Windows 7 Forums
Windows 7: This is a Security issue, but more!!!


19 Mar 2009   #21

 
Forgot to finish a thought in my last post....

POSTSCRIPT Number 2... I never really finished my comment on Item "D" in DeviceMan II.jpeg.... As I said, things on my laptop today are virtually without problem because I installed WIN 7 and then the card (or my theory that the low level format threat has caused him to back off).

Anyway, Item D is a coprocessor that is some HP bug I believe and it should not be there.. BUT until this day, when I would install WIN-7 normally, there would be 5 other devices under this "Other Devices" category. They would be Base Device in 4 instances, and an "unknown device" in the last instance.

Now I think because I was able to uninstall these software based devices yesterday when I just installed Windows without the card. So maybe it is too difficult for him to get these things reinstalled now that we are both experienced with the tactics of the other.... By the way, these Base Devices would show up in the registry too... Cannot remember where, but if someone is interested, go through the HKLM I attached last week...

Also, still cannot seem to attach 3 zip files and one txt file which I think would be helpful. Do not know if it is ALF living in my laptop or I just need to reboot....which I do not want to do lest my old problems return.....
Thanks,

Paul


19 Mar 2009   #22

 
Trying to make this easier for any or everyone...

....who is helping me or just interested in this phenomenon. More information if anyone wants to look at it.

Plus another text file containing output from TCPView.exe (another Sysinternals Suite utility). Prior to today, I was never able to run this utility. It generated a strange error which can only be attributed to the problem I am having.

I am also attaching two jpegs. I was trying to install Splunk (a very interesting application btw --check it out if not familiar), and in the process of information gathering for configuration, I ran my X-Netstat GUI utility. While doing this, I saw some items that might be of interest to those following...

The first jpeg is the Routing Table. And the second is the NetBios Remote machine list/table.

I am also attaching the latest secedit output (which was included in my very first post). This is an update.

AND, lastly, a zip file containing several output files from VMMap (again from Sysinternals). Unfortunately there is no way to view these files unless you have the utility... free from Microsoft (who evidently bought Sysinternals a few years ago).

I know this is an overwhelming amount of data. But I guess the reason I am here is because I am not quite skilled enough to look at this info and put it together in some coherent fashion.

I still am trying to climb the learning curve for ipv6. I say this because of the numerous ipv6 addresses in routing table.....


Attached images: routeing-table.jpg, netbios-remote-machine.jpg
Attached files: secedit3-20.txt (5.6 KB), tcpview3-19.txt (2.6 KB), vmmap-files.zip (21.1 KB)
20 Mar 2009   #23


This is very puzzling. According to your IP address, you are based in Chicago, Illinois. However, the file you supplied, tcpview3-19.txt, mentions Cairo numerous times. One of the entries also links to the University of Minho, based in Portugal. There are also an alarming number of uTorrent connections, linking to Argentina, Serbia, Philippines.
Do you have a torrent client installed and running, and do you have any connection in any way whatsoever with the aforementioned Portuguese University?
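The question about the uTorrent connections above comes down to tying each remote endpoint in a netstat or TCPView capture to the process that owns it. The following PowerShell is an added example, not code from the thread: it parses `netstat -ano` output (live, or a saved text capture) on Windows 7's PowerShell 2.0, so it does not need the later Get-NetTCPConnection cmdlet. The sample rows, the documentation-range addresses in them, and the PID-to-name map are constructed for illustration.

```powershell
# Added example (not from the thread). Turns "netstat -ano" rows into objects and
# attributes each remote endpoint to its owning process. The sample rows and the
# PID->name map below are constructed; on a live machine pass (netstat -ano) instead.

function Split-Endpoint {
    # "203.0.113.10:6881" -> 203.0.113.10 / 6881; "[::]:135" -> :: / 135; "*:*" -> * / *
    param([string]$Endpoint)
    $i = $Endpoint.LastIndexOf(':')
    New-Object PSObject -Property @{
        Address = $Endpoint.Substring(0, $i).Trim('[', ']')
        Port    = $Endpoint.Substring($i + 1)
    }
}

function ConvertFrom-NetstatAno {
    # Parses one line of "netstat -ano". TCP rows carry a State column, UDP rows do not,
    # so the PID is always taken from the last field. Header and blank lines are skipped.
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$Line)
    process {
        $f = $Line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or @('TCP', 'UDP') -notcontains $f[0]) { return }
        $local  = Split-Endpoint $f[1]
        $remote = Split-Endpoint $f[2]
        $state  = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        New-Object PSObject -Property @{
            Proto         = $f[0]
            LocalAddress  = $local.Address
            LocalPort     = $local.Port
            RemoteAddress = $remote.Address
            RemotePort    = $remote.Port
            State         = $state
            OwningPid     = [int]$f[-1]
        }
    }
}

function Get-ConnectionsByProcess {
    # $Lines: netstat -ano output. $ProcessMap: PID -> process name; defaults to the live
    # process table. Listening, wildcard and loopback rows are dropped so only real
    # remote peers remain, then peers are grouped per owning process.
    param(
        [Parameter(Mandatory=$true)][string[]]$Lines,
        [hashtable]$ProcessMap
    )
    if (-not $ProcessMap) {
        $ProcessMap = @{}
        Get-Process | ForEach-Object { $ProcessMap[$_.Id] = $_.ProcessName }
    }
    $Lines | ConvertFrom-NetstatAno |
        Where-Object { $_.RemoteAddress -notmatch '^(\*|0\.0\.0\.0|127\.|::1?$)' } |
        ForEach-Object {
            $name = if ($ProcessMap.ContainsKey($_.OwningPid)) { $ProcessMap[$_.OwningPid] } else { '<no longer running>' }
            $_ | Add-Member -MemberType NoteProperty -Name Process -Value $name -PassThru
        } |
        Group-Object Process | Sort-Object Count -Descending |
        ForEach-Object {
            New-Object PSObject -Property @{
                Process     = $_.Name
                Connections = $_.Count
                RemotePeers = ($_.Group | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample in the exact "netstat -ano" layout (addresses from documentation ranges).
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    192.168.1.23:49321     203.0.113.10:6881      ESTABLISHED     3124
  TCP    192.168.1.23:49377     198.51.100.7:6881      ESTABLISHED     3124
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:3544           *:*                                    1640
  UDP    192.168.1.23:6881      *:*                                    3124
'@ -split "`r?`n"
$sampleMap = @{ 744 = 'svchost'; 3124 = 'uTorrent'; 4 = 'System'; 1640 = 'svchost' }

Get-ConnectionsByProcess -Lines $sample -ProcessMap $sampleMap | Format-Table Process, Connections, RemotePeers -AutoSize

# Live check on the machine being examined (run as Administrator so PIDs are populated):
# Get-ConnectionsByProcess -Lines (netstat -ano) | Format-Table Process, Connections, RemotePeers -AutoSize
```

Attribution answers the question directly: a peer owned by uTorrent.exe is the torrent client, whatever country it resolves to. What deserves a closer look is a peer attributed to a PID that is no longer running, or to an svchost.exe instance on an unfamiliar port; `tasklist /svc` shows which services live inside each svchost process.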


20 Mar 2009   #24


Going back to the start

Quote: Originally Posted by pjvex386
About 6 weeks ago, I authenticated with a wireless network near my residence and used the internet for a bit. I did this again over the next few days, and then started noticing some very strange things occurring. My task manager had a number of processes that I never recognized (even though I was using Windows 7 beta), and it seemed as if I had a lot of services that were server based.
This is not unusual in Windows (more so in Win 7). What were the names of the services? (You can make a copy from within Task Manager.)
Quote: Originally Posted by pjvex386
After trying to look further into what was happening, I started getting "access denied" messages all over the place. I enabled my Administrator user, and logged in. Still no luck.... I was encountering "Access Denied" whenever I tried to look at either certain files in System32 or in the Registry.
This is not unusual, albeit annoying, with Windows 7, where permissions are "stiffer" and can seem to be even more obtrusive. The same happens to me.
Quote: Originally Posted by pjvex386
Below, I am including my latest complete Remote Access Diagnostics dump (netsh interface ras), but before I get there, I would like to share my theory. Laugh if you must...almost everyone (in IT or not) has laughed at me as if I was some sort of conspiracy nut!!

I think because Windows 7 and Windows Vista install with ipv6 adapters (ISATAP, TEREDO, etc) advertising from the get-go, I am being hijacked and I cannot find a way to rid my pc of this problem... I do not know how they are getting in... Even after I log in, I disable ALL adapters, and then set state disabled to netsh interface 6to4, ISATAP, TEREDO, etc. I reset ipv4 and ipv6, and reset Winsock (which is loaded with items). AND, the trick they are using is UDP... UDP in most cases can bypass NAT and firewalls, so its quick and they can find me in seconds---
on the hardware in your laptop your drivers are unlikely to properly utilise ipv6 !!
Quote: Originally Posted by pjvex386
FYI: I have reformatted (slow not quick) my drive and reinstalled Windows 7 no less than 40 times.
Reinstalling 40 times is more than excessive and is madly chasing down the wrong route.
Quote: Originally Posted by pjvex386
Somehow this cretin is still finding access into my PC. I try to install Kaspersky's Technical Preview, but this intruder knows how to filter it rendering it mostly useless.
What were the error messages?
Quote: Originally Posted by pjvex386
I know this is a weakness from Microsoft....I mean all I need is to find a room with lead-lined walls to reinstall Windows 7 in and I am good... Because I can go 5 miles from where the network was originally, and somehow, I am advertising some beacon which IDs me on the internet and creates a tunnel....
sorry but this is a conspiracy theory
Quote: Originally Posted by pjvex386
No matter where I go, I cannot escape this.... I am nearing insanity. Please, please help.... I have deleted all of the ipv6 addresses from ROUTE as well as my loopback adapter address.... But nothing works...
I can't see the point in deleting things as this is just going to generate even more strange responses from the OS

I can't help feeling that with your self-confessed limited knowledge you have made this whole situation look very complicated, and if you genuinely want to solve this issue I suggest you make sure any sensitive information is safely removed and backed up to a disc or stick, then start again with a fresh install. DO NOT install anything other than the OS (such as 3rd party progs) and then try to answer some of the questions to the problems you originally encountered above.

If anyone is gaining access we need to keep it simple to nail it down and if there's nothing sensitive on your lappie then they cannot gain anything other than a bit of free time messing with your life which we can turn to our advantage
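The quoted post describes disabling 6to4, ISATAP and Teredo with netsh and then resetting the stacks. As an added example (not code from the thread), here is a PowerShell wrapper for that procedure: it first reports what netsh says each transition technology is doing, can then disable them persistently, and finally lists whatever tunnel adapters ipconfig still exposes. It relies only on netsh, ipconfig and the documented Tcpip6 DisabledComponents registry value, and needs an elevated prompt.

```powershell
# Added example (not from the thread). Inspect and, on request, disable the IPv6
# transition technologies on Windows 7 the way the quoted post describes doing by hand.
# Run from an elevated PowerShell prompt.

$TransitionTechs = @('6to4', 'isatap', 'teredo')

function Get-Ipv6TransitionState {
    # One object per technology, carrying the "State : ..." value netsh reports
    # (for Teredo typically offline/qualified/dormant, for 6to4 and ISATAP default/enabled/disabled).
    foreach ($tech in $TransitionTechs) {
        $out = netsh interface $tech show state 2>&1 | Out-String
        $state = if ($out -match '(?i)State\s*:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        New-Object PSObject -Property @{ Technology = $tech; State = $state }
    }
}

function Disable-Ipv6Transition {
    # Persistently turns the tunnel interfaces off. DisabledComponents bit 0x01 disables
    # all tunnel interfaces (6to4, ISATAP, Teredo); 0xFF disables IPv6 entirely except
    # loopback. The registry change takes full effect after a reboot.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([switch]$AllIpv6)
    foreach ($tech in $TransitionTechs) {
        if ($PSCmdlet.ShouldProcess("netsh interface $tech", 'set state disabled')) {
            netsh interface $tech set state disabled | Out-Null
        }
    }
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $value = if ($AllIpv6) { 0xFF } else { 0x01 }
    if ($PSCmdlet.ShouldProcess($key, ('set DisabledComponents = 0x{0:X2}' -f $value))) {
        Set-ItemProperty -Path $key -Name DisabledComponents -Value $value -Type DWord
    }
}

function Get-Ipv6TunnelAdapters {
    # The "Tunnel adapter ..." sections of ipconfig /all; after disabling and rebooting,
    # this list should be empty.
    ipconfig /all | Select-String -Pattern '^Tunnel adapter' | ForEach-Object { $_.Line.Trim() }
}

Get-Ipv6TransitionState | Format-Table Technology, State -AutoSize
Get-Ipv6TunnelAdapters

# Disable-Ipv6Transition -WhatIf    # preview the netsh and registry changes
# Disable-Ipv6Transition            # apply, reboot, then re-run the two checks above
```

Teredo reporting `offline` or `qualified` and a few `Tunnel adapter` entries in ipconfig is the stock Windows 7 configuration, not evidence of an intruder. The 0x01 bit removes only the tunnel interfaces; 0xFF (the -AllIpv6 switch) turns IPv6 off except loopback, which Windows 7 features such as HomeGroup depend on, so use it deliberately. `netsh winsock reset` is the separate step the post mentions and is not part of this script.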
20 Mar 2009   #25

pjvex386, did you ever run Malwarebyte's AntiMalware? If you did, can you copy and paste the .txt log? I'd like to see it please.
20 Mar 2009   #26

 
Back again

Well, today was not as good as yesterday. After having a good day merely because I had uninterrupted internet access all day, I thought that before I retired for the evening, I would push my luck and attempt to install the Kaspersky Technical Review for Windows 7.

Now if you are amused that I say push my luck, I can understand your reaction. I probably would be thinking that this poor idiot is much closer to a "conspiracy theory" mindset than I am to fact and the immutable laws of physics. I guess it would be fair to say that this ordeal is making me feel like I am experiencing the famed "Helsinki Syndrome"...., i.e. since I have become so exasperated and fatigued over this problem, part of me has surrendered. In other words, if I am lucky enough to have a day (or an hour) when I have internet access (because either the adapter is not missing, or irretrievably disabled in the device manager or the registry, or it is only able to access local network service), I feel myself become obsequious to my invisible guest and be as nice as possible to this entity so they won't cut off my wireless adapter...this means I do not disable anything unusual in device manager or start deleting restrictive key values in the registry (which I am competent enough to know how to do as it relates to a good number of hardware and software components).

But, though I thought my troubles were diminishing or perhaps gone, it was not to be. The bad news was that it was clear that -- upon installation of Kaspersky -- someone didn't like it because when Kaspersky finished installing and the configuration process began, I noticed the password protect fields and "Run As" options were grayed out and inaccessible. I wasn't even surprised although this was a first. Prior to this, he or whomever only prevented me from checking an option to specifically monitor the possibility of peer-to-peer worms (this was accomplished by disabling the "P2P Worm" option box; in other words, if I would check it, along with the other trojans and viruses, then close the window, and then immediately re-open it, the P2P worm checkbox remained unchecked, yet all of the other nasty worms and trojans were still checked).

So I tried to continue to configure various things, and was even able to update the virus database, but then I see "page cannot be displayed" in a Firefox tab. So I check the icon in the systray and well, perhaps coincidentally, but perhaps not, it shows that now I only have Local Access. I have been using a strong network for 4 hours and it goes to local access at the same time I am doing something that might block his UDP packets (which is the primary means of access used). I did decide to block a few very unusual UDP packets that did not seem right. Then everything froze. Now if blocking a few outbound UDP packets can freeze my entire PC, then I still have a lot to learn because that seems a bit much.

When I rebooted, everything was amok.... The windows updates that were installed 4 hours earlier (the normal post Win-7 installation updates) were gone and my desktop was dim, and the Aero feature didn't work. I also tried going to MMC which I had successfully been able to do as only an Administrator-User, but now, as THE ADMINISTRATOR I could only pull up a "volatile" version of MMC....it was worthless to even try to use it as it was merely a red herring which kept me occupied while I thought I was actually looking at genuine information or actually making true configurations (in other words, MMC would behave much like the P2P checkbox incident above).

BUT, the good news was that I was able to use System Restore (another first), and it actually had every restore point it should have had.... So I went back to a point pre-Kaspersky and all has been well ever since.

I have to run right now, but I am attaching a few screenshots that are interesting. I ran an AccessEnum utility from "Net Tools" and I was bewildered. When using the Sysinternals AccessEnum utility, I would not get these results....

Just look at the line items I have marked in red, and let me know if you think I am being rash in my supposition that this is an entity and not a virus or some other malware.

BTW, I am running a FULL scan of MBAM and will send the report/log of it in my next post.

Paul

Check next post for attachments. For some reason, the pop-up screen says I am logged out.... so I am just going to send this post as it.
20 Mar 2009   #27


Hi Paul,

Just in case you are wondering, the Kaspersky Technical Review for Windows 7 has now expired (I was using that, but have now switched to Avast! Home Edition).
20 Mar 2009   #28

 
Attachments

Here are the attachments I spoke of in my last post.

Accessenum.jpg is of the windows directory showing read access, write access, and deny.... I have annotated the jpeg with my comments......


AccessenumRoot.jpg shows the same thing on the C:\ drive. Some odd things here too. See red marks.....

AccessenumAppdata.jpg shows part of Program Files/AppData. The "Read" users were SIDs in some cases and therefore quite long, so as to show the entirety, I did this in two screenshots. The first part shows the read permissions, and in Accessenum part II, I moved the scrollbar over so the Write and Deny fields were visible.

Then please post here and tell me that what you see in these screenshots is neither abnormal nor some WIN-7 oddity...... I have wanted it to be something explainable or normal for a long time..... Because if this is or has been done to anyone else, they might not have noticed...... I only caught on because I get a little annoyed when I see a process, a file, or an object I do not recognize......

BTW, I tried to run the same AccessEnum utility on HKLM. But for some reason, after using it all over my hard drive, when I went to the registry it crashed. It crashes every time I try to re-run the utility-- but only when I scan the registry. Coincidence? Perhaps.... after all this is a beta OS, and you never know.... but at the same time, from the opposite perspective.....you never know!


Attached images: accessenum.jpg, accessenumroot.jpg, appdata-part-i.jpg, appdata-part-ii.jpg
20 Mar 2009   #29

 

Oh, I had written another post earlier addressing some things a few of you brought up, and I either lost it or something happened because I had to rewrite it.

But I forgot to include a reply to Dwarf. Dwarf: Yes... sorry if that made it confusing... I was using uTorrent at the time... Because I had not been able to use the net on my laptop for so long, I was downloading some things I needed...... But I do not want anyone to infer that I have buggy "warez". Virtually all my software is purchased or share/free ware. Whatever is not has been with me for a long time... and it wouldn't be the cause of this problem..

Also, to Darkassassin. Thank you for your lengthy reply. I am trying to heed your advice.... And trust me, I knew that reformatting my drive and re-installing that number of times was excessive.... but in at least 70% of those instances, I was unable to reboot using ANY FORM of recovery..... I own the Stanek "Windows Command Line" second edition which covers Vista, and a SAMS Administrator's Guide to Vista, and anything in either of those books which describes a recovery without a full reinstall has or had been tried before I resorted to re-installation...

I only reformatted because I figured why take the chance something was left in some disk sector.... so I would do a reformat (either slow or quick)
20 Mar 2009   #30


Hi Paul,

Those attachments look fine. All the asterisk indicates is that the contents of the folder(s) in question is/are not currently accessible because of a permissions/ownership issue. The reason why you see 2 entries with these is because you can actually see the folder itself, but you cannot open it to access the contents.

Going back to your earlier post, and the file tcpview3-19.txt, do you have any connection in any way whatsoever with the University of Minho, based in Portugal?
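The reading of the AccessEnum screenshots above (the asterisk marking a folder whose contents could not be opened because of permissions) can be checked without screenshots. This PowerShell is an added example, not code from the thread: it walks a folder tree with Get-Acl and reports the things AccessEnum highlights, namely explicit Deny ACEs, identities that appear only as raw SIDs like the long Read entries in the AppData screenshots, broad groups holding write rights, and folders whose ACL cannot be read at all. The paths used and the list of groups treated as "broad" are my assumptions.

```powershell
# Added example (not from the thread). Audits folder ACLs the way AccessEnum summarises
# them. Junctions are tagged because Windows 7's compatibility junctions carry an explicit
# Deny for Everyone on listing, which is a normal source of "*" entries in AccessEnum.

function Get-FolderAclFindings {
    param(
        [Parameter(Mandatory=$true)][string]$Root,
        [switch]$Recurse
    )
    # Identities whose write access on a folder is worth a second look (assumed list).
    $broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    $folders = @(Get-Item -LiteralPath $Root)
    if ($Recurse) {
        $folders += @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
    } else {
        $folders += @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
    }

    foreach ($folder in $folders) {
        $isJunction = [bool]($folder.Attributes -band [IO.FileAttributes]::ReparsePoint)
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # Same condition AccessEnum marks with "*": the folder is visible, its ACL is not readable.
            New-Object PSObject -Property @{ Path = $folder.FullName; Junction = $isJunction; Identity = ''; Rights = ''; Finding = 'ACL not readable' }
            continue
        }
        foreach ($ace in $acl.Access) {
            $id     = $ace.IdentityReference.Value          # "DOMAIN\name" if resolvable, else "S-1-..."
            $rights = $ace.FileSystemRights.ToString()      # inherit-only ACEs may show raw numbers, e.g. 268435456 = GENERIC_ALL
            $finding = $null
            if ($ace.AccessControlType -eq 'Deny') {
                $finding = 'Explicit Deny ACE'
            } elseif ($id -match '^S-1-') {
                $finding = 'Unresolved SID (deleted account or account from another installation/machine)'
            } elseif (($broadGroups -contains $id) -and ($rights -match 'Write|Modify|FullControl')) {
                $finding = 'Broad group with write rights'
            }
            if ($finding) {
                New-Object PSObject -Property @{ Path = $folder.FullName; Junction = $isJunction; Identity = $id; Rights = $rights; Finding = $finding }
            }
        }
    }
}

# The three views from the screenshots: the Windows directory, the drive root, and AppData.
Get-FolderAclFindings -Root $env:SystemRoot            | Format-Table Finding, Identity, Rights, Junction, Path -AutoSize
Get-FolderAclFindings -Root 'C:\'                      | Format-Table Finding, Identity, Rights, Junction, Path -AutoSize
Get-FolderAclFindings -Root $env:LOCALAPPDATA -Recurse | Format-Table Finding, Identity, Rights, Junction, Path -AutoSize
```

Two benign results to expect on a Windows 7 drive: the compatibility junctions at the root and under C:\Users (Documents and Settings, All Users, Default User and similar) carry an explicit Deny for Everyone on listing the folder, which is exactly what produces the asterisk in AccessEnum, and they show up here with Junction = True; and ACLs on data that survived from an earlier installation list the old accounts as unresolved SIDs, because every reinstall creates fresh account SIDs.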
Closed Thread
