This is a Security issue, but more!!!

That's why I asked you to run the woamI script .... you never posted it for me, can you do so now, please?

It's located here:
wng's blog: WhoAmI

So, I'm new here, but i saw this thread and i had to say I'm intrigued.
I'm no stranger to security, forensics, and system hardening, so i might be of some service to you.

My recommendations are as follows:
1. Re-download your windows 7 ISO from Microsoft, and burn.
2. Disable all network adapters, and disconnect all removable storage.
3. Re-install windows 7.
4. Use a NEW administrator password, one you haven't used before, something random, mixed alpha numeric, and symbol characters.
5. Use a program like Acronis true image, or other free alternative to take an image of you operating system.
6. Enable network devices.
7. Use windows update, and install other needed drivers.
8. Take another image of your operating system with all needed drivers 9. Tweak services, and install needed applications, and a good firewall, and anti-virus (Outpost firewall, ESET NOD32)
10. Take yet another image of your operating system, the way you like it. 11. Boot from a live CD, connect your external storage devices, use anti-virus software on the live cd to scan all your disks, including external storage devices. If your files are infected, either format the external storage, or clean the infection via your live cd.
12. Boot into windows, enjoy



There are only a few methods for a security breach to remain after a hard drive format, and with no network access. These methods are not usually employed in your circumstances, as they require tailor made code. The methods that are public, that I'm aware of right now are, GPU, bios, ACPI and rootkits that infect your boot record. These possibilities are highly unlikely in your case. I think if you follow the above steps, you should be on your way to a perfectly infection free machine.

Hope this helps, and let me know how it goes.

Good luck.


*EDIT*

Another possible thought, you could also be exposing yourself to this breach via your web browser. I would suggest installing firefox, with the no-script add-on, and browsing the web via a limited user account, or using dropmyrights.exe (available here: Browsing the Web and Reading E-mail Safely as an Administrator)

I am glad this thread has something of valid interest. Don't want to become the "sideshow freak" of threads.

OK.. I have a lot to say, but I will say it quickly (leave out jokes, arcane references, and anecdotes).

I am in Firefox at the moment working off of a Mint Linux Live CD because my RNAV and I had a very big battle today (my trying to kill him/his connection & him trying to prevent me). I didn't lose necessarily; I went too fast....just like when I missed the fact that Baarod said he lived in Chicago (where I live as well) about 3 thread pages ago. He offered to help me if my latest plan at the time failed. I would have met him anywhere in the city for his help...and for someone else to see/witness this first hand. [NOTE TO BAAROD: Sorry I missed that last sentence in your post a few pages back. My mistake! But I do think we are close in any event (except it is no less unbelievable), but if I am still dealing with this in the next 24-48 hours, I would be glad to take you up on any help you would give. We can go to the Starbucks of your choice, I will buy coffee and you can use my laptop for 30 minutes.]

AND JACEE, AS SOON AS I AM ABLE TO GET BACK INTO WINDOWS, I WILL PROMPTLY RETURN THE OUTPUT. I APOLOGIZE FOR NOT RETURNING IT TO YOU AS YOU HAD ASKED.

When I say I went too fast in my fight today, I refer to a post by Darkassasin from a week or two ago. He mentioned Avast had a bootable antivirus disk. I managed to procure a clean one-time emergency use .iso of this item from an online friend. I managed to burn the CD, and restarted.... However, when I looked at the Avast page earlier, I did not take note of the fact that it if for XP. Reason this is a problem is because the original XP image never had SATA drivers, so I get the BSOD just when it gets to the menu on an XP installation disk. I had downloaded a XP Black version with SATA drivers--to use as a last resort (as I do not think XP has the same "cutting edge vulnerabilities" that Vista and WIN 7 do), so I have SATA drivers already extracted and ready to be combined with the AV bootCD--which was my plan.

I went into the Linux Live CD and was about to leave to find a another clean computer (well...... "clean" at this point, means working) and rebuild an XP image, with both the necessary SATA drivers and the antivirus software, but I started doing research in MSDN (where it is easy to get immersed for quite some time), and when I checked the time, it was about an 1.5 hours later...So by then the places I know (or friends having PCs), were closed or unavailable, respectively. So tomorrow morning I will build and use the bootable AV cd.

