Computer Doing Random Things But Probably Not Malware


13 replies to this topic

#1 Rorroh (New Member, 8 posts)

Posted 26 August 2011 - 06:49 PM

I got a new computer about 4 months ago and it's had some really weird problems. One of the most obvious things is that whenever the mouse is supposed to be in the top-left corner, it freezes to where it was a frame before. If I move it to the right or down one pixel, it ends up where it's supposed to be, one pixel from the corner. Safe mode does not have this problem.

Another thing, sometimes it randomly does things. I've seen it type randomly, move the mouse randomly, disable my wireless card (WNDA3100v2; possibly unrelated), switch windows, open random programs and shut down/sleep. When it shuts down it's a hard shutdown, but it may be due to something else.

It's been acting weird since the beginning but I haven't been too bothered with it until very recently. My computer is an iBuyPower custom that was sold by Walmart, but I don't remember which one it was exactly since it's out of my browsing history. The only programs, from what I remember, that were installed when I got it and before I did anything else were avast! Antivirus, Sandboxie, Google Chrome and the Netgear WNDA3100v2 drivers.

Today I woke up to find my computer not responding to either my keyboard or mouse; the monitor was on but black like it usually is when it's idle, and the computer was running but the mouse's light wasn't turning on, as if it was disconnected. I pressed the power button and it came up to the about:air page on Chrome that I left it on, but the JavaScript console was up and the number 4 was in it, and neither my keyboard nor my mouse would do anything at all. After a few minutes it seemed that I could get the keyboard to type things into the console — but then the screen went black again and shut off. Boot asked me if I wanted to go into safe mode so I did so. Everything seemed fine in there. After a little while I ended up going into MSConfig and disabling the AMD External Events Utility, AMD FUEL Service and FLEXnet (some people on forums said FLEXnet can cause issues) from the Services, and rebooted.

After rebooting, things seem to be a little more normal. The top-left pixel thing seems to still persist, though, and it's probably way too early to truly tell if the problem is gone. I was hoping that someone might be able to shed some light on what's going on while I wait to see.

What I have:

  • Operating System: Windows 7 64 bit
  • Processor: AMD Athlon™ II X3 440 Processor (3 CPUs), ~3.0GHz
  • Memory: 4096MB RAM
  • Hard Drive: 1 TB
  • Video Card: ATI Radeon HD 5450
  • Antivirus: avast! Antivirus
  • Antimalware: MalwareBytes (for a week last week to see what would happen, uninstalled today; it was doing more harm than good)

Thanks for any input.

#2 DarkSnakeKobra (Honorary Member, 5,262 posts)

Posted 26 August 2011 - 07:34 PM

Sounds like you got ripped off. I'd suggest taking it back to Walmart, as it seems like someone tampered with the computer and returned it. The symptoms indicate possible backdoor (a program installed to allow access from a remote computer) activity and someone remotely controlling it. This isn't unheard of either. I've never heard of Avast or Sandboxie being preinstalled, but it's possible.

I'm not a staff member just another Malwarebytes' user.

Advice: Hug your dog, cat etc everyday! :)


#3 mountaintree16 (Honorary Member, 7,754 posts)

Posted 26 August 2011 - 09:14 PM

Was this machine possibly the display model?

Our character is what we do when we think no one is looking.

-H. Jackson Brown Jr.


It's not what we do once in a while that shapes our lives.
It's what we do consistently.

Tony Robbins


#4 Rorroh (New Member, 8 posts)

Posted 26 August 2011 - 11:46 PM

Ooh, this got responses faster than I thought it would.

Buttons: Sorry, to clarify: I didn't mean they were preinstalled, I meant I installed them first before I did anything else. I did it from a flash drive.

MountainTree16: I don't think Walmart has iBuyPower computers on display. It was a ship-to-store thing.

Ever since disabling those three things everything seems to be running fine. Usually it messes up at least a little bit by this point. Also, I HAVE noticed a few... I'll just link this: [Another forum thread]. I installed Microsoft Network Monitor to see what I could dig up, but I have no idea how to use it fully and ended up with nothing useful.

#5 DarkSnakeKobra (Honorary Member, 5,262 posts)

Posted 27 August 2011 - 12:04 AM

Ah I see.

I'd uninstall that and download TCPView by Microsoft. Don't worry, you won't have to install it. Just extract it, run TCPView.exe and save the log. Then post it back here. :)



#6 Rorroh (New Member, 8 posts)

Posted 27 August 2011 - 12:23 AM

Uninstalled, downloaded and extracted TCPView, and... hey, that's kinda cool. How long do you think I should keep it running before I post the log? MalwareBytes seemed to detect the connections every few hours.

#7 Rorroh (New Member, 8 posts)

Posted 27 August 2011 - 12:30 AM

Hm. Or I had a misconception and it only shows open connections. Either way it's cool.

Log attached.

Attached Files

  • Attached File  log.txt   15.04KB   149 downloads


#8 DarkSnakeKobra (Honorary Member, 5,262 posts)

Posted 27 August 2011 - 01:35 AM

You have at least one outgoing connection to a risky site:

67.205.77.202

PhishTank report for that IP range:

1261777 hxxp://t.ymlp89.com/manauujuatajhsaoaesub/click.ph... PhishReporter
1261776 hxxps://livechat.boldchat.com/aid/2307475884/bc.ch... MagicDude4Eva
1261775 hxxp://2sempre-juntos.com/templates/default/Cadast... buaya
1261774 hxxp://bouchonsdamourgso.fr/modules/mod_mainmenu/m... buaya
1261771 hxxp://secure.runescape.com.m-weblogin-rsforums.co... dkarl1212
1261770 hxxp://pyapal.com/ PhishReporter
1261769 hxxp://soassist.pt/ext/halifax.co.uk/online.htm cleanmx
1261767 hxxp://www.paypaltrl.com/ PhishReporter
1261766 hxxp://freemoney.nazuka.net/ mitphishing
1261765 hxxp://paypal.com.cgi-bin.webscrcmd.dispatch-5885d... PhishReporter
1261764 hxxp://www.99310905.com/www.paypal.co.au/default.a... PhishReporter
1261763 hxxp://sites-commerciaux.com/media/splitpdf/180312... PhishReporter
1261762 hxxp://paypal.com.cpjs.fr/verify/update/correlatio... PhishReporter
1261761 hxxp://paypal.hostwing.net/www.paypal.fr/fr.html PhishReporter
1261760 hxxp://deckonengineering.com/paypal/Verify/logo/lo...


Listed under Malwarebytes' recently purchased hpHosts by MysteryFCM ;)

http://hosts-file.ne...=67.205.77.202

I highly recommend getting your PC checked out, changing all your passwords from a known clean PC, and making your financial services aware of any suspicious charges.

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support


OPTION 1
  • As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.
  • Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.
  • After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.
  • One of the expert helpers there will give you one-on-one assistance when one becomes available.
  • Please refrain from making any further changes to your computer such as (Install/Uninstall programs, use special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

    NOTE: Please DO NOT post back to (bump) your topic within the first 48 hours.
    Replying to your own posts changes the post count and helpers are looking for topics with zero replies. If you reply to your own post helpers may think that you're already being helped and thus overlook your post.
  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
    Or
  • You may send a Private Message to a Moderator asking for assistance.


OPTION 2

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here.


OPTION 3

If you would like to use our Malwarebytes Premium Services, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our Malwarebytes Premium Services support site.


Please be patient, someone will assist you as soon as it is possible.


PS: Please use the "ADD REPLY" button instead of other ones when you start replying. :)



#9 Rorroh (New Member, 8 posts)

Posted 27 August 2011 - 10:31 AM

Thanks for noticing that. That address is being used by BitCoin, but I only downloaded that program two days ago. I'll blacklist that connection but it's probably not the problem. Did you notice anything else suspicious?

I've attached another log just in case.

Attached Files

  • Attached File  log.txt   12.04KB   142 downloads


#10 DarkSnakeKobra (Honorary Member, 5,262 posts)

Posted 27 August 2011 - 02:12 PM

You're welcome. :) I see. There were a few from China, but they weren't listed as being malicious on hpHosts. I'll take a look at the new log shortly. :)



#11 Rorroh (New Member, 8 posts)

Posted 27 August 2011 - 09:38 PM

Got anything?

#12 CWB (Honorary Member, 1,910 posts)

Posted 28 August 2011 - 01:15 AM

Hmmm...
A Google of "bitcoin" turns up a lot of stuff that makes it look like a real scam-o-rama.
Google "bitcoin malware"... how about that, the scammers are getting scammed, with the user out the real money.

Overall, it looks like a very risky deal... especially since you may have been infected when you installed the program.

#13 Rorroh (New Member, 8 posts)

Posted 28 August 2011 - 03:01 AM

Thanks for taking the time to investigate.

Bitcoin is an open-source P2P virtual currency system. Anyone can look at the source code at any time to see if there's anything malicious or exploitable so the chances of something sneaking into the code are very slim.

Ah, I see what you're talking about with that Google search. Bitcoin uses processing power (either CPU or GPU; it's up to the user to decide) to generate Bitcoins to trade. That processing power goes right into authentication of Bitcoin transactions, if you were wondering. Since Bitcoins have real-world value, being a currency and all, there are many instances where people try to use others' processing power to generate Bitcoins for them, as pointed out in results 1 and 3 of the Google search. The Bitcoin count is stored in a virtual wallet on the person's computer as a single file. The other Google search results are discussions and articles about the existence of malware that steals that file from the infected computer's hard drive, effectively stealing the Bitcoins from them.

Although, looking back at what you said, I think you understood that last bit. I'm rather tired tonight and may have misinterpreted.

#14 DarkSnakeKobra (Honorary Member, 5,262 posts)

Posted 02 September 2011 - 05:20 PM

Got anything?


Sorry for the late response; been really busy. :)

Found a few bad IPs in the log.

97.81.163.217
109.196.188.11
74.125.65.17
8.26.207.126

I recommend following my previous post and getting your computer checked out. :)
