
Thread: My cursor has taken over my computer, opening windows and doing things

  1. #1
    Dragon's Girl Guest

    Re: My cursor has taken over my computer, opening windows and doing things

    On 4 Apr 2007 12:35:31 -0700, cbgerry wrote:
    >> While I'm web surfing, every once in a while, the cursor seems to open its
    >> own windows and move around the screen at high speed (like about ten
    >> windows get opened in about five seconds or so).

    > You will need to run Windows Updates immediately and install the
    > following emergency Critical Update released yesterday:


    Oh my! Thank you!
    I didn't realize I had been taken over for real.

    The news articles seem to point to exactly what is happening to me.

    I am still reading the articles but at the same time, I'm trying the
    softwares you suggested! Thank you. Thank you. Thank you!

    Do you think my shutting down the computer after 30 seconds to a minute of
    the windows going bonkers on me protected me somewhat from their attacks or
    did they already do their damage?

  2. #2
    Dragon's Girl Guest

    Re: My cursor has taken over my computer, opening windows and doing things

    I'm running programs one by one.

    Ad-Aware SE Personal found the "Win32.Hacktool.ToolEvid" critical with a
    "TAC" rating whatever that is, of 3, saying "Object EvID4226Patch.exe found
    in this archive".

    It's still scanning but that's the first it found.

  3. #3
    cbgerry Guest

    Re: My cursor has taken over my computer, opening windows and doing things

    On Apr 5, 9:26 am, Dragon's Girl <dragonsg...@sbcglobal.net> wrote:
    > I'm running programs one by one.
    >
    > Ad-Aware SE Personal found the "Win32.Hacktool.ToolEvid" critical with a
    > "TAC" rating whatever that is, of 3, saying "Object EvID4226Patch.exe found
    > in this archive".
    >
    > It's still scanning but that's the first it found.


    ===================>
    If you need further help you can post at my group - - - No Trolls
    there because it is my group and I don't allow them. The troll trash
    talkers tend to be attracted to helpers and persons needing help.
    Mental disturbances perhaps. This gets too annoying sometimes at
    public news groups or forums that are unsupervised. I don't put up
    with and run several groups as well as our own website group. Just
    visit this group and click "Post" or you can also register to join:

    Post to: (No membership required):
    Click Post at Group Website or send email to:
    AntiSpyGroup@yahoogroups.com
    Group Website: (View your posts here):
    http://tech.groups.yahoo.com/group/antispygroup/
    Message Board: (click messages at Group Website):
    http://tech.groups.yahoo.com/group/a...group/messages


  4. #4
    louise Guest

    Re: My cursor has taken over my computer, opening windows and doing things

    cbgerry wrote:
    > On Apr 5, 9:26 am, Dragon's Girl <dragonsg...@sbcglobal.net> wrote:
    >> I'm running programs one by one.
    >>
    >> Ad-Aware SE Personal found the "Win32.Hacktool.ToolEvid" critical with a
    >> "TAC" rating whatever that is, of 3, saying "Object EvID4226Patch.exe found
    >> in this archive".
    >>
    >> It's still scanning but that's the first it found.

    >
    > ===================>
    > If you need further help you can post at my group - - - No Trolls
    > there because it is my group and I don't allow them. The troll trash
    > talkers tend to be attracted to helpers and persons needing help.
    > Mental disturbances perhaps. This gets too annoying sometimes at
    > public news groups or forums that are unsupervised. I don't put up
    > with and run several groups as well as our own website group. Just
    > visit this group and click "Post" or you can also register to join:
    >
    > Post to: (No membership required):
    > Click Post at Group Website or send email to:
    > AntiSpyGroup@yahoogroups.com
    > Group Website: (View your posts here):
    > http://tech.groups.yahoo.com/group/antispygroup/
    > Message Board: (click messages at Group Website):
    > http://tech.groups.yahoo.com/group/a...group/messages
    >

    Which group should one choose? I can't tell the differences
    from the names.

