Virus? Easter Egg? Break in? Keylogger? What is this? 1

[orman]

Someone in our company was working in an Excel spreadsheet when all of a sudden the computer started typing by itself. It was doing it for about 10 minutes. Full words, nonsense sentenses like '...the red embassy had dog bite child over the river of the ...' (Not from the typed text.)

Whenever another cell was clicked, it would start typing there. It stopped after about 10 minutes by itself.
Did the MS AntiSpyware, Norton AV scans - nothing found.

Any ideas?

 

[erikhertzel]

Whoa!

That sounds scary. Is this machine behind the company's firewall, what protection does it have?

I would run Hijack This! and see if there is anything wierd going on...

Anyhow, download Hijack This! from here:

http://www.majorgeeks.com/download3155.html

Erik

 

[2ffat]

I've seen this on computers that have a microphone installed and somehow the speech to text gets turned on. Also, do you have any Excel macros running?


James P. Cottingham
-----------------------------------------
[sup]I'm number 1,229!
I'm number 1,229![/sup]

 

[electronicsfreak]

Something else from what ive discovered from past experience of working with multiple pcs. I would reccomend checking behind norton antivirus with another. Norton from my experiences has not been very good at picking up viruses and is also very heavy resource hog. Anyways I seriously reccomend checking behind it. Your problem sounds alot like a backdoor trojan.

 

[aquias]

Norton or Symantec? Big difference between the two products.

Additionally, I would run an online scanner

http://housecall.trendmicro.com

And follow Erik's advice and get a hijackthis log up here. Additionally...

Go to

http://ewido.com

and download and run Ewido, and paste that log here as well.

 

[orman]

Ran a scan from housecall.tredmicro.com - There was a "MS Word" vunerability, but that was all.

Will have to run ewido.com's scan tomorrow...

Found that someone in a forum on the net had the same problem in Jan of 04 - so it doesn't appear to be new.

Here is the HIJACK Log:
=================================================
Logfile of HijackThis v1.99.1
Scan saved at 1:27:53 PM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\NALNTSRV.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Novell\GroupWise\notify.exe
C:\WINDOWS\Explorer.exe
C:\Novell\GroupWise\grpwise.exe
C:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://192.168.100.70/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eqlgo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://192.168.100.70/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.2:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D197DBF5-A960-6CAE-20A1-FFCAF4879290} - C:\WINDOWS\system32\addtp32.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [127.tmp] C:\DOCUME~1\PWhitman\LOCALS~1\Temp\127.tmp.exe 0 28129
O4 - HKLM\..\Run: [127.tmp.exe] C:\DOCUME~1\PWhitman\LOCALS~1\Temp\127.tmp.exe 3 28129
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\notify.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -

http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab

O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) -

https://www.paychoiceonline.com/webpayroll/ActiveReports/arview2.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

O16 - DPF: {E39EFE5A-58CC-4C5D-8966-D9BD2FA27F41} (WebForm Launch Server) -

http://files.stf.com/Downloads/WebFormServer_v1.cab

O16 - DPF: {FD743937-86DE-482B-B44B-A219730DD30A} (WebForm Launch Server) -

http://files.stf.com/Downloads/WebFormServer_v2.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation NetLogon Service (?%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\mfcjx32.exe (file missing)

 

[erikhertzel]

Remove the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eqlgo.dll/sp.html#28129

O4 - HKLM\..\Run: [127.tmp] C:\DOCUME~1\PWhitman\LOCALS~1\Temp\127.tmp.exe 0 28129

O4 - HKLM\..\Run: [127.tmp.exe] C:\DOCUME~1\PWhitman\LOCALS~1\Temp\127.tmp.exe 3 28129

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O23 - Service: Workstation NetLogon Service (?%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\mfcjx32.exe (file missing)

I would definately run the Trend Micro as well and Ewido, I think it will find some telling information based on what I see in your Hijack This Log...

Let us know.

Erik

 

[aquias]

As a side note...(sorry, forgot to post this earlier) run hijackthis! from a permanent location. It will make backups of everything you remove and when/if you need to restore a setting you'll most likely lose that setting.

Additionally...

O2 - BHO: (no name) - {D197DBF5-A960-6CAE-20A1-FFCAF4879290} - C:\WINDOWS\system32\addtp32.dll (file missing)

And Erik...do you live here

 

[pechenegs]

______________________________________________________________________


Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Workstation NetLogon Service
Right click and choose "Properties". On the "General" tab under "Service
Status" click the "Stop" button to stop the service. Beside "Startup Type"
in the dropdown menu select "Disabled". Click Apply then OK. Exit the
Services utility.


Note: You may get an error here when trying to access the properties of the
service. If you do get an error, just select the service and look there in
the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


In Hijack This, click on the "Open Misc Tools section" button. Next click the
"Delete an NT service" button. Copy and paste the following in that box:

?%AF夶À¨

Click OK.




Download DelDomains.inf from here:

http://www.mvps.org/winhelp2002/DelDomains.inf

Rightclick DelDomains.inf and choose install.

 

[orman]

FYI: Here is the main portion of the ewido scan. Did the repair.

I'd do what Pechenegs suggestted later today or tomorrow.


_______________________________________________
ewido security suite online scanner

http://www.ewido.net

__________________________________________________


Name: Spyware.WebRebates
Path: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins
Risk: High

Name: Spyware.SearchRelevancy
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Relevancy
Risk: High

Name: Spyware.SearchRelevancy
Path: HKLM\SOFTWARE\SearchRelevancy
Risk: High

Name: Spyware.SearchRelevancy
Path: HKLM\SOFTWARE\SearchRelevancy\Update
Risk: High

Name: Spyware.Cookie.Excite
Path: :mozilla.6:C:\Documents and Settings\msec\Application Data\Mozilla\Firefox\Profiles\qv7pnqle.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Excite
Path: :mozilla.7:C:\Documents and Settings\msec\Application Data\Mozilla\Firefox\Profiles\qv7pnqle.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Excite
Path: :mozilla.8:C:\Documents and Settings\msec\Application Data\Mozilla\Firefox\Profiles\qv7pnqle.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Advertising
Path: :mozilla.9:C:\Documents and Settings\msec\Application Data\Mozilla\Firefox\Profiles\qv7pnqle.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Atdmt
Path: :mozilla.10:C:\Documents and Settings\msec\Application Data\Mozilla\Firefox\Profiles\qv7pnqle.default\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Specificclick
Path: :mozilla.23:C:\Documents and Settings\PWhitman\Application Data\Mozilla\Firefox\Profiles\7gctdgre.default\cookies.txt
Risk: Medium

 

[prismtx]

Does this computer by any chance have a wireless keyboard? It does not happen often, but I have seen where a keyboard picks up signals from someone elses wireless device.

 

[orman]

No Wireless keyboard.

 

[erikhertzel]

Orman,

Did you get rid of this:

?%AF夶À¨

That looks to me like the likely source and did you do what Pechenegs suggested?