A few things I learned about this thing today. I actually managed to injure it to the point where he needed me to reboot to take back his former control.... Strangely the only thingone that has injured this thing yet has been the utility Registry Booster. I do not even use registry utilities anymore, but I found a site which did a "scan" for malware last night, and it turned out to be an advertisement for Uniblue's Registry Booster. So I went ahead and got it. At one time I used this same program quite often...back then if I ran the utility every other day, I might get 100-140 registry errors on a bad day....(btw, the errors are classified in several categories, like .dlls, invalid shortcuts, OLE/COM/ActiveXt, etc.). I ran this frequently utility and went to a web page to read something, and a few minutes later I went back and noticed that there were 600 errors in "System Software". I was warily encouraged, so I let it run. But it never stopped. It got up to 3000 errors in this category, so I stopped the utility. I then cleaned the errors. It did clean them...sort of... but whatever it did do was not healthy for my RNAV because (this is the cross-my-heart-truth) the mouse pointer was literally vibrating when it was in the "cleaning" stage. After that, I refused the "restart now" request by the application and instead ran it 3 or 4 more times... Each time it had a large number of errors--most of them located in the 64 to 32 bit conversion section of the registry (the WOW64to32 windows module--I think you can see the actual process (or service?) in one of my task manager screen shots.of late).

Though you will all probably be annoyed since I persist at this, but I ask you to just scan the following links...

HTML Code:

http://msdn.microsoft.com/en-us/library/aa457707.aspx

HTML Code:

http://msdn.microsoft.com/en-us/library/aa916286.aspx

HTML Code:

http://msdn.microsoft.com/en-us/library/aa916530.aspx

OK...three links are enough, but they are from pages upon pages of incredibly informative material in MSDN regarding bluetooth. I felt like I was reading keywords from bad dreams that I had forgotten...so much about bluetooth (from the MS Windows description and implementation of it) in Windows Mobile and actual full PC Windows platforms fit like a veritable glove with so much of what I have observed.....

If you do not read those links and the numerous related ones, I will just share a few key points...(I want to add that I am not forcing a deduction on this either...the whole thing has spooked me and has made me uncomfortable/skittish... while I very much appreciate everyone's help, I will admit that it tortures the alpha male side of my ego that I--who has often been described by friends and family as "really good with computers" for the past 20-25 years--could not take care of this virus/trojan/worm/whatever three months ago and without seeking professional/expert help.)

I. FIrst, bluetooth can pair with any device in an unsecured (i.e., without authentication) and silent manner. As used in the previous sentence, the word "Device" includes PCs, APs (access points) and modems.

II. Most of the drivers used inconnection with bluetooth were related.to audio services.

III. Bluetooth requires the .Net framework to function (Ummm...I had forgot to mention this to you guys before as it did not seem entirely strange when I noticed it because MS can be ubiquitous however and whenever it wants to be, but in the past 2-3 weeks I have consistently noticed that before opening up firefox for the first time, and immediately after (re-)installation of my OS and all other applications, Firefox would report "one new add-on [had been] installed". The add-on in question was for .Net 2.0).

IV. The MSDN specifically refers to "Mobile PCs" as a primary or intended target within the scope of what the MSDN calls "API controlled devices". Mobile PCs, as it is defined includes laptops and notebook computers". <<<--- it might be merely the nascent mental disorder of which I shall succomb in the near future, but I almost heard thunder when I read that....!

I'll stop there, but seriously, I could go on and on and on...Well, OK, here are a few more quickly....

V. Someplace in this thread I mention that in Linux, my eth1 (wireless) adapter disappears completely and is replaced by pan0. Never saw that in reference to anything wireless until I read about bluetooth using and enabling a Personal Area Network.

VI. Mobile PCs have a new platform which developers can use to extend the functionality of their applications...called Windows SideShow Platform -- known on VIsta and Windows 7 as Windows Sidebar... For weeks (and I thought this was an innocuous bug), the Windows Sidebar would come up at startup no matter how many times I removed it or disabled it from doing so....read below:

Introduction
Gadgets for Sidebar, though developed using the functionality of the Microsoft HTML (MSHTML) runtime, are not limited by the standard browser security model. Since gadgets are locally installed mini-applications that provide a rich set of system access APIs, a packaging and deployment method similar to a typical executable distribution is employed. Packaging

A gadget is downloaded as a "package" of resources and configuration files. The package is distributed as a zip file or as a Windows cabinet (.cab) file. Both methods of distribution require the file extension, .zip or .cab, to be changed to .gadget. If the file is packaged as a .cab file, you can use a code signing certificate to provide information about the origin of the gadget. The user is then presented with this information before the gadget files are extracted. The signtool.exe application included with Visual Studio 2005 can be used to sign a gadget.

Note There is no requirement for gadgets to be digitally signed since the certificates are costly and not commonly used by the developer community likely to create gadgets.
Downloading

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. When integrated with Internet Explorer, Windows Defender performs file scanning on downloads to help ensure that one does not accidentally download malicious software. Gadget packages are included in the Windows Defender scan.

