HELP - strange pc behaviour but no virus or trojan detected

Discussion in 'malware problems & news' started by laowai, Apr 17, 2005.

Thread Status:
Not open for further replies.
  1. laowai

    laowai Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    5
    Hello,

    I am running on Windows XP SP2, with ZoneAlarm free edition as firewall and AntiVir personal home edition as antivirus. I implement all Windows upgrades and regularly update my antivirus signature.

    Yet, I have witnessed strange behaviour for 10 days: my browser (Maxthon), MSWord, Windows Explorer or Windows calculator sometimes launch by themselves while I am away. They don't seem to do any harm but this really looks strange.

    I have tried to follow advice written elsewhere in the forum but could not make any progress.
    More specifically I have followed the advice of Blackspear as detailed at https://www.wilderssecurity.com/showthread.php?t=47830&highlight=find trojan

    Here is what I have done:
    - I deactivated Windows restore, downloaded all the following software and restarted in safe mode
    - I then ran successively:
    * Trojan remover
    * Ad-aware
    * Kaspersky trial edition
    * Stinger (standalone anti-virus scanner from McAfee)
    * sysclean (the Trend Micro package)
    Nothing was detected. I still experience the strange behaviours however and according to what I read in the forum, it really looks like someone hijacked my Windows.

    Can you recommend any other steps I could take to identify and fix the issue?

    Thank you.
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Did not read the link..but wondering how long you are away? Do you have any screen saver programs running..do you have any special hibernation time outs set in..are these programs just launched already when you go back to your desktop..or do you have to move your mouse first and then they appear?

    Are you logged in as admin or as another user at the time..possibly a limited user..

    Do you have any tasks set to be done during this time you are away that might have run?

    things like that..and then also when did this all start happening..and can you then pin down the time frame to some software that you knowingly had downloaded.
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Laowai, welcome to Wilders.

    I would suggest that you download and run “Hijack This” found here and post your log at one of the forums found at A-SAP.

    The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    Once your system is clean I would suggest that you take a look here: Why did I get infected in the first place? Also, for further information on security and how to make your system that much stronger, see here, as well there are discussions here and even more here.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  5. laowai

    laowai Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    5
    Hello Primrose,

    Thanks for your quick reply.

    No, I do not have any scheduled activity, hibernation or screen saver. Sometimes it happens even when I am in front of the computer. Suddenly, the calculator starts or a search in Explorer. I even witnessed this while running all these scans on my PC ...:-(

    It seems that it all started 10 days ago as I installed a wireless peer-to-peer network on my PC. At this point I had to temporarily reduce the security in ZoneAlarm to make it work.
     
  6. laowai

    laowai Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    5
    Hello Blackspear,

    Thank you for the advice. I am following it.
    I will keep you posted if anyone finds something.
     
  7. laowai

    laowai Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    5
    Hey Primrose,

    This might be this. Now it won't explain how it came on my computer nor how I can remove it. I will read this in detail tomorrow.
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Let us know first how you made out with the instructions Blackspear gave you 'cause I was itching to have you do the same thing. :) Then if they did not come up with anything for you that solved your mystery..post back and let us kick around some other ideas...thanks for the additional info..anything like that you can think of really helps. ;)
     
  9. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    The fact that you just installed this wireless networking is interesting..you might want to give us more details on that since most of those can..enable teams to set up a private network in the field, either using a wired Ethernet hub, or directly between laptops enabled with wireless LAN (802.11 a, b or g).

    Printer Sharing - Enhanced printer sharing allows users to share their printer with all team members, reducing hardware requirements in the field. Documents can be conveniently printed directly from within the application (e.g. MS Word, Excel), just like on the office network.

    Internet Connection Sharing - Internet connections can be shared out to other members of the peer-to-peer network. This is particularly useful when one member of the team has an Ethernet connection and wants to easily share that out to the whole team using the wireless LAN capabilities built into the laptops.

    File and Folder Sharing - secure folder sharing to remotely open files and run applications peer-to-peer, just as if they were on the corporate network.

    I guess it is possible that if there is a hiccup or glitch in the kind of network you did install..it might be the cause of the problem as it drops connection or has a possible bug in the software.
     
  10. laowai

    laowai Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    5
    Hello,

    This is to update you on my progress.
    I posted my HJT on Vitalsecurity.

    I got Sygate personal firewall installed, which logs any strange behaviour: it identified that an application, type32.exe (launched at startup), is hijacking my browser.
    I tried to stop it from launching at startup by changing the startup config (Start / Run / msconfig, in the Startup tab, untick it).
    Now it did seem to work for the first 30 min but although it is still unticked, the strange behaviour continues.
    ---I'll keep you posted.

    Concerning the wireless installation, I had connected two PCs with USB keys and shared my internet connection on the one infected now. I had to reduce the protection of ZoneAlarm at the time to get it working, which is probably when I got attacked.

    Any further idea is welcome.
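
An added example, not part of the original thread: a HijackThis log lists launch points in separate coded sections (for instance F2 for system.ini/Winlogon values, O4 for Run keys and Startup folders, O23 for services), so one executable can be registered in several of them at once. The sketch below searches a log for every section that references a given file name; the log is constructed, and only the name `type32.exe` comes from the post above.

```python
import re
from collections import defaultdict

# Constructed HijackThis-style log. Only the name "type32.exe" comes from the
# post above; every path, entry name and section shown here is made up.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\type32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\type32.exe
O4 - HKLM\..\Run: [Type32] C:\WINDOWS\system32\type32.exe
O4 - HKLM\..\Run: [Other] C:\Tools\mytype32.exe
O4 - HKCU\..\RunOnce: [t32] "C:\WINDOWS\system32\TYPE32.EXE" /s
O23 - Service: Type Helper - Unknown owner - C:\WINDOWS\system32\type32.exe
"""

# Log entries look like "O4 - <detail>": a section code, " - ", then the detail.
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def find_references(log_text, exe_name):
    """Return {section: [detail, ...]} for every log line naming exe_name."""
    # Case-insensitive match on the whole file name, so "mytype32.exe" is skipped.
    needle = re.compile(r"(?<![\w.-])" + re.escape(exe_name) + r"(?![\w.-])", re.I)
    hits = defaultdict(list)
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        entry = ENTRY.match(line)
        if entry:
            in_processes = False  # process list ends at the first coded entry
        if not needle.search(line):
            continue
        if entry:
            hits[entry.group(1)].append(entry.group(2))
        elif in_processes:
            hits["process"].append(line)
    return dict(hits)

def autostart_sections(hits):
    """Section codes that launch the file, excluding the running-process list."""
    return sorted(code for code in hits if code != "process")

if __name__ == "__main__":
    found = find_references(SAMPLE_LOG, "type32.exe")
    for code in ["process"] + autostart_sections(found):
        for detail in found.get(code, []):
            print(f"{code:8} {detail}")
```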
     