    Louise

  5. #5
    cmsix Guest

    Re: My cursor has taken over my computer, opening windows and doing things


    "louise" <louise@invalid.invalid> wrote in message
    news:57u0poF2ebksjU2@mid.individual.net...
    > cbgerry wrote:
    >> On Apr 5, 9:26 am, Dragon's Girl <dragonsg...@sbcglobal.net> wrote:
    >>> I'm running programs one by one.
    >>>
    >>> Ad-Aware SE Personal found the "Win32.Hacktool.ToolEvid" critical with a
    >>> "TAC" rating whatever that is, of 3, saying "Object EvID4226Patch.exe
    >>> found
    >>> in this archive".
    >>>
    >>> It's still scanning but that's the first it found.

    >>
    >> ===================>
    >> If you need further help you can post at my group - - - No Trolls
    >> there because it is my group and I don't allow them. The troll trash
    >> talkers tend to be attracted to helpers and persons needing help.
    >> Mental disturbances perhaps. This gets too annoying sometimes at
    >> public news groups or forums that are unsupervised. I don't put up
    >> with and run several groups as well as our own website group. Just
    >> visit this group and click "Post" or you can also register to join:
    >>
    >> Post to: (No membership required):
    >> Click Post at Group Website or send email to:
    >> AntiSpyGroup@yahoogroups.com
    >> Group Website: (View your posts here):
    >> http://tech.groups.yahoo.com/group/antispygroup/
    >> Message Board: (click messages at Group Website):
    >> http://tech.groups.yahoo.com/group/a...group/messages
    >>

    > Which group should one choose? I can't tell the differences from the
    > names.
    >
    > Louise


    Rode home on the mailtrain,
    somewhere to the south I heard them say.

    cmsix



  6. #6
    Gerald309 Guest

    Re: My cursor has taken over my computer, opening windows and doing things

    On Apr 4, 10:47 am, Dragon's Girl <dragonsg...@sbcglobal.net> wrote:
    > Lately, my cursor seems to have taken over my Windows computer windows.
    >
    > While I'm web surfing, every once in a while, the cursor seems to open its
    > own windows and move around the screen at high speed (like about ten
    > windows get opened in about five seconds or so).
    >
    > After about fifteen or twenty seconds of this, I just hold down the power
    > key to reboot as there is nothing I can do while the cursor is going
    > freescale on me. Then, the problem goes away until the next time it occurs
    > again a day or two later.
    >
    > Does anyone else have this cursor take over problem on Windows XP?
    > Do you know what the fix?
    > Even though I have a firewall, could it be a virus or spyware doing this?
    > How can I tell?



    ============================> For the Wise Guys:
    SCOPE OF THE CURRENT PROBLEM:

    Spammers feast on ANI vulnerability
    http://news.yahoo.com/s/infoworld/20...oworld/87423_1


    San Francisco (InfoWorld) - Microsoft moved to fix the critical .ANI
    vulnerability that affects roughly a dozen of its most popular
    products, including Vista, but spammers and malware brokers are
    already tapping into the flaw to infect unprotected machines.

    Most enterprises should already be aware of the problem, and IT
    departments are likely scrambling to get Microsoft's security update
    in place, but attackers have likely been hammering away at the
    widespread vulnerability for months, according to security experts.

    The IT community became aware of the .ANI glitch -- which affects the
    manner in which roughly a dozen Microsoft Windows products handle
    malformed animated cursor files -- as a wave of spam and malware
    attacks hit the Internet after April 1.

    However, experts say the problem -- which was first reported to
    Redmond, Wash.-based Microsoft in Dec. 2006 -- has likely been
    assailed for some time by attackers seeking to maintain a much lower
    profile.

    Rated by Secunia as an extremely critical flaw -- the Copenhagen-based
    security software maker's most severe vulnerability ranking -- experts
    say that the .ANI glitch is currently being exploited in a wide
    variety of formats that are likely to ensnare a large number of PCs
    worldwide with malware, adware, and botnet programs.

    Microsoft also issued fixes for seven other security vulnerabilities
    in addition to the .ANI problem in an ahead-of-schedule patch
    delivered on April 3.

    Researchers at San Diego-based Websense reported the discovery of over
    450 unique sites hosting .ANI-based spyware threats, adding up to tens
    of thousands of URLs infected with the malware. Unprotected end users
    visiting those sites will be redirected and hit with a password-
    stealing spyware program labeled as "ad.exe" which most anti-virus
    programs cannot catch, Websense reported.