VII. Also...here is a frightening white paper....a page in the MSDN references a white paper entitled "Wireless Web: Microsoft Mobile Internet Toolkit Lets Your Web Application Target Any Device Anywhere"
But for some strange (!) reason I could not access it.

VIII. Then.....there is this paper:
Windows Mobile 5.0 Application Security Jason Fuller, Microsoft Corporation, May 2005
Summary: Every Windows Mobile–based device implements a set of security policies that determine whether an application is allowed to run and, if allowed, with what level of trust. To develop an application for a Windows Mobile–based device, you need to know what the security configuration of your device is. You also need to know how to sign your application with the appropriate certificate to allow the application to run (and to run with the needed level of trust). (9 printed pages)

Note This document describes the designed and intended functionality of the security model. This does not guarantee that a targeted malicious attack cannot compromise the intended security protections. The following security functionality is provided as is and is for informational purposes only. Microsoft makes no warranties, expressed, implied or statutory as to the performance of this functionality.

IX There is a section called [MS-RAIW]: Remote Administrative Interface: WINS Specification. A sub-topic of this is called Remote Administrative Interface: WINS protocol relies on RPC [MS-RPCE] as a transport. It is used to manage WINS service on servers that implement the Windows Internet Naming Service (WINS) Replication and Autodiscovery Protocol [MS-WINSRA].

X. And remember what I said about the service "Plug and Play"??? A service I would usually disable but since early on I am prohibited to do so???? Read the following straight from the MSDN (emphasis added):

Universal Plug and Play (UPnP) is a distributed, open networking architecture that enhances peer-to-peer network connectivity for personal computers, wireless devices, and other intelligent appliances. UPnP uses existing standard protocols, such as TCP/IP, Hypertext Transfer Protocol (HTTP), and Extensible Markup Language (XML) to seamlessly connect networked devices and to manage data transfer among connected devices.

[...]

UPnP provides an architectural framework for creating self-configuring, self-describing devices and services. Networks managed by UPnP require no setup by users or network administrators because UPnP supports automatic discovery.

UPnP enables a device to dynamically join a network, obtain an IP address, and convey its capabilities on request. Control points can use the UPnP application programming interface (API) to learn about the presence and capabilities of devices that are registered on the network. A device can leave a network smoothly and automatically when it is no longer in use.

UPnP uses no device drivers. It is media-independent and can be used on any operating system (OS). UPnP offers programmatic control to applications. UPnP enables developers to write their own user interfaces for devices, forgoing the vendor-provided interface.

Security Note: (thanks MS for making this section easily discoverable and with all implied risks outlned thoroughky!!!)
Because a UPnP service can potentially be remotely activated without authentication, it presents an area of vulnerability for a networked system. When UPnP services are deployed in a controlled environment, such as a home or business intranet where all the users are trusted, the risk of malicious attack is lessened.

XI. Another interesting quote:

The Remote API (RAPI)
The Windows CE Remote API is a specialized remote procedure call (RPC) facility. We call it a "remote procedure call" API because RAPI functions cause remote function calls on connected devices. It is "specialized" because you can only call a limited subset of device-side functions. Most RAPI functions provide access to a device's object store and device-side file systems. As we describe in Chapter 16, the object store is the permanently mounted RAM-based storage area that contains the built-in file system, the system registry, and property databases. This is not the only storage available, however, and RAPI also lets you access whatever installable file system is present to support removable Compact Flash cards, Smart Media cards, disk drives, etc. [Comment 21cs.49]

Remote API and .NET Remoting [Comment 21cs.50]
If you have worked with the desktop .NET Framework, you might have heard about .NET Remoting and be wondering about its relationship to the Remote API. Aside from similar names, these two technologies have nothing in common. [Comment 21cs.51]
The ability to access the object store means that a RAPI program can access any stored data. You can, for example, open a file and copy part of it – or all of it – from the device to the desktop. You could open the system registry and create new keys, or read and write values on existing keys. You have complete access to the property databases in the object store, so that you can create a database, delete a database, add or remove database records, and read or write individual property values. [Comment 21cs.52]
The Remote API is a set of functions that are exactly like the Win32 functions used to access files, registry entries, and CE databases. The only difference is that each of the functions has a slightly different name – a prefix of "Ce." For example, the Win32 function to open a file is CreateFile; its RAPI equivalent is CeCreateFile. Once a file is opened, you read a file's contents by calling CeReadFile, and close the file by calling CeCloseHandle. This is different from the approach we took to file access in Chapter 15, where we discuss using System.IO classes. And instead of ADO .NET classes, access to property databases is through a set of C-callable functions with names like CeCreateDatabase and CeWriteRecordProps. [Comment 21cs.53]
***I mentioned to Jacee earlier today that the RPC service (along with Plug and Play) have, since the beginning of this, been strictly off-limits to me...

XII. Quote on .Net Services 4/2009.NET Services Overview
Microsoft .NET Services is a set of Microsoft-built and hosted Windows Communication Foundation services for building Internet-enabled applications. .NET Services provides applications with a common infrastructure to name, discover, expose, secure, and orchestrate Web services.
In This Section

.NET Services is designed to significantly lower the entry barriers for new types of interconnected Internet-scale applications regardless of whether they are Web-based, they work through application-to-application federation, or they want to exploit the rich user experience and media capabilities of modern desktop environments. .NET Services consists of the following three services:

Service Bus The Service Bus provides a hosted, secure, and broadly accessible infrastructure for pervasive communication, large-scale event distribution, naming, and service publishing. The Service Bus provides connectivity options for service endpoint, providing connectivity options for service endpoints that would otherwise be difficult or impossible to reach. Endpoints can be located behind network address translation (NAT) boundaries, or bound to frequently changing, dynamically assigned IP addresses, or both.[...]
**I had a problem with the Serivce Bus looking for an audio driver just yesterday.
----------------------------------------

OK, I know that is alot (and there is so much more that directly correlates to things on my system), and you may have skimmed it, but I am telling you with absolute conviction, this is a schematic for what is happening to me -- at least in part. If you all put on your old hacker hats--the ones that made you really think out of the box about how to make something do what it was not intended to do (now in one's career in IT, they call that "problem solving"), you could conceive very easily of the potential for misuse....I read perhaps 60 pages from the MSDN, and the recipe for this all system and for what is happening to me jumped out Even if I had not seen so many of the protocols, methods, support platforms, and other unusual things on my system that one does not typically encounter

I have a little more to say (I have not said much actually, since everything above this is a quote), but I am going to post this now before I lose it--that is part of the paranoia I have been developing over the months.

Paul

Again I will say thank you to anyone who spends anytime reading this thread and providing feedback with the intention of solving my problem. Writing this from Linux LIVE. Windows is too hazardous at the moment.

Secondly, I wish to for the record say that while I have made a lot of jokes here and am not in the IT industry (but reconsidering it coincidentally) , but rather more of a severe hobbyist. Beginning in 1979 (I was 11-12?) with an Apple II and a 10 oz card which held Applesoft BASIC. I started there. Because BASIC only provided so much functionality, and there was nothing else except the manuals with that came with the Apple II, I taught myself Assembly at 11. I wasn't very proficient, but I could certainly soup a a program in BASIC on the Apple with a short subroutine that "poked" hex entries (in decimal form) into registers that consequently created a 15 to 30 line (i.e., "line" means 8 8-bit hex entries (it had the column on the right showing the mnemonic functions that show the "language" that was intended to be a level up from machine language, for those who are familiar) which created flashy output that BASIC could never produce.....

I got a job at 13 as a night administrator at a computer consulting firm doing maintenance from the console on a IBM 4300 mainframe computer. Through the end of high school (wherein I learned Pascal and was introduced to SQL), I continued to work at the same company after school and during the summer, programming in VSAM, DL/1, and PL/1-based COBOL, the debugging of which included learning to read memory dumps, which further required going through the 30-60 greenbar pages of hex that was thrown out and even further and most important, it required no small amount of keen (and accrued) insight as to how a computer processor accesses memory and when. In short, by high school, I had to understand core computer fundamentals, or how computers "think", better than many of the people who were even in the computer industry at the time (~1984-85)

I continued in college briefly learning LISP, FORTRAN, then started a semester in C programming, but by then I got a little bored with the idea of being a programmer (bad idea considering I only needed to wait about 8 years to make some good cash with those acquired skills). I went into heavy science intending on medical school, but like my posts here, I got a bit distracted. i graduated from UW-Madison with a B.S. and a (meager) History major (but was maybe 15 credits short of 4 other majors, so these days I usually say my major was "game show contestant"). After that, unsure of what I wanted to do, I took the LSATs and went to law school at Loyola in Chicago (exactly when I should have been coding the first HTML based web pages). I was and still am an attorney, having practiced in transactional Real Estate and Corporate law. I also have a patent license having passed the USPTO bar exam studying for 4 weeks when the recommended period for successful studying for this 28% passage-rate exam is 8 months. Law eventually burned me out about a 1.5 years ago (after billling 2600 hours/year for god knows how long), and since then I have seriously rediscovered my old love of computers. I had learned VBA while I was at the law firms so I could do excel spreadsheets quicker and more effectively than any secretary of mine... And in the last 12 months I have practiced law on the side, learning Perl and Python, and reacquainting myself with Unix/Linux. I am in a financial crunch now because as a miserable lawyer, I was very wealthy, but as a much happier person writing easier Perl scripts (before last February) for small businesses for added income, I am moderately poor. Without the huge law income, I was forced to cut back my expenses oh, I would say 500%. I sold my condo and my car, pawned my Rolex, and am now hoping to end this little early mid-life crisis by figuring out exactly where I would like to take my still developing IT skills.

