This is a Security issue, but more!!!

Page 2 of 13

  1. Posts : 57
    Windows 7
    Thread Starter
       #11

    Thank you guys...


    OK. I want to thank you for all of your answers... I have to say it is quite a relief to have some other minds working with me on this problem as I either end up talking to someone with a blank, glassy-eyed stare as they have no idea what I am talking about, or, if they do, they think I am on some psychotropic substance.

    But to the topic. I do not want to sound cocky, but this IS in fact some strange hijacking. Here are some stats. (A) Number of times installed Windows Vista (in the beginning): 2x. (B) # of times I have either wiped the HD and did a slow format and installed Windows 7 straight from the DVD which I burned from the MS image.....untouched from the download (i.e., Build 7000): 40 to 50 times. (C) # times I have reformatted my hard drive and installed Ubuntu, only to suffer similar problems with network funny-business (suddenly iwconfig was no longer recognized as a command, or suddenly, I have no wireless adapter.)

    I am attaching a number of other docs to this post, namely output from wininternals utilities. I have also included some other items. Please look at them... Some I understand, some I don't (not quite sure how handles work for instance). I will say, irrespective of my complete understanding of all of this output, after about 10 minutes of looking at this stuff, if you have been working with computers for anywhere over 5 years (and I am going on 20...in various areas), something just SMELLS. IT is undeniable. I do not know if this guy who is trying to ruin my life is doing this to several wireless PC's out there to build some sort of chained network of his own (if that makes sense), but given the amount of time he has had to have put into this endeavor, it would seem it has gone beyond a simple revenge for my intrusion into a network to use the net.


    Docs attached:

    -A VMMAP (sysinternals) report on a service called WmiPrvSE (always in my task manager)
    -Another VMMap of services.exe--a common process in taskmanager, but this one that is particularly important to this guy. If I lower the priority (or kill it of course), he shuts down my system (but the system is still on, if you know what I mean, i.e. lights are on --screen is dead). Also, Services.exe has about 10-15 svchost processes running immediately after I login after installation. This cannot be right.
    -Pipelist (from sysinternals as well)
    -AccessEnum (sysinternals).... OK, look at this. Why are there so many network based processes on here? Why is trustedinstaller everywhere????? [FYI, in the registry where all of these ISATAP and other adapters exist, I have modified them so they will not work (did not touch my wireless adapter), made my Administrator the sole owner of these keys, and made user "SERVICE" (i.e., TrustedInstaller) a user with all privs denied. I actually was able to use my PC for about 4 hours after this!!!!]
    --autorunsc (wininternals)
    Also very strange.
    --Accesschk (wininternals) -f -t -s (file is called perm.txt) (I think those were the switches) on drive c: Please tell me this does not look crazy.... This is my f&*!inG LAPTOP!!!!

    --Lastly, I am sending a copy of HKLM. It also seems unusual, although I will admit, the registry and me are only good friends, not intimate in any way :) .

    I really think the only way I am able to install win 7 is to find a hospital or lead-lined room where there is no RF or WIFI. Then install a firewall to keep this guy's UDP packets from hitting my adapter. And yes, my adapters are all on. PLUS two ISATAP, TEREDO, SSDP, and a bunch of others... I will try to send a screenshot of my device manager tomorrow (it is loaded with "unknown devices" and numerous other devices when one shows "hidden devices" from the menu).

    Thanks again guys.... I owe you big.... I am about to use this fine 1.5 year old dual core HP as a paperweight....because after 3 different OS installations in locations all over Chicago, I still cannot use my PC as I am accustomed.

    Paul


  2. Posts : 2,899
    Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
       #12

    i cut this in pieces so that it makes it easier to answer

    pjvex386 said:
    OK. I want to thank you for all of your answers... I have to say it is quite a relief to have some other minds working with me on this problem as I either end up talking to someone with a blank, glassy-eyed stare as they have no idea what I am talking about, or, if they do, they think I am on some psychotropic substance.
    there's a lot of these snobbish people thinking that you are paranoid...
    trust me, I've seen them in action in my schools and in some places of business

    But to the topic. I do not want to sound cocky, but this IS in fact some strange hijacking. Here are some stats. (A) Number of times installed Windows Vista (in the beginning): 2x. (B) # of times I have either wiped the HD and did a slow format and installed Windows 7 straight from the DVD which I burned from the MS image.....untouched from the download (i.e., Build 7000): 40 to 50 times. (C) # times I have reformatted my hard drive and installed Ubuntu, only to suffer similar problems with network funny-business (suddenly iwconfig was no longer recognized as a command, or suddenly, I have no wireless adapter.)
    the ubuntu problem seems more likely to be either your password (an easy-to-guess password would be obvious; the same password used frequently, or not even having a password, also counts) or you are using a very weak WPA password or a WEP key...(never use WEP if you can use WPA2)
    as for the adapter disappearing, we can make sure it's not someone changing things in your computer by using a completely different password (that no-one can guess)
    if this is still happening in ubuntu then we can be almost positive this might be a hardware problem (as ubuntu and Windows are completely different OSes and the only things they would have in common would be passwords and hardware....)
    also make sure no-one has access to your machine between the time you changed the password (and i mean no-one...) but you, so we can check off that it is not a remote attack


    I am attaching a number of other docs to this post, namely output from wininternals utilities. I have also included some other items. Please look at them... Some I understand, some I don't (not quite sure how handles work for instance). I will say, irrespective of my complete understanding of all of this output, after about 10 minutes of looking at this stuff, if you have been working with computers for anywhere over 5 years (and I am going on 20...in various areas), something just SMELLS. IT is undeniable. I do not know if this guy who is trying to ruin my life is doing this to several wireless PC's out there to build some sort of chained network of his own (if that makes sense), but given the amount of time he has had to have put into this endeavor, it would seem it has gone beyond a simple revenge for my intrusion into a network to use the net.

    Docs attached:

    -A VMMAP (sysinternals) report on a service called WmiPrvSE (always in my task manager)
    -Another VMMap of services.exe--a common process in taskmanager, but this one that is particularly important to this guy. If I lower the priority (or kill it of course), he shuts down my system (but the system is still on, if you know what I mean, i.e. lights are on --screen is dead). Also, Services.exe has about 10-15 svchost processes running immediately after I login after installation. This cannot be right.
    -Pipelist (from sysinternals as well)
    -AccessEnum (sysinternals).... OK, look at this. Why are there so many network based processes on here? Why is trustedinstaller everywhere????? [FYI, in the registry where all of these ISATAP and other adapters exist, I have modified them so they will not work (did not touch my wireless adapter), made my Administrator the sole owner of these keys, and made user "SERVICE" (i.e., TrustedInstaller) a user with all privs denied. I actually was able to use my PC for about 4 hours after this!!!!]
    --autorunsc (wininternals)
    Also very strange.
    --Accesschk (wininternals) -f -t -s (file is called perm.txt) (I think those were the switches) on drive c: Please tell me this does not look crazy.... This is my f&*!inG LAPTOP!!!!
    as for the svchosts, yeah, they are supposed to be there
    what would be unusual would be if they are running from another location other than the default, which is "C:\Windows\System32\svchost.exe"
    also check in (if you are in windows)
    now the trustedinstaller is there for a reason: so that users do not mess up the computer, by not giving access to core components (such as special OS keys and kernel components [stuff that, if it's modified, can break your computer] that only windows updates should be accessing and modifying)
    this should simplify what this means
    Wiki said:
    Windows File Protection worked by registering for notification of file changes in Winlogon. If any changes were detected to a protected system file, the modified file was restored from a cached copy located in a compressed folder at %WinDir%\System32\dllcache. Windows Resource Protection works by setting discretionary access control lists (DACLs) and access control lists (ACLs) defined for protected resources. Permission for full access to modify WRP-protected resources is restricted to the processes using the Windows Modules Installer service (TrustedInstaller.exe). Administrators no longer have full rights to system files. Protected resources can be modified or replaced only if administrators take ownership of the resource and add the appropriate Access Control Entries (ACEs).
    Windows Resource Protection - Wikipedia, the free encyclopedia
    System File Checker - Wikipedia, the free encyclopedia
    the machine is simply protecting itself from what it thinks is an attack, as such actions are not usually needed for normal operation of a machine

    as for the teredo adapters they are installed for use of IPv6 (which i admit is not useful yet) but as long as you make sure that you read this as this will explain some of the network technologies vista brought (and that xp had to some extent)
    Windows Vista networking technologies - Wikipedia, the free encyclopedia
    and IPv6
    IPv6 - Wikipedia, the free encyclopedia
    what you need to know is that networking is now carried out a little differently compared to xp


    --Lastly, I am sending a copy of HKLM. It also seems unusual, although I will admit, the registry and me are only good friends, not intimate in any way :) .

    I really think the only way I am able to install win 7 is to find a hospital or lead-lined room where there is no RF or WIFI. Then install a firewall to keep this guy's UDP packets from hitting my adapter. And yes, my adapters are all on. PLUS two ISATAP, TEREDO, SSDP, and a bunch of others... I will try to send a screenshot of my device manager tomorrow (it is loaded with "unknown devices" and numerous other devices when one shows "hidden devices" from the menu).

    Thanks again guys.... I owe you big.... I am about to use this fine 1.5 year old dual core HP as a paperweight....because after 3 different OS installations in locations all over Chicago, I still cannot use my PC as I am accustomed.

    Paul
    please make sure that instead of deleting these keys and uninstalling these devices you disable them
    this should be good: How to Disable TCP/IPv6 Teredo Tunneling in Vista » My Digital Life
    one thing you can do is to delete all your backups and start completely fresh (i mean completely....) use ubuntu to delete anything you can download from the net fresh and clean...
    since what i'm thinking is that some of your files might be infected with malware...
    please make sure you do one more reinstall of windows
    make sure your router is using WPA or WPA2 to broadcast your network (use a very strong password)
    same with the windows password
    never have your computer running without a password
    also for a period of time do not let anyone access the router (a week should be enough) except you, to make sure that someone was not using your router and your Access point as a point of attack....
    install any updates (include any drivers too)
    download avast and have it running...
    of course have a firewall and have that running too...
    make sure that *any* apps are downloaded from
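    The check darkassain describes above (svchost.exe instances are normal, but only when they run from C:\Windows\System32 and are started by services.exe) can be automated. The following PowerShell script is an added example written for this page, not code from the thread or from any tool it mentions; it assumes an elevated PowerShell 3.0 or later session, since unprivileged sessions cannot read the image path of other users' processes.

```powershell
# Added example: audit every running svchost.exe and flag anything that does not
# look like the stock Windows service host. Assumes an elevated PowerShell 3.0+.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Snapshot all processes once, keyed by PID, so parent lookups are a hash hit.
$all = @{}
foreach ($proc in Get-CimInstance Win32_Process) { $all[$proc.ProcessId] = $proc }

$report = foreach ($p in ($all.Values | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent = $all[$p.ParentProcessId]       # $null if the parent has already exited
    $path   = $p.ExecutablePath              # $null when the process is not readable

    # Caveat: on older Windows releases system binaries are catalog-signed and may
    # report NotSigned here, so the path and parent checks are the primary signals.
    $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

    $flags = @()
    if (-not $path) {
        $flags += 'image path not readable (run elevated)'
    } elseif ($path -ine $expected) {
        $flags += "unexpected image path: $path"
    }
    if ($parent -and $parent.Name -ine 'services.exe') {
        $flags += "parent is $($parent.Name) (PID $($parent.ProcessId)), not services.exe"
    }
    if ($sig -ne 'Valid') {
        $flags += "signature status $sig"
    }

    [pscustomobject]@{
        PID       = $p.ProcessId
        ParentPID = $p.ParentProcessId
        Path      = $path
        Signature = $sig
        Verdict   = if ($flags) { $flags -join '; ' } else { 'ok' }
    }
}

$report | Format-Table -AutoSize
$flagged = @($report | Where-Object { $_.Verdict -ne 'ok' })
"{0} svchost.exe instances, {1} flagged" -f @($report).Count, $flagged.Count
```

    The number of instances alone is not a signal; what matters is the path each one runs from and which process spawned it.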


  3. Posts : 20
    Windows7
       #13

    run a scan with malwarebytes and check if your system is running properly in safe mode


  4. Posts : 1,360
    win7 ultimate / virtual box
       #14

    darkassain said:
    since what im thinking is that some of your files might be infected with a malware...
    viewing from a distance this sounds the most likely to me

    nobody is going to sit at a computer with a remote connection waiting for that very moment that your connection appears in order to exploit it

    many ppl have used malware/trojans to place exe's that send echo requests to remote computers that will activate as soon as a network connection is made

    this can only mean that the trigger is on your computer and somewhere in YOUR files


  5. Posts : 4,364
    Windows 11 21H2 Current build
       #15

    Well, no one is going to sit at a computer and keep doing it - but there are *plenty* of bots that will sit there and keep trying over and over again.

    However, I think there is something else related here. I think it is hardware still - or a rootkit.


  6. Posts : 57
    Windows 7
    Thread Starter
       #16

    Again thank you guys for all your help. Dark, ickymay, etc. You all have valid points. I am losing my mind, my money, and my career (practically) because of this dilemma.

    I am not going to say anything much.....except, you cannot realize how f*cked up my situation is and WEIRD.

    Get this.... After complaining to everyone--including to you guys on this board, I decided to be a man, and well, I just wanted to get rid of what I know was the problem as originally described..(i.e., someone is hijacking my system -- whether I wipe the drive, and re-install W7, or zero it out with 8 passes--it doesn't matter. Same problem.). So, I opened it up and took out the wireless NIC. Thought my life would be fine..

    Guess what....NOTHING HAS CHANGED!!!!!! Well, it is easier to be quicker than this guy and get to stuff and disable it because the RF/wireless card was a big help to him....but although it defies the law of physics. Someone is accessing my computer which does not have wireless capability on some other protocol.....

    to prove this (I hope). I am attaching the output of several sysinternals utilities. The environment I ran them in was a wiped disk, then booted to the PE recovery mode. with the x: prompt.... So windows is not fully installed, and the rest of the drive is clean clean clean....

    But--I think NOW I know the solution. As ickymay suggested, it is a trojan (it is actually a P2P Worm). But as this guy is a very very very sophisticated individual, the worm is on protected storage.... So this means I have to do a low level format.

    But I want to wait to hear your responses before I do this because, if you are thinking like I am......this is pretty significant to Microsoft if someone can do this.... meaning.....someone can, through various protocols, access and take-over my PC.....and what's more dangerous is that even if the wireless NIC is removed, it may improve your situation, but it does not eliminate it.

    Talk to me... I think I should write an article on this or something.... I could tell you more but I am at a public PC cafe and I can no longer afford it because I cannot work because I cannot get my laptop to function with wireless nor have complete control over it. I am not lying.


  7. Posts : 2,899
    Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
       #17

    pjvex386 said:
    Again thank you guys for all your help. Dark, ickymay, etc. You all have valid points. I am losing my mind, my money, and my career (practically) because of this dilemma.

    I am not going to say anything much.....except, you cannot realize how f*cked up my situation is and WEIRD.

    Get this.... After complaining to everyone--including to you guys on this board, I decided to be a man, and well, I just wanted to get rid of what I know was the problem as originally described..(i.e., someone is hijacking my system -- whether I wipe the drive, and re-install W7, or zero it out with 8 passes--it doesn't matter. Same problem.). So, I opened it up and took out the wireless NIC. Thought my life would be fine..

    Guess what....NOTHING HAS CHANGED!!!!!! Well, it is easier to be quicker than this guy and get to stuff and disable it because the RF/wireless card was a big help to him....but although it defies the law of physics. Someone is accessing my computer which does not have wireless capability on some other protocol.....

    to prove this (I hope). I am attaching the output of several sysinternals utilities. The environment I ran them in was a wiped disk, then booted to the PE recovery mode. with the x: prompt.... So windows is not fully installed, and the rest of the drive is clean clean clean....

    But--I think NOW I know the solution. As ickymay suggested, it is a trojan (it is actually a P2P Worm). But as this guy is a very very very sophisticated individual, the worm is on protected storage.... So this means I have to do a low level format.

    But I want to wait to hear your responses before I do this because, if you are thinking like I am......this is pretty significant to Microsoft if someone can do this.... meaning.....someone can, through various protocols, access and take-over my PC.....and what's more dangerous is that even if the wireless NIC is removed, it may improve your situation, but it does not eliminate it.

    Talk to me... I think I should write an article on this or something.... I could tell you more but I am at a public PC cafe and I can no longer afford it because I cannot work because I cannot get my laptop to function with wireless nor have complete control over it. I am not lying.
    ok hold on, did you read what the other posters have posted?
    also did you actually physically remove the Wireless nic or just disable it...
    man i would love getting my hands on this laptop...
    i just want to see how he's getting into your machine...
    like i said, have you changed your passwords in safe mode?
    and make it very hard to guess...
    how do you check if your password is good enough, you ask?
    my favorite site is here
    Strength Test
    while i also advise this site, it does not like my passwords http://www.passwordmeter.com/ (most likely because they won't fit... on the first i got overkill...
    Length: 60
    Strength: Very Strong - More often than not, this level of security is overkill.
    Entropy: 156.7 bits
    Charset Size: 62 characters)
    Last edited by darkassain; 19 Mar 2009 at 00:34.


  8. Posts : 1,360
    win7 ultimate / virtual box
       #18

    pjvex386 said:
    I decided to be a man, and well, I just wanted to get rid of what I know was the problem as originally described..(i.e., someone is hijacking my system -- whether I wipe the drive, and re-install W7, or zero it out with 8 passes--it doesn't matter. Same problem.). So, I opened it up and took out the wireless NIC. Thought my life would be fine..

    Guess what....NOTHING HAS CHANGED!!!!!! Well, it is easier to be quicker than this guy and get to stuff and disable it because the RF/wireless card was a big help to him....but although it defies the law of physics. Someone is accessing my computer which does not have wireless capability on some other protocol......
    If I didn't know better this sounds like a piece of hardware on your system designed specifically for remote access, similar to what the Dell DRAC5 Remote Management Card does

    now I know they have equivalent devices for laptop's so can I ask where did you get the laptop and was it from a corporate entity that might have used or have use for such a device ?

    does your laptop have an embedded remote access controller , on the dell 2650 this is known as ERA and dell says "ERA is an embedded controller with its own microprocessor and memory that uses a proprietary bus and is powered by the system in which it is installed."

    their website talks about it here

    now is it possible you are experiencing legitimate or possibly illegal use of this device

    if you do have this device (which operates independently of any OS) maybe you just need to reconfigure it :)


  9. Posts : 1,360
    win7 ultimate / virtual box
       #19

    pjvex386 said:
    First my specs:
    Dell HP Pavilion 2212
    Dual Core 1.6GHz
    I cannot find anywhere that lists your laptop

    theres a 2212 opteron chip that HP use but no laptop listed on dell or HP's site with the name you quote

    do you have the actual name of this machine or am i missing something


  10. Posts : 57
    Windows 7
    Thread Starter
       #20

    forgot a few things


    Sorry.

    First to Ickyman, I was not thinking or something, but my laptop is an HP Pavilion dv200 laptop (specific sub-model is an HP 2210us), so let's start with that for purposes of clarity.

    Second.... I was not paying attention to the upload requirements, and about six of the files had extensions "not permitted". So I will either convert them to .pdf, or if they are formatted to read by one of the WinsysinternalsSuite utilities, I will try to export it in some format that is allowed.

    And, to darkassain, or anyone else for that matter, I would be more than happy to allow one of you guys to SSH or tunnel to my laptop (if my intruder friend allows it that is), and while on the phone with you, you can do whatever you want.

    I can tell you a few things from memory (since this has consumed my energy for so long)... First the services he will not let me have access to under any conditions are RPC, RPC End Mapper, Plug N Play, DCOM Server, and Group Policy Client (in other words, in Properties, everything on every tab is greyed out).

    Further, I am attaching a few screenshots. Two .jpegs are of the device manager screen. In both "DeviceMan I.jpg" and "DeviceMan II.jpg" I tried to annotate it with MS-Paint (didn't want to try to complicate things by putting them in photoshop) so I can explain what I think about them. Keep in mind, I may not know what the hell I am talking about.

    In Deviceman I, Item "1" shows two HID devices that seem somehow unneeded and yet always there. Items "2" and "3" are almost certainly being used -- I cannot say why, I just know in the past when I disabled them, I would get "spanked" somehow (for example, I often play MP3s through itunes -- never had a problem-- BUT after disabling one or both of these devices, my audio would be gone and nothing I did (reload drivers, or rebooting) would correct the problem (but then... after 2 or 3 hours I would start the laptop and everything was fine.) [Note: maybe this is somebody my dad hired to teach me discipline,the value of a dollar, and the evils of rock and roll]

    Item "4" in DeviceMan I.jpg shows all the protocols available (after checking "Show Hidden Devices").

    In DeviceMan II.jpg, Items "A" and "B" are somehow important to his process. Item "C" is one of the strange "unknown device" entries.

    Now Item "D" requires a little extra info. As I mentioned in my last post, I pulled out my wireless NIC (and I pulled the whole card out, I did not just disconnect the leads). Things worked ok, but it seemed to really make him mad, and he did what he could to stop his significant loss of control... eventually after causing the PC to stop (with lights on, screen black), and I restarted it, I could not get any Wireless connection. [Note: One trick I know he employs when I get too close or aggressive in stopping processes or services or deleting/modifying registry keys (which in each case were done based on educated guesses), my system would stop as mentioned above, then when I would reboot, a recovery dialog box for Startup Repair would come up suggesting the usual. I would skip this, and whether I was booting to Windows proper, or ANY safe mode, or even "Last Known Good Configuration", I would get a blue screen and a dump. Being skeptical, I would boot from my installation disk, make the choice myself to go to Advanced Repairs, run Startup repair, and 10 seconds later, I get a message essentially telling me I was a moron because there was nothing wrong with my startup. I would check the report, and sure enough, every test that was run would be successful. Now if I let the first Startup Repair run on a whim, it would take 10 minutes or more, then tell me either Windows could not repair the problem (diagnostic report would still say all was fine), OR the "startup repair" tool (which I suspect is a bit of hacker/cracker legerdemain) would scan other peripheral HDs and say that I had to restore certain files from them! This was confusing... but a few days later I went to the USB HD drive in question (the 500GB WD "MY BOOK") and at a prompt looked at the directory with "DIR" and switch /a, which you all may know shows hidden files... Let's just say I thought I was looking at a virtual copy of %windir%/system32.
So I think he was trying to be efficient and use my drive to transfer files he needed from it rather than upload them via whatever alien net protocol he would use (and we know for instance that Teredo is pretty slow).

    I say all of this because, to my surprise (although it is a very hesitant and wary surprise), I am sending this from the laptop in question. Why this is possible is because of this theory of mine. Today, I was desperate and really needed to get on the net (there is an open network that I can get on), and I was going to take a chance and reinstall the wireless NIC, then install Win-7, and pray that my "new dad" would let me use the car to go to slashdot.com or someplace similar. Before I began, I thought: Why not start with a little advantage, and install the OS first, then reinstall the Wireless NIC. I did this, and while his presence is still evident in the taskmanager and in services (the grayed ones), and elsewhere, he seems to be a little calmer and not quite so abusive in usurping my PC. However...I have one other farfetched theory as to why this may be happening.... Yesterday -- before I reinstalled the NIC and WIN7, I booted up with a LIVE ubuntu CD, and put in a flash drive on which I had saved a low level formatting tool. I was simply doing this to confirm it was there and that the application was saved in such a way to make the flash drive bootable. Well, when in Linux, he actually deleted the files for this utility!!! So I had to go back to my local internet cafe and get another copy. But, methinks he may know I have found his secret and rather than be pushy and restrict me from whatever he wants, he is playing nice, using my system for whatever he's using it for and allowing me to do what I need to do with very little interference.... It's like we made up and suddenly he has decided after all that perhaps he and I can live happily together on my laptop.....rather than risking my format and him losing all access to my laptop. I know this sounds so damn strange, but it is happening, I can assure you.

    OK. I am signing off... but one more thing, I do not know if this site limits the number of files I can upload, but I have 4 more that I have repeatedly tried to upload and have been unable. Since I have been living with this "Gremlin" paranoia.... [e.g., the other day the Send button on my cell phone didn't work, and immediately a reflexive wave of fear overcame me as I thought "My god, he has gotten into my cell phone too!!!"] I might need to go on Zoloft for a few months after this ordeal is over so I stop thinking I am being tracked and surveilled by Ashcroft, a radical NSA program, or perhaps Ewoks.

    Thanks again... I hope this all results in something interesting.... because I have really been ridiculed over it all....(the other day I told someone at Best Buy's Geek Squad (I know the futility of this but I thought I would ask their top windows guy what he thought). Know what he said? When I said I removed the wireless NIC and was still having intrusion problems, he laughed at me and told me I needed a priest, not a service professional from their "esteemed" group of crack technicians. Well, what the ol' Squad lacks in skill, they at least make up in a glib sense of humor.....

