|
|
|
#20 |
|
Member (8 bit)
Join Date: Feb 2003
Posts: 181
|
I would do the scans Lobos and Pam123 recommend and then I would download TDS-3 Anti-Trojan 30 day trial software (Do a Google search) and scan my system before I reformat.
|
|
|
|
|
|
#21 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
I tried an online scan and the trojan software and they didn't pick up anything. I don't use Kazaa very often but when I do it's just music. I think you're right that they are just messing with me but it's just kinda annoying when I have to fight the mouse with the guy. I'm on a college campus so it's probably someone around here. I'm hoping the campus firewall is doing its job.
|
|
|
|
|
|
#22 | |
|
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,943
|
Quote:
Leave things as they are and you will have made all the data on your computer dependent on his good will. |
|
|
|
|
|
|
#23 |
|
Resident Intel Fanboy
Join Date: Mar 2004
Location: Cincinnati
Posts: 1,669
|
I personally have found the PC-cillin software to be worthless. I would get another software firewall, like ZoneAlarm. Make sure you block all incoming unsolicited traffic. AVG with ZoneAlarm is, IMHO, a much better solution than PC-cillin. XP SP2 is supposed to do a lot better job with security. Have you downloaded all Windows updates?
__________________
...wide is the gate, and broad is the way, that leadeth to destruction, and many there be which go in thereat... |
|
|
|
|
|
#24 |
|
Served with Pride
Staff
Premium Member
|
Just had a crazy thought as I read this. Is your mouse a cordless? Is it possible that someone else's mouse is operating on the same frequency as yours and this isn't really malicious but just coincidence? If yours is cordless, try a corded mouse and see if you still have the problem. (Like I said, this is a crazy idea!)
__________________
Getting old is not for sissies! |
|
|
|
|
|
#25 |
|
Member (6 bit)
Join Date: Mar 2001
Posts: 53
|
Yah, I have all the Windows updates and service packs. I also thought about the wireless mouse thing, but when he is doing things it's way too systematic, he goes exactly where he wants and clicks.
|
|
|
|