16 Apr 2009   #51
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Ooh man!
You can try to clean up that flash drive, or smash it and throw it away. They aren't that expensive any more.

Flash_Disinfector link

Next, turn off the Autorun feature in Windows

*** Note: Be sure to insert your flash drive before you begin!

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete it; it will help protect your drives from future infection.

PS ... my antivirus was claiming that a virus wanted access to my computer when I clicked on the disinfector link. It's a direct download, and it's safe!

01 May 2009   #52

Updates! Jaycee and the kind lot of you please read...

If you have been following our story....
Last week you may remember, Flash Gordon and Dale Arden saved the Earth from destruction by shooting a rocket at a planet which threatened to collide with it. They became marooned; the Emperor, Ming the Merciless, ordered Flash killed..... that is another story.... but if you have been following my story, I apologize for the lack of a response. My personal/financial life has been under some duress (and while I certainly cannot blame my new so-called "imaginary friend" who lives in my laptop (and moved to my new laptop because my idiocy (see my last post) answered that old question "did your mother have any children that lived?" with a resounding NO.

Well, it has been 28 days with my brand new HP dv4 1225 dx laptop (specs: AMD 64x Turion X2, 4 GB DDR). I still have my WD 500GB drive, which has been the only thing that has prevented me from going insane because I am allowed to keep some work product on this drive.

But I have a revelation for you all. Remember how so many would scoff at my idea that there was access to my laptop if I turned the wireless switch off--and I went so far as to remove the wireless NIC--and to my surprise, and everyone else's disbelief (save this board), he (the perp who is in control of this virus/trojan, and therefore 100% in control of my laptop) still had a very noticeable dynamic presence. I was stumped -- and just about considered psychiatric help.

But now...after reading and researching and dealing with my own personal menace -- who enjoys torturing me day after day -- at any hour and for any length of time (which to me is the most unbelievable thing...I can see in some situations, scripts with automated responses can be used, but there are times when he is returning a volley of mine and it is just too well-tailored to be code-based...this type of a response can happen during any one of 24 hours in a day--so he is alerted when I do something or never sleeps....I would have to say that he cannot be much of a family man given how much time he is at his PC).

In fact....even though he has been quite egregious in some acts (I caught that his name is Brendan) since he knows that I know about him, I will say that I am surprised I am even allowed to write this post on the laptop in question, because I am sure that not only does he know what I am typing at this second by virtue of having a VM-type screen on his monitor, or having a keylogger VPNed or on my disk....and to add more insult to injury, my new laptop has a built-in webcam, so he can probably see me furiously racing through the stack of books I have purchased in my losing battle with this trojan and the man or person behind it.

I have come close to really wiping all 250.5 GB of my drive, but since I do not have the HP driver installation recovery disks, I have not been able to do that. I do know now that on this laptop and on my old laptop, he would set aside X amount of disk space which I could never touch....I know that manufacturers use protected storage for a reason, but I have tried to use utilities to free up this protected area to no avail. My System Info still says
Capacity 238GB (250,547,000 B).

The only solution then is to wipe the entire drive and use the recovery disks (but do I need to tattoo the motherboard too?...that is one of my current questions).

But here is the big news -- in my opinion -- and some of you may have heard a little of this before, but I was completely unaware of this vulnerability. The gang at MS knows about it (but the issue in question is barely mentioned or discussed as far as I can tell), but from what I have experienced.... this should be a very big bug alert.....If this was not addressed (and apparently on a brand new laptop running Norton and Vista 64x it was not caught) who knows how big of a potential problem this could be....Ready everyone??????

When I first removed my wireless NIC on my own laptop, I assumed there must have been another RF device on it. How else could I explain the fact that he was still exercising some control? I did the same thing on this new laptop, also an HP (but this is not HP dependent), and had the same problem....

Here is the key to the magic..... Bluetooth. This guy is using Bluetooth from any AP (as he is using UDP via IPv6) to connect first and control my laptop -- even though the data throughput for BT is only 1MB/s maximum...that is enough. And with the development of BT in recent years, and with the right power behind it, the range can be up to 1 mile!

So the bottom line is that my trojan advertises not from the wireless NIC, but from some BT device... something audio related, as my audio never works unless I install the driver from the website (and boy does he get mad when I shut down the process entitled audiohg (but he has since found a workaround to this--he subsequently used some component of Windows Presentation, and now I do not know what he is doing). The trojan advertises my address and the radio signal picks it up. Given the range of Bluetooth, it is impossible for me to hide from it -- no matter where I am, so is he). He quickly picks up this beacon, and whether I am with or without wireless capability, he is in control of my laptop. Now if I really screw around with the drive and reformat it slow and install Linux, then install XP until it crashes (because I have a SATA drive), then most of what he normally hides on my disk someplace is gone and it does take him awhile to get back to a level where he can do anything....including the use of X11 or Samba shares to destroy any refreshing experience I could possibly derive from using Linux (Ubuntu). [I have logged on to a fresh install of Ubuntu Intrepid, and I am always pleasantly informed that I am not root.]

And while I would like to have this person drawn and quartered, I have to give him my respect for his thorough knowledge of windows server/client environments (NT, 2003, and 2008), Linux, all software, hardware, EVERYTHING. This guy is no slouch. But it underscores one thing. If he wanted to be purely malicious, he could have been. He is merely an annoyance and prevents me from doing many things when I want to. Many people would not even know he is there. But I like my system set up in a certain way and have been around windows long enough to know the way the "kernel" works.

So, though I know a complete wipe and reinstall will cure my problem, it would still give me great joy to defeat him without doing that. If someone can take me to the next step, I would be grateful. Really, if I could only have an intimate understanding (as if it is a trivial thing) of the Vista/WIN7 registry, I could get rid of this guy in an hour.... but alas, I do not -- nor do very many others -- possess this knowledge.

But he does. And very well too.


The only thing I am going to attach in the way of diagnostics is a Sysinternals run of LoadOrd, which shows everything that is loaded at startup. But please, anyone out there, if you need something let me know. Also, my offer from a few months ago still stands: if anyone would like to get on the phone with me and Putty/Plink/SSH into my laptop and have a look-see, I would love it.....

Columns are:
"Start Value" "Group Name" "tag" "Service/Device" "Display Name" "Image Path"

Boot WdfLoadGroup n/a* Wdf01000 Kernel Mode Driver Frameworks service
Boot Boot Bus Extender 1 ACPI Microsoft ACPI Driver
Boot Boot Bus Extender 2 msisadrv
Boot Boot Bus Extender 3 pci PCI Bus Driver
Boot Boot Bus Extender 6 vdrvroot Microsoft Virtual Drive Enumerator Driver
Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100
Boot System Bus Extender 7 Compbatt Microsoft Composite Battery Driver
Boot System Bus Extender 9 volmgr Volume Manager Driver
Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100
Boot System Bus Extender 15 pciide
Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100
Boot SCSI Miniport 33 atapi IDE Channel
Boot SCSI Miniport 64 msahci
Boot SCSI miniport n/a* amdxata
Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100
Boot Filter 1 CLFS @%SystemRoot%\system32\clfs.sys,-100
Boot Base 1 KSecDD
Boot Base 2 CNG
Boot Base n/a* pcw Performance Counters for Windows Driver
Boot File System n/a* Fs_Rec
Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200
Boot Cryptography 2 KSecPkg
Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\tcpipcfg.dll,-50003
Boot Extended Base n/a* storflt @%SystemRoot%\system32\vmstorfltres.dll,-1000
Boot n/a* n/a* Disk Disk Driver
Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100
Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101
Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101
Boot PnP Filter* 2* rdyboost ReadyBoost
Boot n/a* n/a* spldr Security Processor Loader Driver
Boot n/a* n/a* volsnap Storage volumes
System SCSI CDROM Class 3 cdrom CD-ROM Driver
System Base 1 Null
System Base 2 Beep Beep
System Video Save 1 VgaSave
System Video Save n/a* RDPCDD @%systemroot%\system32\DRIVERS\RDPCDD.sys,-100
System Video Save n/a* RDPENCDD @%systemroot%\system32\drivers\RDPENCDD.sys,-101
System Video Save n/a* RDPREFMP @%systemroot%\system32\drivers\RdpRefMp.sys,-101
System File system n/a* Msfs
System File system n/a* Npfs
System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004
System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000
System PNP_TDI n/a* NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2
System NDIS 16 WfpLwf WFP Lightweight Filter
System NDIS 18 Psched @%SystemRoot%\System32\drivers\pacer.sys,-101
System NDIS 24 vwififlt Virtual WiFi Filter Driver
System NetBIOSGroup 2 NetBIOS NetBIOS Interface
System n/a* n/a* blbdrive
System network* 9* CSC @%systemroot%\system32\cscsvc.dll,-202
System Network* n/a* DfsC @%systemroot%\system32\drivers\dfsc.sys,-101
System n/a* n/a* discache @%systemroot%\system32\drivers\discache.sys,-102
System n/a* n/a* mssmbios Microsoft System Management BIOS Driver
System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2
System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000
System n/a* n/a* TermDD Terminal Device Driver
System n/a* n/a* Wanarpv6 @%systemroot%\system32\rascfg.dll,-32012
Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100
Automatic COM Infrastructure n/a* DcomLaunch @oleres.dll,-5012
Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001
Automatic COM Infrastructure n/a* RpcSs @oleres.dll,-5010
Automatic Event Log n/a* eventlog @%SystemRoot%\system32\wevtsvc.dll,-200
Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\audiosrv.dll,-204
Automatic AudioGroup n/a* AudioSrv @%SystemRoot%\system32\audiosrv.dll,-200
Automatic AudioGroup n/a* STacSV Audio Service
Automatic ProfSvc_Group n/a* CscService @%systemroot%\system32\cscsvc.dll,-200
Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112
Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300
Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200
Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192
Automatic UIGroup n/a* UxSms @%SystemRoot%\system32\dwm.exe,-2000
Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1
Automatic PlugPlay n/a* PlugPlay @%SystemRoot%\system32\umpnpmgr.dll,-100
Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100
Automatic PlugPlay n/a* wudfsvc @%SystemRoot%\system32\wudfsvc.dll,-1000
Automatic NDIS 14 rspndr Link-Layer Topology Discovery Responder
Automatic NDIS 15 lltdio Link-Layer Topology Discovery Mapper I/O Driver
Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100
Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101
Automatic TDI n/a* lmhosts @%SystemRoot%\system32\lmhsvc.dll,-101
Automatic TDI n/a* Wlansvc @%SystemRoot%\System32\wlansvc.dll,-257
Automatic ShellSvcGroup n/a* ShellHWDetection @%SystemRoot%\System32\shsvcs.dll,-12288
Automatic SchedulerGroup n/a* Schedule @%SystemRoot%\system32\schedsvc.dll,-100
Automatic SpoolerGroup n/a* Spooler @%systemroot%\system32\spoolsv.exe,-1
Automatic NetworkProvider n/a* BFE @%SystemRoot%\system32\bfe.dll,-1001
Automatic NetworkProvider n/a* LanmanWorkstation @%systemroot%\system32\wkssvc.dll,-100
Automatic NetworkProvider n/a* MpsSvc @%SystemRoot%\system32\FirewallAPI.dll,-23090
Automatic n/a* n/a* adfs
Automatic n/a* n/a* AESTFilters Andrea ST Filters Service
Automatic n/a* n/a* Apple Mobile Device Apple Mobile Device
Automatic n/a* n/a* Bonjour Service Bonjour Service
Automatic n/a* n/a* clr_optimization_v2.0.50727_32 Microsoft .NET Framework NGEN v2.0.50727_X86
Automatic n/a* n/a* clr_optimization_v2.0.50727_64 Microsoft .NET Framework NGEN v2.0.50727_X64
Automatic n/a* n/a* CryptSvc @%SystemRoot%\system32\cryptsvc.dll,-1001
Automatic n/a* n/a* DPS @%systemroot%\system32\dps.dll,-500
Automatic n/a* n/a* EventSystem @comres.dll,-2450
Automatic n/a* n/a* FDResPub @%systemroot%\system32\fdrespub.dll,-100
Automatic n/a* n/a* iphlpsvc @%SystemRoot%\system32\iphlpsvc.dll,-500
Automatic n/a* n/a* LanmanServer @%systemroot%\system32\srvsvc.dll,-100
Automatic n/a* n/a* MMCSS @%systemroot%\system32\mmcss.dll,-100
Automatic n/a* n/a* NlaSvc @%SystemRoot%\System32\nlasvc.dll,-1
Automatic n/a* n/a* nsi @%SystemRoot%\system32\nsisvc.dll,-200
Automatic n/a* n/a* PcaSvc @%SystemRoot%\system32\pcasvc.dll,-1
Automatic n/a* n/a* PEAUTH PEAUTH
Automatic n/a* n/a* secdrv Security Driver
Automatic n/a* n/a* sppsvc @%SystemRoot%\system32\sppsvc.exe,-101
Automatic n/a* n/a* SysMain @%SystemRoot%\system32\sysmain.dll,-1000
Automatic n/a* n/a* tcpipreg TCP/IP Registry Compatibility
Automatic n/a* n/a* TrkWks @%SystemRoot%\system32\trkwks.dll,-1
Automatic n/a* n/a* WinDefend @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
Automatic n/a* n/a* Winmgmt @%Systemroot%\system32\wbem\wmisvc.dll,-205
Automatic n/a* n/a* wscsvc @%SystemRoot%\System32\wscsvc.dll,-200
Automatic n/a* n/a* WSearch @%systemroot%\system32\SearchIndexer.exe,-103
Automatic n/a* n/a* wuauserv @%systemroot%\system32\wuaueng.dll,-105
01 May 2009   #53

I forgot one thing

One more thing.... one thing this guy will not let me touch is the hiberfil.sys on the root drive. It is hidden. I can delete the pagefile.sys, but not the hiberfil.sys. As Administrator, I am not even allowed to look at the security tab.

See Screenshot below.

Attached Thumbnails
This is a Security issue, but more!!!-hiberfil.png  
02 May 2009   #54

Win 7

Run an elevated command prompt, "powercfg -h off", and bam, say goodbye hiberfil.sys. I would ditch the Bonjour service as well if I were you.
02 May 2009   #55



I did that and it worked--no more hiberfil. But the three-card monte game continues. Now the pagefile.sys is the file I cannot delete. First the pagefile.sys was hidden, so I did a c:\attrib -a -s -h -r -i *.* and I got the following:
Unable to change attribute - C:\pagefile.sys

When I try to look at the properties, I get the same as I did for the hiberfil.sys. See screenshot.

I would be glad to get rid of those because those contain files that make his hijacking jobs a lot easier.....

Yup. Thanks for your response. I would like to rid my drive of those files (although I understand the utility of the pagefile).

My main question to you and to anyone (and everyone) is .... is there a registry setting where I can disable all bluetooth connectivity? Plus make this setting persistent, and not in a volatile environment.....?????

And Yup, I hate Apple's use of Bonjour...nothing but trouble. I have just reinstalled everything so many times, I forget about that. Anyway I clicked it away in HJT. Speaking of which, I thought I would paste my current run of HJT for anyone so that it may be of assistance. I marked in red the entries I am concerned about.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:40 AM, on 5/2/2009
Platform: Unknown Windows (WinNT 6.01.2981)
MSIE: Internet Explorer v8.00 (8.00.7077.0000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O13 - Gopher Prefix:
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_8b2066212420dc24\AESTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_8b2066212420dc24\STacSV64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

End of file - 6152 bytes


Attached Thumbnails
This is a Security issue, but more!!!-pagefile.png  
02 May 2009   #56

Win 7

Type "virtual memory" in the Start menu; it will show you how to turn off the pagefile. As for Bluetooth, there is a service that can be disabled for that.
02 May 2009   #57

Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)

Quote   Quote: Originally Posted by YupYup View Post
Type "virtual memory" in the start menu it will show you how to turn off the pagefile, as for bluetooth there is a service that can be disabled for that.
not only that but you can disable the driver or uninstall it...
you can even uninstall the driver and delete the service...
as for the reason for the pagefile not being accessible, it is more by design as your OS and apps write to disk and back
this article should be a good start on that
02 May 2009   #58

Thanks guys

Yup & Dark (and to others who may be reading).

I understand some of the basics of the pagefile--i.e. that it is virtual memory, and how windows uses it.

Perhaps I am just getting skittish..... but that is also why I offered to let someone SSH to my PC... I have been posting about this particular issue since late February and it spans two laptops (again, my fault for reinfecting the second laptop).

But first, let me just get some foundational understanding since I have no benchmarks....

After deleting the hiberfil (and again, thank you for that command...honestly, I may have tried to use it before, but the file names in my system32 directory change quite often), this is what my C:\ root directory looks like (using c:\dir /a). Can someone confirm that for Win 7, 64 bit, these are all common directories?

Volume in drive C has no label.
Volume Serial Number is A269-346A

Directory of C:\

05/01/2009 01:34 PM <DIR> $Recycle.Bin
04/05/2009 12:34 AM <JUNCTION> Documents and Settings [C:\Users]
05/02/2009 03:50 AM 4,024,258,560 pagefile.sys
04/04/2009 09:44 PM <DIR> PerfLogs
05/01/2009 05:13 PM <DIR> Program Files
05/02/2009 11:06 AM <DIR> Program Files (x86)
05/01/2009 05:13 PM <DIR> ProgramData
05/01/2009 01:34 PM <DIR> Recovery
05/02/2009 09:23 AM <DIR> swsetup
05/02/2009 11:05 AM <DIR> System Volume Information
05/01/2009 01:34 PM <DIR> Users
05/02/2009 11:07 AM <DIR> Windows
2 File(s) 4,024,259,457 bytes
11 Dir(s) 228,287,938,560 bytes free

Below is a log of the Sysinternals diag app called TCPView, which I believe I posted here once before. Now at the time of this log I was on the internet, and was in gmail, and on another board in addition to this one. But there are so many IPv6 and UDP connections (which is another signature -- in my opinion -- of something being not quite right) that I wanted to get your opinion. I had mentioned in a post several weeks ago that the use of the loopback adapter with IPv6 is a component to this as well.

[Note: Security Team is a board I was on when I ran this, and also, "Prague" is the name of my pc.]

AppleMobileDeviceService.exe:1460 TCP Prague:27015 Prague:0 LISTENING
firefox.exe:2580 TCP Prague:49383 localhost:49384 ESTABLISHED
firefox.exe:2580 TCP Prague:49384 localhost:49383 ESTABLISHED
firefox.exe:2580 TCP Prague:49385 localhost:49386 ESTABLISHED
firefox.exe:2580 TCP Prague:49386 localhost:49385 ESTABLISHED
firefox.exe:2580 TCP prague:51725 ESTABLISHED
firefox.exe:2580 TCP prague:51730 ESTABLISHED
firefox.exe:2580 TCP prague:51761 ESTABLISHED
firefox.exe:2580 TCP prague:51774 CLOSE_WAIT
firefox.exe:2580 TCP prague:51775 ESTABLISHED
jusched.exe:2416 TCP prague:49330 CLOSE_WAIT
lsass.exe:528 TCP Prague:49156 Prague:0 LISTENING
lsass.exe:528 TCPV6 prague:49156 prague:0 LISTENING
services.exe:488 TCP Prague:49155 Prague:0 LISTENING
services.exe:488 TCPV6 prague:49155 prague:0 LISTENING
svchost.exe:1172 UDP Prague:llmnr *:*
svchost.exe:1172 UDPV6 prague:5355 *:*
svchost.exe:1504 UDP Prague:ssdp *:*
svchost.exe:1504 UDP prague:ssdp *:*
svchost.exe:1504 UDP Prague:ws-discovery *:*
svchost.exe:1504 UDP Prague:ws-discovery *:*
svchost.exe:1504 UDP Prague:49152 *:*
svchost.exe:1504 UDP prague:61501 *:*
svchost.exe:1504 UDP Prague:61502 *:*
svchost.exe:1504 UDPV6 [0:0:0:0:0:0:0:1]:1900 *:*
svchost.exe:1504 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:1900 *:*
svchost.exe:1504 UDPV6 prague:3702 *:*
svchost.exe:1504 UDPV6 prague:3702 *:*
svchost.exe:1504 UDPV6 prague:49153 *:*
svchost.exe:1504 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:61499 *:*
svchost.exe:1504 UDPV6 [0:0:0:0:0:0:0:1]:61500 *:*
svchost.exe:736 TCP Prague:epmap Prague:0 LISTENING
svchost.exe:736 TCPV6 prague:135 prague:0 LISTENING
svchost.exe:832 TCP Prague:49153 Prague:0 LISTENING
svchost.exe:832 TCPV6 prague:49153 prague:0 LISTENING
svchost.exe:832 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:546 *:*
svchost.exe:928 TCP Prague:49154 Prague:0 LISTENING
svchost.exe:928 TCPV6 prague:49154 prague:0 LISTENING
*System:4 TCP prague:netbios-ssn Prague:0 LISTENING
*System:4 TCP Prague:microsoft-ds Prague:0 LISTENING
*System:4 TCP Prague:icslap Prague:0 LISTENING
*System:4 TCP Prague:wsd Prague:0 LISTENING
*System:4 UDP prague:netbios-ns *:*
*System:4 UDP prague:netbios-dgm *:*
*System:4 TCPV6 prague:445 prague:0 LISTENING
*System:4 TCPV6 prague:2869 prague:0 LISTENING
*System:4 TCPV6 prague:5357 prague:0 LISTENING
wininit.exe:424 TCP Prague:49152 Prague:0 LISTENING
wininit.exe:424 TCPV6 prague:49152 prague:0 LISTENING

*What are these connections????

Lastly, as far as Bluetooth... First, are any of you familiar with this vulnerability or have you heard of it being used to implement full PC control? The Microsoft bulletin is not that easy to find, but it is here: and an update to that bulletin here

First thing (per Microsoft), I have gone into the c:\windows\inf directory and deleted every file that started with BTH (and there were at least 10), which had extensions of .inf or .pnf. I basically executed a del bth*.inf and a del bth*.pnf. But this did nothing... As far as a Bluetooth service.... there may be one, but it is not a native Windows service.

I won't list all of my running services now. But as I said in my first post, since day 1, a service related to audio was always running and I never understood why. I had never seen this in XP (nor Vista to the best of my recollection), and it seemed peculiar--especially because when I typically booted up, my audio would not work (the little speaker with the lined-through circle would be orange on my laptop panel). And from what I have read, since bluetooth is often used to connect to audio devices, I guessed that this was a source. I deleted the service and it caused a complete mess of everything. For example, I was denied access to my own root drive. Does there seem to be a causal relationship there?

But this audio service now does not run. There is another service, but I do not know what it is, and there are too many non-native services for anyone to guess. What I might do (since I do it every two days or so anyway out of necessity) is reformat and reinstall Windows 7 from scratch. Then 10 minutes after that--without any program installations being done--I will post my running services and someone can tell me if there is a "fly".
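The TCPView listing in the post above (the "What are these connections?" question) is the kind of thing a defender answers by comparing each listener with what a stock Windows 7 install is known to expose. This is an added example, not code from the thread: the EXPECTED table is my own summary of well-known Windows ports, and the sample lines are copied from the posted log.

```python
"""Baseline check for a TCPView paste like the one above (added example, not
code from the thread). Parses TCPView's columns (process:pid, protocol, local,
remote, state) and labels each listener against a table of what a stock
Windows 7 install exposes; the table is this example's own summary."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: lines copied from the TCPView log posted in the thread.
SAMPLE_LOG = """\
AppleMobileDeviceService.exe:1460 TCP Prague:27015 Prague:0 LISTENING
firefox.exe:2580 TCP Prague:49383 localhost:49384 ESTABLISHED
firefox.exe:2580 TCP prague:51725 ESTABLISHED
lsass.exe:528 TCPV6 prague:49156 prague:0 LISTENING
svchost.exe:1172 UDP Prague:llmnr *:*
svchost.exe:1504 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:1900 *:*
svchost.exe:736 TCP Prague:epmap Prague:0 LISTENING
svchost.exe:832 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:546 *:*
*System:4 TCP Prague:microsoft-ds Prague:0 LISTENING
*System:4 TCPV6 prague:5357 prague:0 LISTENING
wininit.exe:424 TCP Prague:49152 Prague:0 LISTENING
"""

# TCPView prints well-known service names instead of port numbers; map them
# back so both spellings land in the same bucket.
SERVICE_PORTS = {
    "epmap": 135, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
    "microsoft-ds": 445, "ssdp": 1900, "icslap": 2869, "ws-discovery": 3702,
    "llmnr": 5355, "wsd": 5357,
}
# Listeners a stock Windows 7 box exposes, keyed by (family, port).
EXPECTED = {
    ("TCP", 135): "RPC endpoint mapper (svchost)",
    ("TCP", 139): "NetBIOS session (System)",
    ("TCP", 445): "SMB (System)",
    ("TCP", 2869): "UPnP event notification (System)",
    ("TCP", 5357): "WSD HTTP (System)",
    ("UDP", 137): "NetBIOS name (System)",
    ("UDP", 138): "NetBIOS datagram (System)",
    ("UDP", 546): "DHCPv6 client (svchost)",
    ("UDP", 1900): "SSDP discovery (svchost)",
    ("UDP", 3702): "WS-Discovery (svchost)",
    ("UDP", 5355): "LLMNR (svchost)",
}
# Core processes that legitimately hold listeners in the dynamic range 49152-65535.
DYNAMIC_RANGE_OWNERS = {"svchost.exe", "lsass.exe", "services.exe", "wininit.exe"}
# Third-party services seen in the paste; the vendor, not Windows, explains these.
THIRD_PARTY = {"AppleMobileDeviceService.exe": "Apple Mobile Device Service"}
TCP_STATES = {"LISTENING", "ESTABLISHED", "CLOSE_WAIT", "TIME_WAIT", "SYN_SENT"}
LINE_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCPV6|UDPV6|TCP|UDP)\s+"
    r"(?P<local>\S+)(?:\s+(?P<remote>\S+))?(?:\s+(?P<state>\S+))?$"
)

@dataclass
class Entry:
    process: str
    pid: int
    proto: str
    port: int
    remote: str
    state: str
    verdict: str

def parse_local_port(local: str) -> int:
    """'Prague:llmnr' -> 5355; '[fe80:...]:1900' -> 1900; 'prague:49156' -> 49156."""
    name = local.rsplit(":", 1)[1]
    return SERVICE_PORTS[name] if name in SERVICE_PORTS else int(name)

def classify(process: str, proto: str, port: int, remote: str, state: str) -> str:
    family = "TCP" if proto.startswith("TCP") else "UDP"
    listening = state == "LISTENING" or (family == "UDP" and remote in ("*:*", ""))
    if not listening:
        return f"ignored: {state or 'outbound'} connection, not a listener"
    if (family, port) in EXPECTED:
        return f"expected: {EXPECTED[(family, port)]}"
    if 49152 <= port <= 65535 and process in DYNAMIC_RANGE_OWNERS:
        return "expected: dynamic-range port held by a core Windows process"
    if process in THIRD_PARTY:
        return f"review: third-party listener ({THIRD_PARTY[process]})"
    return "review: not in the Windows 7 baseline"

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    remote, state = m["remote"] or "", m["state"] or ""
    if not state and remote in TCP_STATES:  # remote column lost in the paste
        remote, state = "", remote
    port = parse_local_port(m["local"])
    verdict = classify(m["proc"], m["proto"], port, remote, state)
    return Entry(m["proc"], int(m["pid"]), m["proto"], port, remote, state, verdict)

def audit(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def needs_review(text: str) -> List[Tuple[str, int]]:
    return [(e.process, e.port) for e in audit(text) if e.verdict.startswith("review")]
```

Running `needs_review(SAMPLE_LOG)` leaves only the Apple service's port 27015 for a closer look; everything else in the paste is a stock Windows 7 listener or an ordinary outbound browser connection.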


02 May 2009   #59

Windows 8.1 Pro RTM x64

Hi Paul,

What is this swsetup directory?
02 May 2009   #60



That directory is used by HP. It is where drivers are located and it is used in some recovery processes. I do not really use it or know about it because, as I said, I had to reformat this laptop about 3 hours after I bought it. I then installed WIN 7 (Build 7077) on it and then installed drivers from the HP website. But as you may know, HP does not include all drivers...which is why I had to pay and order for the disks so I can then wipe my drive completely.

EDIT: My mistake...ignore the remainder of my post (except the last paragraph, which is interesting). The search that I had done (discussed below) came up and I thought it said "C:\installer ". Actually the search was done on C:\ but the file I checked said "c:\windows\installer" which is legitimate.

See? I am getting so jumpy about this... I hate having to feel unsure whether I can or cannot do something on my own system. I cannot explain what I am experiencing...but it is the way the windows open and close... For instance I will install something, and an installer window comes up, and then .1 second after that there is a slight tremor on the screen and then the installer dialog box comes up again. Besides all of the crazy files and GUIDs and encrypted bit masks all over the registry, it also feels like something is double-checking everything that is happening. And it is just too obvious when I install an antivirus application (and I have installed all of the applications listed on the Windows 7 page). It is the way the system will coincidentally hang. But it is not entirely system behaves with a purpose. If I download and try to install an AV application on my laptop, it will hang as soon as I install it. BUT, if I take my laptop to an internet cafe, use another PC, download the same AV installer virus application, put it on a flash drive, then install it on my laptop as quick as possible after inserting the flash drive, the application will successfully install until completion....but then it will never update (again is this a coincidence?), or there will be certain options greyed out which I know should not be (see an earlier post where I mention this phenomenon when I was using Kaspersky back in February).

IF I had the means, I would pay any of you or some MS security consultant to travel to me and just look at my PC and try to work on it normally for 1 hour. They would realize that there is a virus/trojan, and that it is or has completely taken over my system. But what I do not understand is the motive. So far, nothing malicious has been done. It is as if he is just using my bandwidth or something. I have not figured that out.

But -- something strange just happened -- I was in a windows explorer directory searching on all files with today's date as date modified. While this was running, I tended to some other things in other windows. I just looked back and saw this (see screenshot). It says there is a directory called "installer" located on C.

I am only aware of "dir /a" as a means for displaying hidden directories and/or folders. Is there not only a hidden but a super-hidden attribute NTFS has which would allow these files not to be detected? (This is a footprint basically....I do not know why Windows Explorer ended up like that....but it was part of this hijacking I am suffering.)

The main other "footprint" that I see (and I have seen it about 500 times) is when I go to regedit. You know how regedit saves the last key you edited or were viewing? Well, the one thing this guy does not do is disable this feature, so I have seen where he has been countless times -- that is not to say I understand the keys he is changing, but unless Windows has to move around in the registry like that and then the last place Windows referenced the registry is saved and would typically come up when you entered Regedit.exe (which I highly doubt is the case in WIN7 as I have never seen that occur before), then it is this phantom, because it is not me.


Attached Thumbnails
This is a Security issue, but more!!!-installer.png  
