Subject: Re: XLanuch.exe is a Trojan-It allows remote control of my pc without my knowledge or permission
From: Brian Inglis
Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca
To: cygwin AT cygwin DOT com
Date: Wed, 28 Jun 2017 10:55:25 -0600
Message-ID: <30051303-5c89-3f71-6de5-aece77a58c6c@SystematicSw.ab.ca>

On 2017-06-28 10:21, Erik Soderquist wrote:
> On Wed, Jun 28, 2017 at 12:07 PM, Sagar Kapadia wrote:
>> Hi,
>> I wish to report that Cygwin.XLaunch.exe is a Trojan and it allows
>> remote control of a pc without the user's knowledge or permission. I
>> installed the cygwin package and the Xwindows server too. However,
>> today, I found somebody controlling my pc remotely. I know because the
>> mouse behaved erratically and then the XLaunch configuration screen
>> came up. I tried to kill it using the Task Manager but it would
>> restart. I had to reboot and turn off networking and then delete the
>> cygwin folder.

I've had mice behave like that when they needed a new battery or before they
died; also intermittent responsiveness which can have weird results, while
Windows Update is failing to apply patches and backing them out in the
background. Replace your mouse battery and check Windows Update History for
that timeframe.

> Where did you get this copy of cygwin from? Did you use the official
> installer package from the cygwin site?
> https://www.cygwin.com/setup-x86_64.exe or
> https://www.cygwin.com/setup-x86.exe
> XLaunch itself is a wizard to configure X server sessions, and if
> someone remote controlling your PC is happening with the legitimate
> XLaunch executable, I would suspect there is something else unwanted
> on your machine that is using XLaunch as a tool.
> However, if the cygwin source you downloaded from was either
> compromised or was not a legitimate mirror to start with, that is not
> a direct fault of cygwin, but rather a fault of the source of your
> download.

>> I don't know if you are aware of this issue or not, but I found it
>> serious enough to report.

Do you have Remote Access or Remote Assistance enabled on your system?
Have you opened up your firewall to allow remote access?
Did you run a malware scan to identify if there is something on your system?

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple