This is a Security issue, but more!!!

Page 10 of 13 FirstFirst ... 89101112 ... LastLast

  1. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #91

    Why, if I just log on a network, is one of my svchost processes running ssh?
    hmmm

    Remote SSH: Run processes anywhere on different platforms


  2. Posts : 57
    Windows 7
    Thread Starter
       #92

    So the article does not seem like it is gratis... like a unix shell account, you have to get lucky or pay for it.

    I have been saying all along that whatever this RNAV thing is, ipv6 and UDP packets are a core part of his MO (see the netstat screenshot attached), central to its operations. I just got done deleting my routing table, and there were a lot of link local fe80::00 type addresses, but then one (1) real ipv6 address which I had no idea as to where it was. I went into netsh interface ipv6, and set state disabled on every switch that seemed to make sense, then did the same to netsh interface ipv6 teredo, and again to netsh interface ipv6 6to4. Every one of these adapters is used at one time or another.

    Further, my modem -- now I may be behind the curve here, but how would my modem be essential if I am wired via ethernet to a gateway with a moderate firewall? Because if I uninstall and DELETE the driver for this modem, my system whines saying it needs the driver for an "audio bus"... I do not have a screenshot of this, but do you know what that means at all? I have said this, and I believe that media (again, as said many times above in other posts) is key (whether as a component of bluetooth or some other RF helper). I will terminate the audiohg process, and immediately, the PresentationFontCache process will start (and coincidentally, right as this is starting I see "conhost" start and then disappear after the PresentationFontCache is running). I delete the font cache, and Windows Presentation will come up; I delete this, then a third party (HP) DVD driver comes up.... you get the idea.... they are all media related.... that's quite odd.

    Also, I look at the Windows Defender "program explorer" and there are two processes (see screenshot called doubles) running in many cases, one for me under the name Operations/connor ("Operations" is my computer name at the moment, and I often go by Connor for historical reasons.... well, I have been a photographer part time for 10 years and "Connor Troy" was the name I used because I liked those Irish names), and the other is for NT Authority/System. I can never tell them apart when I am trying to decide who to include in the security tab of an application or file I have been denied access to, because the domain is never apparent. So, I probably chose the wrong users to add back in after I remove TrustedInstaller and NT Authority/Administrators.... it is all very confusing. Plus, as an added bit of info.... the RNAV also gets noticeably irritated if I change the WORKGROUP to something else.... I do this to annoy him... like I will just change it to "soiffasoifysio", random characters..... Also, this is why I change my computer name every time I reinstall. I know this keeps him on his toes. He has a lot of software apps (native to Windows) that he must use, like "Quick Launch", because I will terminate this, and it will immediately restart (complete with the "conhost" showing up briefly until its job is done).

    Darkassasin told me about a little program called prio which shows the priority of processes, and it also added some other features to the taskmanager dialog box.... it put an extra tab that showed TCP/IP connections. I promise you that this was the screenshot when I was not connected to a network via ethernet and my wireless switch was off. See screenshot called TCP. Explain that...! :) What is with all of the asterisks????

    I also am convinced that the RNAV is keen on a Windows network, since in the adapter properties of either my ethernet or wireless adapter, NetBIOS over TCP is always on, not on AUTO, plus, the box to look up LMHosts is always checked. If I uncheck this, turn NetBIOS over TCP/IP to Auto or off, and uncheck the LMHosts lookup, I can usually take some control back over my adapter if it says I do not have an internet connection -- which any fool would know is legerdemain, because though I cannot get to the internet (only local), Windows diagnostics spends all of 3 seconds to tell me there is nothing it can do for me and to contact my administrator (it never runs that quickly), AND my network icon in the systray looks perfectly functional (like it would have local and internet access). ....so something is awry.... When I do the above, I can get it back.... I also uninstall the Windows Network Client and File and Printer Sharing from the adapter. And see this screenshot from Windows Defender, which is the section in Program Explorer specifically for Winsock (screenshot is called Winsock).

    Lastly, I found some little application called Advanced System Care off of CNET.com, which doesn't do a specific thing incredibly well, but it does A LOT of things moderately well. Anyway, I was able to download it and install it (which is somewhat rare, as I can never download a firewall; an anti-virus application usually will make it, but a firewall??? that gets it really irritated, and I usually end up fighting for control of everything until I have to reboot after the system hangs). Anyway, I ran this little app 4 or 5 times (each time I ran it, the original "hardcore" settings I configured initially would always change to something much gentler, but I would check this, change them back and re-run it). After running it 5 times back to back, each time I came up with over 1000 problems in each category (i.e., Optimization, Security DEFENSE, Disk Defrag, and Security Analyser). And at the end, there was some vindication for me... check out the screenshot called hijack. I am almost gloating....

    Sorry to dump all this on you, but there are two more screenshots I have attached, called tun and vpn. These are the full keys of two adapters under HKLM/SYSTEM/CurrentControlSet/class/CLSID-whatever----/####. I may be paranoid, but that seems awful furtive......

    Paul
    Attached screenshots: windows-update.jpg, tcp.png, hijack.pmg.jpg, netstat.jpg, doubles.png, winsock.png, tun.png, vpn.png
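The post above disables Teredo and 6to4 from netsh, toggles NetBIOS over TCP/IP and the LMHOSTS lookup by hand, and reads the Winsock section of Program Explorer. The script below is an added example, not code from the thread or from any of its participants: it audits exactly those settings on Windows 7 (PowerShell 2.0, elevated prompt) and only changes them when the assumed `-Apply` switch is given. Every command in it is a stock `netsh` context or a documented `Win32_NetworkAdapterConfiguration` member.

```powershell
# Added example, not from the thread: audit (and optionally disable) the IPv6
# transition tunnels, NetBIOS over TCP/IP and LMHOSTS lookup that the post
# above changes by hand, then dump the Winsock catalog. Written for
# Windows 7 / PowerShell 2.0; run it from an elevated PowerShell prompt.
# Nothing is changed unless -Apply (an assumed switch name) is given.
param([switch]$Apply)

# 1. Teredo, 6to4 and ISATAP carry IPv6 inside IPv4 and can reach the host
#    across a NAT or an IPv4-only firewall. Each one is its own netsh context.
$tunnels = 'teredo', '6to4', 'isatap'
foreach ($t in $tunnels) {
    Write-Host "== netsh interface $t show state =="
    netsh interface $t show state
}

# 2. Addresses and routes. fe80::/10 link-local entries exist on every
#    IPv6-enabled adapter and are expected; a 2001:0::/32 address is Teredo,
#    2002::/16 is 6to4, and anything else in 2000::/3 is a real global address.
netsh interface ipv6 show address
netsh interface ipv6 show route

# 3. NetBIOS over TCP/IP and LMHOSTS lookup, per adapter, straight from WMI.
$nbNames = @{ 0 = 'default (from DHCP)'; 1 = 'enabled'; 2 = 'disabled' }
$cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($c in $cfgs) {
    $nb = $nbNames[[int]$c.TcpipNetbiosOptions]
    "{0}`n    NetBIOS over TCP/IP: {1}`n    LMHOSTS lookup: {2}" -f `
        $c.Description, $nb, $c.WINSEnableLMHostsLookup
}

# 4. Winsock catalog. A layered service provider (LSP) listed here sits in the
#    path of every socket call, so any entry that is not Microsoft's deserves
#    a look.
netsh winsock show catalog

if ($Apply) {
    foreach ($t in $tunnels) { netsh interface $t set state disabled }
    foreach ($c in $cfgs) { [void]$c.SetTcpipNetbios(2) }   # 2 = disable NetBIOS over TCP/IP
    # EnableWINS is a static method of the class; the two booleans are
    # DNSEnabledForWINSResolution and WINSEnableLMHostsLookup.
    [void]([wmiclass]'Win32_NetworkAdapterConfiguration').EnableWINS($false, $false)
}
```

Two caveats before running it with `-Apply`: the Teredo and 6to4 interfaces, and a Teredo `2001:0:` address, are present on a stock Windows 7 install whenever the machine sits behind a NAT, so their existence alone says nothing about a compromise; and turning NetBIOS over TCP/IP off removes name resolution for other workgroup machines, which is one reason the Windows troubleshooter can declare "no connectivity" afterwards.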


  3. Posts : 57
    Windows 7
    Thread Starter
       #93

    This little app I found on CNET which claimed I was hijacked, led me to the ESET online scanner.

    First thing it did was a basic chkdsk. But the results (see screenshot), ARE LIKE NOTHING I have ever seen before. This index error problem looks like it has been this way for some time. I ran a chkdsk this afternoon.... There must be 4 screenshots worth of these errors. Could this have been hidden from me???
    Attached screenshot: chkdsk.png


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #94

    You have quite a few services running! Look at BlackViper's suggested configuration:
    Vista
    Windows Vista Service Pack 1 Service Configurations by Black Viper

    Win7
    Windows 7 Service Configurations by Black Viper


  5. Posts : 57
    Windows 7
    Thread Starter
       #95

    Jacee, et.al.

    Coincidentally, I just revisited this issue about a week ago... But I agree with you. I do have a lot of services running. I first discovered what a "service" was when I was trying to speed up an over-laden XP installation a few years ago, and since then I always try to prune unnecessary services.

    However, in the case of Windows 7 -- or rather since my RNAV -- my options are limited... [which, come to think of it, I can at least thank this problem for compelling my introduction to Windows 7; I downloaded Build 7000 and installed it as a main OS (I know, I know) because my version of Vista at the time (late last January) had become decimated due to the RNAV and I did want to pay for the factory recovery disks to reinstall Vista... it turned out that Windows 7 was a much more enjoyable experience, even in beta, and honestly, I would not even have Vista "retail" running now (as shown in my latest screenshots) except it is an intermediate step to get to Windows 7 with all of the software that came with this new HP notebook].

    When I say my options are limited it is because--as is my mantra during this thread and ordeal--I do not have much control of what I can and cannot do when it comes to Windows (Vista or 7) since the initial infection (and my subsequent reinfection) of this monster.

    I think I had mentioned about 9 or 10 pages ago (!) that several services had their options grayed out. I know that grpsvc is hardened and I am limited in what I can do with that service (which is a hack I am looking for at the moment, because if I can find a way around these NTFS restrictions that are being placed on me -- as if I was an employee in a big company with an actual need for group policy -- half of this battle would be over in an hour). But several other services are off-limits to me as well.

    To further explain what I have experienced, I want to tell you that these services were not "off-limits" at first. Like all other Windows 7 users (I presume), I thought I could disable services if need be. And I needed to, because I was not only trying to streamline the OS (this is back in February), but because I was trying to determine if in fact any of the services were related to the problem I was having (my infection). One by one, I discovered which services were vital to the RNAV's proper functioning. First, I would stop a particular service, and if it was used by the RNAV, there would be a screen flicker or tremor, or the system would hang. At first I thought it was my fault and I should not have stopped the service because the OS needed it (however by now I know the important services -- but there were new ones to contend with in WIN 7). Upon reboot -- or, in the alternative, if a system crash had not resulted from my stopping the service, the next time I restarted my PC -- the service I had disabled was now running again. A bit dismayed, I would look at it, double check the function of the service to make sure it was not OS-vital, and if it was something I didn't think I needed, I would try stopping it/disabling it one more time. But.... upon my next restart, these services would again be running -- and to my surprise, when I looked at them this time, certain parts of the extension menus and the properties box were grayed out!

    As I was just getting familiar with WIN 7, I was pretty confused, but I came to my senses and realized that even if this was a new Windows version (and even if it was beta), no OS was self-protective quite like this... almost like some living entity.... which is why my mindset this whole time has been that I have been dealing with a person who is, at least part of the time, actively involved in the control of my particular PC. But then again, I am not a computer security expert, and do not know if computer viruses -- as with the variety their carbon-based creators are susceptible to -- have the ability to actually evolve to survive. I imagined computer viruses might relocate themselves, or do a few other things based on their original programming, but, for a virus to restart a service twice before it decides that it does not want the "stupid human" to shut it down again and disables it...... I mean, I am sure there are countless sci-fi stories (and I was thinking HAL 2000 when I typed "stupid human" above) about such occurrences, but I didn't think that really happened. [Well, until I read about Conficker anyway.... with its ability to update, etc.]

    So, I realize that I have a lot of services running, but I just do not touch a lot of them now because my actions have rendered the following services un-alterable (or un-stoppable): PlugnPlay, RPCsvc, RPCss, DCOM Service Process Launcher, SAM, Task Scheduler, and Windows Driver Foundation - User Mode Driver Framework (Note: this is from memory, so please correct me if any of the foregoing services come "hardened" at installation time).

    In addition, the Routing, Peer to Peer Grouping services were at one time off limits to me, but the evolving RNAV has found other ways to subsist without them.

    Which brings me to an interesting feature I thought I would make known: one strange signature of this thing is that it picks up services that I might install temporarily if it likes them. This means that even if I uninstall the application (from where the service in question originated), the service will initially uninstall along with the application, but in 1-2 hours, that formerly uninstalled service is now running again and probably continues running to this day.

    That really weirded me out because I didn't know how a virus could just grab and control a 20-50MB (or more) file and call it its own. I later realized that my WD My Book was a repository more or less for all of its necessary equipment.

    But before you start calling your friends and telling them you met a very amusing, but sadly, mentally unstable individual on sevenforums.com, I do have good circumstantial evidence to back this up. Thankfully, WD external backup drives (like Maxtor, and others) have very obvious blinking lights indicating when they are being accessed. About 3 months ago, I had been sitting in the room where I work/use the notebook (probably reading and trying to learn Asterisk, which I still have not gotten a grip on) and peripherally saw the drive light blinking for several minutes, more than 5 at least. I had no scheduled backups or anything like that, so there really would be no reason (that I know of) that Windows would need to access an external drive for 5-10 minutes. Obviously, some serious data was being accessed. I have kept an eye on the drive since then; it will sometimes access it for 4 or 5 minutes. I have more info to verify this, but I know I can get a bit long-winded, so I will just say that it uses external space if it is available for storage. [Unfortunately, my WD stopped working correctly (I do not know if this is related to the infection or not, but if anyone knows a good site on DIY external drive repair, please let me know).]

    I'll end this post because it is me mostly rambling again, but I do want to ask a general, but related question.... is there a way to hide files beyond the standard windows "hidden" files? The only other method of hiding files (at least in windows) that I know is the "index.dat-type method" (which I do not understand...I only remember it took a lot of work to get to those .dat files).

    P
    Last edited by pjvex386; 17 May 2009 at 17:20.
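Whether a service's Stop button and Startup type are greyed out in services.msc is decided by two things that can be read directly: whether the service reports that it accepts a stop request at all, and what the service's own security descriptor grants the caller. The script below is an added example, not code from the thread or its participants: on Windows 7 (PowerShell 2.0, elevated prompt) it lists every service with its start mode, its `AcceptStop` flag and the rights its DACL allows Administrators, then keeps a baseline file (the file name is an assumption) so that a service that "comes back" after removal shows up in a diff rather than from memory.

```powershell
# Added example, not from the thread: dump every service's start mode, whether
# it accepts a stop request, and what the service's own DACL grants the
# Administrators group. services.msc greys out Stop when AcceptStop is false
# and greys out the properties when the caller lacks DC (change config), so
# read this before concluding that something is protecting itself.
# Windows 7 / PowerShell 2.0, run from an elevated prompt.

# SDDL two-letter aliases that show up in service descriptors.
$trustees = @{ BA = 'Administrators'; SY = 'SYSTEM'; AU = 'Authenticated Users';
               IU = 'Interactive'; SU = 'Service logon'; WD = 'Everyone'; BU = 'Users' }

function Get-ServiceAces([string]$Name) {
    # "sc.exe sdshow" prints the security descriptor as SDDL, e.g.
    # D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;...)
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    # One ACE per match: (type;flags;rights;;;trustee). The SACL's (AU;...)
    # entries do not match because the type must be A or D followed by ';'.
    foreach ($m in [regex]::Matches($sddl, '\((A|D);[^;]*;([A-Z]+);;;([^)]+)\)')) {
        $sid  = $m.Groups[3].Value
        $type = 'Deny';  if ($m.Groups[1].Value -eq 'A') { $type = 'Allow' }
        $name = $sid;    if ($trustees.ContainsKey($sid)) { $name = $trustees[$sid] }
        New-Object PSObject -Property @{ Service = $Name; Type = $type
                                         Rights = $m.Groups[2].Value; Trustee = $name }
    }
}

function Get-ServiceControl($svc) {
    # $svc is a Win32_Service instance. WP = stop, DC = change config,
    # GA = generic all; a Deny ACE for Administrators overrides any allow.
    $aces   = Get-ServiceAces $svc.Name
    $allow  = ($aces | Where-Object { $_.Trustee -eq 'Administrators' -and $_.Type -eq 'Allow' } |
               ForEach-Object { $_.Rights }) -join ''
    $denied = @($aces | Where-Object { $_.Trustee -eq 'Administrators' -and $_.Type -eq 'Deny' }).Count -gt 0
    New-Object PSObject -Property @{
        Service      = $svc.Name
        StartMode    = $svc.StartMode
        AcceptStop   = $svc.AcceptStop
        AdminCanStop = (-not $denied) -and ($allow -match 'WP|GA')
        AdminCanCfg  = (-not $denied) -and ($allow -match 'DC|GA')
        Path         = $svc.PathName
    }
}

# Full table, most locked-down services first.
$report = Get-WmiObject Win32_Service | ForEach-Object { Get-ServiceControl $_ }
$report | Sort-Object AdminCanCfg, AdminCanStop, Service |
    Format-Table Service, StartMode, AcceptStop, AdminCanStop, AdminCanCfg, Path -AutoSize

# Baseline and diff: the first run saves, later runs compare, so a service
# that reappears after you removed it is a diff line instead of a memory.
# The baseline file name is an assumption.
$baseline = Join-Path $env:USERPROFILE 'services-baseline.xml'
if (-not (Test-Path $baseline)) {
    $report | Export-Clixml $baseline
} else {
    Compare-Object (Import-Clixml $baseline) $report -Property Service, StartMode, Path |
        Format-Table -AutoSize
}
```

What to expect on a stock Windows 7 machine: several core services (RpcSs, DcomLaunch, PlugPlay and SamSs among them) report `AcceptStop` false and have their Startup type locked in services.msc by design, so their appearing in the top rows is not evidence of anything. The rows worth reading are services whose `Path` is outside `%SystemRoot%` or `%ProgramFiles%`, or whose DACL denies Administrators `DC` or `WP` when stock services grant both. To the closing question in the post: the usual way data is hidden on NTFS without the hidden attribute is an alternate data stream; `dir /R` lists them on Vista and later, and the Sysinternals `streams` tool does the same recursively.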


  6. Posts : 5,747
    7600.20510 x86
       #96

    If I was in your position pjvex386, I would seriously consider letting Baarod have your machine for a little bit so he can play around with it some...as per his offer. Are you geographically close to him?

    Either way, your sanity will be restored and I am betting that no matter what the problem is or isn't, he will set it right.


  7. Posts : 57
    Windows 7
    Thread Starter
       #97

    It installs applications that look legitimate (or even helpful). On just a guess, I tried to "change", not uninstall, something I never installed: Cyberlink DVD Suite. I thought it might have been part of the HP apps with the notebook, but there was already a DVD player application.

    Anyway, when I clicked on "Change" it said "The application you wish to modify is located on a Network Source that is unavailable right now. Please try again later."

    I mentioned that media drivers are used for facilitating communication in some form.... I think it can use any driver for most media. Yesterday, along with the application I mentioned that was helpful, I downloaded Manycam, which is an interesting application to use with a webcam. But before I even installed it (I was downloading several things), the RNAV installed it, because it showed up in the task manager.


  8. Posts : 57
    Windows 7
    Thread Starter
       #98

    TorrentG:

    I would be more than willing to have anyone short of a plumber take a look at my laptop. I must have missed the post you refer to. This isn't a matter of money (although I am in a crunch at the moment), but rather I do not know of anyone who will believe me, or see what I am seeing as it takes someone with experience and who can just sit and perform normal functions on it for an hour. That service/competence level doesn't comport with the "Geek Squad" employment handbook.

    However, I am in Chicago, and do not drive anymore (well, I still drive, but no longer have a car). Is Baarod located near the midwest anywhere? If he is not, does he know of someone in the city? Are VPNing, Remote Assistance, or SSHing not viable (or too risky) options?

    Paul


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #99

    Paul, have you read this before? Also, have you done this?

    In previous versions of Windows, many users used the built-in Administrator account on a regular basis.
    This account has full control over everything on the computer.

    When you install Vista, you may be surprised to learn that the Administrator account is disabled by default.
    That's to encourage you to follow best practices and create your own administrative account.
    It also makes it a little harder for hackers; they all knew that the account named Administrator
    existed and so had half of what they needed (the account name) to log on with it.
    You can enable the built-in Administrator account if you really want to, by running the Command Prompt as administrator
    (right click its icon and select Run as Administrator; click Continue at the UAC prompt) and typing the following:
    net user administrator /active:yes
    This causes the Administrator account to appear on the Welcome screen.
    Note that it does not have a password set by default; the first thing you should do is
    set a strong password for it.


  10. Posts : 57
    Windows 7
    Thread Starter
       #100

    Jacee:

    Yes, I was one of those hacker-types who could be assigned the old "Power User" privilege level and create full administrator rights (which is why these circumstances drive me particularly crazy).

    Two laptops ago I used to treat enabling the "hidden" Administrator user like it was invoking Alan Turing and Archimedes combined. Now that is my user all the time. It is worthless compared to a 2003 or 2008 server admin privilege (but I think the software in my case is, in fact, NT). But I remember that there are NTFS workarounds where the local admin can have absolute power. I just cannot find it or figure it out.

    If you know this priceless bit of information, it would be extremely helpful.

    Paul
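The "NTFS workaround" the post above is reaching for is the ordinary take-ownership-then-grant sequence: an administrator holds SeTakeOwnershipPrivilege, an owner may always rewrite the DACL, so `takeown` followed by `icacls` regains control of an object that TrustedInstaller (or anyone else) owns. The script below is an added example, not code from the thread or its participants; it runs on Windows 7 from an elevated PowerShell 2.0 prompt, and the path it defaults to is a hypothetical placeholder.

```powershell
# Added example, not from the thread: regain control of an NTFS object the
# Security tab will not let you edit. Windows 7 / PowerShell 2.0, elevated.
# The default path is hypothetical; pass the file or folder you were denied on.
param([string]$Path = 'C:\Program Files\Example\locked.dll')

if (-not (Test-Path $Path)) { throw "No such path: $Path" }

# Which account you are, in the form the Security tab shows (COMPUTER\user),
# plus its SID. Two entries that look alike (OPERATIONS\connor vs
# NT AUTHORITY\SYSTEM) are told apart by the SID, not by the display name.
whoami /user
whoami /groups | findstr /i "S-1-5-32-544"   # S-1-5-32-544 = BUILTIN\Administrators

# Keep a copy of the current owner and ACL so it can be put back.
"Owner before: {0}" -f (Get-Acl $Path).Owner
$backup = Join-Path $env:TEMP 'acl-backup.txt'
icacls $Path /save $backup                    # undo with: icacls <parent dir> /restore $backup

# 1. Take ownership. SeTakeOwnershipPrivilege lets an administrator do this
#    even when no ACE grants them anything; /a assigns it to the Administrators
#    group rather than to the one user running the script.
takeown /f $Path /a

# 2. An owner may always rewrite the DACL, so now grant full control
#    explicitly. The *SID form works in every language edition of Windows.
icacls $Path /grant '*S-1-5-32-544:F'

# 3. Verify.
"Owner after:  {0}" -f (Get-Acl $Path).Owner
(Get-Acl $Path).Access |
    Where-Object { $_.IdentityReference -like '*\Administrators' } |
    Format-List IdentityReference, FileSystemRights, AccessControlType
```

Two caveats: TrustedInstaller ownership of files under `%SystemRoot%` and `%ProgramFiles%` is the stock Windows 7 layout rather than a symptom, and Windows Resource Protection watches those files, so apply this to the specific object you need and not to a system directory wholesale. Ownership also does not confer "absolute power" by itself: until the DACL is rewritten in step 2 an existing Deny ACE still applies, which is why the grant is a separate step and why the backup from `icacls /save` is taken first.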


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd