Windows 7 Forums
Windows 7: This is a Security issue, but more!!!

18 May 2009   #111
pjvex386

 

Here is a screenshot in Linux, where I know he is in addition to Windows. To anyone with strong Linux skills who knows precisely what "ps a" was designed as a command to show the user, tell me what it is, in fact, showing us?

I can get around in Linux but do not have the same knowledge that I have in Windows. The man page for ps states the following (for option/switch "a"), which is too confusing for me:

a - Lift the BSD-style "only yourself" restriction, which is imposed upon the set of all processes when some BSD-style (without "-") options are used or when the ps personality setting is BSD-like. The set of processes selected in this manner is in addition to the set of processes selected by other means. An alternate description is that this option causes ps to list all processes with a terminal (tty), or to list all processes when used together with the x option.


Note in the screenshot that the X11 process is the only one that has a timestamp -- good evidence running to the possibility that it is from another machine. And X11 is a terminal emulator. I did not want to describe anything I didn't know, so I pasted this from a Linux site.
Glossary: The X Window System was specifically designed to allow the graphical output of a program running on one machine to appear on a different machine, possibly one that is physically remote and/or a different make and architecture. In other words, X11 was designed to be a platform-independent, networked graphics framework.


In X11 parlance, the "display" denotes the box on which the graphical output will appear. Interestingly, an individual display is defined by the X11 documentation as having exactly one keyboard and one pointer (i.e., mouse), but potentially multiple CPUs, monitors, etc.


The "screen" corresponds to the actual physical display device; in most cases this will be a monitor. X11 allows for an arbitrary number of screens to be connected to each display. Think of a workstation with two monitors or a departmental server, connected to a larger number of (relatively dumb) X terminals.
Jacee: Until I get back into Windows, this is the best evidence I have of another machine networked to mine. I hope to get back in soon... I do not know if I want to reinstall everything on a clean drive or just install 7 (which still keeps the old system on the root, correct?). I have used this particular installation for a few days now and I would like to retrieve some things from it.

Also, I want to tell of at least one added observation I had in the course of the last 12 hours. While in Linux (or at some other time, but based on what I will describe shortly, the time requirements must have been such that I had to have the laptop on and not be in Windows, and it is not too frequent that I am in Linux for the several hours I was last night reading from MSDN.

When I left Linux and tried to start Windows, I found that I came to a black screen about 10 seconds after BIOS. I was surprised also that no function keys except F10 worked during the BIOS startup, UNLESS I entered BIOS using F10, loaded default settings, saved them, and came back out to restart. Then I could use function keys--one of which is a shortcut menu to modify the boot sequence--so I could force the PC to go to the CD, since the CD/DVD drive, which had a bootable CD in it, was not being accessed although it has long since been ordered to boot from floppy, CD, USB, then HD. The floppy had been disabled (I don't have one, but it is just an observation) as well.

When I finally got to the Windows 7 PE environment, I opened Notepad to look around at the volumes. My Recovery partition, which is to restore my system to factory settings and image, had been decimated and moved. Well, it was copied. There were four log files in the Windows directory of the now mostly empty Recovery directory. They showed that a script had run to move certain Windows elements to another volume which had been assigned the letter D. Anything else was deleted. Also, there was another log file that had about 30 lines showing "PRELOAD BASEX.wim" where X was sequentially numbered starting from 1. So this explained to me how he is always there before me ready to go. He has all of his functionality which I do not have before I even log in to Windows. Now here is one coincidence that is very unfortunate: I immediately thought to grab those log files. But I was in PE, and I think I mentioned that my WD backup drive--usually always connected--is not working right now. If memory serves, USB flash drives were always recognized in PE, but today I could not get one to show up. I even used a new one which I had been saving for the day that I was rid of this problem, so that if I needed a flash drive I would have a clean one available. But I could do nothing. I do not know how to burn a CD from the command line -- nor if it is even possible from PE, but I would have done that. I was stuck looking at the best evidence yet of the existence of something that showed more than a typical virus' sense of purpose, and I could not copy it or move it to post it here. Sorry. I hope this type of thing never happens again, or I surely will go crazy. During this I had the dreadful thought that even if I actually met Baarod for his help, my laptop would somehow seem as if nothing out of the ordinary was taking place.
But I do not think that will happen as there have been far more times when I have not had any problems taking a screenshot, pasting it into Paint, then saving it to a flash drive for safe-keeping...

Another point I confirmed was when I was in Linux today, I did a command which shows active and running hardware. One line in particular caught my eye. It said "Kernel, time since start=22:10". Which means the CPU had been with power for 22 hours. This is twice now I have observed in either Windows or Linux, that my PC has been "on" or, with power, far longer than I have realized.

Yesterday, prior to my reading MSDN, I left my house with my laptop and took a walk. I was hoping to avoid going to find another PC to create a bootable AV CD as I intended originally. I thought if I changed location and kept moving, perhaps I could boot the PC and burn an image quickly.

While I was walking, at least three times I powered down the laptop using my usual routine of taking the battery out and holding down the power button for 15-30 seconds (approx.). I know now that this is far too short a period to completely discharge the motherboard. 22 hours earlier I had put the battery back in the notebook because I decided that I would leave it out while I slept last night -- for all of 3 hours -- which was not enough for me, but enough to apparently discharge the notebook completely. I will have to check specs on HP's website, but I wonder how long the notebook can hold power without the battery.... I had suggested in an earlier post that this might be half of the confusion....he always seems to be in there (my laptop) -- and he survives the swapping of hard drives (maybe), because he rarely needs to leave since there is power....

The notebook never completely loses power unless the battery is removed for a minimum period. And right now, my only evidence as to this information is that 3 hours is enough time but I wish I knew a shortcut to discharging it a bit more quickly.

Paul

and good night




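Since the question of what "ps a" actually selects is raised above, here is an added shell example (not from the thread or any poster) that expresses the man page's two selection sets, processes with a controlling terminal versus all processes, using portable `ps -o` output, and prints the X server's line so its TIME column can be read as cumulative CPU time rather than a clock timestamp. It assumes a procps-style `ps` on Linux.

```shell
#!/bin/sh
# Added example, not code from the thread: what the BSD-style "a" and
# "x" selectors of ps select, written with "-o" format so the two sets
# can be counted and compared on any Linux box with procps-style ps.

# Processes that have a controlling terminal. This is the set "ps a"
# lists; ps prints "?" in the TTY column for processes without one.
count_with_tty() {
    ps -eo tty= | awk '$1 != "?"' | wc -l | tr -d ' '
}

# Every process on the system, tty or not: the set "ps ax" lists.
count_all() {
    ps -eo pid= | wc -l | tr -d ' '
}

# The X server's line, if one is running: PID, TTY, TIME and command.
# TIME is cumulative CPU time consumed, not the time the process started,
# so the server usually shows a non-zero value where idle daemons do not.
# Matching on the basename of the command avoids matching this pipeline.
x_server_line() {
    ps -eo pid=,tty=,time=,args= | awk '{
        cmd = $4; sub(/.*\//, "", cmd)
        if (cmd == "X" || cmd == "Xorg") print
    }'
}

# Usage: the "ax" set is always at least as large as the "a" set.
echo "with tty: $(count_with_tty)  all: $(count_all)"
x_server_line
```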
18 May 2009   #112
compussrnj

Windows 7, Windows XP SP3 x86
 
 

pjvex386,

I've been following your thread for a while now, and I'm really wondering if you read my post a page or so ago. I'm certain this will be sufficient to rid your infection.

When you booted into the Linux live-cd (which is write protected so it operates from memory only), the possibility of you being infected is probably less than 1%. The reason being, as stated above, the live-cd runs in your CPU/RAM only. It doesn't touch your disk. You could remove all hard drives in their entirety, and still boot the live cd, and use it. The only possible way any infection that is using advanced techniques such as infecting your recovery partition, bios, or GPU, could possibly compromise the linux distro running entirely in ram, is if it was memory resident, and had the capability to realtime patch data in your memory, on windows, and all linux flavors. This would be VERY complicated to do as each operating system stores data in different areas of memory. The attacker would need to be intimate with your specific hardware, and bios. The possibility of this is extremely low.


I suggest you read my previous post, follow all the steps, and enjoy your clean windows machine.

Good luck!


*EDIT*

The screenshot you supplied looks fine!
18 May 2009   #113
jfar

Vista Ult64, Win7600
 
 

Quote: Originally Posted by compussrnj (post #112 above, quoted in full)
I'd say you have two chances of that happening. This man does not do anything that he is asked to do; he just goes on and on trying to convince everybody that he is telling the truth, and just seems to ignore everyone's requests to do certain things that may help him.
18 May 2009   #114
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1

I agree with jfar ...all apparent good help has been ignored. So either pjvex386 is conducting his own experiments or is just missing the boat completely.
18 May 2009   #115
torrentg

7600.20510 x86

I concur and think he is doing this for his own amusement. When the admin verifies as a "freak thread", it does add an lol factor.
18 May 2009   #116
compussrnj

Windows 7, Windows XP SP3 x86

Yes, I agree, this must be a lonely troll doing it for kicks. If that's the case (which I'm almost certain), I hope he has a nasty run-in with Parite.
18 May 2009   #117
Lordbob75

Windows 7 Ultimate x64, Mint 9

Hey pjvex386,

I have two suggestions for you:
One, go buy a BRAND NEW HDD and destroy the old one (or nuke it with Boot and Nuke).
Two, go buy a LEGAL copy of WINDOWS (any one) from a damn STORE! Get a LEGIT CD key, and INSTALL IT FRESH. Then, go BUY a ROUTER from a STORE, and SIGN UP for an ISP service and get a MODEM. BUY an AV/FIREWALL and INSTALL it FIRST thing after installing your LEGAL copy of Windows, WHILE YOU ARE NOT CONNECTED TO THE INTERNET.

If this DOES NOT solve it, then you should ACTUALLY DO IT, and stop being so paranoid.

~Lordbob
18 May 2009   #118
lokiundergod

Windows 7 64-bit

Quote: Originally Posted by Lordbob75
Hey pjvex386,

I have two suggestions for you:
One, go buy a BRAND NEW HDD and destroy the old one (or nuke it with Boot and Nuke).


~Lordbob
If you read through the thread carefully, you'll see that a new HD was already purchased to replace the original.

In reply to the ps command: a quick search reveals that it lists what processes are currently running; the -A switch, like ls -a, lists all processes, while the lower case "-a" switch lists info on the most requested processes.

Would you have been doing this around 10 pm, by any chance?
19 May 2009   #119
johngalt

 

Correct - however, if you're running a version of Linux that has a GUI of any kind running, you can pretty much bet that there is going to be an X process running, on top of which your DM of choice will run, right?

So how is that X call unusual? The only way I can see it being unusual is if you're running a strictly command line client that never calls X to start.
19 May 2009   #120
Legand

Windows 7 x86

What an interesting read. I would have to concur with the last few posts and the Admin's conclusive findings on this one.

May I suggest turning down the transmit power on your wifi router or bluetooth, as you say you took a walk and say this little man is still in there hacking you. I think the power may be at such a level that it's frying something other than eggs.