Dmex: I agree with Jfar, your post was thorough, well thought-out, easily readable, and obviously, more believable, or perhaps I should say plausible in its rejection of my apparent conjecture regarding spooks in my laptop accessing via Bluetooth.

Nonetheless, as of this moment, more than anytime in the past 3.5 weeks since I found myself left with nothing else except bluetooth as a means of penetration (since I had exhausted my options to fix or block I would say 99% of every other possible means), I stand behind this postulation with firm conviction. Yes, it was a theory originally. But in the past month, after paying a bit more attention to my problem, reading about the Windows services I did not recognize, exploring certain corners of Windows I had not investigated before (like environment variables), and now, after spending an aggregate of approximately 8 hours reading MSDN, covering what I could in that time pertaining to .NET, Bluetooth, and the finer points of various MS Mobile platform implementations and their related APIs and the functionality among them, I stand firmer than ever of the concept. Bluetooth, at least as a initial means, is accessing my laptop from an AP, the signal originating from who knows where, and because I do not want it there restricting me as I have never been restricted before in windows (I never really investigated RPCsvc before Dmex, but in an earlier post, I asked which services of the ones I was prohibited from altering were already hardened in Windows, like grpsvc is), I take steps to change the situation, and that results in more reactions by my opponent, and then, of course still further actions, by me. There is a client-server relationship. There is synchronization taking place, there are dialog boxes at random times popping up in IE8 (when I happen to be in there) stating "Unsigned ActiveX scripts are not that harmful. Would you like to enable them?", I have existed with Vista and no gadgets/sidebar for a year on a laptop after deciding I did not want Sidebar to startup with Windows. Never had a problem after that. Now, everytime I restart, there is that Sidebar again. Why? Why the Windows Sidebar? Is this only coincidental that it also happens to be a mobile platform that could potentially enable or assist through scripting, a larger and more significant breach of my laptop? Why is Cyberlink Power2Go (nothing but audio related apps) installed on my system when I checked the web and determined that HP did not bundle that with the laptop. Is it just coincidental that audio drivers, or the Tablet service are both used with Bluetooth and Windows Mobile PC? Is it coincidence that Remote Differential Compression and RIP listener, again both potentially used with Mobile PC and Bluetooth, turned on as a Windows feature? Coincidence? How many coincidences before they start becoming possibilities?

Now I know that each of you altruistic individuals who have shown me generosity of time and knowledge over the past four months are not shrinks, but I offer that resume/bio only because I wish to impress upon you that I may not know the heaps and stacks and threads of windows processes, but I do understand computers....and like everyone here, I have used windows since it was a clumsy, jerry-rigged, mac/xerox imitation GUI, scotch-taped over DOS, where you were lucky if it didn't crash once an hour.

And with that knowledge, I may joke about going crazy (I still may be), and I do realize there are a lot of things one could do with the information found on MSDN, but I am hoping you will not write me off by saying that I am simply some nervous, hyperactive, paranoid, quasi-articulate computer layman, and therefore my speculations deserve no minimal consideration. I hope that maybe if you now know my background, in addition to coming up with very plausible rejections to my notions, you might give working backwards a chance and see if it is possible, as one alternative route, to perhaps suggest actions or steps I could take that would put my theory to rest based on the merits of those educated suggestions.

I am exhausted and could tell you so much more about what has happened today. I will post later to explain them, but I can only leave you with screenshots I was very lucky to get. Think out of the box please. Beyond the viruses/trojans/worms we all know and all somewhat comfortably understand through and including our understanding of the Conflicker family of worms (unless there has been something more novel and threatening that I missed in the news or on the boards).

Look at these screenshots. And again, I could say so many more things right now that might push (or pull) you over to my side, but I need to sleep. The only thing I will say is that when you look at these screenshots, keep in mind that every application, or service or component in windows that you can spot in these pictures--aside from a very few items--either came with a native Vista installation (or with the HP programs bundled with the laptop) or someone else put them there. Someone other than MS, HP, or myself.

Thank you for your understanding.

Paul