    Experts have also highlighted the rapid emergence of a new wave of
    attacks that are infecting end users who merely open e-mails or
    attachments laced with the viruses.

    In one of the most popular iterations of the e-mail-based threats,
    users are being sent spam messages that advertise links to URLs
    hosting lurid images of embattled pop singer Britney Spears.

    Users targeted in the campaign receive e-mail with the subject line
    "Hot Pictures of Britiney Speers" that has been written in HTML to
    help avoid filtering tools. After opening the infected spam e-mail,
    people who then click on the links are redirected to malware sites
    that host JavaScript code believed to be controlled by servers used by
    Russian cyber-criminals.

    Roger Thompson, chief technology officer at Exploit Prevention Labs,
    based in Marietta, Georgia, said that the attacks being served up by
    that group run the full gamut of threats, from botnet software to
    sophisticated root kits.

    The expert said that the root kit, dubbed 200.exe, eventually calls
    out to an account on Microsoft's Hotmail servers to announce itself
    and seek out additional malware to download onto infected machines.
    Thompson said the spam attacks started in earnest on April 1.

    "This spam ring has a nasty set of encrypted exploits, and it is
    clearly all Russian in origin, as the sites that are being used are
    written in Russian," he said. "They're also using a new [malware]
    encryption style that we only first saw about a month ago; they're
    rapidly adding new exploits to these encrypted attacks, and the .ANI-
    based stuff is just the latest."

    Thompson said that many machines have already been infected using the
    attack, and that he believes many more will come under control of the
    malware before systems can be patched, including many corporate users.

    "With the embedded HTML they will catch people; there's no need to
    download anything. These are thoughtful attackers and they are gaining
    command and control right over port 80, and straight through the
    firewall," he said. "If there's a patch that you've missed they're
    going to get you, and we believe this is all still gathering steam."

    The expert said that the .ANI threats may have actually first been
    created by Chinese hackers attempting to steal people's passwords to
    the World of Warcraft online video game, with other attackers
    subsequently modifying the code for their own means.

    Other experts said the attacks will likely result in new hordes of
    widespread botnets, which will allow attackers to piggyback even more
    spam and malware campaigns onto their existing threats.

    Since the .ANI flaw is present on so many relevant Microsoft products,
    botnet herders will likely flock to take advantage of the flaw, said
    Max Cacares, director of product management at penetration testing
    specialists Core Security, based in Boston.

    "One reason why spammers are interested is because a lot of the
    underground community takes advantage of botnets to relay their work,
    and this is great for building huge botnets since it works on every
    version of Windows that you care about," Cacares said. "With the
    potential to exploit it directly from Outlook, this is great for
    compromising a huge variety of users, and once it's made part of
    botnet, it also becomes a huge asset for all kinds of spammers."

    Some researchers said they were surprised that there have not been
    more widespread attacks since the vulnerability was first made public
    so long ago.

    "We actually haven't seen a huge proliferation yet," said David
    Frazer, director of technology services for anti-virus specialists F-
    Secure, based in Helsinki. "But with four patches issued from
    Microsoft between the original announcement and the release of all
    this code, one could say it might have been fixed sooner;
    fortuitously, we haven't seen as many infections as might have
    happened."

    Matt Sergeant, senior anti-spam technologist at security software
    maker MessageLabs, based in Gloucester, U.K., said that Russian
    hackers are known to have been seeking new flaws that would allow them
    to deliver massive amounts of malware code in short periods of time.

    "We're very much aware that Russian guys have been on the lookout for
    a new attack, their botnets have actually been diminishing since
    October 2006 since the Warezov virus," he said. "They're looking for
    a new angle to get in and with the security improvements in Vista,
    they're worried that they can't crack into stuff as easy as in past,
    but this proves that might not be the case."

    The expert contends that the hackers are working furiously to find new
    avenues for attack, and predicted that many have shifted their efforts
    to the .ANI vulnerability over the last several days.

    "These guys have teams of programmers working on this 24 hours a day,
    trying to find some way in, and when a major software vendor releases
    a patch, they move quickly," said Sergeant. "Especially on a Tuesday
    morning, most businesses are not ready to get a patch immediately
    installed; this is likely creating a huge opportunity for these guys
    to get stuff installed on people's computers and increase the size of
    their botnets."

    =============/.


